Privacy Policy

1. Who we are

Educare11plus Training Centre ("Educare", "we", "us") is the data controller for the personal information collected through this website and our exam administration services.

Contact: privacy@educare11plus.co.uk

Registered address: Educare11plus, Altrincham, United Kingdom.

ICO registration: [To be added once registered with the UK Information Commissioner's Office]

2. Information we collect

From parents/guardians:

• Name, email address, phone number, postal address
• WhatsApp number (optional, for result notifications)
• Grammar school preferences (for exam booking)
• Account credentials (password is stored as a bcrypt hash — never in plain text)

About children sitting our exams:

• First and last name
• Date of birth, gender (optional)
• School name, year group
• Special requirements (if declared by the parent)
• Scanned answer sheets (OMR), extracted answers, scores and rankings

Automatically collected:

• IP address and browser user-agent (for consent audit and rate limiting)
• Authentication cookies (strictly necessary — see Cookie Policy)

Payment data:

Card details are processed directly by Stripe and never touch our servers. We only retain the Stripe payment reference, amount, and status.

3. Lawful basis for processing

We rely on the following lawful bases under UK GDPR:

• Contract — to provide booking, exam administration, and result delivery.
• Consent — for storing a child's personal data, explicit opt-in at booking; and for non-essential cookies, via the consent banner.
• Legitimate interests — fraud prevention, service security, internal audit.
• Legal obligation — UK accounting and tax retention requirements.

4. How long we keep your data

• Account data: retained while your account is active; deleted (or anonymised) on request.
• Booking & payment records: 7 years, as required by UK tax and accounting rules.
• Child personal data: deleted 2 years after the child's last exam with us, unless earlier deletion is requested.
• Scanned OMR sheets: 2 years after results are published, for audit and re-verification.
• Consent audit logs (IP, user-agent, policy version): retained as long as the corresponding account/booking exists.

5. Third-party processors

We share personal data with carefully selected processors who act on our instructions:

• Stripe (payment processing) — card data, billing name, email. USA/Ireland. PCI DSS Level 1.
• Twilio (WhatsApp result notifications) — phone number, notification message. USA/Ireland.
• SMTP email provider (transactional email) — email address, message content.
• Backblaze B2 (scanned answer sheet storage) — OMR images only, encrypted at rest.
• OpenAI / Anthropic (OMR answer extraction via AI vision) — the scanned sheet image only. No parent data or student PII is sent to AI providers beyond what's printed on the scanned answer sheet itself.
• MongoDB Atlas (database) — all application data, encrypted at rest.
• Render / Vercel (application hosting) — transit-only.

Where processors transfer data outside the UK/EEA, we rely on Standard Contractual Clauses and supplementary measures.

6. Your rights

Under UK GDPR you have the right to:

• Access the personal data we hold about you (Privacy Center → "Download my data").
• Rectify inaccurate information (Profile settings).
• Erase your data (Privacy Center → "Delete my account").
• Restrict or object to processing, including for marketing (Notification preferences or tokenised unsubscribe link in emails).
• Data portability — receive your data in a machine-readable JSON format.
• Withdraw consent at any time, without affecting the lawfulness of prior processing.
• Complain to the UK Information Commissioner's Office at ico.org.uk or 0303 123 1113.

7. Security

We use industry-standard safeguards: HTTPS/TLS in transit, encryption at rest, bcrypt password hashing, role-based access control, rate limiting, and regular security reviews. No system is 100% secure; we will notify you and the ICO of any personal data breach within 72 hours as required by law.

8. Children's data

Our service involves processing personal data of children (exam candidates). We only do so with verifiable consent from a parent or legal guardian, captured at the booking stage. Children never log in or interact with the service directly.

9. Changes to this policy

We may update this policy to reflect changes in law or our services. Material changes require you to re-consent before continuing to use the service. The current version and last-updated date appear at the top of this page.

10. Contact

For any privacy question or to exercise your rights:

privacy@educare11plus.co.uk

We will respond within 30 days.