Privacy Policy
Last updated: 12 May 2026
This Privacy Policy explains how Acumen Logic Ltd (“Acumen Logic”, “we”, “us” or “our”) collects, uses, shares and protects personal data when you visit acumenlogic.co.uk or use the platform at app.acumenlogic.co.uk (together, the “Service”). It is written to comply with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations 2003 (“PECR”).
Data controller: Acumen Logic Ltd, a company registered in England and Wales (company number 16032469) with its registered office at 1 Factory Row, Beccles Road, Thurlton, Norwich, NR14 6AJ, United Kingdom. We are registered with the UK Information Commissioner’s Office under registration number ZC076851.
1. Quick summary
- We collect what we need to run an account, score assessments, take payment and send service messages — nothing more.
- We never sell your data.
- Marketing emails are opt‑in only and you can withdraw consent at any time.
- You can request access, correction, deletion or export of your data at support@acumenlogic.co.uk.
- You can complain to the ICO at ico.org.uk at any time.
2. Information we collect
2.1 Information you give us
- Account: name, email address, password (stored as a salted hash, never in plain text).
- Profile (optional): target sector, target start date, education level, university, self‑assessed preparation level and weakest reasoning category — you can skip every page of the registration profile.
- Email verification status: whether your email address has been verified, and the time at which it was verified.
- Communications: the contents of any message you send to support or enquiries inboxes.
- Marketing preference: a single opt‑in record kept against your account where you have consented to receive lessons, insights and occasional product offers from us. There is one marketing preference per account, which you can toggle at any time in Settings → Notifications.
2.2 Information generated by your use of the Service
- Assessment data: the assessment type, your answers (including the option you selected, time spent on each question, whether you flagged it for review), your score, your category breakdown and your estimated percentile.
- Drill data: drill session results, sub‑topic mastery and accuracy trends.
- Activity: last login timestamp, in‑app notifications you have read, accessibility preferences (e.g. reduced motion, larger text).
2.3 Information collected automatically
- Device and connection data: IP address, approximate location derived from IP, browser, operating system, referring URL.
- Error data: minimal error‑capture metadata to keep the platform reliable (this runs whether or not you accept analytics cookies, on the basis of legitimate interest under UK GDPR Art. 6(1)(f) — see section 5).
- Analytics: aggregated usage data — only if you accept analytics cookies. See the Cookie Policy.
2.4 Payment data
Card details are entered directly with our payment provider, Stripe. We never see or store your card number. Stripe gives us back a customer reference, the amount paid, the plan purchased, the country code and the last four digits of the card so we can reconcile the order — that is all.
3. Why we use your data and the legal basis
| Purpose | Legal basis (UK GDPR Art. 6) |
|---|---|
| Creating and running your account; providing assessments, drills and analytics; sending account‑related and assessment‑result emails. | Performance of a contract with you (Art. 6(1)(b)). |
| Taking payment, issuing receipts, preventing fraud and meeting accounting obligations. | Performance of a contract; legal obligation (Art. 6(1)(b) and (c)). |
| Calculating estimated percentile rankings and category benchmarks (which use your aggregated, de‑identified results alongside other candidates’). | Performance of a contract; legitimate interest in the integrity of the benchmarking model (Art. 6(1)(b) and (f)). |
| Sending marketing emails about our products. | Consent (Art. 6(1)(a)). You can withdraw at any time. |
| Running site analytics and product analytics to improve the Service. | Consent for analytics cookies (Art. 6(1)(a) + PECR reg. 6); legitimate interest for first‑party usage logs that do not require cookies (Art. 6(1)(f)). |
| Securing the Service, detecting abuse and capturing minimal error data. | Legitimate interest in operating a reliable, secure platform (Art. 6(1)(f)). |
| Complying with court orders, regulator requests or other legal duties. | Legal obligation (Art. 6(1)(c)). |
4. How we share your data
We do not sell your personal data. We share it with the categories of recipient set out below, each of which is bound by a written data‑processing agreement and processes data on our instructions only.
| Recipient | Role | Location / transfer mechanism |
|---|---|---|
| Supabase | Database, authentication, file storage | UK / EU (Frankfurt & London regions) |
| Stripe Payments UK Ltd | Payment processing | UK (with onward transfers to Stripe Inc. in the US under SCCs + UK Addendum) |
| Resend | Transactional email delivery (verification, receipts, results) | US, under SCCs + UK Addendum |
| Sentry | Error monitoring; session replay only when you accept analytics cookies | US, under SCCs + UK Addendum |
| PostHog | Product analytics — only when you accept analytics cookies | EU instance; UK adequacy |
| Upstash | Rate limiting and short‑lived caching | EU regions; UK adequacy |
| Vercel | Hosting of the platform application | EU and US edge nodes; SCCs + UK Addendum where relevant |
| Hostinger | Hosting of the marketing site | EU |
| Google Analytics (Google Ireland) | Aggregated traffic measurement — only when you accept analytics cookies | EU/US; SCCs + UK Addendum |
We may also share data with our professional advisers (lawyers, accountants, auditors) where confidentially necessary, with regulators or courts when legally compelled, and with any successor entity in the event of a sale or restructure (subject to the protections in this policy).
