Privacy Policy

1. Who we are

11PlusExam.ai (the "App", "Service", or "we") is a revision platform for UK 11+ entrance exams, designed for Year 5 and Year 6 children and their parents. This policy explains what personal data we collect when you use the App and what we do with it.

We're the data controller for the personal data we collect. If you have any questions about this policy, contact us at support@11plusexam.ai.

2. What data we collect

From parents

• Account details — email address, password (stored as a bcrypt hash, never plaintext), the number of children you plan to add, and the date you registered.
• Email verification — short-lived one-time codes sent when you sign up or reset a password.
• Usage activity — when you log in, which dashboards you view, and homework you assign.
• Support messages — anything you send us via the contact form or email.

About children (added by their parent)

• Nickname — chosen by the parent; may or may not be the child's real first name. We don't collect surnames.
• Year group and target exam date — used to tailor content difficulty.
• Avatar — an emoji or an uploaded image chosen by the parent.
• PIN — a 4-digit PIN set by the parent to lock the child's profile, stored as a hash.
• Test and practice activity — which questions were answered, whether correctly, time taken, flagged-for-review status, and earned XP.
• In-app preferences — chosen theme, timer settings, difficulty level, daily goal, and the names a child has assigned to their in-game "hero" and "friend" characters.

Device and technical data

• JWT access tokens — stored on your device to keep you logged in.
• Error logs — if the app crashes, we receive an anonymised stack trace without personally identifying content.
• IP address — temporarily processed by our API for rate-limiting; never stored in our database.

3. How we use your data

We use personal data only to provide and improve the Service:

• To authenticate the parent and render the right content for each child profile.
• To calculate progress statistics (XP, streaks, accuracy, weak topics) shown on the child home screen and the parent dashboard.
• To generate AI-powered explanations and parent status briefings — the child's anonymous progress summary (e.g. "attempted 12 questions today, 80% accuracy in Maths") is sent to an AI provider (Anthropic Claude); no names, email addresses, or raw question text are shared.
• To send transactional email — verification codes, password-reset codes, and support replies. We do not send marketing email without explicit opt-in.
• To protect the Service against abuse via rate-limiting.
• To respond to your support requests.

4. Children's data

This App is designed for children aged approximately 9 to 11, but is used by a child only with parental consent via a parent-created account. A child does not log in directly — they access their profile via a PIN set by the parent, on the parent's device.

We collect the minimum data needed to personalise a child's experience and let their parent see progress. We do not advertise to children, do not share a child's data with third parties for marketing, and do not require a real name.

5. Who we share data with

We share personal data only with trusted processors that help us run the Service:

• Microsoft Azure — hosts our application servers and PostgreSQL database in the UK South region. Data is encrypted in transit and at rest.
• Azure Communication Services — delivers verification and password-reset emails from no-reply@11plusexam.ai.
• Anthropic (Claude) — generates AI explanations and parent briefings. We pass anonymised activity summaries only; Anthropic does not retain the content we send beyond the time required to return a response, per their API terms.
• Namecheap Email Forwarding — forwards support@11plusexam.ai messages to our support inbox.

We do not sell personal data. We do not share with advertising networks, data brokers, or social-media platforms.

If we're ever required to disclose data by law — e.g. in response to a valid legal order — we'll notify you where we're legally able to.

6. How long we keep data

• Account data — kept for as long as your account exists.
• Verification / reset codes — auto-expire after 10–15 minutes; rows are kept briefly for audit, then purged.
• Activity data — kept for the life of the account to power progress charts.
• Support emails — kept in our support inbox for up to 2 years after resolution.
• When you delete your account — we irreversibly delete all associated data (parent row, all children, settings, attempts, homework, rewards, uploaded files) within 24 hours. A small audit record with just the parent ID and a timestamp is retained for 30 days for fraud-prevention, then removed.

7. Security

• Encryption in transit — all API traffic uses TLS 1.2+.
• Passwords — bcrypt-hashed; never stored or logged in plaintext.
• Database isolation — PostgreSQL Row Level Security ensures one parent's data is physically unreachable from another parent's session. Our API user role cannot bypass this policy.
• Rate limiting — login, registration, and password-reset endpoints are capped to prevent brute-force and email-bomb attacks.
• No third-party trackers — we do not include Google Analytics, Facebook SDK, Mixpanel, or any ad-tech SDK in the app.

No system is perfectly secure. If we ever discover a data breach affecting your personal data, we'll notify you without undue delay, and notify the ICO where required.

8. Your rights

Under UK GDPR you have the right to:

• Access your personal data.
• Correct inaccurate data — you can edit most of it directly in the app.
• Delete your data — the "Delete account" button in Parent Settings does this in two taps, no support request required.
• Export your data — email us and we'll provide a machine-readable export of your family's activity within 30 days.
• Object to certain processing, or restrict how we process your data.
• Complain to the UK Information Commissioner's Office (ico.org.uk) if you feel we've mishandled your data.

9. International transfers

Our primary infrastructure lives in the UK. Anthropic's AI endpoints are hosted in the US. When we call them, we rely on the UK's International Data Transfer Agreement and Anthropic's own data- protection commitments under their Data Processing Addendum. The payload we send is always a short anonymised activity summary — no email addresses, names, or identifiable personal information.

10. Cookies & tracking

The mobile app uses no cookies. Our marketing website uses a single essential cookie to remember whether you've accepted these terms; it does not track you across sites. We don't use analytics or remarketing tools.

11. Changes to this policy

We'll update this page whenever we change how we handle data. If the change is material we'll give you at least 14 days' notice by email to your registered address before it takes effect. Minor edits (e.g. typos, clarifications) are made without notice. The "Last updated" date at the top always reflects the current version.

12. Contact us

Questions, requests, or complaints about how we handle your data: support@11plusexam.ai. We aim to respond within 3 working days.