Privacy policy
Last updated: October 2024
What does this notice cover?
This notice describes how Medly AI Limited (also referred to as "MedlyAI", "we" or "us") will make use of your personal data when you use our website (the "Site") and our mobile app (the "App") (collectively the "Platform"). We are in charge of what happens to your personal data and this means we are the data controller for data protection purposes and we are registered with the UK Information Commissioner's Office (ZB724661).
This notice also describes your data protection rights, including the right to object to some of the processing which MedlyAI carries out. More information about your rights, and how to exercise them, is set out in the "Your choices and rights" section.
Contact us
If you have questions about this privacy notice or wish to contact us for any reason in relation to our personal data processing, please contact our Data Protection Officer at contact@medlyai.com.
Personal data we may collect about you
We collect and process personal data about you when you interact with us and our Platform and when you purchase services from us. This includes:
| Category | Details |
|---|---|
| Subscriber Information (usually parents/guardians) | Your Subscriber ID, name, address, email and phone number, type of subscription purchased |
| User Profile Information (student) | Your name, email address, and phone number, user name and password, and school |
| Marketing Information | Your marketing preferences, including any consents you have given us |
| Device Information | Information related to the browser or device you use to access our Platform |
| AI Input and Output Data | Personal data that you input as part of your prompts using our AI functionality, as well as personal data included as part of the AI output. See below for more details. |
Sometimes, we receive personal data about you from third parties. In particular, from educational institutions that can establish accounts with MedlyAI on behalf of their students and teachers. We may also receive personal data from parents or guardians who might be setting up accounts on a student's behalf.
We do not process your credit card or debit information. This is securely handled by Apple who are responsible for billing and processing this information in connection with your subscription. However, we may receive your Subscriber ID and details of the subscription you purchased from Apple in order to allow us to provide our Platform to you.
More information on AI Input and Output Data and our use of AI Models
Our Platform uses AI functionality (based on OpenAI's model or other similar LLMs) to help you learn, revise and prepare for GCSE's, A Levels and IBs. Our different features allow you to:
- Practice predicted papers and receive instant marking and feedback
- Get instant answers and explanations to exam questions or specific topics
- Navigate and visualise your exam curriculum
- Receive personalised lessons
Our adaptive AI algorithms respond to your input and generate personalised AI output that evolve with your ability and learn what you need to learn. Given that your input and personalised AI output is linked to your user profile, this is likely to constitute your personal data. We have set out below how we use this personal data and who we share it with.
We may use your AI Input and Output Data (including personal data) to fine tune, train, or develop our AI functionality or models and services, however we do not allow any third parties (including OpenAI or other LLM providers) to do this.
How do we use this information, and what is the legal basis for this use?
We will only use your personal data for the purposes and legal bases set out below:
| Purpose | Legal Basis | Personal Data |
|---|---|---|
| To register and create an account on our Platform, process payments and provide you with services. This includes sending you service related messages. | It is necessary for us to process your personal data in order to perform our contract with you, or to take steps at your request prior to entering into a contract with you. | Subscriber Information, User Profile, Device Information, AI Input and Output Data |
| To ensure the security of your account and the Platform. | We have a legitimate interest in ensuring the security of our Platform and data. We have a legal obligation. | Subscriber Information, User Profile, Device Information |
| To manage our relationship with you. This includes the provision of subscriber/user support including responding to your queries and investigating any complaints about the Platform. | We have a legitimate interest in managing our business and providing services to our clients. | Subscriber Information, User Profile, AI Input and Output Data, Device Information |
| To analyse your use and effectiveness of our Platforms. | Your consent. We have a legitimate interest in improving our user experience. | Subscriber Information, User Profile, AI Input and Output Data, Device Information |
| To monitor your accounts to prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable law. | We have a legal obligation. We have a legitimate interest in preventing and detecting fraud or other wrongdoing. | Subscriber Information, User Profile, AI Input and Output Data, Device Information |
| To send you direct marketing in relation to our relevant products and services, or other products and services provided by us and carefully selected partners. | Your consent. We have a legitimate interest in promoting our services to our clients. | Subscriber Information, User Profile |
| To manage and operate our Platforms, including to keep it updated and relevant, to develop our business and to inform our marketing strategy. | Your consent. We have a legitimate interest in operating our Platforms and improving its operation. | Subscriber Information, User Profile, AI Input and Output Data, Device Information |
| To create aggregate and statistical data (which cannot be used to identify you). | We have a legitimate interest to understand the demographic, usage or characteristics of our Platform's users | Subscriber Information, User Profile |
| To respond to requests by governments, law enforcement or regulators. | We have a legal obligation. We have a legitimate interest to cooperate with legal investigations and enquiries. | Subscriber Information, User Profile |
| To invite you to take part in and manage customer surveys, reviews and market research activities carried out by us and by other organisations on our behalf. | Your consent. We have a legitimate interest in managing our business and providing services to our clients. | Subscriber Information, User Profile |
There are instances where we have a legitimate interest to use your data. Our legitimate interest will vary depending on what we are using your data for, and we explain above what the interest is and how it relates to the processing operations that we are carrying out.
How we share your personal data
We may share your data with the following categories of recipients:
| Personal Data Category | Category of Recipient | Why? |
|---|---|---|
| All categories | Third party service providers | We engage other companies and individuals to manage or support certain aspects of our business on our behalf. Examples include Platform hosting and maintenance, analytics, sending e-mails, processing payments and providing customer service. |
| User Profile, AI Input and Output Data | Parents, guardians | User Profile Data may be shared with your parents or guardians upon their request. |
| User Profile, AI Input and Output Data | Educators, schools | To assist educators and schools in assessing the efficacy of MedlyAI, we might provide them with a roster of students enrolled in the service from their institution. |
| All categories | Credit reference agencies, law enforcement and fraud prevention agencies | To prevent, investigate and/or report fraud, terrorism, misrepresentation, security incidents or crime, in accordance with applicable law. |
| All categories | Prospective Buyer/Seller | In the event that the business is sold or integrated with another business, your details will be disclosed to our advisers and any prospective purchaser's adviser and will be passed to the new owners of the business. |
| AI Input and Output Data and Device Information | LLM providers such as OpenAI, Anthropic and Google | To enable our AI functionality, we share your personal data with LLM providers for the provision of AI API services for businesses. LLM providers act as our data processors for these services and do not use your personal data to train their AI models. |
Where we transfer your personal data
Personal data that we collect from you may be transferred to and stored at a destination outside the UK including in the US. Where these locations do not provide an adequate level of data protection, we ensure appropriate safeguards are in place to protect the transfer of your personal data to these countries. When transferring your personal data we may rely on decisions of adequacy by the UK Government or on appropriate safeguards such as standard contractual clauses.
A copy of the relevant mechanism can be obtained for your review on request by using the contact details above.
Your choices and rights
You have the following rights:
| Right | Summary |
|---|---|
| The right of access | Enables you to receive a copy of your personal data |
| The right to rectification | Enables you to correct any inaccurate or incomplete personal data we hold about you |
| The right to erasure | Enables you to ask us to delete your personal data in certain circumstances |
| The right to restrict processing | Enables you to ask us to halt the processing of your personal data in certain circumstances |
| The right to object | Enables you to object to us processing your personal data on the basis of our legitimate interests (or those of a third party), including processing for direct marketing purposes or profiling for purposes of direct marketing and we will cease processing your personal data, unless the processing is based on compelling legitimate grounds or is needed for the exercise or defence of legal claims that may be brought by or against us. |
| The right to data portability | Enables you to request us to transmit personal data that you have provided to us, to a third party without hindrance, or to give you a copy of it so that you can transmit it to a third party, where technically feasible |
These rights may be limited, for example if fulfilling your request would reveal personal data about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep.
If you wish to exercise any of these rights, please contact us at the contact details set out in the Contact Us section. If you wish to turn off your App push-notifications or stop your subscription, you can update these permissions at any time using your device settings.
Wherever we rely on your consent, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. We may however have other legal grounds for processing your data for other purposes, such as those set out above.
In some cases, we are able to send you direct marketing without your consent, where we rely on our legitimate interests. You have an absolute right to opt-out of direct marketing, or profiling we carry out for direct marketing, at any time. You can do this by following the instructions in the communication where this is an electronic message, or by contacting us using the details set out below.
We do not use your personal data to make any solely automated decisions including profiling which produce legal or significantly similar effects.
Where we need to collect your personal data by law, or under the terms of a contract we have with you, and you fail to provide that personal data when requested, we may not be able to provide our products and services to you. In this case, we may have to cancel the supply of a product or service but we will notify you if this is the case at the time. The provision of all other information is optional.
How to complain
If you have any concerns about our use of your personal data, you can make a complaint via the details in the Contact Us section. If you remain unhappy with how we've used your personal data after raising a complaint with us, you can also complain to the ICO:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
Website: https://www.ico.org.uk/make-a-complaint
How long do we keep your personal data?
Where we process Subscriber Information and User Profile, we do this for as long as you are an active user of our Platform and for 6 years after this.
When you engage with the AI features in our Platform, the information you provide and any content that is generated in response (AI Input and Output Data) will be stored by us as long as you are an active user of the Platform and for 2 years after this. If you are looking for past sessions or just want to discover the personal data we have about you, please see "Your choices and rights" section above.
Where we process personal data for marketing purposes or with your consent, we process the data until you ask us to stop and for a short period of 30 days after this (to allow us to implement your requests). We also keep a record of the fact that you have asked us not to send you direct marketing or to process your data indefinitely so that we can respect your request in future.
Where we process personal data for Platform security purposes, we retain it for 6 months.
We may rectify, update or remove incomplete or inaccurate information, at any time and at our discretion. For more information on our retention periods, please contact us via the details in the Contact Us section.
Updates to this privacy notice
We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.