Privacy Policy
Last updated: 11 June 2026
MedOffer is committed to protecting your privacy. This policy describes our practices in clear language and explains your rights when you use medoffer.co.uk.
1. Introduction
This Privacy Policy explains how MedOffer(“MedOffer”, “we”, “us”, “our”) collects, uses, stores, and protects personal data when you visit medoffer.co.ukor use our services (the “Service”).
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This policy supplements our Terms of Service.
Please read this policy carefully. By using the Service, you acknowledge that you have read this Privacy Policy. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
2. Data controller and contact
The data controller responsible for your personal data is MedOffer. We do not publish a postal address. For all privacy-related enquiries, including exercising your rights, contact us at contact@medoffer.co.uk.
We have not appointed a Data Protection Officer. For the nature and scale of our processing, this is not required by law. Privacy queries are handled by our team via the email above.
3. Scope
This policy applies to:
- visitors to our website;
- registered users with a MedOffer account;
- customers who purchase Premium, coaching, or expert review services;
- individuals who contact us through our contact form or email.
It does not apply to third-party websites or services linked from MedOffer (such as Stripe checkout, Cal.com booking, or university sites). Those services have their own privacy policies.
4. Personal data we collect
We may collect the following categories of personal data:
Identity and account data — name, email address, profile image (if provided through our authentication provider), unique user identifiers, and account creation date.
Authentication data — login sessions, authentication tokens, and security logs managed by Clerk (our authentication provider). We do not receive or store your account password.
Academic and application profile data — UCAT and other test scores, SJT band, A-level and GCSE grades, work experience entries, postcode, region, widening participation indicators, application year, and similar information you choose to enter in your profile or matching tools.
Personal statement data — drafts of your UCAS personal statement, coaching chat history while you use the Service, analysis results, and documents you upload for expert review.
Training and usage data — UCAT game play history, scores, accuracy, streaks, leaderboard participation, and feature usage within the Service.
Transaction data — purchase history, subscription status, Stripe customer and session identifiers, and entitlement records (e.g. Premium expiry dates — Season Pass access ends on 31 October 2026; access until 31 october 2026 — two weeks after the ucas application deadline — coaching packages purchased). We do not store full payment card numbers.
Communications — messages you send via our contact form or support email, and our responses.
Technical and analytics data — IP address, browser type and version, device type, operating system, referring URLs, pages viewed, timestamps, and similar diagnostic data from server logs and PostHog analytics (where enabled).
Cookie data — see Section 12. We use essential cookies for authentication and may use analytics cookies to understand how the Service is used.
We do not intentionally collect special category data (such as health information) unless you voluntarily include it in a personal statement or profile field. Please avoid submitting sensitive data unless necessary for your application and you are comfortable with the processing described here.
5. How we collect data
- Directly from you — when you register, complete your profile, write a statement, play games, make a purchase, or contact us.
- Automatically — through cookies, logs, and analytics when you use the Service.
- From processors — e.g. Stripe confirming payment status, or Clerk confirming account details.
- From public sources — where you provide a postcode, we may derive area-based widening participation indicators from public statistical datasets to support matching features.
6. Purposes and legal bases for processing
We process personal data only where we have a lawful basis under UK GDPR:
| Purpose | Legal basis |
|---|---|
| Creating and managing your Account; authenticating you | Performance of a contract; legitimate interests (security) |
| Providing UCAT training, progress tracking, and leaderboards | Performance of a contract; legitimate interests (service delivery) |
| Storing and syncing your profile, statement drafts, and coaching history | Performance of a contract |
| AI coaching and automated draft feedback (Google Gemini) | Performance of a contract; legitimate interests (delivering paid features) |
| Processing payments and managing subscriptions (Stripe) | Performance of a contract; legal obligation (tax/accounting) |
| Delivering expert statement reviews and coaching you purchase | Performance of a contract |
| Responding to contact form and support enquiries | Legitimate interests (customer support); performance of a contract |
| Analytics to improve the Service (PostHog) | Legitimate interests (understanding usage and improving product) |
| Security monitoring, fraud prevention, and enforcing our Terms | Legitimate interests; legal obligation where applicable |
| Service-related email (purchase confirmations, review delivery, account notices) | Performance of a contract; legitimate interests |
| Marketing emails (if we send them in future) | Consent (you may opt out at any time) |
Where we rely on legitimate interests, we have balanced those interests against your rights and expect minimal privacy impact. You may object to processing based on legitimate interests — see Section 11.
