Privacy Policy

Last updated: April 24, 2026

This Privacy Policy describes how cueball (“cueball”, “we”, “us”, or “our”) collects, uses, stores, and shares information about you when you access or use the cueball platform at cueball.ai (the “Service”). By using the Service you agree to the practices described in this policy. If you do not agree, you must not use the Service.

Please read this policy carefully. It contains important information about your rights and our obligations.

1. Who we are

cueball is operated by cueball Ltd, a company registered in England and Wales. We are the data controller for personal data processed in connection with the Service. You can contact us at privacy@cueball.ai.

2. Data we collect

We collect the following categories of personal data, depending on how you interact with the Service:

2.1 Data you provide to us

  • Account data: your email address, display name, password (stored as a bcrypt hash — we never see your plaintext password), optional avatar image, job title, and bio.
  • Payment data: billing name, billing address, and card details. Card details are processed and stored exclusively by Stripe, Inc. We receive only a non-sensitive token and the last four digits of your card number.
  • Enterprise data: company name, contact name, job title, number of seats, and team member email addresses submitted via the enterprise quote or setup flow.
  • Communications: messages sent to us via the contact form, email, or any other channel, including the content of those messages and any attachments.
  • Newsletter: your email address if you subscribe to the cueball Weekly newsletter.

2.2 Data we collect automatically

  • Learning data: courses enrolled, lessons completed, quiz answers and scores, lab submissions and results, XP earned, streak history, and certificate issuances.
  • Usage data: pages and features accessed, clickstream data, session duration, and device interactions.
  • Technical data: IP address, browser type and version, operating system, device type, screen resolution, referring URL, and timezone.
  • Log data: server logs recording requests made to our infrastructure, including timestamps and response codes.
  • Cookie data: see Section 9 for full details.

2.3 Data from third parties

  • Social login: if you sign in with Google, we receive your name and email address from Google in accordance with your Google account permissions.
  • Payment provider: Stripe may share billing status, dispute information, and fraud signals with us to operate the subscription service.

3. How we use your data

We use personal data for the following purposes:

  • Providing the Service: creating and managing your account, authenticating you, delivering course and lab content, tracking progress, issuing certificates, and operating all platform features.
  • Processing payments: managing your subscription, processing transactions via Stripe, handling refund requests, and preventing fraud.
  • Transactional communications: sending account verification emails, password reset links, payment receipts, subscription renewal notifications, streak reminders (if enabled), and service announcements.
  • Marketing communications: sending the cueball Weekly newsletter and promotional emails, but only with your explicit consent. You can withdraw consent and unsubscribe at any time.
  • Product improvement: analysing aggregate and anonymised usage data to understand how the platform is used, identify bugs, prioritise new features, and improve the overall experience.
  • Safety and security: detecting, investigating, and preventing fraudulent transactions, abuse, unauthorised access, and other malicious or illegal activities.
  • Legal obligations: complying with applicable laws, regulations, and lawful requests from public authorities, including tax and financial reporting requirements.
  • Dispute resolution: establishing, exercising, and defending legal claims.

We will not use your personal data for any purpose that is materially different from those described above without first obtaining your consent, where required by law.

If you are in the European Economic Area (EEA) or United Kingdom, we rely on the following legal bases to process your personal data:

  • Contract performance (Art. 6(1)(b)): processing necessary to provide the Service, including account management, course delivery, and billing.
  • Legitimate interests (Art. 6(1)(f)): product analytics, fraud prevention, security monitoring, and improving the Service, where our interests are not overridden by your data protection rights.
  • Consent (Art. 6(1)(a)): sending marketing emails and the newsletter. You may withdraw consent at any time without affecting the lawfulness of prior processing.
  • Legal obligation (Art. 6(1)(c)): retaining billing records and responding to lawful requests from competent authorities.

