Privacy Policy
Last updated: January 2026
1. Introduction
Big Maths is operated by Andrell Education Ltd, a company registered in England and Wales (Company Number 05331897) with offices at Premier House, High Street, Crigglestone, Wakefield, WF4 3EB.
We are committed to protecting the privacy of all users, with particular care for children's data. This policy explains how we collect, use, and protect personal information through the Big Maths website (bigmaths.website) and mobile application.
Data Protection Contact: For all data protection enquiries, please contact us at hello@andrelleducation.com. While we are not required to appoint a formal Data Protection Officer under Article 37 UK GDPR, we have designated a data protection lead who oversees our compliance.
Data Protection Impact Assessment: We have conducted a Data Protection Impact Assessment (DPIA) for our processing of children's data, as required under Article 35 UK GDPR for high-risk processing. A summary is available upon request by contacting us at hello@andrelleducation.com.
2. Information We Collect
Parent/Guardian Account Information
- Email address
- Password (encrypted)
- Payment information (processed securely by Stripe)
Child Profile Information
- Display name (first name only)
- School year group
- Birth year (for age-appropriate content)
- Learning progress and scores
- Avatar selection
Family Voice Library
Parents may optionally record voice messages to encourage their child during practice. These recordings are stored securely, are accessible only by the parent who created them, and are played to that parent's own child. Voice recordings can be deleted at any time through the app settings.
Technical Information
- Device type and operating system
- App usage patterns (for improving the service)
- Error logs (for troubleshooting)
3. How We Use Your Information (Legal Basis)
Under UK GDPR, we must have a lawful basis to process your personal data. The table below explains how we use your information and our legal basis for each purpose:
| Purpose | Legal Basis |
|---|---|
| Provide personalised maths learning experiences | Contract - necessary to deliver our service |
| Track and display learning progress | Contract - core functionality of the service |
| Process subscription payments | Contract - necessary to fulfil your subscription |
| Send account communications (verification, password reset) | Contract - necessary for account security |
| Improve services based on usage patterns | Legitimate Interest - to enhance user experience |
| Provide customer support | Legitimate Interest - to assist users effectively |
| Store and play Family Voice recordings | Consent - you choose to record and can delete anytime |
| Share progress with schools/tutors | Consent - only when you explicitly grant access |
| Comply with legal obligations | Legal Obligation - required by law |
For children's data, processing is based on parental consent provided when creating a child profile, combined with contract performance for delivering educational services.
4. Children's Privacy
Big Maths is designed for children aged 4-11. We take extra precautions to protect children's data:
- Children cannot create accounts directly - a parent or guardian must create the account
- We collect only the minimum information necessary for the service
- We do not display advertising to children
- We do not sell children's data
- Children's profiles use display names only, not full names
- Parents have full control over their child's data and can delete it at any time
How We Obtain Parental Consent
Under UK GDPR Article 8 and the Children's Code, we must obtain verifiable parental consent before processing children's data. Our consent process works as follows:
- Adult account creation: Only adults aged 18+ can create a Big Maths account. During signup, you confirm you are at least 18 years old.
- Email verification: We verify your email address to confirm you have access to the account and can receive important communications.
- Parental declaration: When adding a child profile, you must confirm that you are the parent or legal guardian of the child and consent to their use of the service.
- Payment verification: For paid subscriptions, payment is processed through an adult's payment method, providing additional verification of adult involvement.
Granular consent for optional features:
- Family Voice Library: This feature is disabled by default. Parents must actively enable it and can delete recordings at any time.
- School/Tutor linking: Sharing your child's progress with a school or tutor requires you to explicitly share a linking code. You can revoke access at any time.
Withdrawing consent: You can withdraw consent for any processing at any time by:
- Deleting your child's profile through your account settings
- Disabling optional features (Voice Library, school linking)
- Deleting your entire account
- Contacting us at hello@andrelleducation.com
We comply with the UK Age Appropriate Design Code (Children's Code) and applicable data protection laws regarding children's privacy.
5. Data Sharing & Sub-Processors
We share data only with trusted service providers who help us deliver our service:
| Provider | Purpose | Data Location |
|---|---|---|
| Supabase Inc | Database hosting and authentication | EU (Frankfurt) |
| Vercel Inc | Web portal hosting | EU (London) |
| Stripe Inc | Payment processing | EU (PCI-DSS compliant) |
| Cloudflare Inc | CDN and security protection | EU |
| Postmark (ActiveCampaign) | Transactional email delivery | EU |
| Schools/Tutors | Progress sharing (only when you grant access) | Via linking code |
We do not sell personal information to third parties. All sub-processors have signed Data Processing Agreements (DPAs) with appropriate safeguards. We may share anonymised, aggregated data for research or educational purposes.
