Back to Lex Prep Lex Prep
Legal · Lex Prep

Privacy Policy

Lex Prep | Operated by Jobbit Ltd

Last updated: 23 May 2026

This privacy policy explains how Jobbit Ltd ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Lex Prep platform at lex-prep.uk (the "Platform"). Lex Prep is an SQE1 revision tool operated as a product of Jobbit Ltd, a company registered in England and Wales.

We take your privacy seriously and are committed to complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).

If you have any questions about this policy, contact us at privacy@jobbit.uk.

1. Who we are

Jobbit Ltd is the data controller for the personal data processed through the Platform.

Company name: Jobbit Ltd Company number: 14669887 Registered office: River Apartments, 20 Gillender Street, London, England, E3 3YJ Contact email: privacy@jobbit.uk

2. What data we collect

We collect only the data necessary to provide and improve the Platform. We do not collect email addresses, phone numbers, dates of birth, payment details, or any special category data.

Account data. When you register, we collect and store your chosen username and a hashed version of your password. We do not store your password in plain text. Your username may be a pseudonym; we do not require or request your real name.

Authentication data. When you log in, we generate a session token stored in your browser's local storage. This token is sent with each request via an HTTP header (not a cookie). We record the date your token was created, when it was last used, and when it expires. We also record the date and time of your most recent login.

Usage and performance data. As you use the Platform, we store data about your interactions to provide the revision features you signed up for. This includes quiz session records (subject, score, number of questions, time taken, date), individual quiz answers and whether they were correct, questions you have marked as favourites or flagged, notes you have read and when you last read them, questions you have reported as having issues (along with the category of issue and any comment you provided), flashcard progress and spaced-repetition scheduling data, user preferences and settings (such as theme choice, timer defaults, and exam dates you have entered), and blackletter rules you have saved.

Technical data processed in transit. Our server processes your IP address for rate limiting and security purposes. IP addresses are held in application memory only for the duration of the rate-limiting window (between 60 seconds and 10 minutes depending on the endpoint) and are not written to any persistent database or log file.

Cookies and local storage. The Platform currently uses browser local storage (not cookies) for authentication and preferences. We may introduce cookies in the future for essential operational purposes such as hosting infrastructure, security, or session management. Full details of what we store and how are set out in our Cookie Policy. If we introduce any cookies that require your consent under PECR, we will obtain that consent before setting them.

Data we do not collect. We do not embed any third-party analytics, advertising, tracking pixels, or social media widgets. We do not collect your real name, email address, phone number, location data, or device fingerprints. We do not process any payment or financial information through the Platform.

3. How we use your data

We use your data on the following lawful bases under UK GDPR Article 6(1):

Performance of a contract (Article 6(1)(b)). Processing your account data, authentication data, and usage data is necessary to provide you with the revision platform you registered to use. Without this processing, we cannot deliver the service.

Legitimate interests (Article 6(1)(f)). We process IP addresses in memory for rate limiting and preventing abuse. Our legitimate interest is maintaining the security and availability of the Platform for all users. We have assessed that this processing is minimal, proportionate, and does not override your rights, given that IP addresses are not stored persistently.

We do not use your data for marketing, profiling, automated decision-making, or any purpose beyond providing and securing the Platform.

4. Data storage and security

Encryption. Your data is stored in an encrypted SQLite database using AES-256 encryption via SQLCipher. The database is accessible only with a secret key that is not stored alongside the database.

Password hashing. Your password is hashed using PBKDF2 with SHA-256 before storage. We cannot read or recover your password.

Session tokens. Authentication tokens are generated using 32 bytes of cryptographically secure random data. Tokens expire after 30 days and can be revoked at any time (for example, when you change your password).

Hosting. The Platform is hosted on Fly.io infrastructure. Fly.io's data centres are located in various regions. Your data may be stored or processed outside the UK, but Fly.io operates under terms that include appropriate safeguards for international data transfers. Where data is transferred outside the UK, we ensure that adequate protection is in place through standard contractual clauses or equivalent mechanisms recognised under UK data protection law.

Access controls. The Platform uses origin-checking on mutating API requests to prevent cross-site request forgery. Rate limiting is applied to authentication endpoints to prevent brute-force attacks.

Retention. We retain your account and usage data for as long as your account exists. If you request deletion of your account, we will delete all personal data associated with it within 30 days.

5. Data sharing

We do not sell, rent, trade, or otherwise share your personal data with any third party.

Your data may be disclosed only in the following limited circumstances: where we are required to do so by law, regulation, or court order; or where it is necessary to protect our legal rights or the safety of our users.

We do not use any third-party data processors for the processing of your personal data on the Platform. There are no third-party analytics, advertising networks, or tracking services embedded in the Platform.

6. International transfers

The Platform is hosted on Fly.io, which may process data in data centres outside the United Kingdom. Where personal data is transferred outside the UK, we rely on appropriate safeguards such as the International Data Transfer Agreement (IDTA) or standard contractual clauses approved by the Information Commissioner's Office (ICO) to ensure your data receives an adequate level of protection.

7. Your rights

Under UK GDPR, you have the following rights in relation to your personal data:

Right of access. You can request a copy of the personal data we hold about you.

Right to rectification. You can update your username and password through the settings panel in the Platform. If you believe any other data we hold about you is inaccurate, contact us and we will correct it.

Right to erasure. You can request that we delete your account and all associated data. Contact us at privacy@jobbit.uk and we will process your request within 30 days.

Right to restriction of processing. You can request that we restrict the processing of your personal data in certain circumstances.

Right to data portability. You can request a copy of the data you have provided to us in a structured, commonly used, and machine-readable format.

Right to object. You can object to processing based on legitimate interests. If you object, we will stop processing your data unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent. Where processing is based on consent, you can withdraw it at any time. However, we do not currently rely on consent as a lawful basis for any processing.

To exercise any of these rights, contact us at privacy@jobbit.uk. We will respond within one month as required by law. If your request is complex or we receive a large number of requests, we may extend this by a further two months, but we will inform you if this is the case.

If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

ICO website: https://ico.org.uk ICO helpline: 0303 123 1113

8. Children

The Platform is designed for individuals preparing for the Solicitors Qualifying Examination (SQE1). We do not knowingly collect data from children under the age of 18. If you are under 18, please do not register for an account. If we become aware that we have collected data from a child under 18, we will take steps to delete that data promptly.

9. Changes to this policy

We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.

If we make changes that materially affect how we process your personal data, we will notify you through the Platform before the changes take effect.

10. Contact

If you have any questions, concerns, or requests relating to this privacy policy or your personal data, contact us at:

Email: privacy@jobbit.uk Jobbit Ltd, River Apartments, 20 Gillender Street, London, England, E3 3YJ