5. Sharing and sub-processors

We do not sell, rent, or trade your personal data. We share data only in the following circumstances:

5.1 Service providers (sub-processors)

We engage the following third-party sub-processors who access personal data solely to perform services on our behalf and are bound by data processing agreements:

  • Supabase, Inc. — database hosting, authentication, and real-time infrastructure. Data stored on servers in the EU.
  • Stripe, Inc. — payment processing and subscription management. Subject to Stripe's own privacy policy.
  • Resend, Inc. — transactional and marketing email delivery.
  • Anthropic, PBC — AI model API used for AI-generated features. Requests may include content you submit to AI features but are not used to train Anthropic's models under our API agreement.
  • Vercel, Inc. — platform hosting and edge network infrastructure.

5.2 Legal and safety disclosures

We may disclose your data to law enforcement, regulators, or other third parties when we believe in good faith that such disclosure is necessary to: (a) comply with applicable law or a legal process; (b) protect the rights, property, or safety of cueball, our users, or the public; or (c) detect, prevent, or address fraud, security, or technical issues.

5.3 Business transfers

If cueball is involved in a merger, acquisition, restructuring, or sale of all or part of its assets, your personal data may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on the Service before your data is transferred and becomes subject to a different privacy policy.

5.4 Enterprise admins

If your account is covered by an enterprise subscription, the enterprise account owner (your organisation) can see your name, email, and aggregate learning progress for their team. They cannot see your quiz answers, individual lesson progress, or personal communications with cueball.

6. International data transfers

cueball is based in the United Kingdom. Your data may be processed in the United States and other countries where our sub-processors operate. When we transfer personal data from the UK or EEA to countries not deemed adequate by the UK ICO or the European Commission, we ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission or UK ICO.
  • Adequacy decisions where applicable.
  • Data Processing Agreements with all sub-processors.

You may request a copy of the relevant safeguards by contacting us at privacy@cueball.ai.

7. Data retention

We retain your personal data for as long as necessary to provide the Service and to fulfil the purposes set out in this policy. Specific retention periods:

  • Account data: retained for the lifetime of your account and deleted or anonymised within 30 days of account deletion.
  • Learning data (progress, XP, streaks): retained for the lifetime of your account and deleted within 30 days of account deletion.
  • Certificate records: retained indefinitely so that certificate verification links remain functional even after account deletion.
  • Billing and payment records: retained for 7 years from the date of transaction, as required by UK tax law.
  • Server and access logs: retained for 90 days for security and debugging purposes, then deleted.
  • Support communications: retained for 3 years from the date of last contact.
  • Newsletter subscribers: retained until you unsubscribe. Suppression records (to honour unsubscribe requests) retained indefinitely.

After the applicable retention period, data is either securely deleted or irreversibly anonymised.

8. Your rights

Depending on your location, you have the following rights in relation to your personal data. To exercise any of these rights, contact us at privacy@cueball.ai. We will respond within 30 days (or within the timeframe required by applicable law).

  • Right of access (Art. 15 GDPR): request a copy of the personal data we hold about you.
  • Right to rectification (Art. 16 GDPR): request correction of inaccurate or incomplete data.
  • Right to erasure (Art. 17 GDPR): request deletion of your personal data, subject to certain legal exceptions (e.g. we must retain billing records).
  • Right to restriction (Art. 18 GDPR): request that we restrict processing of your data in certain circumstances.
  • Right to data portability (Art. 20 GDPR): receive your personal data in a structured, commonly used, machine-readable format.
  • Right to object (Art. 21 GDPR): object to processing based on legitimate interests, including profiling. We will cease processing unless we can demonstrate compelling legitimate grounds.
  • Rights related to automated decisions (Art. 22 GDPR): we do not make solely automated decisions that have a legal or similarly significant effect on you.
  • Right to withdraw consent: where processing is based on consent (e.g. newsletter), you may withdraw at any time without affecting lawfulness of prior processing. Use the unsubscribe link in any email or contact us.

We may ask you to verify your identity before acting on a request. We will not charge a fee unless a request is manifestly unfounded or excessive.

9. Cookies and tracking

We use cookies and similar technologies (local storage, session storage) to operate the Service. Cookies are small text files placed on your device.

Categories of cookies we use:

  • Strictly necessary: session and authentication cookies required for you to log in and use the Service. These cannot be disabled without breaking core functionality.
  • Functional: cookies that remember your preferences such as theme and notification settings.
  • Analytics: anonymised data on pages visited, features used, and session duration to help us improve the Service. We use privacy-respecting analytics tools and do not share raw analytics data with advertisers.

We do not use advertising or tracking cookies. We do not serve targeted advertising of any kind.

You can control or delete cookies through your browser settings. Disabling strictly necessary cookies will prevent you from logging in. Most browsers allow you to refuse all cookies or only certain types.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against accidental loss, destruction, alteration, unauthorised disclosure, or access. These measures include:

  • All data in transit is encrypted using TLS 1.2 or higher.
  • All data at rest is encrypted using AES-256 or equivalent.
  • Passwords are hashed using bcrypt with a work factor of at least 12.
  • Access to production data is restricted to authorised personnel on a need-to-know basis.
  • Row-level security is enforced at the database level.
  • Payment card data is never stored on cueball systems — it is handled entirely by Stripe.

Despite these measures, no method of transmission or storage is 100% secure. We cannot guarantee absolute security. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay as required by applicable law.

11. Children's privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from anyone under 16. If you are a parent or guardian and believe your child has provided us with personal data without your consent, please contact us at privacy@cueball.ai and we will delete such data promptly.

The Service may contain links to third-party websites, products, or services. These links are provided for convenience only. We have no control over, and are not responsible for, the privacy practices or content of those third parties. We encourage you to review the privacy policies of any third-party sites you visit.

13. AI features and your data

Some features of the Service use AI models provided by Anthropic, PBC via their API. When you interact with AI-powered features, the content you submit (e.g. prompts, lab answers) may be sent to Anthropic's API for processing.

Under our API agreement with Anthropic, your data is not used to train their models. API requests and responses are processed ephemerally and are subject to Anthropic's API data handling policies.

AI-generated outputs are for educational and informational purposes only. cueball is not responsible for the accuracy, completeness, or suitability of any AI-generated content. Do not rely on AI outputs for professional, legal, medical, or financial decisions.

14. Do Not Track

Some browsers transmit “Do Not Track” (DNT) signals. We honour DNT signals by not placing analytics cookies on your device when a DNT signal is detected. Strictly necessary cookies (authentication) are still placed regardless of DNT as they are essential to the Service.

15. California residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) grants you the following additional rights:

  • Right to know: you may request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months, the categories of sources, the business or commercial purpose for collection, and the categories of third parties with whom we share the information.
  • Right to delete: you may request deletion of your personal information, subject to certain exceptions.
  • Right to correct: you may request correction of inaccurate personal information.
  • Right to opt out of sale / sharing: we do not sell or share personal information for cross-context behavioural advertising.
  • Right to limit use of sensitive information: we do not use sensitive personal information beyond what is necessary to provide the Service.
  • Right to non-discrimination: we will not discriminate against you for exercising any of your CCPA rights.

To exercise these rights, contact us at privacy@cueball.ai. You may also designate an authorised agent to make requests on your behalf. We may require verification of your identity and, for agent requests, proof of the agent's authority.

16. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. The “Last updated” date at the top indicates when the policy was last revised.

For material changes — those that significantly affect your rights or the way we use your data — we will provide notice via email to the address associated with your account and/or a prominent notice on the Service at least 14 days before the change takes effect. Non-material clarifications may be made without prior notice.

Continued use of the Service after the effective date of any change constitutes your acceptance of the revised policy. If you do not agree to the revised policy, you must stop using the Service.

17. Contact & complaints

For questions, concerns, or requests relating to this Privacy Policy, contact our data privacy team:

  • Email: privacy@cueball.ai
  • Post: Data Protection Officer, cueball Ltd, London, United Kingdom

If you are in the UK or EEA and are not satisfied with our response, you have the right to lodge a complaint with your local supervisory authority. In the UK this is the Information Commissioner's Office (ICO) at ico.org.uk. In the EU, contact your national data protection authority.