1. Who we are
ExamVault is a UK-based platform providing 11+ practice papers, mock exams, and personalised learning for children typically aged 9–11. The service is operated by Aureans Analytics Ltd (company number 11769683), with its registered office at 85 Great Portland Street, London, England, W1W 7LT. We are the “data controller” for personal data processed through this service.
For any privacy questions, contact us via the contact form.
2. What data we collect
Account data
When you create an account, we collect your name, email address, and a hashed password.
Payment data
Payments are processed by Stripe. We never see or store your card details — Stripe sends us a transaction reference, the amount, and the package purchased. See Stripe's privacy notice.
Usage data
When your child uses the service we record which papers they attempt, their answers, time taken, and scores. This drives the adaptive practice feature and the skill-mastery dashboard.
Technical data
Browser type, device type, pages visited, and approximate location (country-level) via analytics — only with your cookie consent (see Cookies, below).
Communications with us
Messages you send via the contact form, chats with our Emma assistant, and replies to our emails. Emma chat transcripts are stored anonymously (your IP is hashed, not stored raw) and may be reviewed to improve the service.
3. How we use your data
- Provide the service: serve papers, track progress, generate personalised content.
- Process payments and manage subscriptions.
- Send transactional emails (receipts, account notifications, password resets).
- Respond to support requests and improve the service based on usage patterns.
- Detect fraud, abuse, and security incidents.
- Comply with our legal obligations.
We do not sell your data, and we do not show third-party advertising.
4. Lawful bases for processing
We process personal data under one of these UK GDPR lawful bases:
- Contract: most processing is necessary to deliver the service you bought (or are evaluating for free).
- Legitimate interests: limited processing to keep the service secure, fix bugs, and improve the product. We balance this against your privacy rights.
- Consent: for non-essential cookies (analytics) and any optional marketing.
- Legal obligation: where we're required by law (e.g. tax records).
5. Children's data — special protections
ExamVault is designed for children, so we follow the ICO's Age Appropriate Design Code (the “Children's Code”) by default.
What this means in practice:
- An adult (typically a parent or guardian) creates the account and provides consent. The child uses the service under that account.
- We collect the minimum data needed to deliver practice papers and track progress — no profiling, no advertising profiles, no behavioural tracking beyond what the service requires.
- Privacy-friendly defaults: no public profiles, no friend lists, no chat between users.
- We don't use design techniques that nudge children into spending more time or sharing more data than they need to.
- If you're a child reading this: your parent or guardian set up your account. You can ask them, or our team, to delete your data at any time.
If you believe a child's account was created without an adult's consent, tell us and we'll investigate and, if needed, delete the account.
6. Who we share data with
We share limited data with these service providers, each under a data-processor agreement:
- Stripe — payment processing. Card details go to Stripe directly, not through us.
- Resend — transactional email delivery (receipts, password resets, account notifications).
- Vercel — website hosting and serverless compute.
- Neon — managed Postgres database (UK/EU region).
- Anthropic — powers the Emma chatbot and adaptive-content generation. Chat messages are sent to Anthropic's API for processing; Anthropic does not train models on our API traffic.
- Google Analytics 4 — anonymised usage analytics, only loaded with your cookie consent.
We do not share your personal data with third parties for their own marketing purposes.
7. International transfers
Some of our providers (Stripe, Anthropic, Google) are based in the US. Where data leaves the UK, we rely on the UK Government's adequacy decisions and Standard Contractual Clauses to provide equivalent protection. Our primary database (Neon) is hosted in a UK/EU region.
8. Cookies
We use a small number of cookies:
- Essential cookies — keep you signed in (NextAuth session), remember your cookie choice, and let the cart/checkout flow work. These are always set; the service cannot function without them.
- Analytics cookies — Google Analytics 4, only loaded if you click Accept on the cookie banner. We use anonymised IP, no advertising features, no user-ID linkage.
You can change your cookie choice at any time by clearing your browser's site data and refreshing — the banner reappears.
9. Data retention
- Account data — kept while your account is active, plus 6 years after closure (for tax/accounting record-keeping).
- Progress data — kept while your account is active. Deleted when you close your account.
- Payment records — 6 years after the transaction, for HMRC compliance.
- Emma chat transcripts — 90 days (anonymised; we hash IPs rather than storing them raw).
- Email correspondence — 2 years after the last reply.
10. Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Delete your data (subject to legal retention obligations like the 6-year tax requirement above).
- Restrict or object to certain processing.
- Receive your data in a portable format.
- Withdraw consent for analytics cookies (just decline on the banner, or clear cookies).
To exercise any of these rights, contact us via the contact form. We'll respond within one month.
If you're not happy with how we've handled your data, you can complain to the UK's Information Commissioner's Office: ico.org.uk/make-a-complaint.
11. Security
We encrypt data in transit (HTTPS everywhere) and at rest (managed by our hosting providers). Passwords are hashed using bcrypt. We follow industry-standard practices to prevent unauthorised access. No system is perfectly secure; if we ever detect a breach affecting your data, we will notify you and the ICO within 72 hours as required by law.
12. Changes to this policy
We may update this policy from time to time. The date at the top of the page reflects the most recent update. For material changes (e.g. new third-party providers, expanded data collection) we'll email registered users in advance.