Privacy Policy
Effective date: 6 June 2026
This Privacy Policy explains how Tungsten People collects, uses, shares, and protects your personal data when you use our online exam-preparation service for the FRCR Part 2B examination, including our marketing website at tungstenpeople.com and our web application at app.tungstenpeople.com (together, the "Service").
Tungsten People is an online study aid provided for educational purposes only. We do not collect or process health data or any other special-category personal data. The study materials and analytics in the Service relate only to your own learning and exam preparation.
Please read this policy together with any other notices we provide on specific occasions when we collect or process personal data, so that you are fully aware of how and why we use your data.
1. Who we are (data controller)
For the purposes of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection laws, the data controller is:
- Controller: Kateryna Musaieva, a private entrepreneur (FOP) registered in Ukraine ("Tungsten People", "we", "us", "our")
- Privacy contact: hello@tungstenpeople.com
If you have any questions about this policy or about how we handle your personal data, you can reach us at hello@tungstenpeople.com.
2. The personal data we collect
We collect and process the following categories of personal data:
Account data
- Your name and email address, used to create and manage your account.
- If you choose to sign in using a third-party single sign-on option, we receive basic profile information (such as your name and email) from that provider to create and authenticate your account. We do not receive or store your password for that provider.
Study and usage data
- Your study progress, your answers to practice questions, and the mastery and readiness analytics we generate from them.
- The exam date and the country or examination venue you enter. We use this information to build your personalised study plan and to group you with peers (for example, candidates sitting in the same window or region) so we can provide benchmarking and progress comparisons.
Support communications
- The messages you send us through our contact form, together with the email address you provide, so that we can respond to you.
Payment data
- Payments and subscriptions are handled entirely by Paddle.com, which acts as the Merchant of Record for purchases made through the Service. Paddle is an independent controller of the payment data you provide to it.
- We do not collect or store your card number or other payment-card details. We receive only limited transaction and subscription information from Paddle (for example, that a subscription is active, renewed, cancelled, or that a payment succeeded or failed), which we use to give you access to the Service and to manage your account.
- Paddle's own handling of your data is governed by its privacy policy.
Technical data
- Your IP address and basic device and browser information, generated automatically when you use the Service.
- We may detect your approximate country from your IP address to show prices in a suitable currency.
Cookies and local storage
- Essential sign-in and session cookies so that you can log in and stay logged in.
- Your display preferences, such as theme and currency, stored in your browser.
- We do not use advertising cookies or cross-site tracking technologies. See Section 8 for more detail.
3. How and why we use your data, and our lawful bases
Under the UK GDPR and EU GDPR we must have a valid lawful basis for processing your personal data. The list below sets out what we do, why, and the lawful basis we rely on.
- To create and operate your account and provide the Service (account data, study and usage data, transaction status from Paddle). Lawful basis: performance of a contract with you (our Terms of Service).
- To build your personalised study plan using your exam date, country/venue, progress, and answers. Lawful basis: performance of a contract.
- To provide peer benchmarking and readiness analytics by grouping you with comparable candidates. Lawful basis: our legitimate interests in providing useful, comparative learning insights that are a core feature of the Service, in a way you would reasonably expect.
- To respond to your support requests (contact-form messages and email). Lawful basis: performance of a contract and our legitimate interests in providing customer support.
- To take payment and manage subscriptions (transaction and subscription status from Paddle). Lawful basis: performance of a contract.
- To display prices in your local currency using an IP-to-country lookup. Lawful basis: our legitimate interests in showing relevant pricing and improving your experience.
- To keep the Service secure, prevent abuse, and diagnose technical problems (technical data, including IP address). Lawful basis: our legitimate interests in maintaining the security and integrity of the Service.
- To comply with legal and regulatory obligations (for example, accounting and tax records held via our Merchant of Record). Lawful basis: compliance with a legal obligation.
- Where we ask for your consent (for example, for any optional communities or optional communications). Lawful basis: consent, which you may withdraw at any time.
Where we rely on legitimate interests, we have considered whether those interests are overridden by your interests, rights, and freedoms, and we have concluded they are not. You can ask us for more information about this balancing assessment, and you have the right to object (see Section 6).
4. Who we share your data with (subprocessors and third parties)
We do not sell your personal data. We share it only with providers that help us run the Service, and only as needed for that purpose. These providers act on our instructions under contract (except where they act as independent controllers, such as our payment provider) and fall into the following categories:
- Authentication and account management.
- Cloud hosting and database storage.
- Email delivery.
- Security, analytics, and fraud prevention.
- Payment processing: Paddle, acting as Merchant of Record (an independent controller for payment data).
We can provide the current list of the specific providers we use on request at hello@tungstenpeople.com.
We may also disclose personal data where required to comply with the law, enforce our agreements, protect the rights, safety, or property of Tungsten People or others, or in connection with a corporate transaction such as a merger or acquisition (in which case we will continue to protect your data and notify you of any change to this policy).
5. International data transfers
Tungsten People serves users worldwide, and some of our providers may be located outside the United Kingdom and the European Economic Area (EEA), including countries such as the United States. This means your personal data may be transferred to, stored in, or accessed from those countries.
Where we transfer personal data outside the UK or EEA to a country that is not covered by an adequacy decision, we put in place appropriate safeguards to protect it, which may include:
- the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the European Commission's Standard Contractual Clauses, for transfers subject to UK GDPR;
- the European Commission's Standard Contractual Clauses (SCCs), for transfers subject to EU GDPR;
- reliance on a recognised certification framework where a provider participates in one; and
- the data processing agreements and equivalent contractual commitments of our providers.
You can contact us at hello@tungstenpeople.com for more information about the safeguards in place for a particular transfer.
6. Your rights
Subject to applicable law, and in particular under the UK GDPR and EU GDPR, you have the following rights in relation to your personal data:
- Access: to be told whether we process your data and to receive a copy of it.
- Rectification: to have inaccurate or incomplete data corrected.
- Erasure: to ask us to delete your data in certain circumstances ("right to be forgotten").
- Restriction: to ask us to limit how we use your data in certain circumstances.
- Portability: to receive certain data in a structured, commonly used, machine-readable format, and to have it transferred to another controller where technically feasible.
- Objection: to object to processing based on our legitimate interests.
- Withdraw consent: where we rely on your consent, to withdraw it at any time, without affecting the lawfulness of processing before withdrawal.
- Complain: to lodge a complaint with a data protection supervisory authority (see below).
To exercise any of these rights, contact us at hello@tungstenpeople.com. We will respond within the time limits required by applicable law (generally one month under the UK and EU GDPR). We may need to verify your identity before acting on your request. Exercising these rights is normally free of charge, although we may charge a reasonable fee or decline a request that is manifestly unfounded or excessive, as permitted by law.
If you are in the United Kingdom, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk. If you are in the EEA, you can complain to your local data protection authority. We would, however, appreciate the chance to address your concerns before you do so, so please consider contacting us first.
7. Data retention
We keep your personal data only for as long as we need it for the purposes set out in this policy.
- Account, study, and usage data: kept for as long as your account is active. After you close your account, or after a prolonged period of inactivity, we will delete or anonymise this data within 12 months, unless we are required to keep it longer for legal reasons.
- Support communications: kept for as long as needed to resolve your query and for a reasonable period afterwards (typically up to 24 months) for our records and to handle any follow-up.
- Payment and transaction records: retained by our Merchant of Record (Paddle) and by us as needed to meet accounting, tax, and other legal obligations, for the period required by applicable tax and accounting law (typically up to 7 years).
- Technical and security data: kept only for a short period needed for security, troubleshooting, and abuse prevention.
Benchmarking and analytics may be retained in an aggregated or anonymised form that no longer identifies you and is not subject to these retention limits. You can ask us to delete your account and associated personal data at any time by contacting us at hello@tungstenpeople.com.
8. Cookies and local storage
We use a minimal set of cookies and browser storage, and we do not use advertising or cross-site tracking technologies.
- Essential sign-in and session cookies: strictly necessary to log you in and keep you securely signed in. These are required for the Service to function and do not require consent.
- Display preferences: we store your preferences, such as theme and currency, in your browser so the Service remembers your settings. This information stays in your browser and is used only to provide your chosen preferences.
Because we use only essential and preference technologies and no tracking or advertising cookies, we do not currently display a cookie consent banner. You can clear cookies and local storage at any time through your browser settings, though doing so may affect your ability to stay logged in or to keep your preferences.
9. Security
We take the security of your personal data seriously and use reasonable technical and organisational measures designed to protect it against unauthorised access, loss, misuse, or alteration. These measures include encryption of data in transit, access controls, use of reputable infrastructure and service providers, and limiting access to personal data to those who need it.
However, no method of transmission over the internet or method of electronic storage is completely secure, and we cannot guarantee absolute security. You are responsible for keeping your account credentials confidential and for taking reasonable steps to protect your account.
10. Children
The Service is intended for adults preparing for the FRCR Part 2B examination. It is not directed at children, and we do not knowingly collect personal data from anyone under the age of 18. If you believe a person under 18 has provided us with personal data, please contact us at hello@tungstenpeople.com and we will take appropriate steps to delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, our providers, or applicable law. When we make material changes, we will update the effective date at the top of this policy and, where appropriate, notify you by email or through the Service. We encourage you to review this policy periodically.
12. Contact us
If you have any questions, requests, or concerns about this Privacy Policy or about how we handle your personal data, please contact us:
- Tungsten People (Kateryna Musaieva, a private entrepreneur (FOP) registered in Ukraine)
- Email: hello@tungstenpeople.com
This Privacy Policy is governed by the laws of Ukraine, without prejudice to any mandatory data protection rights you have under the UK GDPR, the EU GDPR, or the laws of your country of residence.