Privacy policy

Privacy, plainly.

What we store, what we don't, who else touches your data, and how to get it back.

About Revise

Revise (revise.alltheway.ing) is developed and maintained by a one-person team as part of the alltheway.education family of educational tools for IB Diploma Programme students. This service is provided to support student learning through active recall, spaced repetition, and teacher-led classroom activities.

Our commitments to students

Student data on Revise is processed for educational purposes only. Specifically:

  • We do not show advertising to students.
  • We do not perform behavioural profiling for commercial or marketing purposes.
  • We do not sell or rent student data to third parties.
  • We do not share student data with third parties except the subprocessors listed below, who act on our behalf and only as needed to deliver the service.
  • We do not use student questions, answers, flashcards, or performance data to train artificial intelligence or machine learning models. AI providers used by Revise (notably Anthropic) are contractually prohibited from training their models on data we send via their API.
  • We collect only the personal data needed to run the educational service.

Data we collect

When you use Revise, we collect and store:

  • Identity — your first name, last name, email address, and profile photo (if any), as supplied by your Google account. We do not ask for your name separately; we read what Google sends.
  • Flashcards — the questions and answers you create.
  • Study activity — your review history, FSRS scheduling state, streaks, and creation activity.
  • AI feedback history — for cards you submit to the quality coach: the AI rating, principle, evidence, and direction line.
  • Preferences — subject and level selections, and assessment dates you add to your calendar.
  • Class membership — if you join a class via an invite code, we store the link between you and that class.
  • Cards sent for teacher review — if you opt to send a card for feedback, your teacher sees the question, answer, and the AI evaluation at the time you sent it.
  • Technical metadata — basic sign-in timestamps, request logs needed to operate the service, and (when an error occurs) crash diagnostics via Sentry.

We do not knowingly collect special-category personal data (e.g. health, religion, ethnicity). You control the content of your flashcards; please do not enter sensitive personal information.

Browser extension (flashcard capture)

Revise offers an optional Chrome extension, “Revise flashcard capture”, that lets you turn a sentence you have highlighted while reading into a flashcard. Installing it is entirely optional and it is not required to use Revise.

  • What it captures, and when. The extension reads selected text from the current tab only at the moment you click its toolbar icon. It does not track your browsing, does not read pages in the background, and does not run on web pages except to read the text you have deliberately highlighted when you click it.
  • How the text travels. The highlighted sentence is stored briefly in the browser's local extension storage and handed to the capture page on revise.alltheway.ing. It is never placed in a URL. Once the capture page receives it, the temporary copy is cleared.
  • What happens to it then. On the capture page you choose a syllabus point and ask Revise to draft a card. At that point the highlighted text and the chosen syllabus point are sent to Revise's backend, which uses Anthropic's Claude API to draft a card and grade its quality — exactly the same flow as in-app card coaching (see AI usage below). Text from cards you discard is not stored; only cards you choose to add are saved to your deck.
  • Permissions, and why. activeTab and scripting let the extension read your selection from the tab you clicked on. storage holds the selection just long enough to hand it over. The host permission for revise.alltheway.ing lets the extension open the capture page, deliver the selection to it, and check whether you are signed in.
  • No tracking. The extension contains no analytics, no advertising, and no third-party trackers, and it holds no API keys — all AI calls happen on Revise's server, never in the extension.

Age of users and minors

Revise is designed for IB Diploma Programme students, who are typically aged 16–19. Access is provided through school classes, and students sign in with their own Google accounts (commonly issued by the school).

Where schools enrol students under 16: in the school context, the school is the data controller and is responsible for obtaining any parental or guardian consent required under local law before inviting minors to the service. Revise acts as a processor on behalf of the school. Revise itself does not collect parental consent directly — schools should treat this notice as part of the information they share with parents when seeking that consent.

Where a student signs up independently (i.e. not through a school class), the student is the data controller of their own data and is responsible for confirming they are of an age at which they can lawfully consent to use the service under their local jurisdiction.

