Professor Clive

Privacy Policy

Professor Clive

Last updated: 7 May 2026 Effective from: 7 May 2026 Version: v1.2 (ICO registration number ZC141324 inserted into Section 12 — first publication-ready version with no placeholders)

Privacy Notice for Young People

This section is a plain-English summary written for users aged 13 to 17. It is not the binding legal document — the full Privacy Policy below applies — but it summarises the same commitments in clearer language.

Who runs this service? Professor Clive is operated by Alexander Brown, a sole trader based in the United Kingdom, trading as "Professor Clive."

What information do you collect about me? Your email, real name, password (encrypted), date of birth, a username we generate for you, and a record of the questions you attempt and how well you do.

Who do you share it with? Companies that help us run the service: Supabase (which stores your data in London), Anthropic (whose AI marks your answers, based in the United States), Vercel (which hosts the website), Cloudflare (which manages our domain), and Resend (which sends our service emails). If you connect to a tutor or school, they can see your performance.

Do you sell my data? No. We do not sell your data to anyone. We do not share it with advertisers. We do not track you for advertising.

How long do you keep it? While you are using the service. If you delete your account, we erase your identity within 30 days. If you stop using the service for 12 months, we will email you, and if we do not hear back, we will anonymise your account.

What rights do I have? You can ask for a copy of your data, ask us to correct or delete it, or complain to the UK Information Commissioner's Office (ICO). Email us at contact@professorclive.com.

Are there extra protections because I'm under 18? Yes. We do not profile you for advertising, we collect only what we need, and our marketing email box is unticked by default.

Can I sign up if I'm under 13? No. This service is not available to children under 13.

The full legal Privacy Policy follows.

1. Introduction and Data Controller

This Privacy Policy describes how personal data is collected, used, stored, and disclosed by Alexander Brown, sole trader, trading as Professor Clive ("we," "us," "our," or "Professor Clive"), in connection with the operation of the Professor Clive service available at professorclive.com and clive.school.ai (the "Service").

For the purposes of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018, the data controller is:

Alexander Brown, sole trader, trading as Professor Clive Correspondence address: 9 Lauda Way, Towcester, Northamptonshire, NN12 7AZ, United Kingdom Contact email: contact@professorclive.com

Any queries, complaints, or requests in connection with this Privacy Policy or the exercise of data subject rights should be directed to the contact details above.

2. Categories of Personal Data Processed

We process the following categories of personal data in connection with the Service.

2.1 Data provided by the user at registration

  • Email address — used as the unique account identifier and for service-related correspondence.
  • Real name — used to enable identification by tutors and educational institutions to which the user voluntarily connects.
  • Password — stored solely as a cryptographic hash by our authentication sub-processor (Supabase). The plaintext password is not transmitted to, stored by, or accessible to us.
  • Date of birth — collected to verify that the user satisfies the minimum age requirement (13) and to apply additional protections in respect of users aged 13 to 17 in accordance with the Age Appropriate Design Code.
  • Marketing preferences — recorded where the user has expressly opted in to receive marketing communications.

2.2 Data generated by the Service in respect of the user's account

  • Username, automatically generated at the time of account creation in a hyphenated two-word format. The username is fixed at the point of account creation.
  • Student identifier, automatically generated in a fixed format (e.g. PC-2026-XXXXXX).
  • Account creation timestamp.
  • Subscription status and term, where applicable.

2.3 Data generated through use of the Service

  • Submitted answers to biology examination questions.
  • Marks awarded in respect of those answers.
  • Mark scheme alignment data (which mark points were awarded or missed) and error categorisation tags generated by automated marking.
  • Time taken per question and per session.
  • Authentication metadata, including login timestamps and source IP addresses, retained by our authentication sub-processor for security monitoring.
  • Tutor and institutional linkages, where the user has voluntarily connected their account to a tutor or educational institution.

2.4 Categories of data not collected

We do not collect:

  • Payment card details (when paid plans are introduced, payment processing will be handled by Stripe; payment card details are collected directly by Stripe and not by us).
  • Cookies or identifiers used for behavioural advertising or cross-site tracking.
  • Data obtained from third-party data brokers.
  • Special category personal data within the meaning of Article 9 UK GDPR (such as health, religion, ethnicity, or political opinions). Users are requested not to include such information in submitted answers.

3. Purposes and Legal Bases for Processing

3.1 Provision of the Service

To create and maintain user accounts, authenticate users, deliver AI-marked feedback on submitted answers, present performance data to the user, and facilitate connections with tutors and institutions.

Legal basis: Performance of a contract pursuant to Article 6(1)(b) UK GDPR.

3.2 Improvement of the Service

To analyse aggregated and anonymised performance data across the user population for the purpose of identifying common difficulties, refining question quality, and improving marking accuracy.

Legal basis: Legitimate interests pursuant to Article 6(1)(f) UK GDPR. Our legitimate interest is the continuous improvement of an educational service. We have assessed that this processing has minimal privacy impact, since it operates on aggregated or anonymised data.

3.3 Communications with users

We send two categories of email communication:

  • Service communications — including account confirmations, security notifications, password reset instructions, notifications of material changes to terms or policies, and account closure confirmations. Service communications are necessary for the operation of the Service and cannot be opted out of.
  • Marketing communications — sent only where the user has expressly opted in at the point of registration. Users may withdraw consent at any time via the unsubscribe link in any marketing email or by emailing contact@professorclive.com.

Legal basis: Performance of a contract (service communications); consent (marketing communications) pursuant to Article 6(1)(a) UK GDPR and Regulation 22 of the Privacy and Electronic Communications (EC Directive) Regulations 2003.

3.4 Compliance with legal obligations

To comply with applicable law, including responding to lawful requests from regulators or law enforcement and maintaining records required under tax law.

Legal basis: Legal obligation pursuant to Article 6(1)(c) UK GDPR.

3.5 Protection of the Service

To detect, prevent, and respond to fraud, unauthorised access, abuse, and breaches of our Terms of Service.

Legal basis: Legitimate interests pursuant to Article 6(1)(f) UK GDPR.

4. Disclosure of Personal Data

4.1 Sub-processors

We engage the following sub-processors, each of whom processes personal data on our behalf pursuant to a Data Processing Agreement compliant with Article 28 UK GDPR.

| Sub-processor | Function | Processing location | Data Processing Agreement | |---|---|---|---| | Supabase Inc. | Authentication and database services | London, United Kingdom (eu-west-2) | https://supabase.com/legal/dpa | | Anthropic, PBC | AI-based answer marking | United States | https://www.anthropic.com/legal/data-processing-addendum | | Vercel Inc. | Website hosting | Global edge network | https://vercel.com/legal/dpa | | Cloudflare, Inc. | Domain Name System and email forwarding | Global | https://www.cloudflare.com/cloudflare-customer-dpa/ | | Resend, Inc. | Transactional email delivery (account confirmations, password resets, service notifications) | European Union | https://resend.com/legal/dpa |

We will update this Privacy Policy in the event of any change to our sub-processors.

4.2 Tutors and institutional users

Where a user voluntarily links their account to a tutor or educational institution by means of a code provided by that party, the linked party will be granted access to the user's username, student identifier, real name, and performance data. The linked party will not have access to the user's password, email address, or date of birth. A user may request termination of such a link at any time by contacting contact@professorclive.com.

4.3 No sale of personal data

We do not sell personal data, and we do not disclose personal data to third parties for the purpose of behavioural advertising.

4.4 Disclosures required by law

We may disclose personal data where required by law, including in response to a court order, lawful request from a regulator, or where disclosure is necessary to protect the rights, property, or safety of the user, ourselves, or any third party.

5. International Transfers

Personal data is primarily stored within the United Kingdom (Supabase eu-west-2 region) and the European Union (Resend).

A subset of personal data — specifically, submitted answer text — is transferred to the United States for processing by Anthropic, PBC, in the course of AI-based marking. This transfer is effected pursuant to the UK Information Commissioner's International Data Transfer Addendum to the European Commission Standard Contractual Clauses, executed between Professor Clive and Anthropic, PBC, and supplemented by Anthropic's Data Processing Agreement.

Operational data (including request logs) processed by Vercel and Cloudflare may be transferred outside the United Kingdom as part of those providers' global infrastructures, subject to equivalent transfer safeguards as set out in their respective Data Processing Agreements.

A copy of the relevant transfer safeguards may be requested by emailing contact@professorclive.com.

6. Retention

| Data category | Retention period | |---|---| | Active user accounts | For the duration of the account's active use | | Inactive accounts (no authentication for 12 consecutive months) | A reminder communication is sent to the registered email address. If no response is received within 30 days thereafter, identifying data (email, real name, date of birth) is deleted; performance data is anonymised and retained | | Accounts deleted at user request | Identifying data deleted within 30 days; performance data anonymised and retained for the purposes set out in section 3.2 | | Authentication logs and source IP addresses | Up to 90 days | | Marketing consent and unsubscribe records | Indefinitely, to ensure ongoing compliance with the user's marketing preferences | | Records subject to statutory retention obligations (e.g. tax records) | For the period required by applicable law |

Anonymisation involves the replacement of identifying fields with a non-reversible randomised reference, such that the residual data cannot reasonably be re-associated with the data subject.

7. Rights of the Data Subject

Users have the following rights under UK GDPR. To exercise any such right, please contact contact@professorclive.com. We will respond within one calendar month of receipt, save where the request is complex or numerous, in which case we may extend this period by a further two months in accordance with Article 12(3) UK GDPR.

7.1 Right of access (Article 15)

The user may request confirmation of whether personal data concerning them is being processed, and a copy of such data. Data is provided free of charge in a structured, commonly used, and machine-readable format (typically JSON).

7.2 Right to rectification (Article 16)

The user may request correction of inaccurate personal data and completion of incomplete personal data. Certain fields, including the username, are fixed at account creation by design.

