Privacy Policy
Lex Prep | Operated by Jobbit Ltd
Last updated: 13 June 2026
This privacy policy explains how Jobbit Ltd ("we", "us", "our") collects, uses, stores, and protects your personal data when you use the Lex Prep platform at lex-prep.uk (the "Platform"). Lex Prep is an SQE1 revision tool operated as a product of Jobbit Ltd, a company registered in England and Wales.
We take your privacy seriously and are committed to complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
If you have any questions about this policy, contact us at [email protected].
1. Who we are
Jobbit Ltd is the data controller for the personal data processed through the Platform.
Company name: Jobbit Ltd Company number: 14669887 Registered office: 124 City Road, London, EC1V 2NX Contact email: [email protected]
2. What data we collect
We collect only the data necessary to provide and improve the Platform. We do not collect phone numbers, dates of birth, location data, device fingerprints, or any special category data. Payment card details are handled directly by Stripe and never reach our servers (see Payment data below).
Account data. When you register, we collect and store your chosen username and a hashed version of your password. We do not store your password in plain text. Your username may be a pseudonym; we do not require or request your real name.
Email data. We collect your email address at registration. We use it to send you a verification link, to send password-reset links when you request one, and to contact you about your account or material changes to the Platform. Email verification is required before you can log in. Your email is stored within our encrypted database and is never shared with third parties for marketing.
Authentication data. When you log in, we generate a session token and store it in your browser. If you choose "Remember this device" at login, the token and a small cached record of your account (your user id, username, plan tier, and whether you have finished onboarding) are kept in your browser's local storage so you stay signed in across visits. If you do not choose it, the same values are kept in session storage only and are cleared when you close the tab. The token is sent with each request via an HTTP header (not a cookie). We record the date your token was created, when it was last used, and when it expires. We also record the date and time of your most recent login. For password reset and email verification we generate short-lived single-use tokens that are stored against your account until used or expired.
Payment data. If you subscribe to a paid plan, payment is processed by Stripe Payments Europe Limited ("Stripe"). Card details and billing address are submitted directly to Stripe through their hosted checkout page. They never reach our servers. After a successful checkout we store only the opaque Stripe customer identifier and subscription identifier needed to match Stripe's webhook events to your account. Stripe is an independent data controller in respect of payment information and is governed by its own privacy notice at https://stripe.com/privacy.
Usage and performance data. As you use the Platform, we store data about your interactions to provide the revision features you signed up for. This includes quiz session records (subject, score, number of questions, time taken, date), individual quiz answers and whether they were correct, questions you have marked as favourites or flagged, notes you have read and when you last read them, questions you have reported as having issues (along with the category of issue and any comment you provided), flashcards you have created (front, back, subject, timestamps, only ever visible to you), user preferences and settings (such as theme choice, timer defaults, and exam dates you have entered), and blackletter rules you have saved.
Leaderboard. The Platform has a leaderboard that shows your username alongside your quiz performance and score to other signed-in users. You can turn this off in your settings: if you opt out, your entry is shown without your username and cannot be linked back to you, and accounts that have been banned are never shown. The leaderboard is provided so you can compare your progress with other users, and you can opt out at any time.
Technical data processed in transit. Our server processes your IP address for rate limiting and security purposes. For rate-limiting, IP addresses are held in application memory only for the duration of the rate-limiting window (between 60 seconds and 10 minutes depending on the endpoint) and are not written to any persistent database in that form.
Access and security logs. We log question-bearing API calls to protect the security and integrity of the Platform. We use these logs to detect bulk scraping of our content, to detect account sharing and multi-account abuse (for example, an unusual number of distinct network addresses using a single account), and for administrative activity and security monitoring. Each record contains your user identifier, the endpoint called, the number of questions returned, the timestamp, and one-way salted hashes of your IP address and user-agent string. We do not store the raw IP address or user-agent string. Records are retained for 30 days and then deleted automatically at server startup.
Content watermarking. Each question we serve to you carries a per-account HMAC tag computed from your account identifier and a server-side secret. The tag is invisible and is not used to track your activity across the Platform. It lets us identify the source account if Platform content surfaces elsewhere.
Cookies and local storage. The Platform currently uses your browser's local storage and session storage (not cookies) for sign-in and for your preferences. Session storage also holds short-lived items such as a session-only sign-in (when you do not choose to be remembered) and one-off interface notices. We may introduce cookies in the future for essential operational purposes such as hosting infrastructure, security, or session management. Full details of everything we store in your browser are set out in our Cookie Policy. If we introduce any cookies or similar storage that require your consent under PECR, we will obtain that consent before setting them.
Data we do not collect. We do not embed any third-party analytics, advertising, tracking pixels, or social media widgets. We do not collect your real name, phone number, location data, or device fingerprints. We do not store payment card numbers, CVV codes, or any other card data on our servers.
3. How we use your data
We use your data on the following lawful bases under UK GDPR Article 6(1):
Performance of a contract (Article 6(1)(b)). Processing your account data, authentication data, and usage data is necessary to provide you with the revision platform you registered to use. Without this processing, we cannot deliver the service.
Legitimate interests (Article 6(1)(f)). We process IP addresses in memory for rate limiting and preventing abuse. We also maintain access and security logs (with one-way hashed IP and user-agent values), which we use to detect bulk scraping, to detect account sharing and multi-account abuse, and for administrative security monitoring, and we apply per-account watermarks to question content so that bulk redistribution of our content can be detected and traced. Our legitimate interest is maintaining the security, integrity, and commercial viability of the Platform for all users. We have assessed that this processing is minimal, proportionate, and does not override your rights, given that raw IP addresses are not persisted, hashed log records are retained for only 30 days, and the watermark is not used to track your activity across the Platform.
We do not use your data for marketing, profiling, automated decision-making, or any purpose beyond providing and securing the Platform.
4. Data storage and security
Encryption. Your data is stored in an encrypted SQLite database using AES-256 encryption via SQLCipher. The database is accessible only with a secret key that is not stored alongside the database.
Password hashing. Your password is hashed using PBKDF2 with SHA-256 before storage. We cannot read or recover your password.
Session tokens. Authentication tokens are generated using 32 bytes of cryptographically secure random data. Tokens expire after 30 days and can be revoked at any time (for example, when you change your password).
Hosting. The Platform is hosted on Fly.io infrastructure. Fly.io's data centres are located in various regions. Your data may be stored or processed outside the UK, but Fly.io operates under terms that include appropriate safeguards for international data transfers. Where data is transferred outside the UK, we ensure that adequate protection is in place through standard contractual clauses or equivalent mechanisms recognised under UK data protection law.
Access controls. The Platform uses origin-checking on mutating API requests to prevent cross-site request forgery. Rate limiting is applied to authentication endpoints to prevent brute-force attacks.
Retention. Different categories of data are retained for different periods:
- Account data, email, and usage data are retained for as long as your account exists. If you request deletion of your account, we will delete all personal data associated with it within 30 days.
- Session tokens expire automatically 30 days after creation and are invalidated immediately when you log out or change your password.
- Email verification and password reset tokens are single-use, expire one hour after issue, and are cleared on use.
- Anti-scrape access logs are retained for 30 days and then automatically deleted.
- Payment records held by Stripe are retained by Stripe under their own retention schedule (see https://stripe.com/privacy). We retain only the opaque Stripe customer and subscription identifiers needed to match subscription events to your account.
5. Data sharing
We do not sell, rent, trade, or otherwise share your personal data with any third party for marketing or advertising purposes.
Your data may be disclosed only in the following limited circumstances: where we are required to do so by law, regulation, or court order; where it is necessary to protect our legal rights or the safety of our users; or where it is necessary for us to provide the Platform through the sub-processors listed below.
