This page mirrors the in-app Privacy Policy. It is provided for general information and is not legal advice.
This Privacy Policy explains how StudyRise ("we", "us", "our") collects, uses, shares, and protects your personal data when you use the StudyRise study planning application at https://studyrise.app (the "Service"). It also describes your rights and how to exercise them.
StudyRise is currently operated as a personal project by the individual developer trading as "StudyRise"; the operating entity may change in the future, and this Policy will continue to apply to the Service. By using the Service you acknowledge the practices described here. If you do not agree, please do not use the Service.
1. Who is the data controller
For the purposes of the EU and UK General Data Protection Regulation (GDPR / UK GDPR) and similar laws, StudyRise is the data controller for the personal data described in this Policy. Because StudyRise is operated as a personal project rather than through a formal company, you can reach the person responsible for data protection — our acting Data Protection contact — at hello@studyrise.app.
2. What data we collect
We collect the following categories of personal data:
Account data
- Email address
- Phone number (stored in E.164 format with a country code; defaults to Bangladesh +880)
- Display name
- Optional avatar / profile photo (stored in Supabase Storage)
Authentication data
- Password (stored only as a secure hash by Supabase Auth — we never see your plaintext password)
- Google OAuth identifiers and tokens, if you sign in with Google
- Session tokens
Study data
- Exam type and target date
- Study plan, phases, subjects, and tasks
- Daily study log and completion status
- Practice question logs and mock exam scores (including subject-level breakdowns)
- Spaced-repetition (SR) records and review history
- Mistake logs and correction notes
- For university users: terms, units, assessments, classes, attendance, study sessions, and grades
Preferences
- App settings and schedule templates
- Optional prayer times, gym, and commute (CD-path) schedules
- Notification and display preferences
Consent records
- Terms of Service version accepted and timestamp
- Privacy Policy version accepted and timestamp
- Marketing-communications consent
- Cookie preferences
Technical data
- IP address and approximate location derived from it
- Browser type, device, and operating-system information (collected via Supabase and Vercel)
- Failed login attempts and basic security logs
- Usage and diagnostic information
Payment data (future)
- When paid subscriptions are activated, payment information will be processed by bKash and/or Nagad. We do not store full payment-instrument details — these are handled by the payment processors under their own privacy policies.
3. How we collect it
We collect data: (a) directly from you when you register, complete your profile, and use the Service; (b) automatically as you interact with the Service (technical and usage data); and (c) from third parties such as Google when you choose to sign in with them.
4. Legal bases for processing (GDPR Article 6)
Where the GDPR or UK GDPR applies, we rely on the following legal bases:
- Performance of a contract (Art. 6(1)(b)) — to create and operate your account and provide the features you request (the core of the Service).
- Consent (Art. 6(1)(a)) — for optional marketing emails, non-essential cookies, the AI Study Advisor where you choose to use it, and any optional data you provide (such as prayer times). You may withdraw consent at any time.
- Legitimate interests (Art. 6(1)(f)) — to secure the Service, prevent fraud and abuse, maintain logs, and improve the product, balanced against your rights.
- Legal obligation (Art. 6(1)(c)) — to comply with applicable laws, including retention of certain records.
5. How we use your data
We use your data to:
- Create, authenticate, and maintain your account.
- Provide and personalise the Service — generate your study plan and daily schedule, compute analytics, schedule spaced-repetition reviews, and track your progress.
- Operate the optional AI Study Advisor (see Section 7).
- Communicate with you about the Service (transactional emails such as verification, password reset, and important notices), and — only with your consent — product updates and study tips.
- Maintain security: detect, prevent, and respond to fraud, abuse, and unauthorised access (including failed-login monitoring).
- Comply with legal obligations and enforce our Terms of Service.
- Improve and develop the Service.
We do not sell your personal data.
6. Who we share data with
We share data only as necessary to run the Service, with the following third-party processors and service providers. Each operates under its own privacy policy:
- Supabase Inc. — authentication, PostgreSQL database, and file storage (avatars). Privacy: https://supabase.com/privacy
- Vercel Inc. — application hosting, edge/serverless functions, and analytics. Privacy: https://vercel.com/legal/privacy-policy
- Google LLC — Google OAuth sign-in and reCAPTCHA bot protection. Privacy: https://policies.google.com/privacy
- OpenAI L.L.C. — powers the AI Study Advisor; receives anonymised/summarised study data when you use that feature. Privacy: https://openai.com/policies/privacy-policy
- Resend Inc. (or our current transactional email provider) — sending transactional emails. Privacy: https://resend.com/legal/privacy-policy
- SMS OTP provider (future) — phone verification, when activated. The provider's privacy policy will apply at that time.
- bKash Limited and Nagad Limited (future) — payment processing for users in Bangladesh, when paid subscriptions are activated.
