Privacy Notice

This Privacy Notice explains how OET with Dr Ahmed Hesham ("we", "us", "our") processes personal data when you use our learner platform, mobile and desktop apps, websites, marketing emails, and support channels.

• We act as the data controller for personal data you give us directly (account details, submissions, payment metadata).
• For some services we also process data on behalf of sponsors or institutions (e.g. employer-funded learners) — in those cases the sponsor is the controller and we are a processor under a written agreement.
• This notice is read alongside our Terms of Service.

• Account data — name, email, mobile number, country, password hash, MFA secrets, profession, target exam date.
• Learning data — writing submissions, speaking and conversation audio recordings, mock-exam answers, AI feedback, expert review notes, study plan progress, predicted scores.
• Billing data — Stripe customer / subscription IDs, plan, invoice history, partial card metadata (last 4, brand) — full card numbers stay with Stripe.
• Device & technical data — IP address, user-agent, device model, OS, app version, language, time zone, crash and performance traces.
• Communications — emails to support, feedback, in-app chat, satisfaction surveys.

• Performance of contract — to provide the Service you signed up for, including AI feedback, tutor review, and mock scoring.
• Legitimate interests — keeping the Service secure, preventing abuse, improving features, measuring product quality, and running de-identified analytics.
• Legal obligation — accounting, tax, fraud prevention, response to lawful requests.
• Consent — optional marketing emails, product research interviews, and any non-essential cookies. You can withdraw consent at any time without affecting prior processing.

• Account data: while your account is active, plus up to 24 months after closure to handle re-activation, support disputes, and statutory obligations.
• Speaking and conversation audio: by default 30 days, configurable in Settings → Privacy. Transcripts and scores have longer retention (1 year) for progress tracking.
• Writing submissions and tutor feedback: retained while your account is active so you can revisit feedback over your prep journey.
• Billing records: 7 years (UK accounting requirement).
• Security logs: up to 90 days for incident investigation.

We never sell personal data. We share it only with vetted processors and only as needed to run the Service:

• Stripe — payments and subscription billing.
• Brevo — transactional and (where you opted in) marketing email delivery.
• AI providers — Azure OpenAI, OpenAI, Whisper, ElevenLabs, Deepgram, and others, selected per feature. We send the minimum data required (e.g. your submission, our grounded prompt) and contractually prohibit training on your content where the provider supports it.
• Sentry — application error reporting (no audio or full submissions are attached to error reports).
• Cloud infrastructure — our hosting provider in the UK / EU.
• Professional advisers, insurers, and authorities — when legally required.

International transfers — some providers operate outside the UK / EEA. Where they do, we rely on UK IDTA / EU Standard Contractual Clauses and additional safeguards as required.

• Encryption in transit (TLS 1.2+) and at rest for sensitive learner content.
• Two-step verification (MFA) for all admin and expert accounts; offered to learners.
• Granular role-based access — 16 distinct admin permissions; reviewers see only the submissions they are assigned.
• Refresh-token rotation, short-lived access tokens, IP & device anomaly detection.
• Annual penetration tests and quarterly security reviews.

Under UK GDPR (and equivalent regimes) you have the right to:

• Access a copy of your personal data.
• Have inaccurate data corrected.
• Have your data deleted (subject to legal retention).
• Restrict or object to certain processing.
• Receive a portable export of data you provided.
• Withdraw consent for marketing or optional processing at any time.
• Lodge a complaint with the UK ICO (ico.org.uk) or your local supervisory authority.

Most rights can be exercised from Settings → Privacy or by emailing dpo@oetwithdrhesham.co.uk. We aim to respond within 30 days.

• Strictly necessary cookies — used for authentication, CSRF protection, and session continuity. These cannot be disabled without breaking sign-in.
• Functional storage — remembers your theme, language, and study-plan preferences locally.
• Analytics — privacy-respecting, aggregated, IP-truncated. No cross-site tracking. No third-party advertising cookies are set.

• The Service is not intended for under-16s. If you believe a child has registered, contact dpo@oetwithdrhesham.co.uk and we will delete the account.

• We may update this notice from time to time. Material changes will be notified by email and posted in-app at least 14 days in advance unless a faster change is required by law.