Privacy Policy

Last updated: 1 May 2026

1. Who We Are

Exam Ladder Ltd ("Exam Ladder", "we", "us") operates the GCSE Maths revision platform at examladder.co.uk. We are the data controller for personal data processed through this service. This policy explains what data we collect, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.

Contact our data team: privacy@examladder.co.uk

2. Data We Collect

Account data:

Email address, display name (optional), exam board, and tier selection provided when you register.

Usage and learning data:

Practice session results, topic mastery scores, mock exam grades, time-on-task, streak data, and XP. This data powers your personalised revision recommendations.

Technical data:

IP address (used for rate limiting and fraud prevention), browser type, and device type (collected via standard web server logs). We do not set analytics cookies beyond those strictly necessary for authentication.

Payment data:

Subscription status and billing history. Raw card details are processed exclusively by Stripe Inc. and are never stored on our servers.

3. Lawful Basis for Processing

We process your data under the following lawful bases (UK GDPR Article 6):

  • Contract — account management, subscription billing, and delivering the core revision service.
  • Legitimate interests — fraud prevention, platform security, and aggregated analytics to improve the service.
  • Consent — marketing emails (you can withdraw consent at any time via the unsubscribe link).
  • Legal obligation — retaining billing records as required by HMRC.

For users under 16, we rely on parental/guardian consent (UK GDPR Article 8) for all processing beyond strict service delivery.

4. How We Use Your Data

  • To provide personalised spaced-repetition practice and predicted grade tracking.
  • To send transactional emails (account confirmation, password reset, trial-ending reminders).
  • To send marketing emails about new features or offers (consent-based; opt out any time).
  • To detect abuse and fraud, and to ensure platform security.
  • To comply with legal obligations.

We do not sell your personal data to third parties. We do not use your data to train third-party AI models.

5. Third-Party Processors

We share data only with processors who contractually agree to handle it securely and only for stated purposes:

  • Supabase Inc. — database and authentication (EU data residency: eu-west-2).
  • Stripe Inc. — payment processing (PCI DSS Level 1 compliant).
  • OpenAI Inc. — AI study coach and question generation (data is not used to train OpenAI models per our API agreement).
  • Resend Inc. — transactional email delivery.
  • Sentry Inc. — error monitoring (no personal data in error payloads; PII scrubbing enabled).
  • Railway Inc. — application hosting (EU region).

6. Data Retention

We retain your account and learning data for as long as your account is active plus 30 days after closure, so you can reactivate without losing progress. Billing records are retained for 7 years as required by UK tax law. Anonymised, aggregated analytics may be retained indefinitely.

If you delete your account via Settings > Delete Account, all personally identifiable data is permanently removed within 30 days.

7. Your Rights Under UK GDPR

You have the following rights, exercisable by emailing privacy@examladder.co.uk:

  • Access — request a copy of all personal data we hold about you (also available via Settings > Export Data).
  • Rectification — ask us to correct inaccurate data.
  • Erasure — request deletion of your data ("right to be forgotten").
  • Restriction — ask us to pause processing of your data while a complaint is resolved.
  • Portability — receive your data in a machine-readable format (JSON export).
  • Objection — object to processing based on legitimate interests.
  • Withdraw consent — for any consent-based processing (e.g. marketing emails) at any time.

We will respond to all requests within 30 days. If you are unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Children's Privacy

We take the privacy of users under 18 seriously and comply with the UK Children's Code. We do not use children's data for profiling or targeted advertising. Where users are under 13, parental consent is required and learning data is used only to deliver the revision service. Parents may request deletion of their child's data at any time by contacting privacy@examladder.co.uk.

9. Cookies

We use only strictly necessary cookies for authentication (Supabase session token) and a cookie consent preference cookie. We do not use tracking or advertising cookies. You can review and manage your cookie preferences at any time via the cookie banner.

10. Changes to This Policy

We will notify you of material changes to this policy by email or prominent in-app notice at least 14 days before they take effect.

11. Contact

Data protection enquiries: privacy@examladder.co.uk
Exam Ladder Ltd, [Registered Address, England and Wales]