Privacy Policy

Offload Ltd ("Offload", "we", "us", or "our") operates the Offload study planning platform at https://offload.education. We are the data controller for personal data processed through this platform.

Contact our Data Protection Lead: privacy@offload.education

We collect the following categories of personal data:

2.1 Account and Identity Data

• Email address and name (provided at sign-up)
• Password (hashed — we never store it in plain text)
• Profile preferences (study goals, target grades, preferred study style)
• Google account details if you sign in with Google (name, email, profile picture)

2.2 Study and Content Data

• Documents, notes, and past papers you upload
• Flashcards, exam questions, and study items generated from your content
• Exam plans and revision schedules you create
• Your study session history, review attempts, and quality scores (used to power spaced repetition)
• Progress data including mastery percentages, weak topics, and retention rates

2.3 Calendar Data

• If you connect Google Calendar: access to read your existing events (to avoid scheduling conflicts) and write study session events on your behalf. We store OAuth tokens securely in your user settings to maintain this connection. You can revoke access at any time from your Google Account settings or Offload settings.

2.4 Usage and Technical Data

• IP address and approximate location (country/city level)
• Browser type and device information
• Pages visited and features used within the app
• Error logs and performance data (used to diagnose issues)
• Timestamps of study sessions and review events

2.5 Billing Data

We do not store your full payment card details. Payment processing is handled entirely by Paddle, our authorised merchant of record. We receive confirmation of payment status and subscription tier only. Paddle's privacy policy applies to payment data.

We process your personal data only for the following purposes, each with a specific legal basis under UK GDPR:

We never sell your personal data. We do not use your data for targeted advertising through third-party ad networks.

Offload uses Google Geminito generate study materials (flashcards, notes, exam questions) from content you upload. When you upload a document or past paper, its text is sent to Google's Gemini API for processing. Google processes this data as a data processor acting on our instructions.

We do not use your uploaded documents to train Gemini models. Google's API data usage policy applies — content submitted via the API is not used to improve Google's products by default.

Our internal ML pipelineanalyses anonymised, aggregated study performance data (e.g. which techniques correlate with better retention across all users) to improve scheduling recommendations. This analysis uses statistical patterns — no individual user's content is exposed to other users.

We share personal data only with the following third parties, each acting as a data processor under appropriate safeguards:

We do not share your data with any other third parties without your explicit consent, except where required by law (e.g. response to a lawful court order).

• Active accounts: We retain your data for as long as your account is active.
• Deleted accounts: On account deletion, your personal data (profile, study items, notes, flashcards, exam plans) is permanently deleted within 30 days. Aggregated, anonymised statistical data may be retained indefinitely.
• Billing records: Transaction records are retained for 7 years as required by UK tax law (HMRC).
• Error logs: Technical error logs are retained for 90 days.

Under UK GDPR and the Data (Use and Access) Act 2025, you have the following rights:

• Right of access: Request a copy of all personal data we hold about you.
• Right to rectification: Ask us to correct inaccurate or incomplete data.
• Right to erasure ("right to be forgotten"): Ask us to delete your personal data. You can also delete your account directly from Settings.
• Right to restriction: Ask us to stop processing your data while a dispute is resolved.
• Right to data portability: Request your study data in a machine-readable format (JSON export available in the app).
• Right to object: Object to processing based on legitimate interests (e.g. analytics).
• Rights related to automated decisions:Offload's ML system makes scheduling recommendations but does not make fully automated decisions that have legal or similarly significant effects on you.
• Right to withdraw consent: Where processing is based on consent (e.g. marketing emails), you may withdraw at any time.

To exercise any of these rights, email us at privacy@offload.education. We will respond within 30 days. We may need to verify your identity before acting on a request.

Offload is aimed at students aged 13 and above. We do not knowingly collect personal data from children under 13 without verifiable parental consent. If you believe a child under 13 has created an account, please contact us immediately at privacy@offload.education and we will delete the account promptly.

For users aged 13–17, we apply additional protections in line with the UK ICO's Children's Code (Age Appropriate Design Code): high privacy defaults, no profiling for advertising, and clear, child-friendly language in our communications.

We take data security seriously. Our key security measures include:

• All data is encrypted in transit (TLS 1.2+) and at rest
• Authentication is handled by Supabase with secure cookie-based sessions
• Row-Level Security (RLS) policies ensure each user can only access their own data at the database level
• No user can access another user's study data — access is always derived from a verified JWT, not client-supplied identifiers
• OAuth tokens for Google Calendar are stored encrypted in your user settings
• Error monitoring via Sentry does not capture full user content

If you discover a security vulnerability, please disclose it responsibly to privacy@offload.education.

Offload uses the following cookies:

• Authentication cookies (essential): Set by Supabase to maintain your login session. These are required for the platform to function and cannot be disabled.
• Preference cookies (functional): Store your display preferences (e.g. dark/light mode). These are first-party cookies.

We do not use third-party advertising cookies or tracking pixels. We do not use Google Analytics or similar tracking services that share data with ad networks.

Some of our third-party processors (listed in Section 5) are based outside the UK. Where data is transferred to countries without an adequacy decision, we rely on Standard Contractual Clauses (SCCs) as approved by the ICO to ensure your data remains protected to UK GDPR standards.

We may update this privacy policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. The effective date at the top of this page always reflects the most recent update.

If you are unhappy with how we have handled your data, please contact us first at privacy@offload.education. We will do our best to resolve your concern.

You also have the right to lodge a complaint with the UK's supervisory authority: