Privacy Policy
Last updated: 1 June 2026
Who we are
Steel Learning is operated as a sole trader business based in the United Kingdom. Contact: info@steellearning.com
Data we collect
- Email address — collected at sign-up via Supabase Auth
- Subscription status and plan tier — stored in our database
- Stripe customer ID — stored when you subscribe, used to manage billing
- Learning progress — which modules you have completed, stored in our database
- Feedback submissions — message, optional email, and category submitted via the feedback form; sent to our support inbox and not stored in our database
- Anonymised usage analytics — page views and behavioural events (e.g. upgrade button clicks) via Vercel Analytics (no cookies, no PII)
- Analytics cookies — pseudonymous identifiers, session data, and device/browser information via Google Analytics 4, set only with your consent
We do not collect names, addresses, or payment card details. Card data is handled entirely by Stripe.
How we use your data
- To provide and manage your account
- To process subscription payments via Stripe
- To send transactional emails (account confirmation, password reset) via Supabase
- To understand aggregate usage patterns and improve the platform
We do not sell your data. We do not send marketing emails without your explicit consent.
Legal basis for processing (UK GDPR)
- Contract performance — processing your email and subscription data to deliver the service you signed up for
- Legitimate interests — anonymised, cookieless analytics via Vercel Analytics to improve the platform
- Consent — Google Analytics 4 cookies, set only if you accept via the cookie banner
Third parties
- Supabase — database and authentication, hosted in the EU (Ireland). Privacy policy. Data Processing Agreement in place.
- Stripe — payment processing, operated from the United States. Data is transferred under Standard Contractual Clauses. Privacy policy. Data Processing Agreement in place.
- Vercel — hosting and privacy-friendly analytics (cookieless, no PII), operated from the United States. Data is transferred under Standard Contractual Clauses. Privacy policy. Data Processing Agreement in place.
- Resend — transactional email delivery (feedback form submissions and account emails), operated from the United States. Data is transferred under Standard Contractual Clauses. Privacy policy. Data Processing Agreement in place.
- Google Analytics — analytics (only if you consent), operated by Google LLC from the United States. Data is transferred under Standard Contractual Clauses. Data retention is set to 2 months. IP addresses are anonymised by default. Privacy policy. Data Processing Agreement in place.
Data retention
We retain your account data for as long as your account is active. If you delete your account, your email and subscription records are deleted within 30 days. Stripe retains payment records as required by financial regulations.
Data breach notification
In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay, as required under UK GDPR Articles 33–34.
Your rights
Under UK GDPR you have the right to: access your data, correct inaccurate data, request deletion (right to erasure), and data portability. To exercise any of these rights, email info@steellearning.com. We will respond to all rights requests within one calendar month, as required by UK GDPR.
ICO registration
We are registered with the UK Information Commissioner's Office (ICO). Registration number: ZC151824.
Changes to this policy
We will notify you by email of any material changes to this policy before they take effect.