Privacy Policy — Custom Backup

This Privacy Policy explains how Custom Backup ("CB", "we", "our", or "us") collects, uses, and protects your personal information.

We are committed to protecting your privacy and complying with applicable data protection laws, including the UK GDPR and the Data Protection Act 2018.

Custom Backup is an online learning platform operated by:

Not applicable for v0.9. When paid plans are introduced, payments will be handled securely by a trusted provider (e.g. Stripe). This section will be updated at that time.

We use your information to:

• Provide and improve our services.
• Power memory algorithms (SM-2+), Backup Blocks (progress tracker), and AI features.
• Communicate with you about updates or support.
• Ensure compliance with our Terms of Service.

We process your data under the following legal bases:

• Contract → to deliver the CB service you signed up for.
• Consent → for optional communications (e.g. newsletters).
• Legal obligation → to comply with applicable UK law.
• Legitimate interests → to improve platform security and performance.

We do not sell your personal data.

We may share data with trusted third-party providers:

• Supabase → authentication and database hosting.
• Cloudinary → image/media hosting.
• OpenAI → AI-powered features.
• SendGrid → transactional email delivery.

When payment functionality is introduced, we will add details of the provider (e.g. Stripe).

All providers are contractually required to handle your data securely and in compliance with GDPR.

Some of our service providers may process data outside the UK.

To ensure your data is protected, we use the following safeguards:

• Supabase → We have executed and signed a Data Processing Agreement (DPA) with Supabase, covering authentication and database hosting.
• Cloudinary → We rely on Cloudinary's standard DPA, which governs image and media hosting.
• OpenAI → We rely on OpenAI's standard Data Processing Addendum, which applies to AI feature usage.
• SendGrid (Twilio SendGrid) → We rely on SendGrid's standard DPA, which governs transactional email delivery.

These agreements and safeguards ensure that each provider processes data securely and in compliance with UK GDPR.

• Account data → retained while you have an active account.
• Deleted accounts → anonymised or removed within 30 days.
• Payment data → not collected in v0.9. Will be retained per law once payments are introduced.

Under UK GDPR, you have the right to:

• Access your personal data — request a copy of the information we hold about you.
• Data Portability — receive certain data you have provided to us (such as account details, study content you create, and usage history) in a structured, commonly used, machine-readable format (JSON/CSV). On request, we can provide this via a secure, expiring download link.
• Rectification and Erasure — request correction of inaccurate data or deletion of your data, subject to our legal obligations.
• Restriction and Objection — restrict or object to certain types of processing.
• Withdraw Consent — withdraw consent where processing is based on consent.

To exercise any of these rights, contact us at privacy@mycustombackup.com. We may ask you to verify your identity before fulfilling your request.

We will respond within one month of receiving your request, in accordance with UK GDPR. In complex cases, this period may be extended by up to two additional months, but we will notify you if this applies.

You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) if you believe your rights have been infringed.

You may delete your Custom Backup account at any time. Deleting your account permanently removes your personal data from our systems, including login credentials and stored study progress.

Content you have published (such as Custom Steps (study sets) shared under a licence) may remain available to other users.

We take reasonable measures to protect your information, including encryption, access controls, and secure hosting.

However, no system is 100% secure, and we cannot guarantee absolute security.

CB is not directed at children under 13.

Users aged 13–17 must have parental/guardian consent to use the service.

We may update this Privacy Policy periodically. Updates will be posted on this page with a new "Effective Date."

Continued use of CB after changes means acceptance of the new Policy.

For privacy matters, contact: