Privacy Policy

1. Introduction

This Privacy Policy explains how SCP 24 ("we", "us", "our"), operated from Ireland, collects, uses, and protects your personal data when you use our website at scp24.com (the "Service"). We are committed to protecting your privacy in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the Irish Data Protection Act 2018.

2. Data Controller

The data controller responsible for your personal data is SCP 24, based in Ireland. For any data protection queries, please contact us via the contact form on our website or email hatemabnoun@gmail.com.

3. Data We Collect

We collect the following categories of personal data:

• Account information: name, email address, and profile image (provided directly or via Google/Microsoft OAuth).
• Usage data: lesson progress, quiz scores, flashcard activity, and feature interactions to provide personalised learning insights.
• Payment data: processed entirely by Stripe. We do not store credit card numbers or bank details. We retain only a Stripe customer ID and payment status.
• Technical data: IP address, browser type, device information, and cookies necessary for authentication and site functionality.
• Contact form data: name, email, and message content when you contact us.

4. Legal Basis for Processing

We process your data under the following lawful bases (Article 6 GDPR):

• Contract performance: to provide the Service you signed up for, including account management and access to content.
• Legitimate interests: to improve the Service, analyse usage patterns, prevent fraud, and ensure security.
• Consent: where required, such as for optional marketing communications (which we do not currently send).
• Legal obligation: to comply with applicable laws, including Irish and EU regulations.

5. How We Use Your Data

• Providing and personalising the Service (progress tracking, spaced repetition scheduling).
• Processing payments via Stripe.
• Responding to support enquiries.
• Analysing aggregated, anonymised usage data to improve content and features.
• Ensuring the security and integrity of the Service.

6. Data Sharing

We do not sell your personal data. We share data only with:

• Stripe: payment processing (see Stripe's Privacy Policy).
• Vercel: hosting and infrastructure (see Vercel's Privacy Policy).
• Authentication providers: Google and Microsoft, only for OAuth sign-in.
• Resend: transactional email delivery (see Resend's Privacy Policy).

7. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where retention is required by law. Anonymised, aggregated analytics data may be retained indefinitely.

8. Your Rights (GDPR)

Under the GDPR, you have the right to:

• Access your personal data.
• Rectify inaccurate or incomplete data.
• Erase your data ("right to be forgotten").
• Restrict processing in certain circumstances.
• Data portability — receive your data in a structured, machine-readable format.
• Object to processing based on legitimate interests.
• Withdraw consent at any time where processing is based on consent.

To exercise any of these rights, contact us via the contact form or email. We will respond within 30 days as required by the GDPR.

9. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising or tracking cookies. No cookie consent banner is required for strictly necessary cookies under EU ePrivacy rules.

10. International Transfers

Your data may be processed by our service providers (Vercel, Stripe) in the United States. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, and/or the EU-US Data Privacy Framework where applicable.

11. Data Security

We implement appropriate technical and organisational measures to protect your data, including encrypted connections (TLS/HTTPS), secure authentication protocols (OAuth 2.0, bcrypt password hashing), and access controls. No method of transmission over the internet is 100% secure, but we strive to use commercially acceptable means to protect your data.

12. Children

The Service is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete it promptly.

13. Supervisory Authority

If you believe we have not handled your data appropriately, you have the right to lodge a complaint with the Irish Data Protection Commission (DPC):

Data Protection Commission
21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland
Website: www.dataprotection.ie

14. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email or via the Service. The "Last updated" date at the top reflects the most recent revision.