Privacy Policy

Last updated: 8 June 2026

For Kids

What is this? This page explains what information we keep about you when you use PrepStep.

What do we know about you? Just your first name and how you're doing with your practice questions. That's it.

Who can see it? You and your parent or guardian. If your parent connects a tutor, that tutor can also see your quiz scores and practice progress.

Can you delete it? Yes! Your parent can delete everything at any time.

Do we share it? No. We don't sell your information or show it to advertisers. Ever.

The AI tutor? When you chat with the AI tutor, your questions are answered and then forgotten. We don't save your conversations.

1. Who we are

PrepStep is operated by Ben Jackson (sole trader), the data controller for your personal data.

Email: [email protected]

ICO Registration Number: ZC117769

2. What data we collect

Account data (provided by parent)

Parent's email address — for account creation, password reset, and notifications
Parent's name — for account identification
Child's first name — for personalisation within the app

Learning data (generated by using the app)

Quiz scores and history — which topics your child has studied and how they scored
Individual question attempts — which questions were answered correctly or incorrectly
Lesson completions — which learning lessons have been completed
Practice session logs — when and how often your child practises
Practice day counts — how many days your child has practised recently
Spaced repetition queue — questions scheduled for review based on performance

AI tutor conversations

When your child asks the AI tutor a question, the question text is sent to our AI provider (Anthropic) for processing
Conversations are not stored on our servers — they are processed and discarded
The AI tutor only discusses the exam question being studied and does not ask for personal information

Technical data (automatic)

IP address — recorded in standard web server logs for security purposes
Error reports — if the app encounters an error, a report is sent automatically containing the error message, page URL, browser type, and your child's first name (to help us diagnose issues). No personal data beyond the first name is included. Error reports are logged for operational review and are not stored permanently.
Cloudflare Web Analytics — we use Cloudflare's privacy-first analytics to understand how the app is used (page views, performance). This uses no cookies, no tracking, and no personal data. It is operated by Cloudflare as part of our hosting.
No third-party analytics services (Google Analytics, etc.) are used
No cookies are used for tracking

What we do NOT collect

Child's surname or date of birth
School name
Location or geolocation
Device identifiers
Browsing behaviour outside this app
Photos or biometric data

3. Why we collect this data (lawful basis)

Data	Lawful basis	Why
Account data	Contract	Necessary to provide the service you signed up for
Learning data	Contract	Core function of the app — tracking progress and adapting to your child's needs
AI tutor conversations	Legitimate interest	Educational support requested by the child during a study session
Error reports	Legitimate interest	Identifying and fixing bugs to maintain a reliable service
Web analytics (Cloudflare)	Legitimate interest	Understanding app usage to improve the service (no personal data collected)
IP address	Legitimate interest	Security and abuse prevention
Tutor invitations (parent email + child's first name)	Legitimate interest	Sending a tutor's invitation to the family on the tutor's behalf; deleted automatically if not accepted

Parental consent is obtained at sign-up for all processing of the child's data, as required under UK GDPR Article 8 (child is under 13).

4. Who we share data with

We use a small number of trusted service providers to run the app. They only process data on our instructions and are bound by data processing agreements.

Provider	Purpose	Location	Safeguards
Cloudflare	Hosting, database, content delivery	EU (location hint)	Standard DPA
Clerk	Authentication (sign-in, password reset)	US	SOC 2 Type 2, Data Privacy Framework, DPA
Anthropic	AI tutor (processes questions, does not store)	US	Standard Contractual Clauses, DPA
Backblaze B2	Encrypted off-site backups (data is encrypted before transmission; Backblaze cannot read it)	US	Standard DPA

We do not sell your data. We do not share data with advertisers. We do not use data for any purpose other than providing and improving this educational service.

Tutors

If you choose to connect your child to a private tutor on PrepStep, that tutor will be able to see your child's learning data for the purposes of supporting their progress. Specifically, a connected tutor can see:

Your child's first name, year group, and target school
Your name (as the parent or guardian on the account)
Quiz scores, topic performance, and practice history
Homework assignments set by the tutor and their completion status

Connecting your child to a tutor is entirely voluntary and requires an explicit action from you — no data is shared with any tutor unless you have connected your child to them. You can disconnect a tutor at any time from within the app, after which they will no longer have access to your child's data.

Tutors are independent practitioners. They agree to PrepStep's tutor terms before accessing the platform, which require them to treat pupil data confidentially and use it only for educational purposes.

Tutor invitations. When a tutor invites a family to PrepStep, they provide us with the parent's email address and the child's first name so we can send the invitation on their behalf. We use these details only to send and track that invitation; unaccepted invitations are automatically deleted after they expire. If you receive an invitation you didn't expect, you can simply ignore it and no account or data is created.

5. International data transfers

Some of our service providers are based in the United States. Data transfers to the US are protected by:

Clerk: EU-US Data Privacy Framework + Data Processing Agreement
Anthropic: Standard Contractual Clauses + Data Processing Agreement

Learning data is stored in Cloudflare D1 with an EU location preference.

6. How long we keep data

Data	Retention period
Account and learning data	While your account is active
AI tutor conversations	Not stored (transient processing only)
Server logs (IP addresses)	Cloudflare default retention (up to 72 hours)
Inactive accounts	Deleted after 2 years of inactivity (notification sent at 23 months)

When you delete your account, all data is permanently removed from our database immediately. This includes all learning data, quiz history, and your child's profile.

7. Your rights

Under UK GDPR, you have the right to:

Access — request a copy of all data we hold about your child
Rectification — ask us to correct inaccurate data
Erasure — delete your account and all associated data (available in account settings)
Data portability — download your child's data in a machine-readable format (JSON export available in account settings)
Withdraw consent — you can withdraw consent and delete your account at any time
Complain — if you're unhappy with how we handle data, you can complain to the ICO

To exercise any of these rights, email us at [email protected] or use the account settings in the app.

8. Children's privacy

This app is designed for use by children and we take their privacy seriously.

Accounts are created by a parent or guardian, not by the child
We collect the minimum data needed for the educational service (child's first name and learning progress only)
Privacy settings are protective by default — there is nothing to "turn on"
We do not use nudge techniques to encourage children to share more data
We do not use data profiling for any purpose other than adapting the learning experience
We do not display advertising or share data with advertisers
The AI tutor does not ask for personal information and conversations are not stored
If you connect a tutor, they can see your child's progress data as described in section 4. Connecting a tutor requires an explicit action from you — no data is shared with any tutor automatically

This app has been designed with reference to the ICO's Age Appropriate Design Code (Children's Code).

9. Cookies

We use only essential cookies necessary to operate the service:

Authentication cookies — set by Clerk to keep you signed in. Without these, the app cannot identify you between page loads. These are strictly necessary and do not require your consent under UK law.

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Cloudflare Web Analytics (which we use for basic page-view data) works entirely without cookies or personal data.

10. Notifications

If you opt in, we will send weekly progress emails to the parent's email address summarising your child's learning activity. You can unsubscribe from these at any time using the link in the email or in account settings.

We may also send essential account emails (password reset, account changes). These cannot be unsubscribed from as they are necessary for account security.

11. Changes to this policy

If we make significant changes to this privacy policy, we will notify you by email and update the date at the top of this page. Continued use of the app after changes constitutes acceptance of the updated policy.

12. Contact and complaints

Data Controller: Ben Jackson (PrepStep)

Email: [email protected]

ICO: If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office:

Website: ico.org.uk/make-a-complaint
Phone: 0303 123 1113