SATs Superstars MAX is a UK-based education service for Year 6 pupils and their parents/teachers. Because our users include children under 13, we follow the UK ICO's Age-Appropriate Design Code ("Children's Code") and apply UK GDPR with children's best interests as the primary design principle.
1. Who is the data controller?
The operator of this service (contactable at [email protected]) is the data controller for information collected through satsuperstars.com.
2. What data we collect
Account data
- Email address (required for sign-in and password reset)
- Display name / first name (pupil chosen, can be a nickname)
- Year group (self-declared at sign-up)
- School code (optional - only if entered at sign-up)
- Password hash (the password is never stored in plain text; bcrypt via Supabase Auth)
Learning data
- Practice answers, XP, streak counts, achievements, mock-exam scores
- Flashcard review history and spaced-repetition state
- Error log of which questions were answered incorrectly (for the "Mistakes Book" feature)
- AI tutor conversation history (last 500 messages per pupil; used to prevent abuse and to let teachers safeguard)
Technical data
- Anonymised IP address (retained 30 days for rate-limiting and security)
- Browser user-agent and device type (used only to render the site correctly)
- Session token (stored in browser local storage; not transmitted to third parties)
3. What we DO NOT collect
- No full address, postcode, phone number, or date of birth
- No camera, microphone, location, or contacts access
- No third-party advertising cookies or trackers
- No social-media pixel (Meta, TikTok, Google Analytics are not present)
- No behavioural profiling for marketing
4. How we use data
We use your data only to:
- Provide the learning service (sync your progress across devices)
- Keep accounts secure (password reset, rate-limit abuse)
- Let teachers and parents see pupil progress (where a school code is attached)
- Flag safeguarding concerns in AI chat (self-harm, abuse, illegal content)
- Fix bugs and improve the app (aggregated usage metrics only, never individual tracking)
5. Legal basis (UK GDPR Art. 6)
- Contract - to deliver the service you signed up for
- Legitimate interests - security, fraud prevention, bug-fixing
- Legal obligation - safeguarding disclosures where required by UK law
- Consent - for any optional email communication (you can opt out any time)
6. Where data is stored
All personal data is stored on Supabase infrastructure hosted in the EU (Frankfurt region). Site hosting is Cloudflare Pages with data residency in the UK/EU. No data leaves the UK/EU without your explicit consent.
7. Retention
- Account and learning data: kept while the account is active, plus 12 months after last sign-in; then permanently deleted.
- AI chat history: rolling last 500 messages per pupil.
- Safeguarding flags: retained for 3 years as required by DfE guidance for schools.
- A parent can request immediate deletion at any time - see §9.
8. Sharing
We share data only with the following processors under GDPR Article 28 contracts:
- Supabase Inc. - database + auth (EU region)
- Cloudflare, Inc. - hosting + CDN + edge functions
- OpenAI Ireland Ltd. - Dr Nile AI tutor (chat content only; zero-retention mode)
- Stripe Payments UK Ltd. - subscription billing (card details are entered directly into Stripe - we never see them)
We do not sell, rent, or swap your data with anyone. Ever.
9. Your rights
Under UK GDPR you have the right to access, correct, export, restrict, or delete your data, and to complain to the ICO.
For children's accounts, the parent/guardian may exercise these rights on the child's behalf. Email [email protected] with the account email and we'll action it within 30 days (usually 48 hours).
10. Cookies
We use strictly necessary cookies only - one session token and one theme preference. No analytics, ad, or third-party cookies. We do not display a cookie banner because we don't need consent for strictly necessary cookies under PECR/UK GDPR.
11. Safeguarding (Keeping Children Safe)
The Dr Nile AI tutor contains content filters and a safeguarding flagging system. If a pupil says something indicating self-harm, abuse, or intent to cause harm, a flag is sent to the Designated Safeguarding Lead at their school (if a school code is attached) or to an internal welfare team. We may disclose relevant records to law enforcement, NSPCC, or social services where required by UK law (Children Act 1989, Keeping Children Safe in Education 2023).
12. Changes
We'll update the "Last updated" date at the top of this page. Material changes are notified by email to account holders at least 14 days before taking effect.
13. Contact
Email: [email protected]
Reply SLA: 3 working days (usually same day)