Privacy Policy

1. Who We Are

MathsTutor is an educational platform providing maths learning resources aligned with the UK National Curriculum, from Key Stage 1 through GCSE. We are the data controller for the personal data described in this policy.

Contact: support@mathstutor.me

2. Data We Collect

Account Information

• Name and email address — provided when you register or sign in with Google
• Password — stored securely using one-way hashing (we never see or store your actual password)
• Account type — whether you are a parent or student

Learning Data

• Exercise responses — answers submitted, scores, and completion times
• Progress data — lessons completed, difficulty levels, key stages studied
• Gamification data — XP earned, badges achieved, streaks, levels

Technical Data

• Device and browser information — screen size, browser type (for responsive design)
• Usage patterns — pages visited, session duration (anonymised analytics)

Data We Do Not Collect

• We do not collect precise location data
• We do not collect financial information directly (payments are processed by Stripe)
• We do not sell, rent, or trade any personal data

3. Children's Data

MathsTutor is designed for children aged 5 to 16. We take additional care with children's data in line with the ICO's Age Appropriate Design Code:

• Parental consent — children under 13 must have a parent or guardian create and manage their account via the family linking feature
• Minimal data collection — we only collect data necessary to provide the educational service
• No behavioural advertising — we never use children's data for marketing or advertising purposes
• No profiling for non-educational purposes — learning data is used solely to personalise the educational experience
• Privacy by default — children's accounts have the highest privacy settings by default
• No social features — there are no chat, messaging, or public profile features

4. How We Use Your Data

We use personal data for the following purposes:

• Providing the service — delivering lessons, exercises, and tracking progress
• Personalisation — adapting difficulty levels and content to the student's ability
• Gamification — awarding XP, badges, and maintaining streaks
• Parent reporting — showing parents their child's progress and achievements
• Account management — managing subscriptions, family linking, and settings
• Service improvement — understanding how features are used to make them better
• Security — protecting accounts and detecting unauthorised access

5. Legal Basis for Processing

We process personal data under the following lawful bases:

• Contract — processing necessary to provide the service you signed up for
• Legitimate interests — improving and securing our service, provided this does not override your rights
• Consent — where required, particularly for children's data and optional communications

6. Cookies

We use cookies that are strictly necessary for the service to function:

• Authentication cookies — HTTP-only, secure cookies that keep you signed in. These cannot be accessed by JavaScript (protecting against XSS attacks)
• Anti-forgery tokens — protect against cross-site request forgery
• Theme preference — remembers your light/dark mode choice

We do not use third-party tracking cookies, advertising cookies, or analytics cookies that track individual users.

7. Third-Party Services

We use the following third-party services:

• Google Sign-In — if you choose to sign in with Google, Google provides us with your name and email address. See Google's Privacy Policy
• Stripe — processes subscription payments securely. We never see or store your card details. See Stripe's Privacy Policy
• Google Cloud Platform — hosts our application and database in the Europe (London) region

8. Data Retention

• Active accounts — data is retained for as long as your account is active
• Deleted accounts — personal data is deleted within 30 days of account deletion. Anonymised usage statistics may be retained
• Payment records — retained as required by UK tax and accounting regulations (up to 7 years)

9. Your Rights

Under UK GDPR, you have the right to:

• Access — request a copy of your personal data
• Rectification — correct inaccurate personal data
• Erasure — request deletion of your personal data ("right to be forgotten")
• Restriction — request we limit how we use your data
• Portability — receive your data in a structured, machine-readable format
• Object — object to processing based on legitimate interests
• Withdraw consent — where processing is based on consent, withdraw it at any time

Parents and guardians may exercise these rights on behalf of their children. To make a request, contact us at support@mathstutor.me. We will respond within one month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

10. Data Security

We protect your data using industry-standard measures:

• All data transmitted over HTTPS (TLS encryption)
• Passwords hashed using ASP.NET Core Identity (bcrypt-based)
• HTTP-only, secure authentication cookies (not accessible to JavaScript)
• Database hosted on Google Cloud SQL with encryption at rest
• Regular security updates and dependency patching
• Principle of least privilege for all system access

11. International Transfers

Your data is stored and processed within the United Kingdom and European Economic Area. Our database and application are hosted in Google Cloud's Europe (London) region.

Where third-party services process data outside the UK (such as Google and Stripe), appropriate safeguards are in place including Standard Contractual Clauses and adequacy decisions.

12. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or a notice on our website. We encourage you to review this page periodically.

13. Contact Us

If you have any questions about this privacy policy or how we handle your data, please contact us:

• Email: support@mathstutor.me