Lucid Mastery — CRISC
Privacy Policy
How Lucid Mastery collects, uses and protects your personal data, in plain language. We follow the UK GDPR and the Data Protection Act 2018.
Last updated 18 July 2026
1. Who we are
Lucid Mastery (“we”, “us”) operates Lucid Mastery — CRISC, an independent CRISC exam-preparation platform at lucidapp.co. We are the data controller for the personal data described here. For any privacy question or to exercise your rights, contact our data protection contact at ask@lucidapp.co.
2. What data we collect
- Account data — your email address and (optionally) name, so we can sign you in and sync your progress.
- Learning progress — scenarios completed, question answers, quiz and exam scores, and readiness analytics.
- Payment data — if you subscribe, your card details are collected and processed by Stripe; we never see or store full card numbers. We keep a customer reference and subscription status.
- Technical data — IP address, browser type, and device information, used for security and to keep the service reliable.
- Cookies — see our Cookie Policy. Non-essential cookies load only with your consent.
3. How we use your data, and our lawful basis
- To provide the service (authentication, saving progress) — lawful basis: contract.
- To process payments and manage subscriptions — lawful basis: contract and legal obligation.
- To improve the product through analytics — lawful basis: consent (you can decline).
- To show advertising to free-tier users — lawful basis: consent.
- To keep the service secure and prevent abuse — lawful basis: legitimate interests.
4. How long we keep it
- Learning progress & account data — retained while your account is active and for up to 2 years after your last sign-in, after which it is deleted or anonymised.
- Payment & transaction records — retained for 6 years to meet UK tax and accounting law.
- Support messages — retained for up to 2 years.
5. Who we share it with
We do not sell your personal data. We share it only with the processors below, each bound by a data-processing agreement and appropriate safeguards (such as Standard Contractual Clauses for transfers outside the UK/EU).
| Processor | Purpose | Lawful basis | Region |
|---|---|---|---|
| Supabase | Database, authentication & storage | Contract | EU (Frankfurt) |
| Stripe | Payment processing | Contract / legal obligation | EU / US (SCCs) |
| ElevenLabs | Audio narration (text-to-speech) | Contract | US (SCCs) |
| Google AdSense | Advertising (free tier only) | Consent | US (SCCs) |
| Vercel | Application hosting & delivery | Contract | EU / US (SCCs) |
6. International transfers
Some processors are based outside the UK/EU (for example in the United States). Where personal data is transferred internationally, we rely on UK-approved safeguards including Standard Contractual Clauses and the UK International Data Transfer Addendum.
7. Your rights
Under the UK GDPR you have the right to:
- Access — get a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure — ask us to delete your data (“right to be forgotten”).
- Portability — receive your data in a structured, machine-readable format.
- Restriction & objection — limit or object to certain processing, including profiling and direct marketing.
- Withdraw consent — at any time, where we rely on consent.
To exercise any of these, email ask@lucidapp.co. You can also export or request deletion of your data from your account settings. We respond within one month.
8. Complaints
If you are unhappy with how we handle your data, you can complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk. We’d appreciate the chance to resolve it first — please contact us.
9. Changes to this policy
We may update this policy from time to time. Material changes will be notified in-app or by email. The “last updated” date above always reflects the current version.
Questions about this policy? Email ask@lucidapp.co or visit our contact page.