Privacy Policy
Last updated: 24 April 2026
Version: v4-2026-04-24
1. Identity and Contact Details
The data controller for the APC AI Coach service is:
- Controller: Tekton Thrive FZCO
- Registered in: United Arab Emirates (FZCO)
- Data contact email: info@tektonthrive.com
- Website: https://tektonapc.com
We are subject to UAE Federal Decree-Law No. 45 of 2021 (PDPL). Because our primary market is UK and EU RICS APC candidates, we also comply with the UK GDPR (retained in UK law by the Data Protection Act 2018) and EU GDPR (Regulation 2016/679) as applicable.
2. Consent
By creating an account you consent to the processing of your personal data by the service providers described in Section 7 below. Withdrawal of consent means deletion of your account. You may request account deletion at any time via info@tektonthrive.com or through your account settings.
3. Data We Collect
Account and identity data
- Name and email address
- Password hash (if using email sign-in) or OAuth provider token
- Professional information you provide: RICS pathway, intended interview date, declared competencies
Submission content
- Uploaded PDF documents: case study, CV, Statement of Experience (SoE)
- AI-generated readiness scores, competency feedback, and gap analysis reports
- Downloadable PDF assessment reports
Interview data
- Voice audio: streamed in real time to our voice-processing provider for transcription and text-to-speech; audio is not stored on our servers after the session ends
- Interview transcripts (question/answer text pairs) retained for your progress tracking
- AI-generated interview readiness scores and assessor feedback
Payment data
- Payment card details are processed directly by our payment processor. We receive only a tokenised reference, your billing address, and transaction status. We do not store raw card numbers.
Usage and technical data
- IP address, browser type, device type, pages visited, session duration
- Login attempt records for security monitoring
- Cookie consent records (see Section 10)
4. Legal Bases for Processing (UK/EU GDPR Art. 6)
We rely on the following lawful bases:
- Contract (Art. 6(1)(b)): Account creation and management, AI analysis of your submission documents, delivery of interview practice sessions, payment processing, transactional emails (verification, password reset). Processing is necessary to deliver the service you have contracted for.
- Consent (Art. 6(1)(a)): Processing by our AI analysis providers and voice-processing provider beyond what is strictly required for the immediate service transaction. You provide this consent at registration by agreeing to this Privacy Policy. You may withdraw consent by deleting your account.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and login-attempt tracking. These are necessary to protect the service and our users and do not override your fundamental rights.
- Legal obligation (Art. 6(1)(c)): Retention of financial records for regulatory purposes (7 years), cookie consent logging.
Under UAE PDPL (Federal Decree-Law No. 45/2021), processing is conducted on the basis of your explicit consent at registration and as necessary for the performance of the service agreement.
5. How We Use Your Data
- Provide, operate, and improve the APC AI Coach service
- Analyse uploaded submission documents to generate readiness scores and gap reports
- Conduct AI-powered mock interview sessions with voice and text modes
- Process one-time bundle payments and manage access entitlements
- Send transactional emails (account verification, password reset, important notices)
- Detect plagiarism or AI-generated content in submitted documents via our plagiarism-detection provider
- Monitor for security threats and prevent unauthorised access
- Comply with legal and regulatory obligations
We do not sell your personal data to third parties. We do not use your data to train third-party AI models. Our AI analysis providers process your data under zero-retention agreements (data is not retained by those providers after processing your request).
6. Retention
- Account data: Retained for the duration of your account plus 30 days after deletion to allow for recovery requests, then permanently deleted.
- Uploaded submission documents (PDF files): Retained while your account is active and stored encrypted at rest. Deleted on account deletion (after the 30-day grace window above) or on explicit request. Free accounts inactive for 3+ years are flagged for GDPR Art. 17 deletion with a 30-day grace period.
- AI feedback reports and interview transcripts: Retained until you delete your account or submit a deletion request.
- Voice audio: Streamed in real time and never stored on our servers.
- Payment records: Retained for 7 years to comply with financial regulations.
- Security logs (IP addresses, login attempts): 90-day rolling retention.
- Cookie consent records: 2 years (ICO guidance on consent audit trails).
7. Service Providers (Data Processors)
To deliver the service we engage the following categories of data processors. Each processor is engaged under a binding Data Processing Agreement or equivalent terms. Where a processor is located outside the UK/EU, the transfer is protected by the mechanism shown.
| Category | Function | Country | Transfer mechanism |
|---|---|---|---|
| AI analysis (LLM inference) | Document analysis, interview scoring | USA | UK/EU SCCs |
| Voice transcription & synthesis | Real-time interview audio processing | USA | UK/EU SCCs |
| Payment processing | Bundle checkout, subscription billing | USA / Ireland | EU-US Data Privacy Framework / UK SCCs |
| Transactional email | Account notifications, verification | USA | UK/EU SCCs |
| Cloud hosting & database | App hosting, data storage | EU | Intra-EU / adequacy |
| Content authenticity | Plagiarism + AI-content detection | USA | UK/EU SCCs |
Copies of our Standard Contractual Clauses are available on request at info@tektonthrive.com. You may also request our full service-provider list by emailing info@tektonthrive.com.
Your registration consent covers all processors used for the service. If you wish to withdraw consent, the correct mechanism is account deletion (see Section 2).
8. International Transfers
As shown in the table in Section 7, several processor categories are located in the USA. Where personal data is transferred to the USA, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission under EU GDPR and recognised under UK GDPR. The UK and EU maintain mutual adequacy arrangements permitting free data flows between them.
Under UAE PDPL, cross-border transfers to the USA are conducted on the basis of contractual protections equivalent to PDPL requirements, as permitted by Article 22 of the PDPL. By creating an account, you acknowledge that your data may be transferred to and processed in the USA by the processors described above, subject to the safeguards described in this section.
9. Data Security
We implement the following technical and organisational measures:
- Encryption at rest: Database and file storage are encrypted at rest by our infrastructure and storage providers
- Encryption in transit: TLS enforced on all connections; HTTP Strict Transport Security (HSTS) enabled
- Access controls: Row-level security for tenant data isolation; session versioning and login-attempt tracking
- Payment security: PCI-compliant payment processing via our payment processor; no raw card data stored by us
- Regular security assessments
In the event of a personal data breach we will notify the UAE Data Office within 72 hours of becoming aware of the breach, and notify affected individuals without undue delay where the breach poses a high risk to their rights. We maintain a breach register in accordance with UAE PDPL and UK/EU GDPR obligations.
No method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
10. Cookies
We use cookies and similar technologies. Your preferences are managed through the cookie consent banner displayed on your first visit. For full details of the cookies we use, their purpose, and how to manage your preferences, please see our cookie banner settings, which you can reopen at any time from the footer of this page. We do not use cookies for advertising or cross-site tracking.
11. Your Rights
Rights under UK GDPR and EU GDPR
- Right of access (Art. 15): Request a copy of your personal data
- Right to rectification (Art. 16): Correct inaccurate or incomplete data
- Right to erasure (Art. 17): Request deletion of your data, subject to legal retention obligations
- Right to restrict processing (Art. 18): Ask us to limit how we process your data in certain circumstances
- Right to data portability (Art. 20): Receive your data in a structured, machine-readable format
- Right to object (Art. 21): Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw consent at any time; withdrawal does not affect lawfulness of prior processing
Rights under UAE PDPL
- Access to your personal data and information about how it is processed
- Correction of inaccurate personal data
- Deletion of personal data where processing is no longer lawful
- Objection to processing and withdrawal of consent
- Restriction of processing in certain circumstances
How to exercise your rights
Submit a Subject Access Request (SAR) or any other rights request to info@tektonthrive.com. We will respond within 30 days of receiving your request, extendable to 90 days for complex requests (we will notify you if an extension is required). We may ask you to verify your identity before processing your request.
12. Complaints
If you have a concern about how we handle your personal data, please contact us first at info@tektonthrive.com so we can attempt to resolve it.
You also have the right to lodge a complaint with a supervisory authority:
- UK residents: Information Commissioner's Office (ICO) - ico.org.uk/make-a-complaint, helpline: 0303 123 1113
- EU residents: Your national data protection authority in your EU member state of habitual residence or place of work
- UAE residents: UAE Data Office - dataoffice.ae. You may submit a complaint via the UAE Data Office complaint portal if you believe we have not complied with UAE Federal Decree-Law No. 45/2021 (PDPL).
13. Children
APC AI Coach is intended for professional RICS APC candidates. The service is not directed at persons under 18 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a person under 18, please contact us immediately at info@tektonthrive.com.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified by email to registered users and by a prominent notice on the service at least 14 days before the change takes effect. The version number and date at the top of this page reflect the current version. Continued use of the service after the effective date of a change constitutes acceptance of the revised policy.
15. Contact
For all privacy-related questions, Subject Access Requests, or data deletion requests, contact us at: info@tektonthrive.com
Tekton Thrive FZCO, United Arab Emirates