Privacy Policy

Last updated: 7 April 2026

Summary: obiter is a UK law study platform. We collect only the data necessary to provide our service. We do not sell your data. We do not use tracking cookies or analytics. You can request deletion of your data at any time.

1. Data Controller

obiter is operated by Jasmine Sakpoba, a sole trader based in the United Kingdom.

Contact: hello@obiter.site

ICO Registration Number: [To be added upon registration]

2. Data We Collect

We collect the following personal data when you use obiter:

Data Category	Specific Data	Purpose
Account information	Email address, display name, university name, course type, year of study	Account creation and personalisation
Authentication data	Hashed password, JWT refresh tokens	Secure access to your account
Study progress	Selected modules, flashcard performance (review dates, ease factors, repetitions), practice question scores and attempts	Providing spaced repetition and progress tracking features
Content organisation	Folders, favourited cases, custom notes, case ordering within folders	Enabling you to organise your study materials
Deadline data	Deadline titles, due dates, module associations, completion status, notes	Deadline tracking and coverage analysis features
Subscription data	Subscription tier, subscription status, referral code	Managing your subscription and referral programme

Data we do NOT collect

We do not collect or store payment card details. All payment processing is handled by Stripe.
We do not use analytics cookies, advertising trackers, or third-party tracking scripts.
We do not collect location data, device identifiers, or IP addresses for tracking purposes.

3. Legal Basis for Processing

Under Article 6 of UK GDPR, we process your data on the following legal bases:

Contract performance (Article 6(1)(b)): Processing your account data, study progress, and content organisation is necessary to provide the obiter study service that you have signed up for.
Legitimate interests (Article 6(1)(f)): We process aggregated, anonymised usage patterns to improve our service, fix bugs, and develop new features. This processing does not override your rights and freedoms.
Consent (Article 6(1)(a)): We only send marketing emails (feature announcements, study tips) with your explicit opt-in consent. You can withdraw consent at any time by unsubscribing.

4. Data Storage and Security

Your data is stored in a PostgreSQL database hosted by Supabase, located in the AWS eu-west-2 (London) region. All data remains within the United Kingdom.

We implement the following security measures:

Passwords are hashed using bcrypt with 12 rounds (never stored in plaintext)
Authentication uses short-lived JWT access tokens (15 minutes) with rotating refresh tokens
All data transmitted over HTTPS/TLS encryption
Database access restricted to application-level credentials only
Refresh tokens are revoked on rotation and on logout

5. Third-Party Processors

We use the following third-party services to operate obiter. Each acts as a data processor under a Data Processing Agreement (DPA):

Processor	Purpose	Data Shared	Location
Supabase	Database hosting	All account and study data	AWS eu-west-2 (London, UK)
Stripe	Payment processing	Email, subscription tier (card details handled entirely by Stripe)	EU/UK (Stripe UK Ltd)
Resend	Transactional emails	Email address, display name	US (with UK GDPR-compliant DPA)
Vercel	Application hosting	Server logs (IP addresses, request paths)	EU (London region)

6. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights:

Right of access (Article 15): You can request a copy of all personal data we hold about you.
Right to rectification (Article 16): You can update your personal information at any time through the app settings, or by contacting us.
Right to erasure (Article 17): You can request deletion of your account and all associated data. We will complete deletion within 30 days.
Right to data portability (Article 20): You can request an export of your data in a machine-readable format (JSON).
Right to object (Article 21): You can object to processing based on legitimate interests.
Right to restrict processing (Article 18): You can request that we limit how we use your data while a complaint is resolved.

To exercise any of these rights, email hello@obiter.site. We will respond within 30 days. There is no fee for exercising your rights.

7. Data Deletion

You can request deletion of your account and all personal data by:

Using the "Delete Account" option in the app (Settings > Danger Zone)
Emailing hello@obiter.site from your registered email address

Upon receiving a deletion request, we will permanently delete all your personal data, study progress, folders, flashcards, and account information within 30 days. This action is irreversible.

8. Cookies and Local Storage

obiter uses only essential cookies required for the service to function:

Authentication tokens: JWT access tokens and refresh tokens stored securely for session management. These are necessary for you to remain logged in.
Cookie consent: A single cookie recording your acceptance of this cookie notice.

We do not use analytics cookies, advertising cookies, social media tracking pixels, or any other non-essential cookies. Because we only use strictly necessary cookies, consent is not legally required under the Privacy and Electronic Communications Regulations (PECR), but we inform you of their use as a matter of transparency.

9. Data Retention

Account data: Retained for as long as your account is active. Deleted within 30 days of a deletion request.
Study progress and content: Retained for as long as your account is active.
Authentication tokens: Refresh tokens expire after 30 days and are automatically purged.
Password reset tokens: Expire after 1 hour.

10. Age Restriction

obiter is designed for university students and is intended for users aged 16 and over. We do not knowingly collect personal data from anyone under 16. If we become aware that we have collected data from a user under 16, we will delete that data promptly.

11. International Data Transfers

We primarily store data within the UK (AWS London). Where data is processed by third parties outside the UK (e.g., Resend in the US), we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and UK International Data Transfer Agreements (IDTAs), as required by UK GDPR.

12. Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk
Helpline: 0303 123 1113

We would appreciate the opportunity to resolve any concerns before you contact the ICO. Please email us at hello@obiter.site first.

13. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email at least 14 days before the changes take effect. The "Last updated" date at the top of this page indicates when this policy was last revised.

Continued use of obiter after changes take effect constitutes acceptance of the revised policy.