Privacy Policy
Last updated: 12 July 2026
Percentile Labs ("Percentile Labs", "we", "our" or "us") operates the online exam-preparation platforms tmua.fyi and esat.fyi (each a "Service", together the "Services"). You are reading this on esat.fyi. Our registered office is 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. We are the data controller for the personal data described here.
This Policy explains what personal data we collect, why, who we share it with, how long we keep it, and the rights you have under the UK GDPR and the Data Protection Act 2018. It applies to visitors and registered users of the Services. If you do not agree with it, please do not use the Services.
1. The data we collect
Data you give us
- Account data: your name, email address, the exam board you study for, target universities, and any profile details you add. We use passwordless email sign-in, so we do not store passwords.
- Learning data: your answers, practice and mock-exam sessions, scores, confidence and progress, journal entries, and questions you submit.
- Communications: messages you send us and your email and notification preferences.
- Billing data: your subscription status and plan. Card payments are taken by our payment provider; we do not see or store full card numbers.
Data we collect automatically
- Usage data: pages viewed, features used, actions taken, and timestamps, used to run and improve the Services.
- Device and technical data: IP address, browser and device type, operating system, and referring pages.
- Cookies and similar technologies: see section 7.
We do not intentionally collect special-category data. Please do not send it to us through free-text fields.
2. Why we use your data, and our legal bases
- To provide the Services (accounts, practice, mocks, progress, billing): performance of our contract with you.
- To personalise your learning (recommendations, adaptive practice, predicted scores): our legitimate interests in delivering a useful product, and, where required, your consent.
- To communicate with you (service and transactional emails, support): performance of our contract and our legitimate interests. Marketing emails are sent only with your consent, and you can opt out at any time.
- To keep the Services secure and prevent fraud and abuse: our legitimate interests and legal obligations.
- To analyse and improve the Services: our legitimate interests, using analytics data that is aggregated or pseudonymised where practical.
- To comply with the law: our legal obligations.
3. Service providers (sub-processors)
We share personal data with carefully selected providers who process it on our behalf under written contracts, only for the purposes below. The principal providers are:
| Provider | Purpose |
|---|---|
| Stytch | Authentication and sign-in |
| Convex | Application database and backend |
| Railway | Application hosting |
| Cloudflare | Content delivery and file storage (R2) |
| Autumn (on Stripe) | Subscription billing and card payments |
| PostHog | Product analytics |
| Sentry | Error and performance monitoring |
| UseSend | Transactional and notification email |
| Google (Gemini) | AI features such as embeddings and content generation |
We do not sell your personal data. We may also disclose data where required by law, to enforce our terms, or in connection with a merger, acquisition or sale of assets, in which case we will tell you.
4. International transfers
Some of our providers are based outside the UK, including in the United States and the European Economic Area. Where we transfer personal data outside the UK we rely on an adequacy decision or appropriate safeguards such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, together with additional measures where needed.
5. How long we keep your data
We keep your account and learning data for as long as your account is active, and for a reasonable period afterwards so you can reactivate. If you delete your account we delete or anonymise your personal data within 90 days, except where we must keep certain records (for example billing records) to meet legal obligations. Aggregated or anonymised data that cannot identify you may be kept indefinitely.
6. Your rights
Under the UK GDPR you have the right to:
- access a copy of your personal data;
- have inaccurate data corrected;
- have your data erased in certain circumstances;
- restrict or object to processing, including profiling;
- data portability;
- withdraw consent at any time, where we rely on consent.
To exercise any of these, email us at [email protected]. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk, though we would appreciate the chance to help first.
7. Cookies
We use strictly necessary cookies to keep you signed in and secure, and analytics cookies to understand how the Services are used. You can control cookies through your browser settings; blocking necessary cookies may stop parts of the Services from working.
8. Children
The Services are intended for students aged 13 and over. If you are under 18 you confirm you have permission from a parent or guardian to use the Services. If you believe a child under 13 has given us personal data, contact us and we will delete it.
9. Security
We use technical and organisational measures, including encryption in transit, access controls and reputable infrastructure providers, to protect your data. No system is completely secure, so we cannot guarantee absolute security, but we take it seriously and will notify you and the ICO of a personal-data breach where the law requires.
10. Changes to this Policy
We may update this Policy from time to time. When we make material changes we will update the date above and, where appropriate, notify you through the Services or by email.
11. Contact us
For any privacy question or request, email [email protected] or write to Percentile Labs, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.