We use the following sub-processors to operate the Platform. Each sub-processor only receives the minimum personal data needed for its role and is bound by its own data-protection obligations under contract or under the applicable terms of service.
| Sub-processor | Role | Location | Data shared | Their policy |
|---|---|---|---|---|
| Fly.io (Hydroxide Holdings, Inc.) | Application hosting and persistent storage | United States, with the application running in the London region | All Platform data at rest and in transit, in encrypted form | https://fly.io/legal/privacy-policy/ |
| Cloudflare, Inc. | DNS resolution for lex-prep.uk | United States and global edge | DNS query metadata only (the domain looked up and the resolver's network address). HTTP traffic is not routed through Cloudflare, so it does not receive your request headers or page content. | https://www.cloudflare.com/privacypolicy/ |
| Stripe Payments Europe Limited | Payment processing for subscriptions | Ireland and the United States | Email address, billing details you provide to Stripe at checkout, and subscription events. Card numbers are submitted to Stripe directly and are not received by us. | https://stripe.com/privacy |
| Resend (Resend, Inc.) | Delivery of transactional email (verification, password reset, account notifications) | United States | Recipient email address and the contents of the transactional message | https://resend.com/legal/privacy-policy |
There are no third-party analytics, advertising networks, or tracking services embedded in the Platform.
6. International transfers
Some of our sub-processors are based outside the United Kingdom. Fly.io, Cloudflare, and Resend are US-based. Stripe is based in Ireland with operations in the United States.
For transfers to the United States, we rely on one of the following safeguards, depending on the sub-processor:
- the UK Extension to the EU-US Data Privacy Framework (the "UK-US Data Bridge"), which took effect on 12 October 2023 and applies where the US recipient is certified to the Data Privacy Framework;
- the International Data Transfer Agreement (IDTA) issued by the Information Commissioner's Office; or
- the UK Addendum to the European Commission's standard contractual clauses.
For transfers within the European Economic Area (for example, to Stripe Payments Europe Limited in Ireland), we rely on the UK's adequacy decision in respect of the EEA.
Transfers are limited to what is needed to operate the Platform: hosting your encrypted account and usage data (Fly.io), resolving the lex-prep.uk domain name (Cloudflare), processing subscription payments (Stripe), and delivering transactional emails (Resend).
7. Your rights
Under UK GDPR, you have the following rights in relation to your personal data:
Right of access. You can request a copy of the personal data we hold about you.
Right to rectification. You can update your username and password through the settings panel in the Platform. To update your email address or correct any other data we hold about you, contact us at [email protected] and we will correct it.
Right to erasure. You can request that we delete your account and all associated data. Contact us at [email protected] and we will process your request within 30 days.
Right to restriction of processing. You can request that we restrict the processing of your personal data in certain circumstances.
Right to data portability. You can request a copy of the data you have provided to us in a structured, commonly used, and machine-readable format.
Right to object. You can object to processing based on legitimate interests. If you object, we will stop processing your data unless we can demonstrate compelling legitimate grounds.
Right to withdraw consent. Where processing is based on consent, you can withdraw it at any time. However, we do not currently rely on consent as a lawful basis for any processing.
To exercise any of these rights, contact us at [email protected]. We will respond within one month as required by law. If your request is complex or we receive a large number of requests, we may extend this by a further two months, but we will inform you if this is the case.
If you are not satisfied with how we handle your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
ICO website: https://ico.org.uk ICO helpline: 0303 123 1113
8. Children
The Platform is designed for individuals preparing for the Solicitors Qualifying Examination (SQE1). We do not knowingly collect data from children under the age of 18. If you are under 18, please do not register for an account. If we become aware that we have collected data from a child under 18, we will take steps to delete that data promptly.
9. Changes to this policy
We may update this privacy policy from time to time. When we do, we will update the "Last updated" date at the top of this page. We encourage you to review this policy periodically.
If we make changes that materially affect how we process your personal data, we will notify you through the Platform before the changes take effect.
10. Contact
If you have any questions, concerns, or requests relating to this privacy policy or your personal data, contact us at:
Email: [email protected]
Post: Jobbit Ltd, 124 City Road, London, EC1V 2NX