We do not knowingly collect data from children under 13. If you believe a child under 13 has created an account, please contact us and we will promptly delete the account and associated data.

Teacher and class features

Teachers can create classes and invite students via shareable codes. If you join a class, your teacher can see your study progress (card counts, review activity, streaks, AI quality ratings) and, where you choose to send a card for review, the content of that specific card. Teachers do not have routine read access to the full content of your flashcard deck unless you explicitly send cards to them. Teachers can also schedule lessons, manage exam questions, and run collaborative activities (whiteboards, card sorts, etc.) with their classes.

How we use your data

Your data is used solely to provide the flashcard, spaced-repetition, and classroom service. We use your study history to calculate optimal review intervals using the FSRS algorithm. We do not sell, rent, or share your personal data with third parties for marketing, and we do not use it to train AI models (see Our commitments to students above).

Subprocessors

We use the following third-party services to deliver Revise. Each one acts as a subprocessor and processes only the data needed for its stated purpose.

| Service | Purpose | Processing location |
|---|---|---|
| Supabase | Database, authentication, file storage, real-time collaboration | European Union (AWS eu-central-1, Frankfurt) |
| Vercel | Web hosting, edge delivery, deployment | United States (with global edge caching of static assets) |
| Google | Sign-in (OAuth) — receives your sign-in request and returns your name and email | United States |
| Anthropic | AI evaluation of flashcard quality; AI generation of teacher review suggestions. API data is not used to train models. | United States |
| OpenAI | Text-to-speech for syllabus point pronunciation. Only the syllabus point text is sent. | United States |
| Sentry | Error tracking and performance monitoring (crash diagnostics, page URLs, browser info) | European Union |
| Resend | Transactional email (bug reports, contact form, teacher invitations) | United States |
| Notion | Source of lesson content and key terms managed by the teacher. No student data is sent to Notion. | United States |
| Raindrop.io | Source of weekly featured articles, videos, podcasts. No student data is sent to Raindrop. | European Union (AWS, Frankfurt) |
| Felt | Map rendering for the Examples → Felt map feature (admin only) | United States |
| Spotify | Embedded podcast playback (Spotify's own embed terms apply) | European Union / United States |

If you have a specific question about a subprocessor or want to see the relevant Data Processing Agreement (DPA), please contact us.

Where your data is hosted

Personal data is stored exclusively in the European Union.

  • Production database — your account, flashcards, study activity, and class records are stored in Supabase's managed Postgres in the European Union (AWS eu-central-1, Frankfurt, Germany).
  • Backups — automated backups are managed by Supabase and remain in the same EU region. Retained for 7 days.
  • Error monitoring — crash diagnostics sent to Sentry are stored in Sentry's European Union region.
  • Bookmarks source — the Raindrop.io account used for curating weekly resources is hosted in the European Union (AWS, Frankfurt). No student data is sent to Raindrop.

The web application itself runs on Vercel and is delivered via Vercel's global edge network. The edge nodes cache static assets (HTML, JavaScript, CSS, images) but do not store any personal data. Compute that handles personal data (database queries, authentication, AI evaluation) runs in Vercel's primary region, not at the edge.

International data transfers

Our primary data store and error monitoring are hosted in the European Union (see Subprocessors above). However, some subprocessors are based in the United States — namely Anthropic, OpenAI, Vercel, Google, Resend, Notion, Felt, and Spotify. Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, we rely on:

  • EU–US Data Privacy Framework (and its UK extension / Swiss adequacy decision) where the receiving organisation is certified. Google, Vercel, and Anthropic are DPF-certified at the time of writing; we periodically verify this against the official DPF list.
  • Standard Contractual Clauses (SCCs) — the European Commission's 2021 modules, together with the UK International Data Transfer Addendum and Swiss-equivalent clauses — in each subprocessor's data processing agreement where adequacy or DPF certification does not cover the transfer.
  • Supplementary technical and organisational measures — encryption in transit and at rest, role-based access control, and the data-minimisation principle: we send each subprocessor only the data it needs to do its job. For example, the AI providers receive flashcard text but not your name, email, or session cookies.

