LexPrepBack to home

Privacy Policy

Last updated: 29 March 2026

LexPrep ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and safeguard information when you use the LexPrep SQE1 revision and practice platform (the "Service"). Please read this policy carefully alongside our Terms & Conditions.

1. Who We Are

LexPrep is an online SQE1 preparation platform. For the purposes of UK data protection law, LexPrep is the data controller responsible for your personal data. If you have questions about this policy or wish to exercise your rights, please contact us at [email protected].

2. Data We Collect

We collect the following categories of personal data:

CategoryExamplesPurpose
Account dataName, email address, OAuth identifierAccount creation and authentication
Usage dataQuestions answered, scores, study sessions, SRS card statesPersonalising your spaced repetition schedule and analytics
Payment dataSubscription status, billing period (card details held by Stripe)Processing subscription payments
Technical dataIP address, browser type, device type, session cookiesSecurity, fraud prevention, and service improvement

3. Legal Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

  • Contract performance — to provide you with the Service you have subscribed to.
  • Legitimate interests — to improve the platform, prevent fraud, and ensure security.
  • Legal obligation — where required by applicable law (e.g. tax and financial records).
  • Consent — for optional communications such as marketing emails (you may withdraw consent at any time).

4. How We Use Your Data

  • To create and manage your account.
  • To provide, personalise, and improve the Service, including the SM-2 spaced repetition algorithm.
  • To process subscription payments via our payment processor, Stripe.
  • To send transactional emails (e.g. subscription confirmations, password resets).
  • To send marketing communications where you have opted in.
  • To detect and prevent fraud, abuse, and security incidents.
  • To comply with legal and regulatory obligations.

5. Sharing Your Data

We do not sell your personal data. We share data only with:

  • Stripe — our payment processor. Stripe processes card data under its own privacy policy and PCI-DSS compliance programme.
  • Cloud infrastructure providers — for hosting and database services, operating under data processing agreements.
  • Law enforcement or regulators — where required by law or to protect the rights and safety of users.

6. Data Retention

We retain your account data and study history for as long as your account is active. If you close your account, we will delete your personal data within 30 days, except where we are required to retain it for legal or regulatory purposes (e.g. financial records, which are retained for 6 years under UK tax law).

7. Your Rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data ("right to be forgotten"), subject to legal obligations.
  • Restriction — ask us to restrict processing in certain circumstances.
  • Portability — receive your data in a structured, machine-readable format.
  • Object — object to processing based on legitimate interests or for direct marketing.
  • Withdraw consent — where processing is based on consent, withdraw it at any time.

To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Cookies

We use cookies and similar technologies to operate the Service. Please see our Cookie Policy for full details, including how to manage your preferences.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include encrypted data transmission (TLS), hashed credentials, and access controls. No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.

10. International Transfers

Your data is processed primarily in the United Kingdom and the European Economic Area. Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses) in accordance with UK GDPR requirements.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a prominent notice on the Service. Continued use of the Service after changes take effect constitutes your acceptance of the revised policy.

12. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us at:
[email protected]