Privacy Policy
Last updated: 30 January 2026 | Effective: 30 January 2026
1. Who We Are
Elephant Math ("we", "us", "our") is an educational technology platform that provides interactive mathematics learning experiences for GCSE students, teachers, and parents.
We are the data controller for the personal data we process through our platform at shadow-em.onrender.com.
- Platform: Elephant Math
- Contact email: privacy@elephantmath.co.uk
- Data Protection Officer: dpo@elephantmath.co.uk
- ICO registration: Pending
2. What Data We Collect
2.1 Identity & Account Data
- Full name, email address, user role (student, teacher, parent)
- School affiliation, grade level
- Password (hashed — we never store plaintext passwords)
- Date of birth (to verify age and parental consent requirements)
2.2 Academic & Learning Data
- Question attempts: answers selected, time taken, correctness
- Topic mastery levels, accuracy percentages, and progress trends
- XP points, streaks, and achievement unlocks
- Module completion status and revision recommendations
2.3 Behavioural Data
- Session duration and frequency of use
- Navigation patterns within the platform
- Feature usage (which topics, games, or tools are accessed)
2.4 Diagnostic & Special Category Data
- Detected mathematical misconceptions and confidence scores
- Diagnostic question responses linked to misconception codes
- GCSE grade predictions and confidence ranges
2.5 Technical & Client-Side Data
- Browser type, device type, operating system
- IP address (for security and fraud prevention)
- Local storage preferences (e.g., sidebar state, tip dismissal)
3. How We Use Your Data
We process your personal data for the following purposes:
| Purpose | Data Used | Legal Basis |
|---|---|---|
| Account creation & authentication | Identity data, email, password | Contract |
| Delivering learning content | Academic data, progress tracking | Contract |
| Misconception detection & adaptive learning | Diagnostic data, question attempts | Legitimate interest |
| GCSE grade predictions | Mastery levels, attempt history | Legitimate interest / Consent |
| Personalised revision recommendations | Topic mastery, misconception data | Legitimate interest |
| Teacher & parent dashboard analytics | Aggregated student progress | Legitimate interest |
| Subscription & billing management | Account data, subscription status | Contract |
| Security, fraud prevention & abuse detection | IP address, usage patterns | Legitimate interest |
4. Legal Bases for Processing
Under UK GDPR, we rely on the following legal bases:
4.1 Contract (Article 6(1)(b))
Processing necessary to provide you with the Elephant Math service, including account management, content delivery, and subscription fulfilment.
4.2 Legitimate Interest (Article 6(1)(f))
Processing necessary for our legitimate interests, including:
- Improving our educational algorithms and content
- Detecting misconceptions to improve learning outcomes
- Providing teachers and parents with meaningful progress insights
- Maintaining platform security and preventing abuse
We have conducted a Legitimate Interest Assessment (LIA) for each of these purposes to ensure your rights and freedoms are not overridden.
4.3 Consent (Article 6(1)(a))
Where required, we obtain explicit consent for:
- Marketing communications and email notifications
- GCSE grade predictions for students under 13 (parental consent required)
- Optional analytics and improvement tracking
You can withdraw consent at any time through your account settings or by contacting us at privacy@elephantmath.co.uk.
5. Children's Data & Parental Consent
5.1 Age Verification
During registration, we collect date of birth to determine whether parental consent is required under UK GDPR Article 8 (age of digital consent is 13 in the UK).
5.2 Under-13 Users
- Accounts for children under 13 require verifiable parental consent before activation.
- Parents must provide their own email address and confirm consent.
- Parents have full access to view, export, and delete their child's data.
- We do not serve targeted advertising to any user, including children.
5.3 Users Aged 13–17
- Students aged 13–17 may create accounts independently.
- Parents and guardians may link their accounts to monitor progress.
- We apply the same data protection standards as for younger users.
5.4 Teacher-Created Accounts
Where teachers create student accounts through class management features, the school acts as a joint data controller and is responsible for obtaining necessary consents from parents or guardians.
