Privacy Policy

ExamsClinic Ltd | www.examsclinic.com

Last Updated: 30/04/2026

LEGAL INFORMATION

We are: ExamsClinic Ltd, a company registered in England and Wales under company number 16621987 with its registered office at Suite A, 82 James Carter Road, Mildenhall, Suffolk IP28 7DE (“ExamsClinic”, “we”, “us”, or “our”).

Website: www.examsclinic.com (“Platform”)

Privacy contact: info@examsclinic.com

ICO Registration Number: [[NUMBER] — register at https://ico.org.uk if not yet registered]

INTRODUCTION

We are committed to protecting your personal data and being transparent about how we collect and use it. This Privacy Notice sets out how ExamsClinic collects, uses, stores, and shares personal data in connection with your use of our Platform and Services, and describes your rights under applicable data protection law.

This Privacy Notice applies to all users of the Platform, including visitors, registered users, subscribers, and purchasers of individual Courses. The Platform is not intended for use by persons under the age of 18 and we do not knowingly collect personal data from children.

This Privacy Notice should be read together with our Website Terms and Conditions and Cookie Policy, which are available on the Platform. Please also read our Cookie Policy (set out in section 9 below) for information on how we use cookies and similar technologies.

We keep this Privacy Notice under regular review and may update it from time to time. Where we make material changes, we will notify you as described in section 12 below.

  1. WHO WE ARE AND HOW TO CONTACT US
    • ExamsClinic Ltd is the data controller responsible for your personal data collected through the Platform. If you have any questions about this Privacy Notice or wish to exercise any of your data protection rights, please contact us at: info@examsclinic.com.
    • If you are a UK resident and have concerns about how we handle your personal data, you have the right to make a complaint to the Information Commissioner’s Office (ICO):

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF | Tel: 0303 123 1113 | www.ico.org.uk

  • We would welcome the opportunity to address your concerns directly before you approach the ICO, so please contact us in the first instance.
  2. PERSONAL DATA WE COLLECT

