PRIVACY POLICY

1. WHO WE ARE

PMP Warrior System Ltd (“PMPWS”, “we”, “us”) is a company incorporated in England and Wales (Company Number 17115274). We operate the PMP Warrior System platform at pmpwarriorsystem.com: an AI-powered PMP certification preparation platform.

We are the data controller for personal data collected through this website and platform. This Privacy Policy is issued by PMP Warrior System Ltd in accordance with the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (“DPA 2018”). Questions about this policy should be directed to us using the contact details in section 12.

2. WHAT DATA WE COLLECT

We collect the following categories of personal data:

• Identity data: name, email address
• Account data: password (stored in encrypted form via Netlify Identity: we never see your raw password)
• Payment data: billing information processed by Stripe. We do not store card details on our servers.
• Usage data: drill scores, domain performance, session history, question responses
• Technical data: IP address, browser type, device information, pages visited
• Cookie data: see section 8

3. HOW WE USE YOUR DATA

We use your personal data for the following purposes:

• To create and manage your subscriber account
• To deliver the platform services you have subscribed to
• To process payments and manage your subscription via Stripe
• To personalise your training content and track your progress
• To send transactional emails (account setup, password reset, subscription receipts)
• To improve the platform using aggregated, anonymised analytics
• To comply with our legal obligations

4. LEGAL BASIS FOR PROCESSING

We process personal data in accordance with Article 6 of the UK GDPR and the Data Protection Act 2018. We rely on the following legal bases:

• Contract: processing necessary to deliver the subscription service you have purchased
• Legitimate interests: analytics, platform improvement, security
• Consent: non-essential cookies and analytics (you can withdraw consent at any time)
• Legal obligation: compliance with applicable law

5. AUTOMATED DECISION-MAKING AND PROFILING

The PMP Warrior System platform uses automated processing to personalise your learning experience. This processing analyses signals from your platform activity, including your performance on drill questions, accuracy across PMP exam domains, engagement patterns, and completion data. On the basis of these signals, the platform adapts the difficulty, domain weighting, and selection of subsequent practice content presented to you.

This activity constitutes profiling under Article 4(4) of the UK GDPR. We rely on the lawful basis of contract performance under Article 6(1)(b) of the UK GDPR, as the personalised learning experience is a core feature of the subscription service you have purchased.

Your rights. Under Article 22 of the UK GDPR, where automated processing produces legal effects or similarly significantly affects you, you have the right to:

• (a) obtain human intervention in any such decision;
• (b) express your point of view in relation to any such decision; and
• (c) contest any such decision.

We do not use automated processing to make decisions about account eligibility, subscription approval, pricing, refunds, or any matter that produces legal effects or similarly significantly affects you. All such decisions involve human review. If you wish to exercise any of the rights set out above, or request further information about the logic involved in our personalisation activity, contact us using the details in section 12.

6. THIRD-PARTY SERVICES

6.1 Named Processors. We use the following third-party services that may process your data:

• Netlify: hosting and identity management (netlify.com). Data processed in accordance with their privacy policy.
• Stripe: payment processing (stripe.com). Stripe is PCI-DSS compliant. We do not store card numbers.
• Anthropic: AI question generation via the Claude API (anthropic.com). Drill questions are generated dynamically. We do not pass personal subscriber data to Anthropic APIs.
• Google Analytics: site usage analytics (analytics.google.com). We use Google Consent Mode v2. Analytics cookies are only loaded with your consent.

6.2 International Data Transfers. Some of our processors are located in the United States. When we transfer your personal data outside the United Kingdom, we rely on one or more of the following lawful transfer mechanisms under Chapter V of the UK GDPR:

(a) UK Extension to the EU-US Data Privacy Framework. Where the receiving processor is self-certified under the Data Privacy Framework and its UK Extension, the transfer is covered by the adequacy decision issued by the UK Secretary of State on 12 October 2023.

(b) UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses. Where a processor is not certified under the Data Privacy Framework, we execute the UK IDTA or the UK Addendum to the EU SCCs as the lawful transfer mechanism, together with any supplementary measures required by our transfer risk assessment.

We take reasonable steps to ensure that processors handling UK personal data maintain security standards consistent with the UK GDPR. You may request further information about our international transfer arrangements and the safeguards in place by contacting us using the details in section 12.

7. DATA RETENTION

We retain your data for as long as your account is active. If you cancel your subscription, we retain your account data for 12 months in case you wish to reactivate, then delete it unless we are required to retain it for legal or financial compliance purposes (typically 6 years for financial records under UK law).

8. COOKIES

We use the following types of cookies:

• Essential cookies: required for the platform to function (authentication, session management). These cannot be disabled.
• Analytics cookies: Google Analytics 4, used to understand how the site is used. These are only set with your consent via our cookie banner.

You can withdraw consent for non-essential cookies at any time by clearing your browser cookies and declining when the consent banner next appears.

9. YOUR RIGHTS UNDER UK GDPR

You have the following rights in relation to your personal data:

• Right of access: request a copy of the data we hold about you
• Right to rectification: request correction of inaccurate data
• Right to erasure: request deletion of your data (“right to be forgotten”)
• Right to restrict processing: request that we limit how we use your data
• Right to data portability: request your data in a portable format
• Right to object: object to processing based on legitimate interests
• Right to withdraw consent: where processing is based on consent

To exercise any of these rights, contact us using the details in section 12. We will respond within 30 days.

10. DATA SECURITY

We take reasonable technical and organisational measures to protect your data, including encrypted transmission (HTTPS), encrypted password storage, and access controls. No method of internet transmission is 100% secure. If you believe your account has been compromised, contact us immediately.

11. CHANGES TO THIS POLICY

We may update this policy from time to time. Where changes are material, we will notify subscribers by email. The effective date at the top of this page will always reflect the most recent update.

12. CONTACT

If you have questions about this policy, wish to exercise your data rights, or wish to raise a complaint:

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk if you are not satisfied with our response.