Subprocessors based in the European Union (Supabase, Sentry, Raindrop) do not require transfer mechanisms because the data does not leave the EEA.

Security measures

We use the following technical and organisational measures to protect your data:

  • Encryption in transit — all traffic to revise.alltheway.ing is served over HTTPS/TLS.
  • Encryption at rest — Supabase encrypts the underlying Postgres database and storage volumes at rest.
  • Access control — database-level row-level security (Supabase RLS) restricts each user to their own data; teacher access to student data is scoped to active class memberships; one named administrator has elevated access (see Administrator access below).
  • Authentication — sign-in is delegated to Google OAuth; we never see or store your Google password.
  • Backups — managed automated backups via Supabase, in the same region as the production database.
  • Environment segregation — development, preview, and production environments are isolated. Production uses a dedicated Supabase project and a dedicated set of secrets stored in Vercel's encrypted environment-variable store. Preview deployments cannot read or write production data.
  • Strong administrator authentication — the administrator account signs in via Google OAuth and has two-step verification enabled on the underlying Google account. There is no password-based login path that bypasses this.
  • Vulnerability management — dependencies are tracked by GitHub Dependabot, which raises alerts and pull requests for known vulnerabilities. Critical and high-severity advisories are reviewed promptly. The platform is patched on a continuous basis through Vercel deployments.
  • Monitoring — Sentry captures application errors so we can fix bugs quickly; logs do not include raw flashcard content.
  • Rate limiting — AI evaluation, grading, and other endpoints are rate-limited to prevent abuse.

AI usage and automated decision-making

Revise uses AI in two main ways:

  • Flashcard quality coaching. When you submit a flashcard for evaluation, the question, answer, and related syllabus point are sent to Anthropic's Claude API. The model returns a traffic-light rating (green / amber / red), a principle from a fixed 7-rule taxonomy, an evidence quote, and a direction sentence.
  • Teacher review tools. When a teacher reviews a card you have sent them, they may use AI helpers to generate rewrite suggestions, split a bundled card into atomic cards, or re-evaluate under the latest grading rules. These tools also use Anthropic's Claude API.

In both cases, data is processed under Anthropic's privacy policy and Anthropic's API terms prohibit using API content to train Anthropic's models.

No automated decisions with legal or similarly significant effects are made. AI ratings are pedagogical signals to help you and your teacher think about card quality; they do not determine grades, school placements, or any other consequential outcome. Teachers retain full discretion over educational decisions.

Cookies and tracking

Revise uses only strictly-necessary cookies. We do not use advertising, marketing, or third-party analytics cookies, and we do not embed any third-party tracking scripts.

Specifically:

  • Authentication cookies set by our authentication provider (Supabase) to keep you signed in and to refresh your session. These are first-party, HTTP-only, secure, and same-site. Without them, you cannot sign in.
  • No analytics cookies. We do not run Google Analytics, Vercel Analytics, Plausible, PostHog, or any equivalent.
  • No advertising or social-media tracker cookies.

We also use first-party browser storage that is not a cookie:

  • Local storage — UI preferences such as theme, last-viewed tab, and planner view mode. Never sent to our servers.
  • IndexedDB and service-worker cache — used for offline study and faster loading; see “Offline data storage” below.

Because no non-essential cookies or tracking technologies are used, no consent banner is shown. If we ever introduce non-essential cookies or analytics, we will update this section and provide an appropriate consent mechanism before doing so.

Collaborative whiteboards

When you use a collaborative whiteboard, your drawings and edits are shared in real time with other participants in the session via Supabase Realtime. Whiteboard content is stored on our servers (Supabase). Teachers can control whether students can edit or only view a whiteboard.

Exam questions and lesson content

Exam questions and lesson content (including key terms) are managed by teachers and stored on our servers. Teachers control which exam questions are visible to students. Lesson data and key terms are synced from external Notion databases managed by the teacher and do not contain student personal data.