6. Automated Decision-Making
Elephant Math uses automated processing to enhance the learning experience. Under UK GDPR Article 22, we provide transparency about these systems:
6.1 GCSE Grade Predictions
- What it does: Predicts probable GCSE grades (1–9) based on topic mastery, attempt accuracy, and trends.
- How it works: Compares your performance across modules against historical grade boundaries for AQA, Edexcel, OCR, and WJEC exam boards.
- Output: A predicted grade with a confidence range (pessimistic to optimistic).
- Limitations: Predictions are indicative only and do not determine actual exam results.
6.2 Misconception Detection
- What it does: Identifies common mathematical errors (e.g., adding denominators when adding fractions).
- How it works: Analyses patterns in wrong answers against our catalogue of 13+ coded misconceptions.
- Output: Confidence scores (0–100%) and remediation hints for teachers.
6.3 Revision Recommendations
- What it does: Suggests which topics to revise and in what order.
- How it works: Considers accuracy, misconceptions, inactivity, declining trends, prerequisite gaps, and spaced repetition principles.
- Output: Priority-ranked recommendations (1–5 scale).
6.4 Your Rights
None of these automated systems produce decisions with legal or similarly significant effects. They are advisory tools to support learning. You have the right to:
- Request a human review of any automated output
- Express your point of view about the results
- Contest any prediction or recommendation
Contact us at privacy@elephantmath.co.uk to exercise these rights.
8. International Data Transfers
Your data may be transferred to and processed in the United States through our infrastructure providers:
- Supabase: US-based with EU hosting options. We rely on EU Standard Contractual Clauses (SCCs) as approved by the UK Government under the UK GDPR.
- Render: US-based hosting with servers in the EU and US. Data encrypted in transit (TLS 1.2+).
- Google: Transfers governed by Google's Data Processing Terms and SCCs.
We ensure all international transfers have appropriate safeguards under UK GDPR Chapter V (Articles 44–49).
9. Data Retention Periods
We retain your data only as long as necessary for the purposes described in this policy:
| Data Category | Retention Period | After Deletion |
|---|---|---|
| Account & identity data | Duration of account + 30 days | Permanently deleted |
| Learning & academic data | Duration of account + 90 days | Anonymised for research or deleted |
| Misconception & diagnostic data | Duration of account + 90 days | Anonymised for research or deleted |
| GCSE predictions | Duration of account + 1 year | Permanently deleted |
| Subscription & billing records | 6 years (HMRC requirement) | Permanently deleted |
| Security logs (IP addresses) | 12 months | Permanently deleted |
| Consent records | Duration of account + 3 years | Permanently deleted |
| Contact form submissions | 2 years | Permanently deleted |
When data is anonymised for research, it is stripped of all identifying information and cannot be linked back to you.
10. Your Rights Under GDPR
Under UK GDPR, you have the following rights:
- Right of access (Article 15) — Request a copy of your personal data
- Right to rectification (Article 16) — Correct inaccurate data
- Right to erasure (Article 17) — Request deletion of your data
- Right to restrict processing (Article 18) — Limit how we use your data
- Right to data portability (Article 20) — Receive your data in a portable format
- Right to object (Article 21) — Object to processing based on legitimate interest
- Rights related to automated decisions (Article 22) — Human review of automated decisions
We will respond to all data rights requests within 30 calendar days. Complex requests may be extended by a further 60 days, in which case we will notify you.
12. Changes to This Policy
We may update this privacy policy from time to time. When we make changes:
- We will update the "Last updated" date at the top of this page.
- For material changes (e.g., new data processing purposes, new third parties), we will notify you via email and/or an in-app notification.
- For minor changes (e.g., clarifications, formatting), we will update the page without separate notice.
We encourage you to review this policy periodically. Continued use of the platform after changes constitutes acceptance of the updated policy.
13. Contact & Data Protection Officer
If you have any questions about this privacy policy or how we handle your data:
- General privacy enquiries: privacy@elephantmath.co.uk
- Data Protection Officer: dpo@elephantmath.co.uk
- Data rights requests: Visit our GDPR Rights Centre
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF