Privacy Policy
Last updated: 3 May 2026
1. Who We Are
SuperStudies Ltd (Company Number: 16694082) is the data controller responsible for your personal data. Registered office: 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
Email: admin@superstudies.co.uk
2. Data We Collect
We collect the minimum data necessary to deliver Sohamlab. We use passwordless authentication — no passwords are ever created or stored on our systems. We do not ask for date of birth at signup; you only confirm you are 18 or over and have read these terms.
- Account data: name, email address, account type (practitioner / parent), Firebase user ID, the timestamp of your 18+/Terms attestation
- Profile data: tradition affiliation (optional), practice preferences, daily-rhythm preferences — all optional and entered after signup
- Practice data: course progress, daily Aspire / Reject / Surrender entries, journal reflections, AI Companion conversation history, lived-event log entries
- Sensitive practice data (handled separately under §6): birth-chart inputs, Karmic Genome model, astrological surface data
- Payment data: processed by Stripe — we do not store card numbers, only a Stripe customer reference, your subscription tier, and the timestamp at which you waived your 14-day right of withdrawal
- Technical data: IP address (transient, for session security only), browser type, device information, essential cookies
No passwords stored: Authentication is handled via email magic links only. There are no passwords on our systems that could be compromised in a data breach.
3. How We Use Your Data
We use your data to:
- Provide and personalise your daily practice on the Sohamlab platform
- Power the AI Spiritual Companion and the daily Aspire / Reject / Surrender prompts contextual to your current course progress
- Compute astrological surfaces from your birth-chart inputs, refine your Karmic Genome model from your lived events, and surface daily field-quality readings
- Process subscription payments (only once paid tiers are activated — currently in Alpha there are no charges)
- For adolescent practitioner accounts only: enable parent/guardian oversight (linked parents can view practice progress and receive safeguarding alerts; not Companion conversation transcripts)
- Send service notifications, safeguarding alerts, and — only if you have opted in — a periodic practice digest
- Enforce a single-session-per-account policy: signing in on a new device automatically signs you out of any other device, to deter credential sharing
- Improve our platform and develop new features
What we do not do with your data:
- We do not sell your personal data to anyone.
- We do not use your practice data, AI Companion conversations, generated topic guides, journal entries, lived-event logs, birth-chart data, the Karmic Genome model, or any other content you create on the platform to train, fine-tune, or evaluate any AI model — neither our own models nor those of any third party. Prompts are sent to AI providers only to generate responses for you, and are subject to those providers' standard data-handling terms (see §7).
- We do not use your data for advertising or to build advertising profiles.
- We do not share your data with data brokers.
- We do not log surveillance metrics — no session length, mouse movements, scroll depth, or engagement signals beyond what's needed to render your practice surfaces.
4. Lawful Basis for Processing
We rely on the following lawful bases under UK GDPR:
- Contract: processing necessary to provide the Service
- Legitimate interests: improving our platform, preventing fraud
- Consent: marketing communications (you may opt out at any time)
- Legal obligation: tax records, regulatory compliance
5. Children's Data
Sohamlab is primarily designed for adult practitioners. Adolescent practitioners (typically aged 13–17, accessed under a parent or guardian account) are subject to the data-minimisation and safeguarding measures below, and we follow the ICO's Age Appropriate Design Code throughout. The Karmic Genome and other astrological surfaces are reserved for adults; adolescent accounts run on a tailored practice course without the astrology layer.
- Under 13: children cannot create their own Sohamlab account. A parent or legal guardian must register first and then add the practitioner via the "Add a practitioner" flow on the parent dashboard. The parent's act of adding the child is the parental consent required under UK GDPR Article 8.
- Aged 13–17: adolescent practitioners may use Sohamlab under a parent or guardian's account. We expect the parent or guardian to be aware of the practitioner's use of the service and to oversee their practice activity.
- Data minimisation: we do not ask an adolescent practitioner for date of birth, postcode, photograph, or any data we don't strictly need to deliver their tailored practice content and keep them safe.
- Safeguarding: the AI Spiritual Companion includes automated safety filters that route any concerning content (suicidal ideation, abuse disclosure, self-harm) to an alert path. For adolescent accounts, flagged content also generates a safeguarding alert to the linked parent — see our Trust & Security page.
6. Sensitive Practice Data
Sohamlab processes specific categories of practice data that warrant explicit treatment:
- Birth-chart data. Date, time, and place of birth used to compute Vedic astrological surfaces (chart, dasha, transits, the Karmic Genome) are encrypted at rest using Fernet symmetric encryption. They are visible only to you, never shared with third parties, and never used outside the calculations they were collected for.
- Karmic Genome model. The personalised model derived from your chart and lived events is your data. We do not train shared or cross-user models on it. You can delete the model at any time without deleting your account; on account deletion, the model is purged within 24 hours with all model artefacts cleared from backups within 30 days.
