Early access — 50% off the annual plan until launch. Claim your seat →

Privacy Policy

Last updated .

1. Summary

MLA Prep helps candidates prepare for the UK Medical Licensing Assessment. We hold as little personal data as we can get away with, encrypt what we do hold, never sell it, and don't use it for third-party advertising. This page explains exactly what we collect, why, how long we keep it, and what rights you have over it.

2. Who we are

MLA Prep is the data controller for the information described in this policy. Our registered business address will be published at public launch. Until then, all data-protection queries should be directed to golukicoding@gmail.com.

3. Information we collect

We collect the following categories of personal data:

  • Account data: name, email address, hashed password, exam date, and pathway (UK medical student or international graduate).
  • Study data: the questions you answer, your correctness history, flashcard schedules, time spent per question, and mock-exam results.
  • Billing data: subscription plan, start and end dates, and transaction IDs. We do not see or store your card details — those are handled entirely by our payment processor, Dodo Payments.
  • Technical data: IP address, user-agent string, device type and the approximate location derived from your IP (country level). Captured for security, abuse prevention and debugging.
  • Communications: the content of any support email or contact-form submission you send us.

4. How we use your information

We use your personal data to:

  • Provide, maintain and improve the MLA Prep service.
  • Personalise your study plan — the mix of questions we show you is calculated from your study data.
  • Process your subscription and handle billing queries.
  • Send you essential service emails (receipts, security notices, material product changes). You cannot opt out of these — they are a condition of the account.
  • Respond to support requests.
  • Detect and prevent fraud, abuse and security incidents.
  • Comply with legal obligations (e.g. tax records).

Under UK GDPR and the EU GDPR, we rely on the following legal bases:

  • Contract: providing the service you have subscribed to.
  • Legitimate interests: fraud prevention, service improvement, and defending legal claims. Where we rely on this, your rights take precedence if they override our interest.
  • Consent: non-essential analytics and any marketing emails. You can withdraw consent at any time.
  • Legal obligation: keeping payment records for HMRC requirements.

6. Who we share data with

We share your personal data only with the following sub-processors, each bound by a data-processing agreement:

  • Supabase — authentication and primary database. Hosted in the EU. Holds your account and study data.
  • Dodo Payments — subscription billing and checkout. Handles card data directly; we never see it.
  • Vercel — web hosting and edge infrastructure. Holds request logs and operational telemetry.
  • Google Analytics 4 — product analytics, with IP anonymisation enabled. Used only with your explicit consent (see our Cookies Policy). Hosted by Google in the US under the EU–US Data Privacy Framework.
  • Sentry — error monitoring. Used to diagnose crashes and bugs. We scrub personal data from error payloads where technically possible.

We do not sell, rent or share personal data for advertising purposes.

7. International transfers

Where a sub-processor is outside the UK or European Economic Area, we rely on the UK's International Data Transfer Agreement or the European Commission's Standard Contractual Clauses to protect your data.

8. Retention

  • Account and study data: kept for 24 months after your last login, then deleted or anonymised.
  • Payment records: kept for 6 years to meet HMRC record-keeping requirements.
  • Support correspondence: kept for 24 months from the date of last contact.
  • Backups: routine backups are retained for up to 30 days and then overwritten.

You can request earlier deletion at any time — see Your rights below.

9. Your rights

Under UK and EU GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Correct inaccurate personal data (rectification).
  • Request deletion of your personal data (erasure or “right to be forgotten”).
  • Restrict or object to our processing of your data.
  • Receive a copy of your data in a portable, machine-readable format.
  • Withdraw consent where processing is based on consent.
  • Lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email golukicoding@gmail.com. We aim to respond within 30 days.

10. Cookies

We use strictly necessary cookies to keep you signed in, plus analytics cookies only with your consent. See our Cookies Policy for the full list.

11. Children

MLA Prep is a professional exam-preparation product for candidates preparing for the UK Medical Licensing Assessment. The service is not directed at children under 16 and we do not knowingly collect personal data from anyone under 16.

12. Changes to this policy

When we make material changes, we will update the “last updated” date at the top of this page and, where the change affects your rights, email you at least 14 days before it takes effect.

13. Contact

Questions about this policy or how we handle your data? Email golukicoding@gmail.com.