Privacy Policy

Last updated: 11 May 2026, version 2026-05-11

This Privacy Policy explains what personal data MimWise collects, why we collect it, how we use it, who we share it with, and the rights you have under the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018, the UK Data (Use and Access) Act 2024 (DUAA), the Privacy and Electronic Communications Regulations (PECR), the EU General Data Protection Regulation (EU GDPR) where applicable, and the EU Artificial Intelligence Act (Regulation (EU) 2024/1689).

In plain English

If you sign in with Google we keep your email address, the year you were born (so we know you're 18+), and the things you do on MimWise (e.g. "asked for feedback on a question"). We never store your full date of birth, your home address, your phone number, or your payment card details.

We use that activity to produce AI-generated progress summaries. When you opted in at signup we may email those summaries to you. A real human on our team has to approve any high-stakes email (for example, "you might be at risk of falling behind") before it leaves our system.

You can ask a human to review any AI suggestion, turn the marketing emails off in Settings, or delete your account and AI history in one click. Details are in Sections 5, 7 and 12 below.

1. Who we are

MimWise (“we”, “our”, “us”) is the controller for the personal data described below.

Legal entity: MimWise — company formation in progress; registered details to be published on completion
ICO registration: notification in progress; the registration number will appear here once issued
Trading domain: mimwise.co.uk

2. Data Protection contact

Data Protection lead: MimWise Privacy Team
Email: info.mimwise@gmail.com
EU Article 27 representative: Not currently appointed. We process personal data on a small scale and our processing is not the kind that triggers the EU GDPR Art. 27 threshold; we will appoint a representative if and when that changes, and we will update this page at the same time.

3. What we collect

Category	Examples	How it reaches us
Account identifiers	Email address, username, password hash, optional display name	You enter them at sign-up
Profile & preferences	Age range, country, education level, role, language, learning mode, urgency, AI tone	You enter them during onboarding
Special-category data (UK GDPR Art. 9)	`has_disability` flag, accessibility / support notes	Optional fields you fill in your profile
Learning content	Uploaded answers, exam papers, lecture slides, notes, questions, AI-generated feedback, AI tutor transcripts	You upload or generate them while using the product
Bring-your-own-key (BYOK) API keys	Encrypted credentials for Groq, Mistral, OpenAI, Google Gemini, etc.	You optionally paste them in Settings; stored encrypted at rest
Technical data	IP address (hashed), User-Agent, session ID, CSRF token, request paths	Automatically collected for security and abuse-prevention
Consent log	Timestamp, policy version, granted/revoked state, hashed IP, User-Agent	Recorded each time you accept or change cookie/privacy preferences

4. Legal basis (UK GDPR Article 6 and Article 9)

Processing purpose	Lawful basis
Creating and operating your account	Article 6(1)(b): performance of a contract
Generating AI feedback, lessons, tutor responses, grades	Article 6(1)(b): performance of a contract
Storing accessibility / disability information	Article 9(2)(a): your explicit consent. You may withdraw at any time and the field will be deleted.
Security, abuse prevention, bot detection, rate limiting, logs	Article 6(1)(f): our legitimate interests in protecting the service and our users (balancing test on file).
Non-essential cookies and analytics	Article 6(1)(a): your consent (collected via the cookie banner). PECR Reg. 6 applies.
Using your content to train or evaluate AI models	Article 6(1)(a): your explicit, opt-in consent (default off). See section 7.
Complying with legal obligations (e.g. responding to a court order)	Article 6(1)(c): legal obligation

5. Automated decision-making and profiling (UK GDPR Art. 22, UK DUAA 2024 s. 80, EU AI Act Annex III §3)

MimWise uses large language models (LLMs) to evaluate learning outcomes: it grades answers, scaffolds feedback, generates personalised explanations, and recommends what to study next. Under the EU AI Act this places MimWise in the high-risk category for education (Annex III, point 3). Under UK GDPR and the UK DUAA 2024 this is “automated decision-making” and may also be “profiling” where we adapt content to a learner profile.

What the system does: we send your answer, your preferences and (where you have opted in) your prior learning context to an LLM via one of our sub-processors. The LLM returns a structured response (rubric scores, feedback, suggested next step). A persona-based rubric (“Prof Leniency”, “Prof Precision”) adjusts tone and strictness. The model and provider used are recorded with each result.

Your rights: for any AI-generated assessment you have the right to (a) be informed it was produced by an AI system, (b) obtain meaningful information about the logic involved, (c) request human review, (d) contest the result, and (e) express your point of view. You can exercise these by clicking the “Request human review” button on any AI feedback page, or by emailing info.mimwise@gmail.com. A human reviewer will respond within 30 days.

Significance: MimWise's AI outputs are study aids and do not by themselves produce a legal or similarly significant effect. However, if an institution chooses to use MimWise grades for high-stakes assessment, the institution becomes a joint controller for that use and must put its own Art. 22 safeguards in place.

5a. Automated decision making for educational progress

MimWise periodically runs an AI process over your recent learning events (e.g. sessions completed, topics covered, time spent on feedback) to produce a written progress summary and, optionally, an email containing that summary plus a suggested next step.

Plain-English version:

An AI reads what you've done on MimWise and writes a short paragraph about it.
If the paragraph looks "high stakes" (for example, it suggests you are at risk of falling behind) a human on our team has to approve it before it can be emailed to you.
You only receive these emails if you explicitly opted in. The marketing checkbox at signup is off by default.
You can ask for a human review of any specific summary, pause the AI insights entirely, or delete your data.

How it works under the hood: we generate a ProgressInsight row from a window of your behavioural events. If the model's reported confidence is below 0.75, or the template is in our high-stakes list (e.g. risk_of_failing, recommend_paid_tier), requires_human_review = True and the corresponding AutomatedEmailDecision is held in our admin review queue until a reviewer approves it. The reviewer's identity and approval timestamp are stored alongside the decision (Art. 14 audit trail).

Your control panel:

Request human review of the most recent AI insight or any specific feedback page.
Manage marketing-email consent via the Settings page; opting out takes effect on the next dispatcher run (under 5 minutes).
Delete your account and AI history in one click; the cascade is described in Section 12.

Legal basis: we rely on legitimate interest (Art. 6(1)(f)) for the in-product display of the AI summary, and separately on consent (Art. 6(1)(a)) for sending you a marketing email about it. Because UK PECR Reg. 22 requires consent for unsolicited direct marketing by email, you can withdraw that consent at any time without affecting the rest of your account.

6. EU AI Act transparency (Article 50)

Wherever you interact with our AI tutor, AI feedback, AI-generated explanations, AI-generated voices, or AI-generated diagrams, you are interacting with an AI system, not a human. We label AI-generated outputs in the user interface. We are working on adding a machine-readable provenance signal (e.g. C2PA / watermarking) to synthetic audio and images by 2 August 2026, in line with Art. 50(2).

7. AI training (explicit opt-in)

We do not use your account, profile, content, answers or conversation history to train, fine-tune or evaluate AI models unless you have specifically opted in. The setting is found in your Account Settings (“Help improve MimWise AI”) and defaults to off. You can withdraw at any time; we will stop the processing prospectively and remove your contributions from any training pipeline that has not yet completed.

We follow the EDPB Opinion 28/2024 on AI training and the UK ICO generative-AI guidance: opt-in consent, granular control, deletion on request.

8. Retention

Data category	Retention
Account record	For as long as you have an account, then 30 days for backups
AI feedback & learning content	While the account exists, or until you delete it via `/api/user/delete-data/`
Encrypted BYOK API keys	Until you remove them or delete the account
Hashed IP / User-Agent in security logs	90 days
Consent log (Article 30 record)	6 years from last activity (UK Limitation Act 1980)
Backups	Encrypted, rolling 30-day window

9. Who we share data with (sub-processors)

We use the following processors. We have data-processing agreements with each. Transfers outside the UK rely on the UK International Data Transfer Addendum (IDTA) or UK addendum to the EU Standard Contractual Clauses, with a transfer risk assessment on file.

