Privacy policy
Effective 6 May 2026 · Last updated 6 May 2026
TopMyGrade ("we", "us", "our") helps UK secondary-school students prepare for GCSE and A-Level exams. This policy explains what personal data we collect, how we use it, who we share it with, and your rights under the UK GDPR and Data Protection Act 2018.
1. Who we are
TopMyGrade is operated by Aartiq Consulting Ltd, registered in England & Wales. We are the data controller for personal data processed through topmygrade.com.
Contact for privacy matters: privacy@topmygrade.com.
2. What we collect
The minimum we need to run the service:
- Account data: full name, email address, password (hashed by Supabase Auth — we never see the plain password), role (student / parent / admin), avatar (if you sign up via Google).
- Profile preferences: chosen exam board(s), subjects, target grade, exam year, theme.
- Study activity: which topics you view, papers attempted, answers submitted, marks awarded, flashcards reviewed, AI tutor conversations.
- Technical data: IP address, user-agent string, request/session identifiers (used for security audit logging only).
- Parent–child links: when a parent and child connect accounts, we record the link and the invite-code used.
We do not collect: real-time location, contacts, browsing history outside TopMyGrade, financial details, or any sensitive category data (UK GDPR Art. 9) unless you voluntarily provide it inside an answer to an AI tutor — and even then, we never link it to a profile field.
3. How we use it (lawful bases)
Mapped to UK GDPR Article 6:
- Performance of contract (Art. 6(1)(b)) — to provide the platform you signed up for: showing topics, marking your answers, syncing flashcards.
- Legitimate interests (Art. 6(1)(f)) — security, fraud prevention, aggregate analytics so we can improve the product. We balance this against your rights and document the assessment internally.
- Consent (Art. 6(1)(a)) — for non-essential cookies and any future marketing emails. You can withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)) — when responding to lawful requests from authorities.
4. Children and parental consent
TopMyGrade is intended for students aged 11 and over. Under UK GDPR, the age at which a child can consent to information-society services is 13. For users under 13 we require a parent or guardian to create the account and consent on the child's behalf. Parents can request access to or deletion of their child's data at any time via privacy@topmygrade.com.
We do not show targeted advertising to under-18s. We do not sell student data. We do not share data with advertising networks.
5. Who we share it with
We use a small number of carefully chosen processors. Each is bound by a data-processing agreement.
- Supabase (Postgres + Auth) — primary database and authentication, hosted in the EU.
- Vercel (application hosting) — runs the web application. Logs and telemetry kept inside the EU when possible.
- Anthropic (Claude AI) — generates worked solutions, marks open-ended answers, powers the AI tutor. We send the question text + your answer; we never send your name, email, or account ID.
- Hostinger (PDF mirror) — stores past-paper PDFs for fast delivery. No personal data.
We do not share data with advertising networks, brokers, or any party that could re-identify you for commercial profiling.
6. International transfers
Anthropic's API is hosted in the United States. Where we transfer data outside the UK / EEA, we rely on the UK's International Data Transfer Agreement (IDTA) and the EU Standard Contractual Clauses plus the UK Addendum.
7. Retention
- Active accounts: data is kept while your account is active.
- Inactive accounts: deleted after 24 months of no sign-in (we'll email you 30 days before).
- Audit log: security-relevant events (sign-ins, role changes, deletions) are retained for 7 years to meet SOC 2 and ISO 27001 expectations.
- Analytics events: kept for 13 months in identifiable form, then aggregated.
8. Your rights (UK GDPR)
You have the right to:
- Access a copy of your data (Art. 15)
- Correct inaccurate data (Art. 16)
- Have your data deleted (Art. 17 — “right to be forgotten”)
- Restrict processing (Art. 18)
- Receive your data in a portable format (Art. 20)
- Object to processing based on legitimate interests (Art. 21)
- Not be subject to automated decisions with legal effect (Art. 22) — our AI marker is assistive only and does not produce legally binding decisions.
To exercise any of these rights, email privacy@topmygrade.com. We respond within 30 days.
You also have the right to complain to the UK Information Commissioner's Office: ico.org.uk.
9. Cookies
We use a minimal set of first-party cookies and browser storage:
- Auth session (essential) — keeps you signed in.
- Theme preference (essential) — remembers light/dark mode.
- Filter preferences (functional) — saves your past-paper filters so they persist across visits. Stored in browser localStorage, never sent to us.
We do not use third-party analytics cookies, advertising cookies, or social-media trackers.
10. Security
Data in transit is protected by TLS 1.2+ across the entire site. Data at rest in Supabase is encrypted with AES-256. Access to administrative tools is gated by role (student / parent / admin), enforced by row-level security policies in the database, and every admin action is recorded in an append-only audit log aligned with SOC 2, ISO 27001, GDPR Art. 30 and DORA.
We do not store passwords in plaintext. We do not store payment card details. When we add billing, we'll use a PCI-DSS-compliant payment processor.
11. AI and your data
When you use AI features (worked solutions, answer marking, the tutor), we send the relevant content (the question, your answer, your message) to our AI provider so it can generate a response. We do not include personal identifiers like your name, email or user ID in the prompt. Anthropic, our current provider, contractually undertakes not to use API traffic for model training.
AI-generated content is assistive — please cross-check important answers against the official mark scheme. Marks and feedback are not legally binding.
12. Changes to this policy
We'll update this page when our practices change. If a change is material (e.g., adding a new processor or a new data category), we'll email registered users at least 14 days before it takes effect.
13. Contact
Aartiq Consulting Ltd
Email: privacy@topmygrade.com
Website: topmygrade.com/contact
This policy is written in plain English deliberately. The legal references in each section are pointers to the controlling provisions of UK law — not legal advice. If anything is unclear, ask us at privacy@topmygrade.com.