7. AI and automated processing
When you use AI coaching or draft analysis features, the text you submit (including personal statement content and related context such as work experience summaries) is sent to Google's Gemini API for processing. Google processes this data as our sub-processor to generate responses and feedback.
We do not use AI to make solely automated decisions that produce legal or similarly significant effects about you (such as automated admission decisions). AI output is advisory only; you decide what to use.
We cache certain analysis results (e.g. draft feedback keyed to content hashes) to reduce redundant API calls and improve performance. Cached results are stored in your profile data on our database.
9. International transfers
Some of our processors are located outside the United Kingdom, including in the United States. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, such as:
- UK adequacy regulations (where the destination country is recognised as adequate);
- International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses approved under UK GDPR;
- the UK-US Data Bridge or equivalent mechanisms where applicable to certified US recipients;
- processor contractual commitments required by UK GDPR Article 46.
You may request further information about safeguards for a specific transfer by contacting contact@medoffer.co.uk.
10. How long we keep data
We retain personal data only as long as necessary for the purposes described:
- Account and profile data — while your Account is active, plus up to 30 days after deletion request to allow recovery and complete erasure from backups.
- Personal statement drafts and coaching data — while your Account is active, or until you delete the content or your Account.
- UCAT training history — while your Account is active; anonymised aggregates may be retained longer for analytics.
- Payment and transaction records — up to seven years for tax, accounting, and legal compliance.
- Expert review documents — for the period needed to deliver the review and handle support queries (typically up to 12 months after delivery unless you request earlier deletion).
- Contact form messages — up to 24 months unless a longer period is needed to resolve a dispute.
- Server logs — typically up to 90 days for security and debugging.
- Analytics data — according to PostHog retention settings (typically up to 12 months for event-level data, with aggregation thereafter).
When data is no longer needed, we delete or anonymise it. Residual copies may persist in encrypted backups for a limited period before automatic purging.
11. Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access — request a copy of personal data we hold about you.
- Right to rectification — request correction of inaccurate or incomplete data (you can also update much of your profile directly in the Service).
- Right to erasure— request deletion in certain circumstances (“right to be forgotten”).
- Right to restrict processing — request that we limit processing in certain cases.
- Right to data portability — receive your data in a structured, machine-readable format where processing is based on consent or contract and carried out by automated means.
- Right to object — object to processing based on legitimate interests, including profiling and direct marketing.
- Rights related to automated decision-making — not to be subject to solely automated decisions with significant effects (we do not conduct such processing as described in Section 7).
- Right to withdraw consent — where processing is consent-based, without affecting prior lawful processing.
To exercise any right, email contact@medoffer.co.uk with sufficient detail to identify you and your request. We may ask for verification information. We aim to respond within one month, extendable by two further months for complex requests as permitted by law.
You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority: ico.org.uk. We encourage you to contact us first so we can try to resolve your concern.
13. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- encryption in transit (HTTPS/TLS) for data sent between your browser and our servers;
- access controls limiting staff and system access to personal data on a need-to-know basis;
- use of reputable sub-processors with their own security certifications and practices;
- rate limiting and monitoring to reduce abuse and unauthorised access attempts;
- server-side protection of sensitive content such as UCAT question banks and answer keys.
No method of transmission or storage is completely secure. If we become aware of a personal data breach likely to affect your rights, we will notify you and the ICO where required by law.
14. Children and young people
The Service is aimed at UK medical school applicants, typically aged 16 and over. We do not knowingly collect personal data from children under 16 without appropriate consent. If you believe a child under 16 has provided data without parental permission, contact contact@medoffer.co.uk and we will take steps to delete it.
Users aged 16–17 should ensure a parent or guardian is aware of their use of the Service, particularly where paid purchases are made.
15. Marketing communications
We may send transactional emails necessary for the Service (account verification, purchase receipts, review delivery, important service notices). These are not marketing and cannot always be opted out of while you maintain an Account.
We do not currently send promotional marketing emails without your consent. If we introduce marketing communications in future, we will ask for your consent where required and provide an unsubscribe link in every message.
16. Third-party links
The Service may link to external sites (universities, UCAS, Cal.com, Stripe, etc.). We are not responsible for their privacy practices. Review their policies before providing personal data.
17. Changes to this policy
We may update this Privacy Policy to reflect changes in law, technology, or our practices. The “Last updated” date will change accordingly. Material changes will be posted on this page; where required we may notify you by email or in-product notice.
Continued use after changes take effect indicates acceptance. If you disagree, stop using the Service and contact us to delete your Account.
18. Contact us
Privacy enquiries and rights requests: contact@medoffer.co.uk. Terms of Service: medoffer.co.uk/terms.