Rp
Get started

Privacy Policy

Last updated: 22 April 2026

1. Who we are

PreReg Pro is operated by MOVING HIGHER LTD, registered in England and Wales under company number 13247726(“we”, “us”, “our”). We are the data controller for the personal data we process about you.

We are registered with the Information Commissioner's Office (ICO) under registration reference [ICO registration number — to be added prior to launch].

Contact our data protection point of contact at: privacy@preregpro.co.uk

2. What data we collect

Account and profile data

  • Full name and email address (provided at registration)
  • Your role on the platform (candidate, tutor, or admin)
  • Optional: target exam date, university or employer

Study and performance data

  • Questions you have attempted and your answers
  • Session results, time taken, and correct/incorrect counts
  • Mastery scores computed per clinical area and calculation type
  • Revision plan data generated from your exam date and performance

Payment data

  • Subscription tier and status
  • Stripe customer ID (a reference, not card details)
  • Payment history (available in your Stripe-hosted portal)

Card details are processed and stored exclusively by Stripe, Inc. We never see or store your full card number, CVV, or expiry date.

Technical and usage data

  • IP address, browser type, and device type (via Firebase / Vercel hosting logs)
  • Pages visited and features used
  • Authentication tokens (stored in secure browser session storage)

3. Lawful basis for processing

We rely on the following lawful bases under UK GDPR:

  • Contract performance — to create and manage your account, provide access to the platform, and process subscription payments.
  • Legitimate interests — to improve the platform, detect fraud and misuse, and maintain security. We have assessed that our legitimate interests do not override your rights.
  • Legal obligation — to comply with financial record-keeping requirements and respond to lawful requests from regulators.
  • Consent — for any optional communications such as marketing emails (you can withdraw consent at any time).

4. How we use your data

  • Providing and personalising your learning experience
  • Running the adaptive question selection engine
  • Generating your revision plan
  • Processing subscription payments and managing billing
  • Sending service emails (receipts, password resets, platform notices)
  • Detecting and preventing fraud and unauthorised access
  • Aggregated, anonymised analytics to improve platform quality

5. Third-party processors

We share data only with trusted third parties who process it on our behalf under data processing agreements. Our key processors are:

ProcessorPurposeLocation
Google Firebase (Firestore, Auth)Database, authentication, hostingEU / US (SCCs in place)
Vercel Inc.Web hosting and edge deliveryEU / US (SCCs in place)
Stripe Inc.Payment processingEU / US (SCCs in place)
Anthropic PBCAI-assisted question generation (tutor tool only)US (SCCs in place)

SCCs = Standard Contractual Clauses approved by the UK ICO for international transfers.

We do not sell your personal data to any third party.

6. Data retention

  • Account data — retained for as long as your account is active, plus up to 7 years after closure for legal and financial compliance.
  • Study and performance data — retained for the life of your account. You can request deletion at any time (see section 7).
  • Payment records — retained for 7 years as required by HMRC.
  • Server logs — retained for up to 90 days.

7. Your rights

Under UK GDPR you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — ask us to correct inaccurate or incomplete data.
  • Erasure — ask us to delete your data where we no longer have a lawful basis to hold it (“right to be forgotten”).
  • Restriction — ask us to limit processing while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, email privacy@preregpro.co.uk. We will respond within one calendar month. We may need to verify your identity before processing your request.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.

8. Security

We take reasonable technical and organisational measures to protect your personal data, including encryption in transit (TLS), Firebase security rules enforcing role-based access, and Stripe's PCI-DSS compliant payment handling. No method of transmission over the internet is 100% secure; we cannot guarantee absolute security.

9. Cookies

We use the following cookies and similar technologies:

CookieTypePurpose
firebase-auth-tokenStrictly necessaryKeeps you signed in to your account
__stripe_mid / __stripe_sidStrictly necessaryFraud prevention during payment (set by Stripe)

We do not use advertising or tracking cookies. Strictly necessary cookies cannot be disabled as they are required for the platform to function.

10. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 14 days before they take effect. The “Last updated” date at the top of this page shows when the policy was last revised.

11. Contact us

For any privacy-related questions or to exercise your rights, contact us at privacy@preregpro.co.uk or by post at:

Data Protection
PreReg Pro
Unit W34, Grove Business Centre
560–568 High Road, Tottenham
London, N17 9TA
United Kingdom