Legal

Privacy Policy

Last updated: June 1, 2026 · Effective: June 1, 2026

BandUp ("we", "our", "us") is committed to protecting your privacy. This policy explains what data we collect, why we collect it, and how you can control it. We will never sell your personal data to third parties.

1. Who We Are

BandUp is an IELTS preparation platform operated by Quest Labs. If you have any questions about this policy, contact us at [email protected].

2. Data We Collect

Account data

When you create an account we collect your email address and the password hash generated by our authentication provider (Supabase). We never store plaintext passwords.

Usage data

We collect information about how you use the app, including:

Practice sessions completed (skill, score, timestamp)
Mock test results and band score estimates
Lesson and course progress
Features accessed and time spent

Device and technical data

We automatically collect standard technical information when you use BandUp:

Browser type and version
Operating system
IP address (anonymized after 30 days)
Referring URL

Audio and written responses

If you use Speaking or Writing practice features, your responses are processed by our AI scoring engine. Audio recordings are processed in real time and are not stored beyond the active session unless you explicitly save a result. Written responses are stored with your session history so you can review feedback later.

Payment data

Payments are processed by Stripe. We do not store card numbers or payment credentials. We receive only a transaction reference, subscription status, and plan type.

3. How We Use Your Data

To provide and improve the BandUp service
To personalize your practice recommendations and adaptive difficulty
To send you account-related emails (password reset, billing receipts)
To send product update emails if you opt in
To detect and prevent fraud or abuse
To comply with legal obligations

4. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area, our legal bases for processing your data are:

Contract performance — to provide the service you signed up for
Legitimate interests — to improve the product and prevent fraud
Consent — for marketing emails (you can withdraw at any time)
Legal obligation — where required by law

5. Data Sharing

We share data only with the following categories of third-party service providers, and only to the extent necessary to operate BandUp:

Supabase — authentication and database hosting
Stripe — payment processing
ElevenLabs — AI voice generation for speaking prompts
OpenAI / AI providers — writing and speaking scoring
Cloudflare — content delivery and DDoS protection

All providers are bound by data processing agreements and are prohibited from using your data for their own purposes.

6. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., billing records for 7 years in some jurisdictions).

7. Your Rights

Depending on your location, you may have the right to:

Access the personal data we hold about you
Correct inaccurate data
Request deletion of your data ("right to be forgotten")
Restrict or object to processing
Data portability (receive your data in a structured format)
Withdraw consent at any time

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Cookies

BandUp uses the following cookies and local storage entries:

bu-lp-theme — stores your light/dark theme preference (local storage, no expiry)
Supabase auth tokens — required for keeping you signed in (session storage)
Stripe cookies — fraud prevention during checkout

We do not use advertising or tracking cookies.

9. Children's Privacy

BandUp is intended for users aged 13 and older. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with data without parental consent, contact us and we will delete it promptly.

10. Security

We implement industry-standard security measures including HTTPS encryption in transit, hashed passwords, row-level security on our database, and regular security reviews. No system is 100% secure, and we cannot guarantee absolute security.

11. Changes to This Policy

We may update this policy from time to time. We will notify you of material changes by email or by displaying a notice in the app. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of BandUp after changes take effect constitutes acceptance.

12. Contact

Questions or requests regarding this Privacy Policy:

Email: [email protected]
Website: bandupielts.com