Privacy Notice
This notice explains what personal data we collect when you use these study guides, why we collect it, and the rights you have over it. It is written in plain English and is intended to meet our obligations under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and under the EU GDPR where it applies to you.
These are independent, self-published study guides for IAPP and AI-governance certifications. The same notice applies across our sites, including the CIPP/E and AIGP guides. For more on who we are, see the About page; for the terms governing use of the guides, including the warranty disclaimer and limitation of liability, see the Terms and the Disclaimer.
Who is responsible for your data
The data controller is Victor Humenhuk, a sole trader based in London, United Kingdom. You can reach the controller by post care of the email contact below; we will provide a postal service address on request.
For any privacy question, request, or complaint, you can contact us at hello@thesmios.com. This is the contact point for all data-protection matters. Where the operator is required to register with the UK Information Commissioner's Office and pay the data protection fee, that registration is maintained; you can ask us for the registration reference using the contact above.
What data we collect and how
We keep the data we collect to a minimum. The categories below cover everything we hold.
| Data | How we get it | Why |
|---|---|---|
| Account email address and an account identifier | You provide your email when you register with email and password, or it is shared by Google when you choose "Sign in with Google". Sign-in is handled by Supabase Auth. | To create and secure your account and let you sign in across our sites. |
| Password | If you register with a password, it is handled and hashed by Supabase. We never see or store your password. | To authenticate you. We have no access to the password itself. |
| Payment metadata | When you make the one-time payment to unlock a question bank, the payment is processed entirely by Stripe. We receive only a Stripe customer or session identifier and a record of your entitlement (what you bought). | To confirm your purchase and unlock lifetime access to that bank. We never receive or store full card numbers. |
| Study progress (optional) | If you are signed in, your quiz progress (which questions you have answered and whether you got them right or wrong) is synced to your account in a Supabase Postgres database only when you choose to sign in and sync. If you are signed out, this stays only in your browser. | To let your progress follow you across devices, when you choose to sign in and sync. |
| Essential cookies and local storage | Set in your browser as you use the site. | To keep you signed in (an authentication session token) and to cache study progress locally. See "Cookies and local storage" below. |
We do not collect special category data, we do not run advertising or cross-site tracking, and we do not buy or sell personal data.
Why we use your data and our lawful bases
- To provide your account and unlock purchased content - lawful basis: performance of a contract with you. This covers creating and maintaining your account, processing your one-time payment through Stripe, and giving you access to what you purchased.
- To keep the service secure and working - lawful basis: our legitimate interests in operating a reliable, secure study service and preventing misuse. This covers authentication and basic operation of the site.
- To sync your optional study progress across devices - lawful basis: your consent, given when you choose to sign in and sync, which you can withdraw at any time by signing out and stopping sync. Study progress sync is an optional, free feature; signed-out progress never leaves your browser.
- To respond to you when you email us - lawful basis: our legitimate interests in answering your enquiry, or performance of a contract where your message concerns your account or purchase.
Where we rely on consent for optional processing, we ask you clearly first and you can withdraw it at any time, without affecting processing already carried out.
Who processes data on our behalf, and providers acting as their own controllers
We use a small number of trusted providers to run the service. For some processing they act as our processor, handling only the data needed for their role on our instructions. For other processing - in particular payment, fraud prevention, and the Google sign-in flow - the provider acts as an independent controller in its own right and processes data under its own privacy policy. The table notes which role applies.
| Provider | Role |
|---|---|
| Vercel | Processor. Static site hosting and content delivery (CDN). See Vercel's privacy policy. |
| Supabase | Processor. Account authentication and the database that stores your email, account identifier, entitlement, and synced study progress. See Supabase's privacy policy. |
| Stripe | Processor for completing your purchase on our behalf, and an independent controller for payment processing, fraud prevention, and its own legal and regulatory duties. See Stripe's privacy policy. |
| Google | Independent controller for the "Sign in with Google" authentication flow, where you choose it, and for the data it processes about your Google account. See Google's privacy policy. |
We also use Google Search Console to help our pages appear in search results; this is for search indexing of the site rather than for tracking individual users.
International transfers
Some of our providers store or process data on servers outside the United Kingdom, including in the United States. These transfers do occur. Where personal data is transferred outside the UK, it is protected by an appropriate safeguard for each provider: for Stripe and Google we rely on the EU-US Data Privacy Framework and its UK Extension, where the provider is certified, backed by the EU Standard Contractual Clauses with the UK International Data Transfer Addendum; for Vercel and Supabase we rely on the EU Standard Contractual Clauses with the UK International Data Transfer Addendum, or the UK International Data Transfer Agreement. A copy of the relevant safeguards is available on request using the contact above.
How long we keep your data
We keep your account email and identifier, and your entitlement and synced progress, for as long as your account is active, so you keep access to what you purchased and your progress is preserved. We treat an account as inactive after three years with no sign-in, and we will delete an inactive account after that period unless you ask us to keep it. If you ask us to delete your account sooner, we will erase your account data, except where we need to keep limited records (for example, a basic record of your purchase) to meet legal, accounting, or tax obligations; in the UK we typically keep purchase and tax records for six years. Stripe retains its own payment records under its terms and legal duties. Signed-out study progress lives only in your browser and is removed when you clear your browser storage.
Your rights
Under UK GDPR you have the right to:
- Access - get a copy of the personal data we hold about you.
- Rectification - have inaccurate or incomplete data corrected.
- Erasure - ask us to delete your data, subject to any records we must keep by law.
- Restriction - ask us to limit how we use your data in certain circumstances.
- Portability - receive the data you gave us in a structured, commonly used, machine-readable format.
- Objection - object to processing we carry out on the basis of legitimate interests.
- Withdraw consent - where we rely on consent, withdraw it at any time, without affecting processing already carried out.
To exercise any of these rights, email hello@thesmios.com. We will respond within one month. We may extend this by up to two further months where a request is complex or where we receive a number of requests, in which case we will tell you within the first month and explain why. Exercising these rights is free; we may charge a reasonable fee, or decline to act, only where a request is manifestly unfounded or excessive, and we will explain our reasons if so.
Complaints
If you have a concern about how we handle your data, please contact us first at hello@thesmios.com so we can try to put it right. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk, or to your local supervisory authority in the EU where the EU GDPR applies to you.
Cookies and local storage
We use only essential cookies and browser local storage: specifically, an authentication session token to keep you signed in, and locally cached study progress. These are necessary for the site to work and for you to stay logged in. We do not use third-party advertising cookies, and we do not carry out cross-site tracking or behavioural profiling. Because this storage is strictly essential to providing the service you have asked for, it does not rely on consent. You can clear cookies and local storage in your browser at any time, though doing so will sign you out and remove locally cached progress.
Your purchase: cancellation, refunds, and digital-content rights
Unlocking a question bank is a purchase of digital content that is made available to you immediately. By completing the payment and unlocking the bank, you ask us to give you immediate access to the digital content and you acknowledge that you therefore lose the 14-day right to cancel that would otherwise apply under the Consumer Contracts (Information, Cancellation and Additional Charges) Regulations 2013. This means that, once you have unlocked a bank, you are not entitled to a refund simply for changing your mind.
This does not affect your statutory rights under the Consumer Rights Act 2015, which cannot be excluded. The digital content must be of satisfactory quality, fit for purpose, and as described. If it is not, you may be entitled to a repair, a replacement, or a refund as the law provides. The fuller purchase terms are set out in the Terms. To raise a quality issue or request a refund where you are entitled to one, email hello@thesmios.com.
No guarantee and use of the guides
The study guides and question banks are provided as study aids on an "as is" and "as available" basis, to the extent permitted by law and without affecting your statutory rights above. We do not guarantee that using them will result in passing any examination, and the content may contain inaccuracies or become out of date. The material is for study purposes only and is not legal advice. You use the guides at your own risk. Our full warranty disclaimer and the limitation of our liability are set out in the Terms and the Disclaimer. Those pages also carry our trademark attribution and confirm that these guides are independent and are not affiliated with, endorsed by, or sponsored by IAPP, PMI, ACAMS, or any other certification body; names and marks are used only to identify the relevant examinations.
Children
Our guides are aimed at people preparing for professional certifications and are not directed at children. As a policy choice we do not knowingly collect data from anyone under 16; this is a threshold we set ourselves and is stricter than the age of 13 set for information society services under the UK GDPR and the Data Protection Act 2018. If you believe a child has provided us with personal data, please contact us and we will delete it.
Changes to this notice
We may update this notice from time to time as the service or the law changes. The current version always appears on this page.
Last updated: 20 June 2026.