2.1. We collect and process the following categories of personal data about you:

  • Identity Data: first name, last name, username or similar identifier, title, and date of birth (to verify you are 18 or older). Where you register for a Course, we may also collect your phone number, professional or training level (for example, medical student, FY1, ST3, or dental student), and the name of your institution, workplace, or university. Where you register or sign in using your Google account, we receive your name and email address from Google via OAuth authentication. This data is treated as Identity and Contact Data for all purposes under this Privacy Notice;
  • Contact Data: email address and any other contact information you provide to us;
  • Transaction Data: details of Subscriptions, Course purchases, and payment history. Note that we do not store your full payment card details — these are processed and held by our payment processor, Stripe. We may receive limited billing-related data such as the last four digits of your card and expiry date for reference purposes;
  • Profile Data: your Account username and password (stored in encrypted form), Subscription plan, purchase history, saved content, progress through question banks or courses, and preferences;
  • Usage Data: information about how you access and use the Platform, including features accessed, content viewed, time spent on the Platform, question bank activity, questions attempted and answered, mock examination results and scores, subject and topic performance metrics, revision session history, and patterns of use. Where you use interactive or simulation features (such as mock OSCE environments), records of your performance in those sessions may also be collected as Usage Data;
  • Technical Data: IP address (held in anonymised or pseudonymised form), browser type and version, operating system, device type, referring URLs, pages visited, and date and time of access, collected automatically as you interact with the Platform;
  • Communications Data: any communications you send us via email, contact forms, or otherwise, and records of our responses; and
  • Marketing and Preferences Data: your preferences in receiving marketing communications from us and your communication preferences.
    • We do not collect any special categories of personal data (for example, health, biometric, or ethnic data) in the ordinary course of providing our Services. If such data were to be provided voluntarily by you (for example, in the context of a mentoring session), it would be processed only to the extent strictly necessary and with appropriate safeguards.
    • We do not knowingly collect or process data relating to criminal convictions or offences.
    • Where we are required to collect certain personal data in order to perform our contract with you and you fail to provide it, we may be unable to provide the relevant Service.
  3. HOW WE COLLECT YOUR PERSONAL DATA
    • Direct interactions: You provide personal data directly when you create an Account, purchase a Subscription or Course, book Mentoring Services, submit questions or notes within the Platform, correspond with us, submit feedback or error reports, or otherwise interact with the Platform.
    • Automated technologies: As you use the Platform, we automatically collect Technical Data and Usage Data using cookies, server logs, and similar technologies. This includes your question bank activity, examination performance data, session duration and navigation patterns, and feature usage. Where you use interactive features such as OSCE simulation tools, data relating to your performance in those sessions is captured automatically. Please see our Cookie Policy in section 9 for further details on cookies.
    • Third-party sources: We receive Transaction Data from our payment processor Stripe when you make a purchase. We receive Technical Data from Google Analytics in connection with your use of the Platform. Where you use Google sign-in, we receive your name and email address from Google LLC via OAuth. Any data received from third parties in this way is handled in accordance with this Privacy Notice from the point of receipt. Where you register or sign in using a third-party authentication service, we may receive certain identity or contact data from that service in accordance with their terms.
    • Inferred data: We may derive information about your likely examination, training stage, or study preferences from your usage patterns and the Content you access. This inferred data is used only to personalise your experience on the Platform and to improve our Services. It is not shared with third parties for profiling or advertising purposes.
  4. HOW WE USE YOUR PERSONAL DATA
    • We will only process your personal data where we have a lawful basis for doing so. The lawful bases we rely on are:
  • Performance of a contract: where processing is necessary to perform our contract with you or to take steps at your request before entering into a contract;
  • Legitimate interests: where processing is necessary for our legitimate interests or those of a third party, provided that those interests are not overridden by your rights and interests;
