How we collect, use, and protect your personal data — written in plain English.
Summary: We collect only what we need to run FlashDeck. We do not sell your data. We do not use your data for advertising. Students' data is used solely to provide the revision service.
FlashDeck.AI ("FlashDeck", "we", "us", "our") is an AI-powered revision platform that generates exam-ready flashcards for students studying GCSE, IGCSE, and A Level qualifications worldwide. The platform is operated by FlashDeck.AI, developed in association with Cutlass Group.
For the purposes of UK and EU data protection law, FlashDeck.AI is the data controller responsible for your personal data.
Contact: hello@flashdeck.ai | www.flashdeck.ai
We collect the following categories of personal data:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Creating and managing your account | Name, email, password | Contract |
| Generating AI flashcards | Topic, subject, exam board, level | Contract |
| Personalising spaced repetition schedules | Study session ratings and history | Contract |
| Processing subscription payments | Billing name, email (via Stripe) | Contract |
| Sending account and service emails | Email address | Contract |
| Improving the platform and AI quality | Anonymised usage patterns | Legitimate interests |
| Preventing fraud and abuse | IP address, login data | Legitimate interests |
| Complying with legal obligations | As required by law | Legal obligation |
We do not use your data for targeted advertising, profiling for commercial purposes, or sale to third parties.
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we process your personal data on the following legal bases:
We use the following third-party services to operate FlashDeck. Each is bound by its own privacy policy and data processing terms:
| Service | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase | Database and authentication | Account data, usage data | EU (AWS) |
| Anthropic (Claude) | AI flashcard generation | Topic and subject prompts only — no personal data | USA |
| Stripe | Payment processing | Billing name and email | USA / EU |
| Vercel | Website hosting and deployment | Technical/log data | USA / EU |
We do not share your personal data with any other third parties without your explicit consent, except where required by law.
We retain your personal data for as long as your account is active or as necessary to provide the service. Specifically:
FlashDeck is designed for students aged 13 and above. We do not knowingly collect personal data from children under the age of 13 without verifiable parental consent.
For students aged 13–17, we recommend that parents or guardians review this Privacy Policy. If a school is deploying FlashDeck to students under 16, the school acts as the data controller for those students and is responsible for obtaining appropriate consents under applicable law.
If you believe a child under 13 has provided us with personal data without appropriate consent, please contact us at hello@flashdeck.ai and we will delete that data promptly.
Under UK GDPR, you have the following rights regarding your personal data:
| Right | What It Means |
|---|---|
| Access | Request a copy of the personal data we hold about you. |
| Rectification | Request correction of inaccurate or incomplete data. |
| Erasure | Request deletion of your personal data ("right to be forgotten"). |
| Restriction | Request that we restrict processing of your data in certain circumstances. |
| Portability | Request your data in a structured, machine-readable format. |
| Objection | Object to processing based on legitimate interests. |
| Withdraw consent | Withdraw consent at any time where processing is based on consent. |
To exercise any of these rights, please contact us at hello@flashdeck.ai. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
Some of our third-party service providers are located outside the UK and European Economic Area (EEA), including in the United States. Where we transfer personal data internationally, we ensure appropriate safeguards are in place, including:
We take the security of your personal data seriously and implement appropriate technical and organisational measures, including:
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by UK GDPR.
FlashDeck uses a small number of cookies to operate the service:
| Cookie | Purpose | Duration |
|---|---|---|
| Session cookie | Keeps you logged in during your session | Session (deleted when browser closes) |
| Authentication token | Remembers your login if "Keep me logged in" is selected | 30 days |
| Preference cookie | Remembers your exam board and subject preferences | 1 year |
We do not use advertising cookies or third-party tracking cookies. You can control cookies through your browser settings, though disabling essential cookies may affect the functionality of the service.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will notify you by email (if you have an account) and update the "Last updated" date at the top of this page. Your continued use of FlashDeck after any changes constitutes your acceptance of the updated policy.
If you have any questions about this Privacy Policy, wish to exercise your data rights, or have a concern about how we handle your personal data, please contact us:
If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint
We're committed to transparency. If anything in this policy is unclear, please get in touch.
hello@flashdeck.ai