Privacy Policy

§1Who we are#

Morgan Brown Consultancy Ltd (“we”, “us”, “our”) is the data controller for personal data processed in connection with the Go SQE1 service. We are registered in England and Wales and operate from the United Kingdom.

For any privacy-related question, including data subject rights requests, contact us at [email protected]. We aim to respond within five working days; the statutory deadline for rights requests is one calendar month.

This platform is intended for adults aged 18 and over who are preparing for professional qualifications. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us with personal data, contact us and we will delete it.

§2What data we collect#

We collect the following categories of personal data:

Account data

• Email address (required to create an account and recover access).
• Display name, where you choose to provide one.
• Authentication is handled by our identity provider, Kinde, which may collect additional information as described in their privacy policy.

Learning data

• Questions you have answered, the answer you chose, the time you took, and whether you were correct.
• Practice session history (modules studied, difficulty levels selected).
• Performance metrics (mastery scores, progress tracking).

Technical data

• Browser type and version, operating system, and device information.
• IP address.
• Pages you visit on the platform and features you use.
• Errors your browser reports back to us, captured by Sentry. Where the error includes data you typed, we redact it before storage on a best-effort basis.

§3How we use your data#

We use your data for the following specific purposes:

• To provide the service. Authenticate you, deliver personalised practice sessions, track your progress, and adapt question difficulty to your ability level.
• To improve your learning. Analyse your performance to identify areas needing more practice and optimise spaced repetition.
• To improve the platform. Aggregate (non-identifying) statistics on which questions are too hard, too easy, or ambiguous.
• To communicate with you. Send service-related notifications and, with your consent, promotional information about our services.
• To ensure security. Protect against fraud, rate-limit logins, and maintain platform integrity.
• To comply with the law. Respond to lawful requests from courts and regulators.

We do not sell your personal data. We do not use it to train any machine-learning model.

§4Lawful basis#

Under UK GDPR Article 6, we rely on the following lawful bases:

• Contract (Art. 6(1)(b)) — for processing necessary to deliver the service you signed up for: account, learning data, sync, dashboards.
• Legitimate interests (Art. 6(1)(f)) — for security logging, abuse prevention, error monitoring, and aggregate question-quality analysis.
• Consent (Art. 6(1)(a)) — for non-essential cookies (advertising and analytics) and for marketing email. You can withdraw consent at any time without affecting service delivery.

§5Sharing & sub-processors#

We share your data only with the following sub-processors, each acting on our written instructions under a data processing agreement. The list is the same for every customer of the platform; when it changes, this page is updated.

KindeAuthentication

Stores your email and authentication tokens. Kinde never sees your learning data.

RenderApplication hosting · EU

Runs the application servers and the primary database. Your account and learning data live here.

GoogleAdvertising & analytics

Google Ads and Google Analytics measure advertising effectiveness and how visitors use the platform — only when you consent to non-essential cookies.

SentryError monitoring · EU (Frankfurt)

Captures uncaught errors so we can fix them. Personal data is redacted before storage on a best-effort basis. Sentry's AI-powered features (Seer) may analyse error data to group and summarise issues automatically.

We do not share your data with any other third party, except where required by law (a valid court order or regulator request) or with your explicit consent.

§6Retention#

We keep different categories of data for different periods:

Account data

For as long as your account is open. If you delete your account, we delete your account data, except where retention is required by law.

Learning data

Same as account data. We do not retain learning data after account deletion in any identifiable form.

Aggregate question statistics

Indefinitely, but only in non-identifying aggregate form. Cannot be linked back to you.

§7International transfers#

Your data is primarily stored and processed within the UK and European Economic Area (EEA). Some of our sub-processors may transfer data to servers outside the UK/EEA — including Google (when you consent to advertising and analytics cookies) and, in limited circumstances, Sentry.

These transfers are protected by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, which we have executed with each such sub-processor. We do not transfer data to jurisdictions that lack appropriate safeguards.

§8Cookies#

Strictly necessary

We use essential cookies required for the platform to function, including authentication cookies that keep you logged in, your CSRF token, and your selected locale. These do not require your consent under UK cookie regulations.

Advertising & analytics

With your consent, we use Google Ads and Google Analytics to measure advertising effectiveness and understand how visitors use the platform. These services may set cookies on your device to track conversions and collect usage data.

Google Consent Mode

We use Google Consent Mode v2 to manage how Google services operate based on your cookie preferences. When you decline cookies, Google does not store cookies on your device but may send cookieless pings for basic measurement. When you accept, full tracking and advertising cookies are enabled.

You can change your cookie preferences at any time using the Cookie Settings link in the page footer.

§9Your rights#

Under the UK GDPR you have the right to:

• Access a copy of the data we hold about you (Art. 15).
• Correct data that is inaccurate or incomplete (Art. 16).
• Delete your account and personal data (Art. 17). You can do this directly from your account settings, or email us and we will action it.
• Restrict processing while a complaint is being investigated (Art. 18).
• Receive your data in a portable format (Art. 20).
• Object to processing based on legitimate interests (Art. 21).
• Not be subject to solely automated decision-making with legal or similarly significant effects (Art. 22). We don't make any such decisions about you.
• Withdraw consent for any consent-based processing at any time, without affecting service delivery.

To exercise any of these rights, email [email protected]. We will not charge a fee, and we will not require you to use a specific form. We may ask you to verify your identity if the request is ambiguous.

§10Security#

We implement appropriate technical and organisational measures to protect your data, including TLS encryption in transit, encryption at rest for the primary database, secure authentication, and regular security reviews.

No system is perfectly secure. If we ever suffer a personal-data breach that risks your rights or freedoms, we will notify the ICO within 72 hours and notify you directly when notification is required under Art. 34.

§11Changes to this policy#

We may update this policy. The “last updated” date at the top of this page reflects the most recent change. For material changes — new categories of data collected, new sub-processors that handle personal data, changes in lawful basis — we will notify you by email or through a notice on the platform before the change takes effect.

Minor changes (clarifying language, fixing typos, updating the contact email) will be made silently with the date updated.

§12Contact & complaints#

For any privacy question, write to [email protected], or by post to Morgan Brown Consultancy Ltd, United Kingdom.

You also have the right to complain to the UK Information Commissioner's Office (ICO) if you believe we have handled your personal data incorrectly. We would prefer the chance to address your concern first, but you do not have to come to us before going to them. The ICO can be reached at ico.org.uk/make-a-complaint, by phone on 0303 123 1113, or by post at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.