Privacy Policy

Last updated: 11 June 2026

MedOffer is committed to protecting your privacy. This policy describes our practices in clear language and explains your rights when you use medoffer.co.uk.

1. Introduction

This Privacy Policy explains how MedOffer(“MedOffer”, “we”, “us”, “our”) collects, uses, stores, and protects personal data when you visit medoffer.co.ukor use our services (the “Service”).

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy supplements our Terms of Service.

Please read this policy carefully. By using the Service, you acknowledge that you have read this Privacy Policy. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.

2. Data controller and contact

The data controller responsible for your personal data is MedOffer. We do not publish a postal address. For all privacy-related enquiries, including exercising your rights, contact us at contact@medoffer.co.uk.

We have not appointed a Data Protection Officer. For the nature and scale of our processing, this is not required by law. Privacy queries are handled by our team via the email above.

3. Scope

This policy applies to:

  • visitors to our website;
  • registered users with a MedOffer account;
  • customers who purchase Premium, coaching, or expert review services;
  • individuals who contact us through our contact form or email.

It does not apply to third-party websites or services linked from MedOffer (such as Stripe checkout, Cal.com booking, or university sites). Those services have their own privacy policies.

4. Personal data we collect

We may collect the following categories of personal data:

Identity and account data — name, email address, profile image (if provided through our authentication provider), unique user identifiers, and account creation date.

Authentication data — login sessions, authentication tokens, and security logs managed by Clerk (our authentication provider). We do not receive or store your account password.

Academic and application profile data — UCAT and other test scores, SJT band, A-level and GCSE grades, work experience entries, postcode, region, widening participation indicators, application year, and similar information you choose to enter in your profile or matching tools.

Personal statement data — drafts of your UCAS personal statement, coaching chat history while you use the Service, analysis results, and documents you upload for expert review.

Training and usage data — UCAT game play history, scores, accuracy, streaks, leaderboard participation, and feature usage within the Service.

Transaction data — purchase history, subscription status, Stripe customer and session identifiers, and entitlement records (e.g. Premium expiry dates — Season Pass access ends on 31 October 2026; access until 31 october 2026 — two weeks after the ucas application deadline — coaching packages purchased). We do not store full payment card numbers.

Communications — messages you send via our contact form or support email, and our responses.

Technical and analytics data — IP address, browser type and version, device type, operating system, referring URLs, pages viewed, timestamps, and similar diagnostic data from server logs and PostHog analytics (where enabled).

Cookie data — see Section 12. We use essential cookies for authentication and may use analytics cookies to understand how the Service is used.

We do not intentionally collect special category data (such as health information) unless you voluntarily include it in a personal statement or profile field. Please avoid submitting sensitive data unless necessary for your application and you are comfortable with the processing described here.

5. How we collect data

  • Directly from you — when you register, complete your profile, write a statement, play games, make a purchase, or contact us.
  • Automatically — through cookies, logs, and analytics when you use the Service.
  • From processors — e.g. Stripe confirming payment status, or Clerk confirming account details.
  • From public sources — where you provide a postcode, we may derive area-based widening participation indicators from public statistical datasets to support matching features.

6. Purposes and legal bases for processing

We process personal data only where we have a lawful basis under UK GDPR:

PurposeLegal basis
Creating and managing your Account; authenticating youPerformance of a contract; legitimate interests (security)
Providing UCAT training, progress tracking, and leaderboardsPerformance of a contract; legitimate interests (service delivery)
Storing and syncing your profile, statement drafts, and coaching historyPerformance of a contract
AI coaching and automated draft feedback (Google Gemini)Performance of a contract; legitimate interests (delivering paid features)
Processing payments and managing subscriptions (Stripe)Performance of a contract; legal obligation (tax/accounting)
Delivering expert statement reviews and coaching you purchasePerformance of a contract
Responding to contact form and support enquiriesLegitimate interests (customer support); performance of a contract
Analytics to improve the Service (PostHog)Legitimate interests (understanding usage and improving product)
Security monitoring, fraud prevention, and enforcing our TermsLegitimate interests; legal obligation where applicable
Service-related email (purchase confirmations, review delivery, account notices)Performance of a contract; legitimate interests
Marketing emails (if we send them in future)Consent (you may opt out at any time)

Where we rely on legitimate interests, we have balanced those interests against your rights and expect minimal privacy impact. You may object to processing based on legitimate interests — see Section 11.

7. AI and automated processing

When you use AI coaching or draft analysis features, the text you submit (including personal statement content and related context such as work experience summaries) is sent to Google's Gemini API for processing. Google processes this data as our sub-processor to generate responses and feedback.

We do not use AI to make solely automated decisions that produce legal or similarly significant effects about you (such as automated admission decisions). AI output is advisory only; you decide what to use.

We cache certain analysis results (e.g. draft feedback keyed to content hashes) to reduce redundant API calls and improve performance. Cached results are stored in your profile data on our database.

8. Who we share data with

We do not sell, rent, or trade your personal data. We share data only as described below:

Service providers (processors) who process data on our instructions and under appropriate contracts:

  • Clerk, Inc. — user authentication and account management (United States).
  • Stripe Payments UK Ltd — payment processing and subscription billing (United Kingdom / Ireland / United States, depending on Stripe entity).
  • Supabase, Inc. — secure file storage for personal statement uploads submitted for expert review (United States / EU regions, depending on project configuration).
  • Google LLC (Gemini API) — AI coaching and text analysis (United States / global infrastructure).
  • PostHog, Inc. — product analytics (United States / EU, depending on configuration).
  • Cloudflare, Inc. — hosting, CDN, and security (global edge network).
  • Email delivery providers — sending transactional and support emails (e.g. Resend or similar, if configured).

Expert reviewers and tutors — if you purchase a human statement review or coaching, we share the minimum information necessary (e.g. your statement document or booking details) with the assigned reviewer or tutor to deliver the service.

Legal and safety — we may disclose data if required by law, court order, or regulatory request, or where necessary to protect rights, safety, and security of MedOffer, users, or the public.

Business transfers — if MedOffer is involved in a merger, acquisition, or sale of assets, personal data may transfer to the successor entity subject to this policy or equivalent protections.

9. International transfers

Some of our processors are located outside the United Kingdom, including in the United States. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, such as:

  • UK adequacy regulations (where the destination country is recognised as adequate);
  • International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses approved under UK GDPR;
  • the UK-US Data Bridge or equivalent mechanisms where applicable to certified US recipients;
  • processor contractual commitments required by UK GDPR Article 46.

You may request further information about safeguards for a specific transfer by contacting contact@medoffer.co.uk.

10. How long we keep data

We retain personal data only as long as necessary for the purposes described:

  • Account and profile data — while your Account is active, plus up to 30 days after deletion request to allow recovery and complete erasure from backups.
  • Personal statement drafts and coaching data — while your Account is active, or until you delete the content or your Account.
  • UCAT training history — while your Account is active; anonymised aggregates may be retained longer for analytics.
  • Payment and transaction records — up to seven years for tax, accounting, and legal compliance.
  • Expert review documents — for the period needed to deliver the review and handle support queries (typically up to 12 months after delivery unless you request earlier deletion).
  • Contact form messages — up to 24 months unless a longer period is needed to resolve a dispute.
  • Server logs — typically up to 90 days for security and debugging.
  • Analytics data — according to PostHog retention settings (typically up to 12 months for event-level data, with aggregation thereafter).

When data is no longer needed, we delete or anonymise it. Residual copies may persist in encrypted backups for a limited period before automatic purging.

11. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

  • Right of access — request a copy of personal data we hold about you.
  • Right to rectification — request correction of inaccurate or incomplete data (you can also update much of your profile directly in the Service).
  • Right to erasure— request deletion in certain circumstances (“right to be forgotten”).
  • Right to restrict processing — request that we limit processing in certain cases.
  • Right to data portability — receive your data in a structured, machine-readable format where processing is based on consent or contract and carried out by automated means.
  • Right to object — object to processing based on legitimate interests, including profiling and direct marketing.
  • Rights related to automated decision-making — not to be subject to solely automated decisions with significant effects (we do not conduct such processing as described in Section 7).
  • Right to withdraw consent — where processing is consent-based, without affecting prior lawful processing.

To exercise any right, email contact@medoffer.co.uk with sufficient detail to identify you and your request. We may ask for verification information. We aim to respond within one month, extendable by two further months for complex requests as permitted by law.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority: ico.org.uk. We encourage you to contact us first so we can try to resolve your concern.

12. Cookies and similar technologies

Cookies are small text files stored on your device. We use cookies and similar technologies as follows:

Strictly necessary cookies — required for the Service to function, including authentication session cookies managed by Clerk. These cannot be switched off without breaking login.

Analytics cookies — PostHog may set cookies or use local storage to collect usage statistics (pages visited, feature usage, approximate location from IP). This helps us understand how the product is used and improve it. You can limit analytics through browser settings or opt-out mechanisms PostHog provides where configured.

You can control cookies through your browser settings (block, delete, or alert). Blocking necessary cookies may prevent you from signing in or using paid features.

13. Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • encryption in transit (HTTPS/TLS) for data sent between your browser and our servers;
  • access controls limiting staff and system access to personal data on a need-to-know basis;
  • use of reputable sub-processors with their own security certifications and practices;
  • rate limiting and monitoring to reduce abuse and unauthorised access attempts;
  • server-side protection of sensitive content such as UCAT question banks and answer keys.

No method of transmission or storage is completely secure. If we become aware of a personal data breach likely to affect your rights, we will notify you and the ICO where required by law.

14. Children and young people

The Service is aimed at UK medical school applicants, typically aged 16 and over. We do not knowingly collect personal data from children under 16 without appropriate consent. If you believe a child under 16 has provided data without parental permission, contact contact@medoffer.co.uk and we will take steps to delete it.

Users aged 16–17 should ensure a parent or guardian is aware of their use of the Service, particularly where paid purchases are made.

15. Marketing communications

We may send transactional emails necessary for the Service (account verification, purchase receipts, review delivery, important service notices). These are not marketing and cannot always be opted out of while you maintain an Account.

We do not currently send promotional marketing emails without your consent. If we introduce marketing communications in future, we will ask for your consent where required and provide an unsubscribe link in every message.

17. Changes to this policy

We may update this Privacy Policy to reflect changes in law, technology, or our practices. The “Last updated” date will change accordingly. Material changes will be posted on this page; where required we may notify you by email or in-product notice.

Continued use after changes take effect indicates acceptance. If you disagree, stop using the Service and contact us to delete your Account.

18. Contact us

Privacy enquiries and rights requests: contact@medoffer.co.uk. Terms of Service: medoffer.co.uk/terms.