Privacy Policy

Last updated: 23 May 2025

1. Introduction

Surgri ("we", "us", "our") is committed to protecting the privacy of all users. This Privacy Policy explains how we collect, use, store and share your personal data when you use the Surgri question‑bank and study platform (the "Service"). It also describes your rights under the EU and UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018.

2. Who we are

Surgri is owned and operated by O Asmar, a plastic surgery trainee in the UK.

3. Data we collect

  • Account data — name, e‑mail address, encrypted password, authentication tokens.
  • Profile data — your self‑reported stage of training, specialty interests and other optional details you choose to add.
  • Usage data — question responses, scores, feedback ratings, progress metrics, time‑on‑page and other interaction logs.
  • Technical data — IP address, browser type/version, device identifiers, operating system, referral URL, and cookie / local‑storage identifiers.
  • Support correspondence — e‑mails and messages you send to our support channels.

4. How & why we use your data

PurposeTypes of dataLegal basis (GDPR)
Provide and secure the Service Account, Profile, Usage, Technical Art. 6(1)(b) — contract
Art. 6(1)(f) — legitimate interests (security)
Personalised learning analytics & progress tracking Usage, Profile Art. 6(1)(b) — contract
Service e‑mails (password reset, transactional notices) Account Art. 6(1)(b) — contract
Product updates, news & marketing (optional) Account Art. 6(1)(a) — consent (you may opt‑out at any time)
Research, audit & quality improvement using anonymised data Usage, Profile (de‑identified) Art. 6(1)(f) — legitimate interests

5. Anonymised data & research

We may aggregate and anonymise performance metrics and feedback to evaluate learning outcomes and inform educational research. Data are irreversibly de‑identified before analysis, and no individual can be recognised in any publication or presentation.

6. Cookies & tracking

We use essential cookies to keep you signed in and to remember your preferences. We also set limited analytics cookies to understand how users navigate the platform. You can control cookies via your browser settings. Blocking some cookies may impact site functionality.

7. Data sharing

We never sell your personal data. We share it only with trusted third‑party processors who help us run the Service — for example, Heroku (hosting) and Mailgun (transactional e‑mail). Each processor is bound by a data‑processing agreement that meets GDPR requirements.

8. International transfers

Our primary servers are located in the European Economic Area (EEA). Where we transfer data to the United States (e.g. Heroku, Mailgun), we rely on the EU Standard Contractual Clauses and supplementary safeguards to protect your information.

9. Data retention

We keep account data for as long as your account is active. If you delete your account, personal identifiers are erased within 30 days and backups within a further 30 days. Anonymised analytic data may be retained indefinitely.

10. Your rights

You have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate data;
  • request erasure, restriction or object to processing;
  • data portability;
  • withdraw consent at any time (for consent‑based processing);
  • lodge a complaint with the UK Information Commissioner’s Office (ICO).

11. Security

We employ industry‑standard security measures: HTTPS/TLS, encryption in transit and at rest, role‑based access controls, routine vulnerability scanning and staff training. No internet transmission is 100% secure, but we work continuously to protect your data.

12. External links

Surgri may contain links to external websites. We have no control over the content or privacy practices of those sites and accept no responsibility for them.

13. Changes to this policy

We may update this Privacy Policy from time to time. Significant changes will be notified via the Service or by e‑mail. Please review the policy regularly to stay informed.

14. Contact us

If you have any questions about this policy or your data, please e‑mail privacy@surgri.com.