7.3 Right to erasure (Article 17)

The user may request the deletion of their personal data. Such a request will be honoured within 30 days, save in respect of data we are obliged to retain by law. Performance data will be anonymised rather than deleted, in accordance with section 6.

7.4 Right to restriction of processing (Article 18)

The user may request restriction of processing in the circumstances set out in Article 18 UK GDPR.

7.5 Right to data portability (Article 20)

The user may request that personal data they have provided to us be transmitted to them, or to another data controller, in a structured, commonly used, and machine-readable format.

7.6 Right to object (Article 21)

The user may object to processing carried out on the basis of legitimate interests. Marketing communications will cease immediately upon objection.

7.7 Rights in relation to automated decision-making (Article 22)

The Service includes automated marking of submitted answers. A user who considers that an automated marking decision has materially affected them may request review by a human member of our team. Such requests will be evaluated under our internal review process and a substantive response provided within 30 days. Requests for review should be sent to contact@professorclive.com, citing the question and answer in dispute.

7.8 Right to withdraw consent (Article 7)

Where processing is based on consent (specifically, marketing communications), the user may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out prior to withdrawal.

7.9 Right to lodge a complaint with the supervisory authority

The user has the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: https://ico.org.uk
  • Telephone: 0303 123 1113
  • Postal address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We encourage users to raise any concern with us first, but the right to lodge a complaint with the ICO is unconditional.

8. Cookies

The Service uses only strictly necessary cookies as that term is defined in the Privacy and Electronic Communications (EC Directive) Regulations 2003.

The cookies set are authentication cookies set by Supabase, which are required to maintain the user's authenticated session. The specific cookie names and details are set out in our separate Cookie Notice.

We do not currently set analytics, advertising, or tracking cookies. As only strictly necessary cookies are set, prior consent is not required under PECR. In the event that we introduce non-essential cookies, this Privacy Policy will be amended and prior consent will be sought.

Users may disable cookies in their browser settings; doing so will prevent the Service from functioning, as authenticated sessions cannot be maintained without authentication cookies.

For full details, please see our separate Cookie Notice.

9. Provisions Relating to Users Under 18

We comply with the UK Information Commissioner's Office Age Appropriate Design Code in respect of users aged 13 to 17.

9.1 Specific protections

  • Registration is not available to persons under the age of 13. Where we become aware that an account has been created by a person under 13, the account will be deleted.
  • We collect the minimum personal data necessary to provide the Service.
  • We do not engage in profiling for advertising purposes, and we do not share personal data with third parties for marketing purposes.
  • Privacy-protective settings are applied by default. The marketing communications opt-in is unselected by default.
  • We do not engage in cross-site tracking.

9.2 Exercise of rights

A user aged 13 to 17 may exercise the rights set out in section 7 in the same manner as any other user. Where assistance is required to understand any provision of this Privacy Policy, the user may contact contact@professorclive.com to request a plainer-language explanation. Information regarding data subject rights is also available from the ICO at https://ico.org.uk/your-data-matters/.

9.3 Parents and guardians

A parent or guardian of a user aged 13 to 17 may exercise rights under section 7 on behalf of their child, subject to appropriate verification of identity and parental responsibility. Queries from parents or guardians may be directed to contact@professorclive.com.

10. Security

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 UK GDPR. These include:

  • Encryption of data in transit using Transport Layer Security (TLS).
  • Storage of authentication credentials as cryptographic hashes only.
  • Database-level access controls, including Row-Level Security policies enforcing per-user data isolation.
  • Restriction of administrative access to authorised personnel only.
  • Engagement of sub-processors that maintain recognised information security certifications and provide contractual security commitments.

In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the Information Commissioner's Office within 72 hours of becoming aware of the breach in accordance with Article 33 UK GDPR. Where the breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will additionally notify those individuals without undue delay in accordance with Article 34 UK GDPR.

11. Amendments to this Privacy Policy

We may amend this Privacy Policy from time to time. The "Last updated" date at the head of the document will reflect the date of any amendment.

Material amendments will be communicated to registered users by email. Where the amendment requires renewed consent, such consent will be sought before the amendment takes effect in respect of that user.

Prior versions of this Privacy Policy are available on request to contact@professorclive.com.

12. Information Commissioner's Office Registration

Alexander Brown, trading as Professor Clive, is registered with the United Kingdom Information Commissioner's Office under registration number ZC141324. The registration is effective from 7 May 2026 and expires on 6 May 2027 (renewed annually by Direct Debit).

Definitions

  • "Personal data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) UK GDPR.
  • "Processing" means any operation performed on personal data, as defined in Article 4(2) UK GDPR.
  • "Data controller" means the natural or legal person which determines the purposes and means of processing, as defined in Article 4(7) UK GDPR. The data controller in respect of this Privacy Policy is Alexander Brown trading as Professor Clive.
  • "Sub-processor" means a third party engaged by us to process personal data on our behalf.
  • "UK GDPR" means Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
  • "PECR" means the Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended.

End of Privacy Policy.