6. International Data Transfers
Your data may be transferred to and processed in countries outside the UK/EEA. We ensure appropriate safeguards are in place:
- Supabase - Our database provider stores data in the EU (Frankfurt region). Supabase Inc. is certified under the EU-US Data Privacy Framework.
- Stripe - Payment processing may involve transfers to the US. Stripe is certified under the EU-US Data Privacy Framework and maintains Standard Contractual Clauses.
Where data is transferred outside the UK/EEA, we rely on adequacy decisions, Standard Contractual Clauses (SCCs), or other approved transfer mechanisms to ensure your data receives equivalent protection.
7. School and Tutor Access
If you choose to link your child's account to a school or tutor using a linking code:
- They will see your child's display name and learning progress
- They will NOT have access to parent email, payment details, or voice recordings
- You can revoke access at any time through your account settings
- The school/tutor cannot transfer or share this access
8. Data Security
We protect your data using:
- SSL/TLS encryption for all data transmission
- Encrypted password storage (bcrypt hashing)
- Row-level security policies on our database
- Regular security audits
- EU-based data storage
In the event of a data breach involving personal information, we will notify the appropriate authority within 72 hours and affected users as required by law.
9. Data Retention
We use a two-state model to balance your rights with educational continuity:
Standard Deletion (Soft Delete)
When you cancel your subscription or delete a child's profile through the app:
- Data is immediately hidden from all normal operations
- Data is retained securely in case you return to the service
- This preserves your child's learning journey if circumstances change
Why we do this: A child's maths learning represents months or years of progress. Families may pause subscriptions, children may change schools, or circumstances may change. Keeping this data means your child can pick up exactly where they left off, rather than starting from scratch. This approach prioritises the child's educational interests, as required by the ICO's Children's Code.
Permanent Deletion (GDPR Erasure)
If you want data permanently and irreversibly deleted, you can request GDPR erasure through your account settings. Here's what happens:
- Day 0: You submit your request. Data is immediately hidden.
- Days 1-28: Cooling-off period. You can cancel the request anytime.
- Day 21: We send a reminder email (7 days remaining to cancel).
- Day 29: Data is permanently deleted. This cannot be undone.
What gets deleted: Progress Tree, learning achievements, challenge history, voice messages, and all other personal data. An anonymised audit record is kept to prove we complied with your request.
Other Retention Periods
- Payment records: 7 years (legal requirement)
- Anonymised analytics: Indefinite (no personal data)
- Support correspondence: 2 years after resolution
10. Your Rights
Under UK GDPR, you have the right to:
- Access - Request a copy of your personal data
- Rectification - Request correction of inaccurate data
- Erasure - Request deletion of your data ("right to be forgotten")
- Portability - Receive your data in a machine-readable format
- Objection - Object to certain types of processing
- Withdraw consent - Withdraw consent at any time
How to Exercise Your Rights
You can exercise most rights directly through your account:
- Download your data: Account Settings → Privacy → Download My Data
- Request permanent deletion: Account Settings → Privacy → Request GDPR Erasure
- Delete voice recordings: App Settings → Voice Library → Delete
- Revoke school/tutor access: Dashboard → Child → Linked Accounts → Remove
Your data export includes: your account information, all child profiles, learning progress, challenge history, and voice messages. The export is provided in JSON format (machine-readable) with a human-readable PDF summary.
You can also contact us at hello@andrelleducation.com for any data rights request. We will respond within 30 days.
For full details on how to delete your account or a child's data, see our Account Deletion page.
11. Cookies and Similar Technologies
Our website uses cookies to provide and improve our service. A cookie is a small text file stored on your device.
Cookies We Use
| Cookie | Purpose | Duration |
|---|---|---|
| sb-access-token | Authentication - keeps you logged in | Session |
| sb-refresh-token | Authentication - refreshes your session | 7 days |
We do NOT use:
- Advertising or marketing cookies
- Third-party tracking cookies
- Analytics cookies that identify individuals
You can control cookies through your browser settings. However, disabling essential cookies will prevent you from logging into your account.
12. Automated Decision-Making
Big Maths uses algorithms to personalise learning content for children. This includes:
- Selecting practice questions based on learning progress
- Adjusting difficulty levels automatically
- Identifying areas that need more practice
Important: These automated processes:
- Do NOT produce legal or similarly significant effects
- Are designed to enhance learning, not assess or label children
- Do not affect access to the service or subscription terms
- Can be overridden by parents who can reset progress or adjust settings
If you have concerns about how automated systems affect your child's experience, please contact us at hello@andrelleducation.com.
13. Changes to This Policy
We may update this policy from time to time. We will notify you of significant changes via email or through the app. Continued use of the service after changes constitutes acceptance of the updated policy.
14. Contact Us
If you have questions about this privacy policy or wish to exercise your rights:
Andrell Education Ltd
Premier House, High Street
Crigglestone, Wakefield
WF4 3EB
Email: hello@andrelleducation.com
Phone: 01924 229380
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