5. International transfers
Some of the recipients above process data outside the UK. Where they do, we rely on one of the following safeguards:
- The country has been recognised as providing an adequate level of protection by the UK government (e.g. EEA states under the UK adequacy regulations).
- An International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses with the UK Addendum, signed with the recipient.
- For US recipients certified to it, the UK extension of the EU‑US Data Privacy Framework.
You can request a copy of the relevant transfer mechanism by contacting support@acumenlogic.co.uk.
6. How long we keep your data
| Category | Retention |
|---|---|
| Account details (name, email, profile fields) | For the life of the account. When you close your account we delete these within 30 days — in practice this happens immediately on the deletion request. |
| Assessment and drill results | For the life of the account; deleted on account closure. Anonymous aggregated bucket counts contributed to the percentile model remain in our benchmarking dataset and cannot be linked back to you. |
| Purchase records (transaction reference, amount, currency, country code, plan, Stripe customer ID) | 7 years from the date of purchase, in an archive that survives account closure. Held to meet our HMRC record‑keeping obligations. Personal identifiers (your name, email and address) are not retained in this archive — the canonical customer record is held by our payment processor, Stripe. |
| Consent records (cookies, marketing, privacy policy acceptance) | 6 years from the consent event. We keep an append‑only audit trail of consents and withdrawals (timestamp, consent type and version, IP address, user agent) so we can evidence the lawful basis for processing. |
| Marketing preference | Held against your account while it is active and reflected in the live profile. The act of granting or withdrawing the preference is logged separately in the consent audit trail. |
| Support correspondence | 3 years from the date of the last interaction, held in our email provider and inbox archives. Cleanup is performed manually. |
| Server logs and security data | Up to 30 days at the platform‑hosting layer; error and security logs in Sentry are retained for up to 90 days, then rotated. |
Retention is enforced by a daily automated cleanup process that removes archived purchase and consent records past their expiry window.
7. Your rights under UK GDPR
You have the right to:
- Access the personal data we hold about you (Art. 15).
- Rectification of inaccurate or incomplete data (Art. 16).
- Erasure of your data in defined circumstances (Art. 17).
- Restriction of processing in defined circumstances (Art. 18).
- Portability — receive certain data in a structured, machine‑readable format (Art. 20).
- Object to processing based on legitimate interest, including direct marketing (Art. 21).
- Withdraw consent at any time, where we rely on consent. Withdrawal does not affect the lawfulness of prior processing.
- Complain to the ICO (ico.org.uk) without going through us first.
To exercise any of these rights, email support@acumenlogic.co.uk. We will respond within one calendar month and may extend that by up to two further months for complex requests, in line with UK GDPR Art. 12(3).
8. Security
We use TLS for all traffic, encrypted storage at rest, role‑based access on production systems, multi‑factor authentication for admin access, row‑level security on every personal‑data table in our database, and a documented incident response process. Reportable personal‑data breaches will be notified to the ICO within 72 hours of our becoming aware of them, and to affected users where the breach is likely to result in a high risk to their rights and freedoms.
9. Children
The Service is not directed at children. You must be at least 16 years old to create an account. If we discover that we have collected data from a child under 16 without an appropriate basis, we will delete it.
10. Automated decision‑making
Percentile rankings and category recommendations are generated by an automated model. They are indicative and do not produce legal or similarly significant effects on you within the meaning of UK GDPR Art. 22. They never form the basis of any decision taken about you by Acumen Logic that affects your legal position, your ability to use the Service, or any third‑party recruitment outcome.
11. Changes to this policy
If we change this policy, we will update the “last updated” date above. Material changes will be notified to active account holders by email or in‑app message at least 14 days before they take effect.
12. Contact
For privacy questions or to exercise any of your rights:
- Email: support@acumenlogic.co.uk
- Post: Acumen Logic Ltd, 1 Factory Row, Beccles Road, Thurlton, Norwich, NR14 6AJ, United Kingdom
If you are dissatisfied with our response, you can complain to the Information Commissioner’s Office: ico.org.uk · 0303 123 1113.