Legal

Privacy Policy

Last updated: March 2026

Contents

1. Who We Are
2. What Data We Collect
3. How We Use Your Data
4. Legal Basis for Processing
5. Third Parties
6. Data Retention
7. Your Rights
8. Children's Privacy
9. Cookies
10. Security
11. Changes to This Policy
12. Contact Us

1. Who We Are

ScotMark is an independent AI-powered revision tool for Scottish students. We are the data controller for the personal data described in this policy.

For any privacy-related queries, contact us at scotmark17@outlook.com.

This policy applies to all users of ScotMark, including visitors, registered users, and paying subscribers. It complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What Data We Collect

Data Type	What We Collect	Why
Account data	Email address, hashed password, account creation date	To create and manage your account
Usage data	Subjects used, analyses count, session history, scores, streak data	To provide the service and show your progress dashboard
Content data	Questions and answers you submit for marking	To generate AI feedback. Passed to Anthropic API for processing.
Payment data	Subscription plan, Stripe customer ID	To manage your subscription. Full payment details handled by Stripe.
Technical data	IP address (for rate limiting), request timestamps	To prevent abuse and ensure service reliability

We do not collect your full name, date of birth, phone number, or physical address unless you voluntarily provide them.

3. How We Use Your Data

We use your personal data only for the following purposes:

Creating and managing your ScotMark account
Providing AI-powered exam feedback and model answers
Displaying your progress dashboard and revision history
Processing subscription payments and managing billing
Sending account verification and password reset emails
Preventing fraud, abuse, and unauthorised access
Complying with legal obligations

We do not sell, rent, or trade your personal data to third parties for marketing purposes.

4. Legal Basis for Processing

Under UK GDPR, we process your data on the following legal bases:

Contract performance — processing necessary to provide the Service you have signed up for
Legitimate interests — security, fraud prevention, and service improvement
Legal obligation — compliance with applicable UK law
Consent — where you have explicitly agreed, such as email verification

5. Third Parties

We share data with the following third-party services to operate ScotMark:

Service	Purpose	Data Shared
Anthropic	AI feedback generation	Questions and answers submitted for marking
Stripe	Payment processing	Email address, subscription plan
Resend	Transactional emails	Email address
Railway	Backend hosting	All data stored in our database

Each of these providers has their own privacy policy and data protection commitments. We only share the minimum data necessary for each service to function.

Content you submit (questions and answers) is sent to Anthropic's API for processing. Anthropic does not use API inputs to train their models by default. Please review Anthropic's privacy policy for full details.

6. Data Retention

We retain your data for as long as your account is active. Specifically:

Account data — kept until you delete your account
Session history and answers — kept until you delete them or close your account
Payment records — kept for 7 years as required by UK financial regulations
Technical logs — retained for up to 30 days for security purposes

When you delete your account, we will permanently delete all personal data within 30 days, except where retention is required by law.

7. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right of Access

Request a copy of all personal data we hold about you

Right to Rectification

Request correction of inaccurate or incomplete data

Right to Erasure

Request deletion of your personal data ("right to be forgotten")

Right to Restrict

Request that we limit how we process your data

Right to Portability

Receive your data in a machine-readable format

Right to Object

Object to processing based on legitimate interests

To exercise any of these rights, contact us at scotmark17@outlook.com. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Children's Privacy

ScotMark is designed for students aged 13 and above. We do not knowingly collect personal data from children under 13 without verifiable parental consent.

If you are under 16, we recommend reviewing this policy with a parent or guardian before creating an account.

If we become aware that we have inadvertently collected data from a child under 13 without consent, we will delete it promptly. Please contact us at scotmark17@outlook.com if you have concerns.

9. Cookies

ScotMark uses minimal browser storage to provide the Service:

localStorage — stores your authentication token and email to keep you signed in between sessions. This is essential for the Service to function.

We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not use Google Analytics or similar tracking services.

10. Security

We take reasonable technical and organisational measures to protect your personal data, including:

Passwords are hashed using bcrypt — we never store plain-text passwords
All data transmitted between your browser and our servers is encrypted via HTTPS
Authentication tokens expire after 24 hours
Rate limiting protects against brute force attacks
Payment data is handled entirely by Stripe and never stored on our servers

While we implement industry-standard security practices, no system is completely secure. We cannot guarantee absolute security of your data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by displaying a notice within the Service at least 14 days before changes take effect.

The "last updated" date at the top of this page indicates when the policy was last revised. Your continued use of the Service after changes take effect constitutes acceptance of the updated policy.

12. Contact Us

For any privacy-related questions, data requests, or concerns, please contact us at:

scotmark17@outlook.com

We aim to respond to all privacy requests within 30 days. For complaints, you may also contact the Information Commissioner's Office (ICO) at ico.org.uk.

Questions about your privacy?

We're committed to being transparent about how we handle your data.

scotmark17@outlook.com