Administrator access

One named site administrator (the developer of Revise) has access to aggregated usage data including total cards created, review activity, AI costs, and streak information. This is used to monitor the health of the service and support students and teachers. The administrator may access individual records when investigating a specific support request or a suspected abuse / security incident, but does not routinely browse student flashcard content.

Offline data storage

When you start a flashcard revision session, your card data (questions, answers, and scheduling state) is cached locally on your device using IndexedDB. This allows you to continue reviewing cards if you lose your internet connection. Pending reviews are stored locally and synced to our servers automatically when your connection returns.

  • Locally cached cards are automatically deleted after 24 hours.
  • Pending reviews are removed from your device once successfully synced.
  • You can clear all local data by clearing your browser's site data.
  • If you install Revise as an app (PWA), static assets are also cached locally by a service worker for faster loading.

Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access — request a copy of the personal data we hold about you. You can self-serve this from the data export link in your settings.
  • Correction — request correction of inaccurate data. Most of your profile (name, email, level, subjects, assessment dates) is editable directly on the Settings page; for anything else, contact us.
  • Deletion — request deletion of your account and all associated data. Students can self-serve this from the Danger zone on the Settings page. Teacher and administrator accounts have dependent records and need to contact us.
  • Restriction — request that we restrict processing of your data in certain circumstances (e.g. while a complaint is being investigated). To request restriction, write to richard@geographyalltheway.com.
  • Objection — object to how we process your data, where processing is based on legitimate interests. To object, write to the same address.
  • Data portability — request your data in a structured, commonly used, machine-readable format. Use the self-service export for the standard JSON format, or contact us for a different format.
  • Withdraw consent — where processing relies on consent (rather than contract or legitimate interest), withdraw that consent at any time by writing to the address above. We will normally suggest account deletion as the most complete way to do this.

We aim to respond to all data-subject rights requests within 30 days. You also have the right to lodge a complaint with a supervisory authority — for users in the EU/EEA, your national data protection authority; for users in Switzerland, the Federal Data Protection and Information Commissioner (FDPIC); for users in the UK, the Information Commissioner's Office (ICO).

Data retention

We retain personal data only for as long as it is needed for educational purposes:

  • Active accounts — data is retained for as long as you maintain an account.
  • Inactive accounts — accounts with no sign-in for 24 months (the duration of an IB Diploma Programme course) are flagged for deletion. The user is notified by email and given 30 days to sign in and keep the account active; if there is no response, the account and associated data are deleted.
  • Class membership — when you leave a class, the membership record is removed; your own cards and study history remain in your account.
  • End of school engagement — if a school stops using Revise, the school can request bulk deletion of all student accounts associated with that school. Individual students may also choose to keep their account and continue using Revise independently after they leave the school.
  • End of academic year — Revise does not automatically delete accounts at the end of an academic year, because students typically continue revising for IB exams across two years. Schools that prefer year-end deletion can request it from the administrator.
  • Backups — Supabase-managed backups retain copies for 7 days beyond the live data, after which they are overwritten.
  • Crash diagnostics in Sentry — retained according to Sentry's default retention (typically 90 days).
  • On request — you can ask us to delete your account and all associated data at any time (see Your rights).

Data portability and account deletion

Signed-in users can download a complete export of their personal data — including flashcards, review history, assessments, class memberships, teacher review messages, and other activity — as a single JSON file.

Students can delete their account at any time from the Settings page — look for the Danger zone at the bottom. Deletion is permanent and cannot be undone. Teacher accounts cannot be deleted self-service because they own classes and lessons that students depend on; please contact us to arrange teacher-account deletion.

Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our service, subprocessors, or applicable law. The “last updated” date below indicates when the policy was last revised. Material changes will be communicated to users via the service.

Contact

For any privacy-related questions, requests, or complaints, please contact us or write to richard@geographyalltheway.com. Revise does not have a formal Data Protection Officer at this stage, given the size of the service; the site administrator handles privacy queries directly.

Last updated: May 2026