We may also disclose data where required by law, to enforce our Terms, to protect the rights, safety, or property of StudyRise or others, or in connection with a transfer of the Service to a successor operating entity (in which case this Policy continues to apply).
7. AI Study Advisor
When you use the AI Study Advisor, a summarised view of your study data (such as task progress, days to exam, SR status, and question statistics) is sent to OpenAI to generate suggestions. We aim to limit this to what is needed for the feature and to avoid sending directly identifying information beyond what is necessary. The AI Study Advisor is optional — if you do not use it, no data is sent to OpenAI. Its output is AI-generated and is not professional or medical advice.
8. International data transfers
StudyRise relies on infrastructure providers (Supabase, Vercel, OpenAI, Google) that may store and process data on servers located in the United States, the European Union, or other regions. Where data is transferred outside your country — including from the EU/UK to the United States — we rely on appropriate safeguards offered by these providers, such as Standard Contractual Clauses and equivalent transfer mechanisms, as described in their respective privacy policies.
9. How long we keep your data (retention)
- Account and study data — retained for as long as your account is active. When you delete your account, your associated data is deleted (cascaded across the database), subject to short-lived backups and any records we must keep by law.
- Server and diagnostic logs — retained for approximately 90 days.
- Failed login records — retained for approximately 30 days for security purposes.
- Consent records — retained for as long as needed to demonstrate compliance, even after account deletion where the law requires us to keep proof of consent.
10. Your rights
Depending on where you live, you have some or all of the following rights:
- Access — obtain a copy of your data. You can export your data yourself at any time via Settings → Danger Zone / Import-Export (JSON export).
- Rectification / correction — correct inaccurate data via Profile and Settings.
- Erasure / deletion — delete your account and associated data via Settings → Danger Zone.
- Portability — receive your data in a structured, machine-readable format (the JSON export).
- Restriction and objection — restrict or object to certain processing.
- Withdraw consent — withdraw consent for optional processing (marketing, non-essential cookies, AI Study Advisor) at any time, without affecting the lawfulness of prior processing.
- Lodge a complaint — complain to your local data-protection or supervisory authority (for example, the UK ICO, an EU member-state authority, or the relevant authority in your country).
For California residents (CCPA/CPRA): you have the right to know what personal information we collect, to access and delete it, to correct it, and to opt out of the "sale" or "sharing" of personal information. StudyRise does not sell your personal information. You will not be discriminated against for exercising your rights.
To exercise any right, contact hello@studyrise.app. We will respond within the timeframe required by applicable law. We may need to verify your identity before acting on a request.
11. Cookies and tracking
We use cookies and similar technologies in three categories:
- Essential — required for the Service to function (for example, keeping you signed in and storing security and session state). These are always on.
- Analytics — help us understand how the Service is used so we can improve it. Opt-in.
- Marketing — used to measure and improve any promotional communications. Opt-in.
You can set your preferences through the cookie-consent banner and change them at any time. Some session state and preferences are stored in your browser's local storage (for example, your timer state and AI-advisor cache); these are essential to the features you use.
12. Security
We take reasonable technical and organisational measures to protect your data, including encryption in transit, row-level security on the database so that you can only access your own records, hashed password storage handled by Supabase Auth, and security monitoring such as failed-login tracking and (when enabled) bot protection and rate limiting. No method of transmission or storage is completely secure, however, and we cannot guarantee absolute security. Please protect your credentials and notify us at hello@studyrise.app of any suspected compromise.
13. Children's privacy
The Service is intended for users aged 13 and over, with parental or guardian consent required for users under the age of majority (and under any higher digital-consent age that applies, such as 16 in parts of the EU). The Service is not directed at children under 13, and we do not knowingly collect their data. If we learn we have collected personal data from a child under 13, we will delete it. See Section 3 of the Terms of Service for the full age policy.
14. Compliance across jurisdictions
We aim to comply with the data-protection laws applicable to our users, including:
- Bangladesh — the Digital Security Act 2018 and the developing Data Protection framework.
- European Union / United Kingdom — the GDPR and UK GDPR (relevant to many PLAB and other candidates).
- California, USA — the CCPA as amended by the CPRA (relevant to many USMLE candidates).
- Australia — the Privacy Act 1988 (relevant to AMC MCQ candidates).
Where these laws grant you rights beyond those described above, we will honour them.
15. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the version number and effective date and, where the change is significant, prompt you to re-accept the updated Policy the next time you use the Service. A summary of changes is recorded in the Changelog at the end of this document. Your continued use after the updated Policy takes effect constitutes acceptance.
16. Contact
Questions, requests, or complaints about this Policy or your data? Contact our acting Data Protection contact at hello@studyrise.app.
Changelog
- Version 1.0.0 — 13 June 2026: Initial publication of the Privacy Policy.
Last updated 13 June 2026 · Version 1.0.0