Processor	Purpose	Location
Railway Corp.	Application hosting, container runtime	USA (UK IDTA)
Railway Postgres / managed Postgres host	Application database, encrypted at rest (AES-256)	USA / EU (UK IDTA)
Railway Redis	Session and cache store	USA / EU (UK IDTA)
Groq Inc.	LLM inference for AI feedback (qwen3-32b et al.)	USA (UK IDTA)
Mistral AI	LLM inference	France (UK adequacy)
OpenAI, L.L.C.	Optional LLM inference where you provide your own key	USA (UK IDTA)
Google LLC (Gemini API)	Optional LLM / vision inference where you provide your own key	USA / Ireland (UK IDTA / UK adequacy)
Google LLC (gTTS, edge-tts services)	Server-side text-to-speech for AI tutor voice	USA (UK IDTA)
Gmail SMTP (Google LLC)	Outbound transactional email (verification, beta access)	USA (UK IDTA)
Spotify AB (embeds)	Optional podcast playback on marketing pages, click-to-load with consent	Sweden / EU (UK adequacy)

We do not use Google Analytics, Meta/Facebook Pixel, LinkedIn Insight, Clearbit, Apollo, HubSpot or any other marketing / lead-generation tracker. If we ever add one, we will update this list and trigger a re-consent prompt.

10. International transfers

Where personal data is transferred outside the UK we rely on:

UK adequacy decisions for EEA destinations and any other countries listed on the ICO adequacy register;
the UK International Data Transfer Addendum (IDTA) to the EU SCCs for transfers to the United States;
supplementary technical measures: encryption in transit (TLS 1.2+), encryption at rest (AES-256), hashed identifiers in logs.

11. Security

TLS 1.2+ on all traffic; HTTP Strict Transport Security with preload.
Database encrypted at rest (managed Postgres, AES-256).
BYOK API keys encrypted at the row level using Fernet (AES-128 in CBC mode with HMAC-SHA256), with the key derived from a dedicated DATA_ENCRYPTION_SALT environment secret.
Password hashing via Django's default PBKDF2-SHA256 with the project secret.
Hashed IPs and rotating audit logs.
Boot-time guards refuse to start the app in production if any cryptographic secret is left at a development default.
Content-Security-Policy, Referrer-Policy, X-Content-Type-Options, X-Frame-Options and Permissions-Policy security headers.
Multi-factor authentication for staff accounts (rolling out to all logged-in users alongside Google sign-in).

12. Your rights

You have the right to:

access the personal data we hold about you (Art. 15): use the in-app export at /api/user/export-data/;
rectify inaccurate data (Art. 16): edit your profile, or email us;
erase your data (Art. 17): use /api/user/delete-data/ or email us; we complete erasure within 30 days;
restrict processing (Art. 18);
data portability (Art. 20): the export is JSON and machine-readable;
object to processing under legitimate interests (Art. 21);
not be subject to a solely automated decision with legal or similarly significant effects (Art. 22): see section 5;
withdraw any consent at any time (cookies, AI training, optional features);
complain to the UK Information Commissioner's Office at ico.org.uk/make-a-complaint or (for EEA users) your local supervisory authority.

13. Children

MimWise is designed for learners aged 13 and over. If you are between 13 and 18, please review our policy with a parent or carer. We treat data about children with extra care in line with the ICO Age Appropriate Design Code. See our separate Children's Privacy notice for details of additional safeguards, default privacy settings and the parental consent workflow we use for under-13s where applicable.

14. Cookies and similar technologies

We use a small number of strictly-necessary cookies (CSRF token, session, NDA acknowledgement) and, only with your consent, optional analytics and functional cookies. We do not currently set marketing cookies. Manage your preferences at any time on the Cookie Preferences page.

15. Changes to this policy

We may update this policy. The version identifier at the top of this page changes whenever we make a material update. When that happens we ask you to renew your consent the next time you visit the site.

16. Contacting us & complaints

To exercise any of the rights above, or if you have questions about this policy, email info.mimwise@gmail.com. You can also complain to the UK Information Commissioner's Office.