Privacy Policy

Effective Date: 4 May 2026

This page explains what personal data NextGenMedPrep collects when you use nextgenmedprep.com and our related services, why we collect it, who we share it with, and what rights you have. We've tried to write it in plain English. If anything is unclear, email contact@nextgenmedprep.com.

1. Who we are

NextGenMedPrep is a UK-based educational service providing tutoring and guidance for medicine and dentistry applicants. For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for personal data collected through this site.

Contact: contact@nextgenmedprep.com

2. What data we collect

We group the data we collect into three categories.

2.1 Strictly necessary (always on)

This is data we must collect for the site to work at all:

  • Session and authentication cookies - to keep you logged in when you use the student or tutor dashboard
  • CSRF tokens - to protect form submissions from cross-site attacks
  • Payment processing data - when you book a consultation or purchase materials, Stripe collects card details directly. We never see or store your card number.
  • Email + name - when you create an account, sign up for a free guide, or apply to join the team

Lawful basis: Necessary for the performance of a contract (Article 6(1)(b) UK GDPR), and our legitimate interest in operating a secure service (Article 6(1)(f)).

2.2 Analytics (with your consent)

We use a product analytics tool to understand how the site is used and improve it:

  • PostHog (EU region) - captures page views, button clicks, guide downloads, sign-up conversions, and similar interaction events. PostHog assigns each visitor a random distinct ID on first visit, which is pseudonymous. If you sign up for an account or download a free guide via the email gate, we link your email address to that distinct ID so we can analyse the full conversion path (this is standard product analytics practice). We do not store your full IP address - only the country code derived from it. PostHog is hosted by PostHog Inc. on infrastructure in Frankfurt, Germany.

Lawful basis: Consent (Article 6(1)(a) UK GDPR + PECR regulation 6). You can withdraw at any time using the section below.

2.3 Marketing (with your consent)

We use marketing tools to measure ad effectiveness and reach new applicants:

  • Meta (Facebook) Pixel - captures page views, conversion events (purchases, sign-ups, downloads), and creates retargeting audiences for Facebook and Instagram ads. Operated by Meta Platforms Ireland Ltd; data may be transferred to Meta Platforms Inc. in the United States under Standard Contractual Clauses.
  • Vercel Analytics - basic aggregate visitor counts and Core Web Vitals performance metrics. Vercel uses no cookies for this product, so it's arguably also lawful under legitimate interest, but we treat it as analytics for transparency.

Lawful basis: Consent (Article 6(1)(a) UK GDPR + PECR regulation 6). You can withdraw at any time.

3. Cookies and similar technologies

We use a small number of cookies and one item of browser local storage:

  • Necessary: session cookie (Supabase auth), preferences cookie (currency, accessibility settings)
  • Analytics: PostHog distinct-ID cookie + localStorage entry - only set after you grant analytics consent
  • Marketing: Meta Pixel cookies (_fbp, _fbc) - only set after you grant marketing consent
  • Consent record: we store your consent decision in browser localStorage under the key ngmp-consent-v1 for 12 months. This is functional and doesn't require its own consent under PECR.

4. Who we share data with

We share data only with the following service providers (acting as data processors on our behalf), each under a written agreement:

  • Supabase (database + authentication, EU region) - stores account data, downloads, bookings
  • Vercel (hosting + basic analytics) - serves the site, may briefly process request metadata
  • Stripe (payments) - processes card transactions
  • Resend (transactional email, EU region) - sends booking confirmations and password resets
  • Cloudflare Stream (video hosting) - delivers tutor videos
  • PostHog Inc. (analytics, EU region) - only if you grant analytics consent
  • Meta Platforms Ireland (advertising) - only if you grant marketing consent

We do not sell your data, and we do not share it with any other third party for their own marketing purposes.

5. International transfers

Most of our processors store data in the EU (Frankfurt or Dublin) under UK GDPR adequacy. The exceptions are:

  • Meta Pixel - data may be transferred to Meta Platforms Inc. in the United States. This transfer is covered by Meta's adoption of the EU-US Data Privacy Framework and Standard Contractual Clauses.
  • Stripe - payment data may briefly be processed by Stripe's US infrastructure, also under SCCs.

6. How long we keep your data

  • Account data - while your account is active, plus 6 years after closure (HMRC requirement for any associated payment records)
  • Free guide download records - 24 months
  • Analytics events (PostHog) - 12 months at full detail, then indefinite at aggregate level
  • Marketing pixel data - per Meta's retention policies (we don't control this directly)
  • Email + booking confirmations - 6 years (HMRC)

7. Your rights

Under UK GDPR you have the right to:

  • Access - get a copy of what we hold about you
  • Rectification - correct anything that's wrong
  • Erasure - ask us to delete your data (we'll honour this unless we're legally required to keep it, e.g. for HMRC)
  • Restriction - ask us to stop processing your data
  • Portability - receive your data in a machine-readable format
  • Object - object to processing based on legitimate interest
  • Withdraw consent - change your mind about analytics or marketing at any time (see section 8)
  • Complain - to the Information Commissioner's Office at ico.org.uk

To exercise any of these, email contact@nextgenmedprep.com. We'll respond within one calendar month.

8. Change your consent

You can update your analytics and marketing preferences at any time. Click below to reset your consent - the cookie banner will reappear on your next page view, and you can re-decide.


9. Children

Our service is intended for applicants to UK medical and dental schools, who are typically 16 or older. We don't knowingly collect personal data from children under 13 without explicit parental consent. If you believe we have, email us and we'll delete it promptly.

10. Security

We use HTTPS for all traffic, store passwords using industry-standard hashing (Supabase Auth), and limit access to personal data to staff who need it. We don't store card numbers or full IP addresses. No system is perfectly secure, but we take reasonable steps to protect what we hold.

11. Changes to this policy

We'll update the Effective Date above when we change this policy. For material changes (e.g., adding a new analytics tool), we'll prompt you to re-consent via the banner. For minor clarifications, we'll just update the text.

12. Contact

Questions, complaints, or requests: contact@nextgenmedprep.com
