Legal

Privacy Policy

Last updated 26 April 2026

This policy explains what data Passkey collects, why we collect it, and what you can do about it. Passkey is operated from the United Kingdom and follows UK GDPR and the Data Protection Act 2018.

Who we are

Passkey is a study tool for CISI professional qualifications. You can reach us at hello@passkeyprep.com for any privacy questions or requests.

What we collect

We keep data collection light. The categories are:

  • Account data. Your email address and a hashed password, used to log you in.
  • Study data. Your answers, scores, and progress across syllabus elements, used to power practice mode, mock exams, and your weak-spot dashboard.
  • Support data. Anything you send us by email when you get in touch.
  • Payment data. Card details are handled entirely by Stripe. We only store your Stripe customer ID and subscription status.
  • Technical data. Standard server logs (IP address, browser, request timestamps) retained briefly for security and debugging.

We do not collect special category data (health, political views, and so on). We do not sell your data. We do not share it with advertisers.

Why we process it

  • Running the service (contract performance): serving practice questions, saving your progress, authenticating you.
  • Improving the product (legitimate interests): looking at aggregate usage patterns to spot bugs and decide what to build next.
  • Billing (contract performance): managing subscriptions and one-time purchases through Stripe.
  • Security (legitimate interests): detecting abuse, brute-force attempts, and fraud.

Who we share it with

We use a small number of processors to operate Passkey:

  • Supabase (database, authentication). Data is stored in EU regions where available.
  • Vercel (hosting). Traffic may transit US data centres.
  • Anthropic (AI question generation and explanations). The content of a prompt, such as the syllabus element and any user context we include, is sent to generate questions. Your email and account identifiers are not sent.
  • Stripe (payments). Card data never touches our servers.

Where a processor is outside the UK or EEA, we rely on UK-approved safeguards such as the International Data Transfer Agreement or the EU Standard Contractual Clauses.

How long we keep it

Account and study data stay on file for as long as your account exists. If you delete your account, we remove your personal data within 30 days, except for anonymised study statistics that can no longer be tied back to you. Billing records are kept for the period required by HMRC (currently six years).

Your rights

Under UK GDPR you can ask us to:

  • give you a copy of your data;
  • correct anything that's wrong;
  • delete your account and data;
  • restrict or object to specific processing;
  • export your data in a portable format;
  • withdraw consent where we rely on it.

Email hello@passkeyprep.com and we'll respond within one month. If you're unhappy with how we handle a request, you can complain to the Information Commissioner's Office at ico.org.uk.

Cookies and analytics

We use strictly necessary cookies for authentication (so you stay logged in between pages). We do not use third-party advertising cookies. If we add analytics in the future that require consent, we'll show you a cookie banner before dropping any non-essential cookies.

Changes to this policy

If we make material changes we'll email account holders and update the date at the top of this page. Routine wording fixes won't trigger an email.

Questions? Get in touch.