Privacy Policy
Last updated: 2 April 2026
1. Who we are
Maths Monster is operated by Bill Hargreaves ("we", "us", "our"), a sole trader based in the United Kingdom. Our website is www.maths.monster.
For data-protection enquiries, contact us at: privacy@maths.monster.
2. What this policy covers
This policy explains how we collect, use, store and share personal data when you use www.maths.monster, including data that relates to children who complete homework and assessments through the service. Subscribers (account holders) are adults, but the homework images, self-assessment ratings and AI-generated feedback may belong to children — potentially under 13.
3. Data we collect
3.1 Account data (adult subscriber)
- Email address
- Name (optional)
- Password (hashed — we never store plaintext passwords)
- Subscription tier and payment status (via Stripe — we do not store card numbers)
- Reviewer/tutor email and name (if you choose to add one)
3.2 Child homework data
- Uploaded homework images — photos of handwritten work (max 2 files, max 5 MB each)
- Self-assessment ratings — per-question confidence ratings (1–4 scale) used for spaced-practice scheduling
- AI marking feedback — automated feedback on mathematical communication, generated by our AI marking system
3.3 Technical data
- IP address, browser type, device type (standard server logs)
- Pages visited and timestamps
4. How we use your data
| Purpose | Data used | Lawful basis (UK GDPR) |
|---|---|---|
| Provide the spaced-practice learning service | Account data, self-assessments, homework images | Contract (Art. 6(1)(b)) |
| AI marking of homework | Homework images, model answers | Contract (Art. 6(1)(b)) |
| Send question and feedback emails | Email address, unit/variation progress | Contract (Art. 6(1)(b)) |
| Process payments | Email, Stripe customer ID | Contract (Art. 6(1)(b)) |
| Maintain security and prevent abuse | IP address, technical logs | Legitimate interest (Art. 6(1)(f)) |
We do not use child data for profiling, advertising, or any purpose beyond delivering the educational service.
5. Children's data — special protections
We recognise that homework data belongs to children who may be under 18, and potentially under 13. We apply the following safeguards in line with the UK Age Appropriate Design Code (Children's Code), UK GDPR, and COPPA (for any US-based users):
- Parental account model: Only adults create accounts and manage subscriptions. Children do not create their own accounts.
- No children's names stored: We do not collect or store children's real names. If multi-child support is added in future, we will use nicknames or pseudonyms only.
- Data minimisation: We collect only what is needed for the learning service — homework images, self-assessment scores, and generated feedback.
- Automatic deletion: Uploaded homework images are automatically deleted from our submission storage after 30 days.
- No tracking beyond education: Self-assessment data and AI feedback are used solely to calculate spaced-practice intervals. We do not build behavioural profiles.
- Privacy by default: The highest privacy settings apply automatically. No data sharing, no third-party analytics tracking, no social features.
6. Data retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion or 2 years of inactivity |
| Uploaded homework images (submission bucket) | 30 days (auto-deleted) |
| Archived homework images (progress tracking) | Until account deletion or erasure request |
| Self-assessment ratings | Until account deletion or erasure request |
| AI marking feedback | Until account deletion or erasure request |
| Spaced-practice scheduling data | Until account deletion or erasure request |
| Server logs (IP, technical data) | 90 days |
| Payment records | 6 years (UK tax law requirement) |
7. Third parties who process your data
We share personal data only with processors who need it to deliver the service:
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Railway | Website and database hosting | All service data | EU (Amsterdam) |
| Cloudflare (R2) | Homework image storage | Uploaded images | EU (Western Europe) |
| Anthropic (Claude API) | AI marking of homework | Homework images and model answers (transient — not retained by Anthropic for API calls) | US |
| Brevo | Transactional email delivery | Email address, email content | EU |
| Stripe | Payment processing | Email, payment details | US (PCI DSS compliant) |
| Resend | Authentication emails (magic links) | Email address | US |
We do not sell, rent or share personal data with any other third parties.
8. International transfers
Some processors (Anthropic, Stripe, Resend) are based in the United States. These transfers are protected by the UK-US Data Bridge (UK Extension to the EU-US Data Privacy Framework) where applicable, or by Standard Contractual Clauses (SCCs). Homework images sent to the Anthropic API for marking are processed transiently and are not retained by Anthropic under their API data usage policy.
9. Your rights
Under UK GDPR, you (and, where applicable, the parent/guardian on behalf of a child) have the right to:
- Access — request a copy of personal data we hold about you or your child
- Rectification — ask us to correct inaccurate data
- Erasure ("right to be forgotten") — ask us to delete all personal data, including child homework data, self-assessments and AI feedback
- Restriction — ask us to limit processing
- Portability — receive your data in a machine-readable format
- Object — object to processing based on legitimate interests
- Withdraw consent — where consent is the lawful basis
To exercise any right, email privacy@maths.monster. We will respond within 30 days. For erasure requests, we will delete data from all systems including our database, email service, image storage and automation logs.
10. Cookies
We use only essential cookies required to keep you logged in and to protect against cross-site request forgery. We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. See our Cookie Policy for details.
11. Security
We protect your data with:
- HTTPS encryption on all connections
- Hashed passwords (never stored in plaintext)
- Server-side authentication on all API endpoints
- Cloudflare Turnstile CAPTCHA on login and registration
- No public API access to subscriber or child data
- EU-based hosting (Railway Amsterdam region)
- Presigned URLs for image access (time-limited, not publicly accessible)
12. Data breaches
In the event of a personal data breach that poses a risk to your rights, we will notify the Information Commissioner's Office (ICO) within 72 hours and affected individuals without undue delay. See our internal Data Breach Notification Procedure for full details.
13. Complaints
If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
14. Changes to this policy
We may update this policy from time to time. Material changes will be communicated by email to registered subscribers. The "Last updated" date at the top of this page shows when it was last revised.