Privacy Policy
Last updated: 14 March 2026
Plain-English summary: We collect your email and practice data to run the service. We use Supabase (EU-hosted) to store it and Anthropic's Claude to mark your answers. We never sell your data or use it for ads. You can delete everything at any time.
1. Who we are
GCSEMathsAI ("we", "us", "our") is an educational technology service operated from England, United Kingdom. Our website is gcsemathsai.co.uk.
We are the data controller for personal information collected through this service. If you have any questions about this policy or how we handle your data, please contact us at privacy@gcsemathsai.co.uk.
2. Data we collect
We collect the following categories of personal data:
Account data
— Email address and encrypted password (stored securely via Supabase Auth)
— Onboarding preferences: year group, exam board, tier, and target grade (stored in your browser's local storage)
Usage data
— Practice questions you attempt
— The answers you submit
— AI-generated marking feedback and scores
— Topics and subtopics practised
— Timestamps of activity (used to calculate streaks and progress)
Technical data
— IP address and approximate location (country/region)
— Browser type and version
— Pages visited and time on site
— Cookies and similar tracking technologies (see Section 8)
We do not collect your full name, date of birth, school name, or any payment details unless you explicitly provide them.
3. How we use your data
We use your personal data to:
— Provide, operate and improve the GCSEMathsAI service
— Mark your practice answers using AI and return personalised feedback
— Show you your progress, topic scores and practice streaks on your dashboard
— Send you service-related emails (e.g. password reset, account confirmation)
— Detect and prevent fraudulent or abusive use of the service
— Comply with legal obligations
We do not use your data for advertising. We do not sell your data to third parties. We do not use your answers to train AI models without explicit consent.
4. Legal basis for processing (UK GDPR)
We process your personal data on the following legal bases:
Contract performance (Article 6(1)(b)) — Processing your account details and practice data is necessary to provide the service you signed up for.
Legitimate interests (Article 6(1)(f)) — We have a legitimate interest in understanding how the service is used in order to improve it, provided this does not override your rights and freedoms.
Legal obligation (Article 6(1)(c)) — We may process data where required to comply with applicable law.
If you are under 13, we require parental or guardian consent before creating an account. See Section 7 for more detail.
5. Third-party services
We share data with the following carefully selected third parties in order to operate the service:
Supabase (supabase.com) — Our database and authentication provider. Your email, encrypted password, and practice attempt data are stored on Supabase infrastructure hosted in the EU. Supabase is GDPR-compliant and processes data under a Data Processing Agreement with us.
Anthropic (anthropic.com) — The AI provider that marks your practice answers. When you submit an answer, the question, mark scheme, and your answer text are sent to Anthropic's Claude API to generate feedback. Anthropic does not use this data to train its models by default. See Anthropic's privacy policy at anthropic.com/privacy.
Vercel (vercel.com) — Our hosting provider. Vercel processes server request logs including IP addresses. Vercel is GDPR-compliant.
We do not share your data with any other third parties without your explicit consent.
6. How long we keep your data
— Account data: kept for as long as your account is active, plus 30 days after deletion to allow for recovery.
— Practice attempts: kept for the lifetime of your account. You can delete individual attempts or all your data at any time from your account settings.
— Technical/server logs: retained for a maximum of 90 days for security and debugging purposes.
When you delete your account, all personal data associated with it is permanently erased within 30 days, except where we are required by law to retain it.
7. Children's privacy
GCSEMathsAI is designed for students aged 14 and over. We do not knowingly collect personal data from children under 13 without verifiable parental consent.
If you are under 13, please ask a parent or guardian to create an account and supervise your use.
If you are a parent or guardian and believe your child under 13 has created an account without your consent, please contact us immediately at privacy@gcsemathsai.co.uk and we will delete the account and all associated data within 5 working days.
We take children's privacy seriously and follow the ICO's Age Appropriate Design Code (Children's Code).
9. Your rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
— Right of access — Request a copy of the personal data we hold about you
— Right to rectification — Ask us to correct inaccurate or incomplete data
— Right to erasure ("right to be forgotten") — Ask us to delete your personal data
— Right to restriction — Ask us to restrict how we process your data
— Right to data portability — Receive your data in a structured, machine-readable format
— Right to object — Object to processing based on legitimate interests
— Right not to be subject to automated decision-making — We do not make legally significant decisions about you solely by automated means
To exercise any of these rights, email privacy@gcsemathsai.co.uk. We will respond within 30 days. There is no charge for exercising your rights.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
10. Data security
We take appropriate technical and organisational measures to protect your personal data, including:
— All data in transit is encrypted using TLS/HTTPS
— Passwords are hashed and never stored in plain text
— Access to production databases is restricted to authorised personnel only
— We conduct regular security reviews of our infrastructure
Despite these measures, no internet transmission is completely secure. If you suspect your account has been compromised, change your password immediately and contact us.
11. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email (to the address on your account) and update the "Last updated" date at the top of this page.
Continued use of the service after changes take effect constitutes your acceptance of the revised policy.
12. Contact
For privacy-related questions, data subject requests, or to report a concern:
Email: privacy@gcsemathsai.co.uk
Post: GCSEMathsAI, c/o Data Controller, England, United Kingdom
We aim to respond to all enquiries within 5 working days.