PRIVACY POLICY

1. Data Controller Information

This Privacy Policy explains how SimsBuddy collects, uses, stores, and protects your personal information when you use our website (www.simsbuddy.com) and services, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Data Controller:
SimsBuddy
Suite A 82 James Carter Road
Mildenhall, United Kingdom, IP28 7DE
Website: www.simsbuddy.com

We are responsible for deciding how and why your personal data is processed. If you have any questions about this Privacy Policy or how we handle your personal data, please contact us using the details above.

2. Categories of Personal Data We Collect

2.1 Information You Provide Directly

When you register for an account, make a purchase, or contact us, we collect:

• Your full name
• Email address
• Account password (stored in encrypted form)
• Any additional profile information you choose to provide

2.2 Information Collected Automatically

When you use our Service, we automatically collect:

• Course access history and progress data
• AI virtual patient interaction logs and transcripts
• Questions answered and performance metrics
• Notes and bookmarks you create
• Login timestamps, IP addresses, and session duration
• Device type, browser type, and operating system
• Pages visited and features used within the platform

2.3 Payment Information

We do NOT collect or store your credit/debit card details. Payment processing is handled securely by our third-party payment processor (Stripe). We only receive: transaction confirmation, amount paid, payment method type (e.g., Visa, Mastercard), and transaction reference numbers.

3. Purposes, Legal Bases, and Retention Periods

The table below explains how we process your personal data, the legal basis for each processing activity, and how long we retain the data:

Legitimate Interests Explanation: Where we rely on legitimate interests, our interests are: (a) improving and developing our educational services; (b) protecting our platform and users from security threats and fraud; (c) understanding how users interact with our platform to enhance user experience. We have balanced these interests against your rights and determined that they do not override your fundamental rights and freedoms.

4. Automated Decision-Making and AI Processing

Our platform uses AI-powered virtual patient simulations. Here is how automated processing works:

AI Virtual Patients: When you use our AI practice features, your text inputs are processed by AI systems to generate simulated patient responses. This processing is necessary to provide the core educational service you have subscribed to. The AI does not make decisions that have legal or similarly significant effects on you - it simply provides educational simulations.

Progress Tracking: We may use automated systems to track your learning progress, calculate performance scores, and suggest areas for improvement. These are educational recommendations only and do not affect your legal rights or access to services.

You have the right to request human review of any significant automated decisions affecting you. Contact us if you have concerns about automated processing.

5. Recipients of Your Personal Data

We will NEVER sell your personal data to third parties. We share your data only with the following categories of recipients:

Payment Processor - Stripe, Inc.: Processes your payments securely. They receive transaction data but we never see your full card details. Stripe is certified to PCI Service Provider Level 1. Location: USA (with UK GDPR adequate safeguards via Standard Contractual Clauses).

Cloud Hosting Provider: Our platform is hosted on secure cloud servers. They store your data on our behalf but do not access it. Appropriate data processing agreements are in place.

AI Service Provider: Our AI virtual patient features may use third-party AI APIs. Your practice session inputs are processed to generate responses. Appropriate data processing agreements are in place to protect your data.

Analytics Services: We may use analytics services (such as Google Analytics) to understand website usage. These services collect anonymised or pseudonymised data. See our Cookie Policy for details.

Legal and Regulatory Bodies: We may share your data where required by law, court order, or to protect our legal rights. We may also share information with law enforcement if we detect fraud or illegal activity.

6. International Data Transfers

Some of our service providers are located outside the United Kingdom. When we transfer your personal data internationally, we ensure appropriate safeguards are in place:

• Transfers to countries with UK adequacy decisions (e.g., EEA countries)
• Standard Contractual Clauses (SCCs) approved by the UK ICO
• Additional technical and organisational measures where necessary

You can request a copy of the safeguards we use for international transfers by contacting us.

7. Your Rights Under UK GDPR

Under the UK GDPR, you have the following rights:

Right of Access (Article 15): You can request a copy of all personal data we hold about you, free of charge.

Right to Rectification (Article 16): You can request correction of inaccurate or incomplete personal data.

Right to Erasure (Article 17): You can request deletion of your personal data in certain circumstances (e.g., when no longer necessary for the original purpose).

Right to Restrict Processing (Article 18): You can request that we limit processing of your data in certain circumstances.

Right to Data Portability (Article 20): You can request your data in a structured, commonly used, machine-readable format.

Right to Withdraw Consent (Article 7): Where processing is based on consent, you can withdraw consent at any time. This will not affect the lawfulness of processing before withdrawal.

Rights Related to Automated Decisions (Article 22): You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise any of these rights, please contact us at simsbuddyteam@gmail.com. We will respond within one month.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (TLS/SSL) and at rest
• Secure password hashing (bcrypt or equivalent)
• Regular security assessments and penetration testing
• Access controls and role-based permissions
• Regular backups and disaster recovery procedures
• Staff training on data protection

While we implement robust security measures, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security but will notify you and the ICO of any data breach as required by law.

9. Cookies and Similar Technologies

We use cookies and similar technologies on our website. For detailed information about the cookies we use, why we use them, and how to control them, please see our separate Cookie Policy available on our website.

10. Children's Privacy

Our Service is intended for adults aged 18 and over. We do not knowingly collect personal data from children under 18. If we become aware that we have collected personal data from a child under 18, we will take steps to delete that information promptly.

11. Complaints

If you have concerns about how we handle your personal data, please contact us first so we can try to resolve your concern.

You have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: www.ico.org.uk
Telephone: 0303 123 1113

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email to registered users and by notice on our website before they take effect. We encourage you to review this Privacy Policy periodically. The "Last Updated" date at the top indicates when this policy was last revised.