- AI Companion conversations. Stored against your account so the Companion can hold context across sessions. Never used to train, fine-tune, or evaluate AI models — the same commitment we make for all other practice content. Deleted on account deletion or earlier on request.
- Lived-event log. When you tell the Genome that something happened in your life (a job change, a loss, a breakthrough), that entry is stored encrypted and used only to refine your personal model. You can read or delete the log at any time under §9 (your rights).
- Reflections and journals. Any journal entries, reflections, or uploaded notes you add to the platform are private to your account, encrypted at rest where they contain identifying material, and never used for AI training.
We do not process special-category data under UK GDPR Article 9 (health, religion as a protected characteristic, sexuality, biometrics) unless you explicitly volunteer it inside reflective material; we treat any such voluntarily-shared material with the same encryption and deletion rules.
7. Data Sharing & Sub-processors
We do not sell your personal data. We share data only with trusted third-party processors under data processing agreements, each providing appropriate safeguards:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Google (Firebase) | Authentication & identity management | Email address, display name | EU / UK |
| Anthropic (Claude) | AI Spiritual Companion, course content drafting, daily Aspire / Reject / Surrender prompts | Practice context, anonymised prompts; never used for model training | USA (SCCs applied) |
| Google (Gemini) | AI Companion fallback, occasional generation tasks | Practice context, anonymised prompts; never used for model training | EU / UK |
| OpenAI | AI Companion fallback (provider rotation) | Practice context, anonymised prompts; never used for model training | USA (SCCs applied) |
| Stripe | Payment processing | Name, email, billing address (no card numbers stored by us) | EU / UK |
| Brevo (formerly Sendinblue) | Transactional email delivery (magic-link sign-in, safeguarding alerts, weekly digest, account notifications) | Email address, recipient name, message content | EU |
| DigitalOcean | Cloud hosting & database | All platform data (encrypted at rest) | EU / UK (London) |
| Parents / guardians | Parental oversight (adolescent practitioner accounts only) | Practice progress, safeguarding alerts; not Companion conversation transcripts | N/A |
SCCs = Standard Contractual Clauses (EU mechanism for lawful data transfer to non-adequate countries). We review sub-processor agreements annually.
8. Data Retention
We retain your data for as long as your account is active. If you delete your account, your personal data is removed immediately and permanently (hard delete). We retain anonymised deletion audit records for 3 years for GDPR compliance purposes — these contain no personal data.
Accounts that have been inactive for 3 years will be automatically deleted following 30 days' email notice.
Sensitive practice data (birth chart, Karmic Genome model, Companion conversation history, lived-event log, journals): retained while your account is active and accessible to you for read or delete at any time. On account deletion, all such data is purged from the live database within 24 hours; recovery-purges complete in 30 days. See §6 for full handling.
Billing and refund records (6 years): when paid subscriptions are active, we are required by HMRC and UK tax law to retain financial records — including invoice data, Stripe customer reference, subscription tier history, the timestamp of any 14-day right-of-withdrawal waiver, refund requests, refund decisions, refund amounts and Stripe refund identifiers — for 6 years from the end of the relevant accounting period. This retention applies even if you delete your account; the records are pseudonymised where possible and accessed only for tax, accounting, dispute resolution, or regulatory purposes. During the current Alpha period no charges are taken, so no billing records are generated.
9. Your Rights
Under UK GDPR you have the following rights, which you can exercise via your account or by contacting us:
- Access & Portability (Art. 15 & Art. 20) — request a complete machine-readable copy of all data we hold about you by emailing admin@superstudies.co.uk from the address on your account. We respond within 30 days, usually sooner.
- Rectification (Art. 16) — correct inaccurate data via your profile
- Erasure (Art. 17) — delete your account instantly via Account Settings (parent accounts only; all linked accounts are also deleted)
- Restrict processing — contact us to suspend processing
- Object to processing — contact us at any time
- Withdraw consent — withdraw marketing consent at any time
We will respond to all rights requests within 30 days as required by UK GDPR. Contact us at admin@superstudies.co.uk.
10. Cookies
We use only the cookies strictly necessary to deliver the service: a session cookie to keep you signed in, a CSRF token cookie to protect form submissions, a Firebase authentication cookie for the magic-link flow, and a small cookie that records your cookie-consent choice. We do not use Google Analytics, Facebook Pixel, Hotjar, Datadog, advertising trackers, or any other third-party analytics. See our Cookie Policy for the full list.
11. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (TLS), encryption at rest for sensitive fields, role-based access controls, and a passwordless sign-in flow that means there are no passwords on our systems to be compromised in a breach.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or through the platform.
13. Complaints
If you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk.