Privacy Policy

Last updated: November 9 2025

Controller:
SubSchool LTD
2nd Floor College House, 17 King Edwards Road,
RUISLIP, London, UK
Email: maksim@subschool.us

This Privacy Policy explains how we collect, use and protect your personal data when you use the 10kQ mobile applications, website and related services (together, the “Service”).

By using the Service, you acknowledge that you have read this Policy. If you do not agree, you should not use the Service.

1. Who we are

SubSchool LTD (“we”, “us”, “our”) is the controller of your personal data for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We do not currently appoint a separate Data Protection Officer, but you can contact us about privacy matters at maksim@subschool.us.

2. What data we collect

2.1. Data you provide to us

• Account data
  Email address or other identifier, password or authentication token (e.g. Apple/Google sign-in), language preference.
• Journal entries and answers
  Your daily answers to questions, notes, tags, uploaded or dictated text, and any other content you enter in the app. This may include sensitive information (e.g. about health, emotions, beliefs) if you choose to write about it.
• Support and communication data
  Messages you send to us (email, feedback forms, bug reports), and the information you provide when you request help or exercise your privacy rights.

2.2. Data we collect automatically

• Device and usage data
  Device model, operating system, app version, anonymised identifiers, time of access, in-app events (for example, that you completed a day’s questions), crash logs, and similar technical data.
• Analytics data
  Aggregated statistics on how features are used (for example, how often users view summaries or export data). When possible, we use this data in de-identified or pseudonymised form.

2.3. Data from third parties

• App stores (Apple App Store, Google Play) – basic transaction information, subscription status and anonymised identifiers. We do not receive your full payment card data.
• Authentication providers – if you log in with Apple, Google or similar, they send us a unique identifier and basic profile information you choose to share (e.g. name, email).

3. Purposes and legal bases

We process your data for the following purposes and under these legal bases:

1. To provide and maintain the Service
   • Creating and managing your account, saving entries, generating summaries, enabling export.
   • Legal basis: performance of a contract (UK GDPR Art. 6(1)(b)).
2. To improve and develop the Service
   • Analysing how features are used, fixing bugs, optimising user experience, developing new features (including AI-based ones).
   • Legal basis: our legitimate interests in improving the Service (Art. 6(1)(f)). Where possible, we use aggregated or de-identified data.
3. To communicate with you
   • Responding to support requests, sending service messages (e.g. changes to Terms, security notices).
   • Legal basis: performance of contract and legitimate interests (Art. 6(1)(b), 6(1)(f)).
4. Optional notifications and tips
   • Reminders to answer daily questions, optional product tips or updates.
   • Legal basis: consent where required (Art. 6(1)(a)). You can manage notifications in the app or your device settings.
5. Security and fraud prevention
   • Detecting abuse, protecting against attacks, enforcing our Terms of Use.
   • Legal basis: legitimate interests (Art. 6(1)(f)); legal obligations where applicable (Art. 6(1)(c)).
6. Compliance with law and requests from authorities
   • Keeping necessary records, responding to lawful requests.
   • Legal basis: compliance with legal obligations (Art. 6(1)(c)).

Special category data (sensitive data)

We do not require you to enter special category data (e.g. health, religion, sexual orientation). However, you may choose to write about such topics in your entries.

In that case, we process this data only to provide the journaling and summarising functionality you requested. By voluntarily entering such information, you give us your explicit consent to process it for these purposes (Art. 9(2)(a) UK GDPR). You can delete specific entries or your entire account at any time.

If you do not want us to process such information, please avoid including it in your entries.

4. AI-related processing

Some features may use AI models (for example, suggesting questions, assisting with summaries or generating insights). When we use AI:

• your content may be sent to an AI service provider under strict contractual safeguards;
• we do not use your identifiable journal content to train public or third-party models that are not under our control;
• if in the future we offer training of a personal “digital twin” model, this will be an opt-in feature with separate information and consent.

We do not engage in automated decision-making that produces legal or similarly significant effects about you.

5. How we share your data

We do not sell your personal data.

We may share your data with:

• Service providers (processors)
  Cloud hosting, database, analytics, logging and crash reporting, email providers, customer support tools, AI model providers. They process data on our instructions and under data protection agreements.
• Payment and distribution platforms
  Apple, Google and other platforms that handle billing and distribution of the app. They are separate controllers for their processing.
• Professional advisers
  Lawyers, auditors and similar, where necessary to protect our legitimate interests and comply with law.
• Authorities and legal requests
  Where we are legally required to do so, e.g. by court order or to protect rights, property or safety.

If we are involved in a merger, acquisition or asset sale, your data may be transferred as part of that transaction, subject to confidentiality and continued protection.

6. International transfers

We are based in the UK. Some of our service providers may be located outside the UK and the European Economic Area (EEA).

Where personal data is transferred outside the UK/EEA, we will ensure appropriate safeguards are in place, such as:

• adequacy regulations by the UK government, or
• standard contractual clauses / international data transfer agreements approved by regulators.

You can contact us for more information about specific transfers.

7. Data retention

We keep your personal data only as long as necessary for the purposes described in this Policy:

• Account and journal data – for as long as your account is active, until you delete entries or request deletion of your account.
• Backup copies – for a limited period according to our backup cycles.
• Transaction and billing data – generally up to 6 years to comply with accounting and tax obligations.
• Logs and technical records – typically from a few weeks to 12 months, unless longer retention is needed for security or legal reasons.

When data is no longer needed, we delete it or irreversibly anonymise it.

8. Security

We use appropriate technical and organisational measures to protect your data, including encryption in transit, access control, and monitoring. However, no system is completely secure, and we cannot guarantee absolute security.

You are responsible for keeping your password and devices secure.

9. Your rights

Under UK data protection law, you have the following rights (subject to legal conditions):

• Right of access – to obtain a copy of your personal data.
• Right to rectification – to correct inaccurate or incomplete data.
• Right to erasure – to ask us to delete your data, for example when it is no longer needed.
• Right to restriction – to request we limit processing in certain cases.
• Right to data portability – to receive certain data in a structured, machine-readable format.
• Right to object – to object to processing based on our legitimate interests or for direct marketing.
• Right to withdraw consent – where processing is based on consent, you can withdraw it at any time.

You can exercise many of these rights directly in the app (export, deletion of entries, account deletion). You can also contact us at maksim@subschool.us.

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) or your local data protection authority.

10. Children

The Service is not intended for children under 16. We do not knowingly collect personal data from children under this age. If you believe a child has provided us with personal data, contact us and we will take appropriate steps.

11. Third-party links

The Service may contain links to third-party websites or services (for example, research articles, app stores). We are not responsible for their privacy practices. We encourage you to read their privacy policies.

12. Changes to this Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you in the app or by other reasonable means. The “Last updated” date at the top indicates the latest version. Continued use of the Service after changes take effect means you accept the updated Policy.

13. Contact

For questions or requests regarding this Policy or your data, contact:

SubSchool LTD
2nd Floor College House, 17 King Edwards Road,
RUISLIP, London, UK
Email: maksim@subschool.us