Privacy notice

Last updated: 16 April 2026

This notice explains what personal data we collect when you use Quava, why we collect it, who we share it with, and the rights you have under UK data protection law.

1. Who we are

Quava is a trading name of Index Education Limited, a company registered in England and Wales (company number 16454016), with its registered office at 58 Chaucer Road, London SE24 0NU, United Kingdom.

Index Education Limited is the data controller for the personal data processed through Quava. You can contact us about this notice at team@quava.app.

We have not appointed a Data Protection Officer, as our processing does not require one under Article 37 of the UK GDPR.

2. Who this notice applies to

Quava is offered to users in the United Kingdom only. You must be 18 or older to create an account. We do not knowingly collect personal data from anyone under 18.

3. What personal data we collect and why

We only collect personal data you give us when you create and use your account. In plain terms, that is:

• Account information. Your email address and, where you provide it or your sign-in provider supplies it, your name. Used to create your account, authenticate you, and contact you about your account (password resets, security notices, service changes).
• Authentication credentials. If you sign in with a password, a hashed version of that password is stored on our behalf by our authentication provider (see Section 5). If you sign in with Google, we receive the profile information Google provides (typically your email address, name, and profile image URL).
• Billing information. Where you take a paid subscription, your Stripe customer identifier, subscription status, billing country, and VAT status. We do not see or store your full card number — Stripe handles that directly.
• Study and usage data. Your answers to multiple-choice questions, flashcard self-ratings, progress through revision guides, and edits you make to your own notes. Used to provide the core study features and show you your progress.
• AI assistant (“Plato”) usage metadata. When you use Plato, we store a record of which AI model was used, the number of tokens consumed, and the time of the request. We do not store the content of your prompts or the AI’s responses. Prompts are sent to the AI provider in real time to generate a response and are not retained on our servers after the response is returned.
• Technical data. Your IP address, browser type and version, device type, approximate location derived from IP, and diagnostic information if an error occurs. Used to keep the service secure, rate-limit abuse, protect against bots, and debug problems.
• Cookies and similar technologies. See Section 8.

4. Our lawful bases for processing

Under the UK GDPR we must have a lawful basis for each purpose for which we use your personal data. Ours are:

• Contract (Art. 6(1)(b)) — creating and administering your account, providing the study features you pay for or access under a free tier, processing your payments, and dealing with your support queries.
• Legitimate interests (Art. 6(1)(f)) — keeping the service secure, preventing fraud and abuse, rate-limiting, bot protection, diagnosing errors, and understanding how the product is used in aggregate so we can improve it. Our interests are balanced against your rights; you can object to processing on this basis using the contact details above.
• Legal obligation (Art. 6(1)(c)) — retaining records we are required by law to keep (for example, tax and accounting records related to billing).

We do not rely on consent for any of the above, and we do not process special-category data (health, religion, biometrics, and so on). We do not send marketing emails; all emails you receive from us are transactional (account, security, billing, or service notices).

5. Who we share your data with

We use a small number of third-party providers to run Quava. Each processes your personal data only on our instructions and under a written data-processing agreement. They are:

• Supabase (Supabase, Inc., United States) — authentication, database, and file storage.
• Vercel (Vercel, Inc., United States) — application hosting, content delivery, and performance monitoring (Vercel Speed Insights).
• Stripe (Stripe Payments Europe, Ltd., Ireland, and Stripe, Inc., United States) — payment processing and subscription management.
• OpenAI (OpenAI, L.L.C., United States) and Anthropic (Anthropic, PBC, United States) — AI model providers for the Plato assistant. Your prompts are sent to one of these providers at the time you send a message. We have API-level agreements with each that prohibit use of your prompts or the AI’s responses to train their models.
• Upstash (Upstash, Inc., United States) — short-lived rate-limit and abuse-prevention data.
• Resend (Resend, Inc., United States) — sending transactional emails (password resets, account notices).
• Sentry (Functional Software, Inc. dba Sentry, United States) — error and performance diagnostics.
• Cloudflare (Cloudflare, Inc., United States) — bot protection (Turnstile) at sign-in and signup.
• Google (Google LLC, United States) — only if you choose to sign in with Google.

We do not sell your personal data. We do not share it with advertisers, data brokers, resellers, or affiliates. We may share data with our professional advisers (lawyers, accountants, auditors) where necessary, and with law-enforcement or regulatory authorities where we are legally required to do so.

6. International transfers

Most of our providers listed above are based in the United States. When we transfer your personal data to a country outside the UK, we rely on one of the following safeguards recognised under UK data protection law:

• the UK Extension to the EU–US Data Privacy Framework, where the recipient is certified under that framework; or
• the International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, where the recipient is not so certified.

You can ask us for a copy of the safeguard that applies to a specific transfer by writing to the contact address above.

7. How long we keep your data

• Account data — kept for as long as your account is active. If you ask us to delete your account, we delete it within 7 days, except for data we must keep for legal reasons (see below).
• Billing and payment records — retained for seven (7) years after the end of the tax year in which the transaction occurred, to comply with UK tax and accounting law.
• Plato prompts and AI responses — not stored. Usage metadata (model, token counts, timestamps) is retained while your account is active.
• Error and diagnostic logs — retained for up to 90 days.
• Rate-limit records — retained for minutes to hours, as required by the specific limit.

8. Cookies and similar technologies

We use only strictly necessary cookies. We do not use any advertising, marketing, analytics, or tracking cookies, and we do not display a cookie banner because no consent is required for the cookies we use. The cookies we set are:

• Authentication cookies (set by our authentication provider) — keep you signed in and protect against cross-site request forgery. Essential.
• Site-access and beta-access cookies — record that you have entered a valid site-gate or beta-access password. Essential.
• Theme preference cookie — records your light/dark mode choice.

9. Your rights

Under the UK GDPR you have the following rights in relation to your personal data:

• Access — ask for a copy of the personal data we hold about you.
• Rectification — ask us to correct data that is inaccurate or incomplete.
• Erasure — ask us to delete your personal data.
• Restriction — ask us to limit how we use your data.
• Objection — object to processing based on our legitimate interests.
• Portability — ask us to send your data to you, or to another provider, in a structured, commonly used, machine-readable format.

To exercise any of these rights, email team@quava.app. We will respond without undue delay and in any event within one month, as required by the UK GDPR. There is no charge for a request unless it is manifestly unfounded or excessive.

10. Automated decision-making

We do not make decisions that produce legal or similarly significant effects about you using automated processing (within the meaning of Article 22 of the UK GDPR).

11. Security

We take appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, or alteration, including encryption in transit, encryption at rest for credentials and sensitive fields, role-based database access, and routine review of our providers’ security posture. No online service can be guaranteed secure; if we become aware of a personal data breach affecting you we will notify you and the ICO as required by law.

12. Changes to this notice

We may update this notice from time to time. When we do, we will change the “Last updated” date at the top. If the changes are material, we will also notify you by email.

13. How to complain

If you have a concern about how we handle your personal data, please contact us first at team@quava.app and we will try to resolve it. If you remain unhappy, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK regulator for data protection: