SDET Coach

Privacy Policy

Last updated 23 April 2026

I’m Mitchell Agoma, a 20-year SDET and the director of Mitoba Consulting Ltd. Mitoba Consulting Ltd is the data controller for the personal data collected by SDET Coach, the mobile interview-prep app it publishes. I wrote this policy myself. It’s written plainly on purpose — you should be able to read it in a few minutes and know exactly what happens to your data.

If you’re in the UK or EU this policy is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU GDPR where it applies. If you’re in the US or elsewhere, the same rules are applied to your data by default.

1. Who I am

Data controller: Mitoba Consulting Ltd, a company registered in England and Wales.
Contact: info@mitobaconsulting.com
Data protection queries: info@mitobaconsulting.com (Mitchell Agoma acts as the data protection contact — there isn’t a separate DPO because the business is below the UK GDPR mandatory-DPO threshold).

2. What data I collect and why

2.1 Account data

  • Email address. Used to sign you in (magic-code one-time passcode) and to contact you about your subscription, service outages or material policy changes.
  • User ID. A random UUID assigned by Supabase Auth. This is what links your account to your data internally.
  • Account-creation timestamp and last sign-in time. For security monitoring.

2.2 Subscription data

  • Entitlement status (trial, monthly, annual, lifetime, or none) and when it expires. Provided to us by RevenueCat.
  • Platform (iOS or Android) and the store customer-info events RevenueCat forwards.
  • No card details. I never see or store your payment card, PayPal account or carrier billing details — those are handled entirely by Apple or Google.

2.3 App-usage and progress data

  • Which questions you’ve opened, bookmarked, marked as learned, or skipped.
  • Your practice answers (text you type) and the AI feedback returned on them.
  • Daily rotation history so you don’t see the same question twice in a row.
  • Your learning-path progress — which questions in a chosen path you’ve completed.

2.4 Job Match inputs (documents you provide)

The Job Match feature lets you paste a job description (and optionally your CV), or upload them as a PDF, or take photos of them. Here’s exactly what happens:

  • The text, PDF or images are sent server-to-server from a Supabase Edge Function to Anthropic’s Claude API. Claude reads the document and returns a short list of anonymised tags — things like “playwright”, “senior”, “fintech scale-up”.
  • The raw job description and CV are NOT stored in the SDET Coach database. They’re passed through the AI call and discarded. Only the extracted tags and the list of matched question IDs are kept against your account, so you can resume the match later.
  • If you take photos, the camera is only used when you tap “Take photo” inside the Job Match flow. The app never opens the camera in the background. Photos are downscaled and re-encoded on-device before being sent.
  • Anthropic’s commercial API terms state that inputs are not used to train their models. See section 4.3 for details.

If you’d rather not send your CV to a third-party AI provider, you can skip the CV field — Job Match still gives you a useful set of questions from the JD alone.

2.5 Diagnostic data

  • Crash reports and error traces (via Sentry), including device model, OS version, app version, stack traces and screen where the error happened.
  • Product analytics events (via PostHog), e.g. “question opened”, “answer submitted”, “paywall viewed”. These events are tied to your user ID so I can debug funnels but are never sold or shared with advertisers.
  • Approximate IP-based region (country only) so I can understand where the app is being used. Full IPs are not stored beyond what’s needed to serve the request.

2.6 What I do NOT collect

  • No contacts. No location (beyond country-level). Camera and photo-library access are only used when you explicitly pick “Take photo” or “From library” inside Job Match — see section 2.4.
  • No advertising identifiers. No IDFA / Android Ad ID. No ad tracking, period.
  • No microphone, no screen recording, no keystroke logging.
  • No third-party ad SDKs. No Facebook SDK, no AppsFlyer, no Branch, no TikTok.

3. Legal basis for processing (UK/EU GDPR)

  • Contract (Art. 6(1)(b)) — for everything necessary to deliver the app you’ve signed up for: authentication, storing your progress, running AI feedback, checking your subscription entitlement.
  • Legitimate interests (Art. 6(1)(f)) — for crash reporting, abuse prevention, aggregated product analytics and fraud detection on in-app purchases. I balance this against your privacy, which is why analytics are never shared with advertisers and never used to build user profiles sold to third parties.
  • Consent (Art. 6(1)(a)) — where I ask you directly, e.g. marketing emails (I don’t currently send them; if I ever do, it’ll be opt-in).
  • Legal obligation (Art. 6(1)(c)) — when I have to keep records for tax and company accounting (UK limited companies must retain transaction records for 6 years under HMRC and Companies Act rules) or respond to a lawful government request.

4. Sub-processors

SDET Coach uses a small, deliberate set of sub-processors. I’ve listed every one so you can see exactly where your data lives.

4.1 Supabase (Europe, eu-west-2 / London)

Hosts the Postgres database, the auth service (magic-link email), and the Edge Functions that sit between the mobile app and the AI provider. Your account, progress, answers and AI feedback are stored here, in the UK region. Supabase is my primary data processor.

4.2 RevenueCat (United States)

Handles in-app purchase receipts and tells the app whether you have an active subscription. Sees your user ID and the events Apple/Google send about your purchases. Does not see your email address, your practice answers, or any app-usage data beyond subscription events. Data transferred under Apple’s and Google’s standard receipt-validation flows and covered by RevenueCat’s Standard Contractual Clauses.

4.3 Anthropic (United States / Europe)

Processes two kinds of input via the Claude API:

  • Practice-answer feedback: your typed answer plus the accompanying question, to generate coaching notes.
  • Job Match: the job description (and optional CV) you submit — as text, PDF, or photo — so Claude can extract the skill tags used to match questions. The raw input is sent once per match and is not retained by SDET Coach.

All calls are made server-to-server from a Supabase Edge Function so your device never holds the Anthropic API key. Under Anthropic’s commercial API terms, inputs are not used to train their models. Anthropic may retain API request logs for a limited period for abuse-monitoring; see anthropic.com/legal/privacy.

4.4 Apple / Google

Operate the app stores and the payment mechanisms. They independently control data they collect when you buy or download the app — see their own privacy policies.

4.5 Sentry (United States / EU)

Receives crash reports and error traces when the app misbehaves. I’ve configured Sentry to scrub obvious PII (email, auth tokens) from error payloads. Sentry may see your user ID so I can tell whether an error is isolated or widespread.

4.6 PostHog (EU / cloud.posthog.com EU region)

Receives product-analytics events so I can understand which features are used, where people drop off in onboarding, and which paywall copy converts. Events are sent from the app bound to your user ID. No third-party cookies. No ad targeting.

4.7 Resend / email transport (as applicable)

Used to deliver the one-time sign-in codes and (rarely) operational emails. Sees your email address and the code being sent. Not used for marketing.

5. International transfers

Your data is stored in the UK (Supabase eu-west-2). Some sub-processors above are US-based and receive limited data to do their specific job. Where data leaves the UK/EU, I rely on the UK International Data Transfer Agreement / EU Standard Contractual Clauses, plus each provider’s supplementary measures, including encryption in transit and at rest.

6. How long I keep your data

  • Account data & progress: kept as long as your account exists. Deleted within 30 days of you deleting your account.
  • Practice answers & AI feedback: kept alongside your account so you can review past feedback. Deleted with the account.
  • Job Match raw inputs (JD / CV / photos): not stored. Passed through Anthropic for tag extraction and discarded. Only the extracted tags and the list of matched question IDs are kept, and they’re deleted with the account.
  • Crash reports: retained by Sentry for 90 days.
  • Analytics events: retained by PostHog for 12 months, then automatically rolled into aggregated, non-identifiable stats.
  • Subscription / billing records: retained for 6 years after the end of the relevant tax year to comply with HMRC record-keeping rules, then deleted.
  • Support emails: retained for 2 years after the case closes.

7. Your rights under UK/EU GDPR

You have the right to:

  • Access the personal data I hold about you and get a copy of it.
  • Rectify data that’s inaccurate or incomplete.
  • Erasure (“right to be forgotten”) — ask me to delete your data. You can also do this yourself from Settings > Account > Delete account.
  • Restrict processing in certain circumstances (e.g. while you contest accuracy).
  • Portability — receive your data in a structured, commonly-used machine-readable format (I provide a JSON export on request).
  • Object to processing based on legitimate interests, including analytics. Tell me and I’ll flag your user ID for opt-out from PostHog and, where possible, Sentry.
  • Withdraw consent at any time, where I’m relying on consent.

To exercise any right, email info@mitobaconsulting.com from the address you signed up with (or I’ll need to verify you). I’ll respond within one month, free of charge. If the request is complex or you’ve made several, I may extend by up to two further months and will tell you why.

8. Complaints

If you’re in the UK and you think I’ve mishandled your data, I’d rather you tell me first so I can fix it — but you’re also entitled to complain to the Information Commissioner’s Office (ICO):

  • Online: ico.org.uk/make-a-complaint
  • Phone: 0303 123 1113 (UK local rate)
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom

If you’re in an EU member state, you can complain to your national supervisory authority.

9. Security

Passwords aren’t stored because I don’t use them — sign-in is a one-time code from Supabase Auth. Data is encrypted in transit (TLS 1.2+) and at rest (Supabase disk-level AES-256). Row-level security policies in Postgres prevent one user from reading another user’s rows. Admin access to the Supabase project is limited to me and is protected with strong 2FA. There is no known 100%-secure system; if a breach occurs affecting your personal data, I’ll notify the ICO within 72 hours as required and contact affected users directly.

10. Children

SDET Coach is for working software professionals. It is not directed at children. I do not knowingly collect personal data from anyone under 17. If you believe a child has created an account, email me and I’ll delete it.

11. Automated decision-making

Two features in SDET Coach use Claude to produce automated outputs:

  • AI feedback on your practice answers — coaching notes you can read and ignore.
  • Job Match — extracting skill tags from a job description so the app can suggest relevant questions. The output is a list of practice questions, not a judgement about you.

Neither of these is a decision that produces a legal or similarly significant effect on you within the meaning of Art. 22 GDPR. You are always free to ignore the feedback or the Job Match suggestions. If something looks wrong, use the in-app report flow and I (or a human I assign) will review it.

12. Changes to this policy

I’ll update this policy when the app changes or the law changes. Material changes will be announced in-app and by email. The “Last updated” date at the top always reflects the current version.

13. App Store privacy nutrition label

For Apple’s App Store Privacy Details, SDET Coach declares:

  • Data Linked to You: Email address (account), User ID, Purchase history (entitlement status), Usage Data (product-analytics events), User Content (practice answers, and the Job Match tags extracted from any JD/CV you submit — the raw JD/CV text/files are not retained), Diagnostics (crash reports).
  • Data Not Linked to You: Aggregated analytics counts.
  • Data Used to Track You: None.

14. Contact

info@mitobaconsulting.com for anything in this policy. I read every message.