When does Obiter launch?

May 2026. Join the waitlist to get priority access the moment we go live.

Is Obiter legal advice?

No. Obiter is a study tool for law students. It does not provide legal advice and should not be relied upon for legal matters.

Which qualifications does it cover?

All core UK LLB foundation subjects (Contract, Criminal, Tort, Land, Equity & Trusts, Constitutional & Administrative, EU, Company, Jurisprudence, Evidence), plus GDL and SQE preparation.

What's the free tier actually include?

Dashboard, calendar, study timer, bulletin, manual flashcards, and statute search. Everything you need to get started - no credit card required.

Legal

Privacy Policy

Last updated: May 2026

Also available: Terms of Service | Cookie Policy | GDPR Rights

Jasmine Sakpoba, trading as Obiter (“we”, “us”, “our”), is committed to protecting your privacy. This Privacy Policy explains how we collect, use, process, and protect your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are registered with the Information Commissioner’s Office (ICO) under registration number ZC127489.

For data-protection requests (access, deletion, objection), contact privacy@obiter.site.

1. Legal Basis for Processing

We process your personal data based on:

Consent: you have explicitly given us permission (e.g. marketing emails)
Contract Performance: processing is necessary to provide the Service (e.g. storing your essays, authentication)
Legal Obligation: we are required by law (e.g. tax records)
Legitimate Interests: we have a legitimate business interest not overridden by your rights (e.g. fraud prevention, security, analytics)

2. What Data We Collect

2.1 Data You Provide Directly

Account Registration: email address, hashed password, name (optional), university/institution (optional), year of study (optional)
Your Content & Activity: essays and answers, flashcards and study notes, quiz responses and SBAQ answers, bookmarks and saved articles, study timer sessions, calendar events from connected calendar providers, search queries, support communications
Payment Information: billing address and subscription details only — we do not store your full card details (handled by Stripe)

2.2 Data Collected Automatically

Device & Browser: device type, operating system, browser type and version, IP address, user agent
Usage Data: pages/screens you visit, time spent on features, search queries, button interactions (anonymised), error reports
Cookies: session cookies, analytics cookies, and preference cookies — see Section 8

We do not actively track your precise location. Your IP address may reveal approximate country/city.

2.3 Data From Third Parties

Supabase — database and authentication
Anthropic — when you request essay feedback or SBAQ explanations, your content is sent to Anthropic's servers. See Anthropic's Privacy Policy. Your essays are not used to train Anthropic's models.
Stripe — payment processing
Resend — transactional emails
Google LLC — when you connect Google Calendar, we receive calendar event data via the Google Calendar API
Microsoft Corporation — when you connect Outlook Calendar, we receive calendar event data via Microsoft Graph

3. How We Use Your Data

3.1 Essential Uses

We process your data to: create and maintain your account; authenticate you; provide the Service; send transactional emails; comply with legal obligations; detect and prevent fraud; enforce our Terms of Service; and respond to law enforcement requests.

3.2 Service Improvement

We use your data to understand how you use Obiter, identify and fix bugs, improve algorithms, test new features, and personalise your experience.

3.3 Marketing (Consent Required)

We will only send you marketing emails if you explicitly opt-in. You can opt-out at any time via the unsubscribe link or in Settings. We will not sell, share, or rent your email address to third parties.

3.4 AI-Powered Features

When you use essay feedback or AI explanations, your content is sent to Anthropic's API. Obiter does not use your essays or answers to train AI models. AI feedback is generated by machine learning and may not be perfect — review it critically and always verify against authoritative sources.

4. Third-Party Calendar Integrations

4.1 What We Access

When you connect Google Calendar or Microsoft Outlook Calendar to Obiter, we receive read-and-write access to your calendar events. This means we can: read event title, description, start time, end time, location, and unique identifier; create new events you add inside Obiter that you choose to save to that calendar; modify events you edit inside Obiter; and delete events you delete inside Obiter. We do not access attendee email addresses, attachments, or anything outside event-level data. We only write to the calendar when you take an explicit action inside Obiter (creating, editing, or deleting an event). For iCal URL subscriptions, we fetch the publicly accessible calendar feed at the URL you provide; whatever the source publishes in that feed is what we receive — iCal subscriptions are read-only.

4.2 Why We Access It

The sole purpose is to display your existing calendar events inside Obiter's calendar view alongside your academic deadlines, study sessions, and exam dates — giving you a single planning view. This is the only purpose for which we use Google or Microsoft calendar data.

4.3 What We Do Not Do

We only modify, create, or delete events when you explicitly trigger that action in the Obiter UI — we never write to your calendar automatically
We do not use your calendar data for advertising, profiling, machine-learning training, or any purpose other than displaying and managing it within the Obiter app
We do not sell or share calendar data with any third party

4.4 Storage and Retention

Calendar events you sync are stored in our database, encrypted at rest, and linked only to your Obiter account. OAuth refresh tokens are stored encrypted. You can disconnect a calendar at any time from Obiter's calendar page, which removes the OAuth token and deletes the synced events from our database. If you delete your Obiter account entirely, all calendar data is removed with it.

4.5 Google API Services User Data Policy

Obiter's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

4.6 Microsoft Graph Data

Obiter's use of Microsoft Graph data complies with Microsoft's Services Agreement and follows the same limited-use principles described above.

5. Third-Party File Storage Integrations

5.1 What We Access

When you connect Google Drive or Microsoft OneDrive to Obiter, we receive: the ability to browse your file list and folders (file names, IDs, modified dates, MIME types), read the contents of files you explicitly import into Obiter, and create or update files in a folder you nominate. For Google Drive specifically, we request the drive.readonly scope (read access to your Drive so you can browse and import) and the drive.file scope (write access only to files Obiter creates or that you explicitly select). For OneDrive we request the equivalent Microsoft Graph scopes (Files.ReadWrite).

5.2 Why We Access It

To let students import lecture notes, past papers, case briefs, and other study materials from their Drive or OneDrive into Obiter's note-taking system, and to save Obiter-generated notes and essays back to their cloud storage when they choose to.

5.3 What We Do Not Do

We only read or write files when you take an explicit action (clicking “Connect Drive”, picking a file from the browser, choosing “Save to Drive”)
We do not scan, index, or process files outside what you explicitly import
We do not use file contents for advertising, profiling, or machine-learning training
We do not sell or share file contents or metadata with any third party

5.4 Storage and Retention

Files you import are stored in our database, encrypted at rest, and scoped to your account. OAuth refresh tokens are stored encrypted. You can disconnect Drive or OneDrive at any time from Settings, which removes the OAuth token and deletes any imported file content from our database (you can choose to keep notes created from those files). If you delete your Obiter account, all imported file content is removed with it.

5.5 Google API Services User Data Policy

Obiter's use and transfer of information received from Google APIs (including Drive) adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5.6 Microsoft Graph Data

Obiter's use of Microsoft Graph data (including OneDrive files) complies with Microsoft's Services Agreement and follows the same limited-use principles described above.

6. Data Retention

Account & Personal Data: retained while your account is active; deleted within 30 days of account deletion
User Content: retained while your account is active; deleted within 30 days of account deletion (backups up to 90 days)
Payment Records: retained for 6 years (UK tax law)
Server Logs: 30 days; detailed analytics 1 year; summary analytics indefinitely (anonymised)

7. Data Sharing & Third Parties

7.1 Who We Share With

We share data only with service providers bound by Data Processing Agreements: Supabase (database), Anthropic (AI processing), Stripe (payments), Resend (email), and legal or regulatory authorities if required by law. We also receive data from Google LLC (Google Calendar API, Google Drive API) and Microsoft Corporation (Microsoft Graph) when you connect those services — see Sections 4 and 5 for details on how that data is used.

7.2 What We Do Not Do

We do not sell your personal data to advertisers or data brokers
We do not share your essays with Anthropic for model training
We do not share your data with competitors

7.3 International Transfers

Some service providers are based outside the UK. Where transfers occur, we ensure Standard Contractual Clauses (SCCs) or appropriate safeguards are in place. Contact us for details.

8. Your GDPR Rights

Under UK GDPR, you have the right to:

Access: request a copy of all personal data we hold about you
Rectification: correct inaccurate or incomplete data (update in Settings or email us)
Erasure: request deletion of your personal data (delete your account in Settings)
Data Portability: receive your data in a portable format (CSV/JSON) via Settings → Data & Privacy
Object: object to certain processing, including marketing (click Unsubscribe or email us)
Restrict Processing: request that we limit how we use your data
Lodge a Complaint: with the ICO at ico.org.uk/make-a-complaint

To exercise any right, email privacy@obiter.site. We will respond within 30 days.

9. Cookies

We use:

session_token — authentication (required, keeps you logged in)
obiter_theme — remember your theme preference (essential)
analytics_id — usage analytics (opt-in via cookie banner)
stripe_session — payment processing (required for checkout)

You can manage cookies in your browser settings. Disabling essential cookies may limit functionality. See our full Cookie Policy.

10. Security

We implement industry-standard security: HTTPS/TLS encryption in transit, AES-256 encryption at rest for sensitive data, bcrypt password hashing, access controls with multi-factor authentication, and regular security audits. If a breach occurs, we will notify you within 72 hours as required by law.

11. Children's Privacy

Obiter is not intended for children under 13. We do not knowingly collect data from children under 13. If we discover we have done so, we will delete it immediately.

12. Changes to This Policy

We may update this Privacy Policy as needed. Material changes will be posted on this page and notified via email at least 30 days in advance.

13. Contact

For privacy questions or requests: privacy@obiter.site