Legal

Privacy policy

What we collect, why, and how to get it corrected or deleted. Short version: your email, your practice scores, and your subscription status. No trackers, no ad cookies, no selling data.

Last updated: 3 July 2026. Version 2026-07-03.

Who we are

PublicServicePathway is operated from Ireland and is the data controller for the personal data described here. For anything in this policy, email hello@publicservicepathway.com.

What we collect

  • Account data. Your email address and a password hash. Stored in Supabase in the EU (eu-west-1, Ireland). We never see or store your plain-text password.
  • Practice history. Your attempts, answers, scores and timings. This is the product: it is how your dashboard shows where you are improving.
  • Consent records. When you accept the terms and this policy at signup, we record what version you accepted and when.
  • Payment status. If you subscribe, Stripe processes the payment and we store your subscription status and Stripe customer reference. Card numbers go to Stripe directly; we never see or store them.
  • Server logs. Standard request logs (IP address, timestamp, page requested) kept briefly by our hosting providers for security and debugging.

Why we're allowed to (lawful bases)

  • Contract. Account data, practice history and payment status are needed to provide the service you signed up for.
  • Legitimate interest. Server logs and rate limiting protect the service from abuse.
  • Consent. We do not send marketing email today. If we ever add it, it will be opt-in, with its own consent record, and you can withdraw at any time.

Cookies and local storage

There are no advertising cookies and no analytics trackers on this site. When you log in, your session is kept in your browser's localStorage. That is strictly necessary for login to work at all, so no consent banner is required for it. Log out and it is cleared.

Who processes your data

  • Supabase - database and authentication, hosted in the EU (Ireland).
  • Stripe - payment processing. Stripe is the only party that handles your card details.
  • Cloudflare - hosting and CDN for the site itself.

We do not sell your data or share it with anyone else.

How long we keep it

  • Account data and practice history are kept while your account is active.
  • Accounts inactive for 24 months are deleted, along with all their practice history.
  • If you ask us to erase your account, we do it within 30 days. Email us from the address on the account.

Your rights

Under the GDPR you can, at any time:

  • Access - ask for a copy of everything we hold about you.
  • Rectification - have anything inaccurate corrected.
  • Erasure - have your account and all its data deleted.
  • Portability - get your data in a machine-readable format.

Email hello@publicservicepathway.com and we will respond within 30 days. If you are not happy with how we handle it, you can complain to the Data Protection Commission at dataprotection.ie.

Changes to this policy

If this policy changes in a way that matters, the version string at the top changes and existing users are told before the change takes effect. The version you accepted at signup is recorded against your account.