  • Legal obligation: where processing is necessary to comply with a legal obligation to which we are subject; and
  • Consent: where you have given us your explicit consent for a specific purpose, such as receiving marketing communications.
    • The table below sets out the purposes for which we process your personal data, the categories of data involved, and the lawful basis for processing:
| Purpose / Activity | Type of Data | Lawful Basis |
| --- | --- | --- |
| To register you as a user and create your Account | Identity Data; Contact Data | Performance of a contract with you |
| To process payments for Subscriptions and one-off Course purchases and manage your billing | Identity Data; Contact Data; Transaction Data | Performance of a contract with you; Legitimate interests (debt recovery) |
| To provide access to Content, Subscriptions, Courses, and Mentoring Services | Identity Data; Contact Data; Profile Data; Usage Data | Performance of a contract with you |
| To manage our relationship with you, including notifying you of changes to our Terms, Privacy Notice, or Services | Identity Data; Contact Data; Profile Data; Communications Data | Performance of a contract with you; Legal obligation; Legitimate interests (keeping records updated) |
| To administer and protect the Platform, including fraud prevention, security monitoring, and detecting account misuse (including password sharing) | Identity Data; Contact Data; Technical Data; Usage Data | Legitimate interests (security, fraud prevention, and protecting our business and users) |
| To analyse usage of the Platform in order to improve our Services, Content, and user experience | Technical Data; Usage Data | Legitimate interests (improving our Services and developing our business) |
| To generate anonymised and aggregated performance benchmarking data (e.g. comparing a user’s question bank scores against the anonymised performance of other users in the same cohort or preparing for the same examination) | Usage Data (anonymised and aggregated only — no identifiable personal data) | Legitimate interests (improving our Services, providing users with meaningful performance context, and developing our platform) |
| To use anonymised and aggregated Content interaction data to improve the quality and relevance of our question banks, mock examinations, and educational materials | Usage Data (anonymised and aggregated); Profile Data (anonymised) | Legitimate interests (improving our Content and ensuring educational quality) |
| To communicate with you regarding your Account, purchases, or enquiries | Identity Data; Contact Data; Communications Data | Performance of a contract with you; Legitimate interests (effective customer communications) |
| To send you marketing communications regarding our Services (where you have opted in or where otherwise permitted) | Identity Data; Contact Data; Communications Data | Consent (where required); Legitimate interests (marketing to existing customers, soft opt-in) |
| To comply with applicable legal obligations, including tax and regulatory requirements | Identity Data; Contact Data; Transaction Data | Legal obligation |
| To deal with complaints, disputes, or legal claims | Identity Data; Contact Data; Transaction Data; Communications Data | Legitimate interests (defending and managing legal claims) |
| To display user testimonials or reviews on the Platform or in marketing materials | Identity Data (name, where identified); Communications Data (testimonial content) | Consent — identifiable testimonials only used with prior consent; all other testimonials anonymised before use. Users may withdraw consent at any time. |
  • We will not use your personal data for any purpose that is incompatible with the purpose for which it was collected without giving you prior notice, save where otherwise permitted by applicable law.
  • We do not use your personal data for automated decision-making that produces legal or similarly significant effects without human oversight.
  • Performance benchmarking: We may use anonymised and aggregated Usage Data to generate comparative performance statistics displayed to you on the Platform, such as how your score in a particular question bank or mock examination compares to other users preparing for the same examination. This benchmarking uses only anonymised and aggregated data. Your identifiable personal data is never disclosed to other users, and you cannot be individually identified from any statistics presented to others.
  • Content development and quality improvement: We may analyse anonymised and aggregated patterns of Content interaction — for example, which questions are most frequently answered incorrectly, or which topics attract the highest revision activity — to inform content development, accuracy improvements, and platform updates. This processing uses only aggregated data that cannot identify you individually. We do not use your identifiable personal data to train or develop third-party AI systems.
  5. MARKETING
    • We may send you marketing communications about our Services where you are an existing customer and we have a legitimate interest in doing so (soft opt-in basis), or where you have opted in to receive such communications.
    • You can opt out of receiving marketing communications at any time by:

(a)   clicking the unsubscribe link in any marketing email;

(b)   updating your communication preferences in your Account settings; or

(c)   contacting us at info@examsclinic.com.

  • Opting out of marketing communications will not affect our ability to send you transactional or service-related messages, such as order confirmations, payment receipts, or important notices about your Account.
  • We will not share your personal data with third parties for their own marketing purposes without your express consent.
  6. SHARING YOUR PERSONAL DATA
    • We share your personal data with the following categories of third parties:
  • Payment processor: Stripe, Inc. processes payments on our behalf and receives the personal data necessary to process your transactions securely. Stripe is subject to its own privacy policy and security standards. We do not receive or store your full payment card details;
  • Analytics provider: Google LLC (Google Analytics) receives Technical Data and Usage Data to help us understand how the Platform is used and to improve our Services;
  • Email delivery: Twilio Inc. (SendGrid) delivers transactional and marketing emails on our behalf and processes your email address and associated communications data for this purpose;
  • Hosting and infrastructure: Amazon Web Services, Inc. (AWS) provides the cloud hosting and infrastructure on which the Platform operates and stores Platform data;
  • Communications and productivity: Google LLC (Google Workspace) is used for internal business communications and administration;
  • Video conferencing: Zoom Video Communications, Inc. facilitates the delivery of online courses and mentoring sessions and processes participant names, email addresses, and session data for that purpose;
  • Website content management: Automattic Inc. (WordPress) provides the content management system used for the Platform’s landing pages and static content pages, and may process Technical Data in connection with your access to those pages.
  • Professional advisers: lawyers, accountants, auditors, and insurers who provide professional services to us;
  • Regulatory authorities: HMRC and other government authorities and regulators where required by law; and
  • Business transfers: if we sell, transfer, or merge part or all of our business or assets, personal data may be transferred to the acquirer or successor entity, who will be required to handle it in accordance with applicable data protection law.
    • We require all third-party processors to implement appropriate technical and organisational measures to protect your personal data and to process it only on our instructions and in accordance with applicable law.
    • We do not sell your personal data to third parties.
  7. INTERNATIONAL TRANSFERS
    • Some of our third-party service providers are based outside the United Kingdom, and their processing of your personal data involves a transfer of personal data outside the UK. In particular:
  • Stripe, Inc. (payment processing) – based in the United States. Transfers are safeguarded by the International Data Transfer Addendum (IDTA) and/or Stripe’s standard contractual clauses approved for UK transfers;
  • Google LLC (Google Analytics and Google Workspace) – based in the United States. Google participates in approved data transfer frameworks and provides standard contractual clauses for UK data transfers. Google Analytics data is processed with IP anonymisation enabled. Where you register or sign in using your Google account, we receive your name and email address from Google LLC via OAuth authentication. This data is treated as Identity and Contact Data for all purposes under this Privacy Notice;
  • Twilio Inc. (SendGrid) – based in the United States. Transfers are safeguarded by standard contractual clauses approved for use in the UK;
  • Amazon Web Services, Inc. (AWS) – ExamsClinic’s primary application data, including user account data and platform data, is hosted on AWS servers located in the United Kingdom. Data is not routinely transferred outside the UK for primary hosting purposes. However, certain third-party processors (including Stripe, Google, and SendGrid) may process limited data outside the UK as set out below.
  • Zoom Video Communications, Inc. – based in the United States. Zoom participates in approved data transfer frameworks and provides standard contractual clauses for UK data transfers. Zoom processes participant data in connection with online course and mentoring session delivery; and
  • Automattic Inc. (WordPress) – based in the United States. WordPress may process Technical Data in connection with your access to the Platform’s landing pages. Transfers are safeguarded by standard contractual clauses approved for use in the UK.
    • Where we transfer personal data outside the UK, we ensure that an appropriate level of protection is provided by relying on one or more of the following mechanisms:
  • transfer to a country or territory that has been recognised by the UK Secretary of State as providing an adequate level of protection for personal data;
  • use of the International Data Transfer Addendum (IDTA) to the EU Standard Contractual Clauses, as approved by the ICO; or
  • where the relevant organisation participates in an approved certification scheme or framework recognised under UK law.
    • You may request further information about the specific safeguards in place for any particular international transfer by contacting us at the details given in section 1.
  8. DATA SECURITY
    • We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, loss, or destruction. These measures include, without limitation, encrypted storage and transmission of personal data, access controls, and regular security reviews.
    • Notwithstanding the measures we take, no method of electronic transmission or storage is entirely secure, and we cannot guarantee absolute security of your personal data. Transmission of data via the internet is done at your own risk.
    • We have procedures in place to respond to suspected personal data breaches and will notify you and the ICO of a breach where we are legally required to do so.
  9. DATA RETENTION
    • We retain your personal data only for as long as is reasonably necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, tax, accounting, or reporting requirements. We may retain personal data for longer in the event of a complaint or where we reasonably believe there is a prospect of litigation.
    • In general, we apply the following retention periods:
  • Account identity and contact data is retained for the duration of your Account and for a period of up to 7 years thereafter, in accordance with our statutory obligations under UK tax and company law;
  • Transaction and billing data is retained for 7 years from the date of the relevant transaction, as required by HMRC and applicable financial record-keeping obligations;
  • Examination performance data, question bank activity, and usage history is retained for the duration of your Account and for a period of up to 3 years following Account closure, after which it will be anonymised or deleted;
  • Technical and analytics data is retained in pseudonymised or anonymised form for up to 26 months from collection, in line with standard Google Analytics retention settings; and
  • Communications data (including support correspondence) is retained for up to 3 years from the date of the communication, or longer where required for the management of a dispute or legal claim.
    • Where you request deletion of your personal data, we will delete or anonymise it subject to any legal or regulatory obligations that require us to retain certain records. We will inform you if any such obligations prevent full deletion.
    • Where data is anonymised rather than deleted, it can no longer be attributed to you and may be retained and used indefinitely in aggregated form for platform improvement and research purposes.
  10. COOKIE POLICY
    • A cookie is a small text file placed on your browser or device when you visit the Platform. Cookies help us to operate the Platform effectively, recognise you as a returning user, and understand how you use the Platform.
    • We use the following categories of cookies:
  • Strictly necessary cookies: these are essential to enable you to use the Platform and cannot be switched off. They are usually set in response to actions you take, such as logging in or making a purchase;
  • Analytics cookies: these allow us to count visits and sources of traffic so that we can measure and improve the performance of the Platform; and
  • Functionality cookies: these enable the Platform to remember your preferences and provide enhanced, personalised features.
    • We do not currently use targeting or advertising cookies on the Platform.
    • You can control and manage cookies via your browser settings. If you disable strictly necessary cookies, some parts of the Platform may not function correctly. You can also opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Add-On, available at https://tools.google.com/dlpage/gaoptout.
    • Our full, standalone Cookie Policy is also available on the Platform and provides further detail on how to manage your cookie preferences.
  11. YOUR DATA PROTECTION RIGHTS
    • Subject to applicable law, you have the following rights in relation to your personal data:
  • Right of access: to request a copy of the personal data we hold about you and information about how we process it (commonly known as a data subject access request or DSAR);
  • Right to rectification: to request that we correct any inaccurate or incomplete personal data we hold about you;
  • Right to erasure: to request that we delete your personal data in certain circumstances — for example, where it is no longer necessary for the purpose for which it was collected, where you have withdrawn consent on which processing was based, or where you have successfully exercised your right to object;
  • Right to restriction: to request that we suspend or limit processing of your personal data in certain circumstances, for example while we verify the accuracy of data you have disputed;
  • Right to data portability: to receive your personal data in a structured, commonly used, and machine-readable format, or to request that it be transferred to another controller, where processing is based on consent or contract and is carried out by automated means;
  • Right to object: to object at any time to processing of your personal data that is based on our legitimate interests — including processing for analytics, performance benchmarking, usage profiling, or direct marketing. Where you object to processing for direct marketing, we will stop immediately and without exception. For other legitimate-interest processing, we will stop unless we can demonstrate compelling legitimate grounds that override your rights and interests; and
  • Right to withdraw consent: to withdraw any consent you have given at any time, without affecting the lawfulness of processing carried out before withdrawal. You can withdraw consent to analytics cookies at any time via the cookie consent tool on the Platform.
    • To exercise any of these rights, please contact us at info@examsclinic.com. We will acknowledge your request promptly and respond within one calendar month of receipt, or within three months for complex or multiple requests (in which case we will notify you of the extension). We may need to verify your identity before acting on your request.
    • You will not ordinarily be charged a fee for exercising your rights. However, we reserve the right to charge a reasonable administrative fee, or to decline to act, where a request is manifestly unfounded, repetitive, or excessive.
    • Certain rights are not absolute and may be subject to exemptions under applicable data protection law. For example, we may be required by law to retain certain data despite an erasure request, or we may have compelling legitimate grounds that override an objection. We will always explain the position clearly if we are unable to comply fully with your request.
  12. CHANGES TO THIS PRIVACY NOTICE
    • We keep this Privacy Notice under review and may update it from time to time to reflect changes in our data processing activities, the services we use, or applicable data protection law.
    • Where we make material changes (for example, introducing a new purpose for processing your data, engaging a new category of third-party processor, or changing how long we retain your data) we will notify you by email to your registered address or by posting a prominent notice on the Platform, not less than 14 days before the changes take effect. Your continued use of the Platform following the effective date of any changes will constitute your acceptance of the updated Privacy Notice.
    • We encourage you to review this Privacy Notice periodically. The current version and its last updated date are always published on the Platform.
  13. COMPLAINTS
    • If you have a concern about how we handle your personal data, we would welcome the opportunity to address it directly. Please contact us in the first instance at info@examsclinic.com.
    • If you remain dissatisfied following our response, or if you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office | Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF | Tel: 0303 123 1113 | www.ico.org.uk

  • If you are based in the EEA, you also have the right to complain to your local data protection supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

GLOSSARY

Lawful Basis

  • Legitimate Interests means the interests of ExamsClinic in conducting and managing our business to enable us to give you the best services and the most secure experience. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests.
  • Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party, or to take steps at your request before entering into such a contract.
  • Legal Obligation means processing your personal data where it is necessary for compliance with a legal obligation to which we are subject.
  • Consent means processing where you have given us clear and explicit agreement to use your personal data for a specific purpose. You have the right to withdraw your consent at any time.

BY USING THE PLATFORM, YOU CONFIRM THAT YOU HAVE READ AND UNDERSTOOD THIS PRIVACY NOTICE.