SATs Superstars MAX is a UK-based education service for pupils, parents, and teachers. Because many users are children, we keep high-privacy defaults, explain data use in plain English, and build parent and school controls into the product. This notice explains the data we currently collect and how we use it.
Quick version for pupils
- Use a nickname where possible. Do not type home addresses, phone numbers, full names, school secrets, or anything very private into practice answers or the AI tutor.
- Your parent or guardian can see your progress. If you use a school account, authorised teachers at your school may also see learning progress and relevant AI tutor messages.
- If you write something that sounds like you or someone else may be unsafe, we may flag it for safeguarding review by an appropriate adult.
- You have privacy rights too. A parent, guardian, school, or Dr Nile Ltd can help you ask for a copy, correction, restriction, objection, or deletion review.
1. Who is the data controller?
Dr Nile Ltd operates SATs Superstars MAX. For direct family accounts, Dr Nile Ltd is the data controller. For school accounts, the school remains the controller for its pupil deployment and Dr Nile Ltd acts as the data processor for pupil learning data unless a signed school DPA or legal review says otherwise. Dr Nile Ltd is also an independent controller for limited platform security, billing, legal, and operational records.
2. What data we collect
Account data
- Email address (required for sign-in and password reset)
- Display name / first name (pupil chosen, can be a nickname)
- Year group (self-declared at sign-up)
- School code (optional - only if entered at sign-up)
- Password and session handling through Supabase Auth; Dr Nile Ltd does not store plain-text passwords
Learning data
- Practice answers, XP, streak counts, achievements, mock-exam scores
- Error log of which questions were answered incorrectly (for the "Mistakes Book" feature)
- AI tutor conversation history (server-side history is pruned to the most recent 500 messages per pupil; used for continuity, abuse prevention, and safeguarding review)
Technical data
- IP address, URL, browser user-agent, and device type where needed for hosting, security, rate-limiting, and debugging
- Session token (stored in necessary browser local storage for sign-in)
- Sentry production error diagnostics if an app error occurs; no session replay/video capture is approved by this policy
3. What we DO NOT collect
- No full address, postcode, phone number, or date of birth
- No camera, microphone, location, or contacts access
- No third-party advertising cookies or trackers
- No social-media pixels (Meta, TikTok, and Google Analytics are not present)
- No behavioural profiling for marketing
- No session replay or video recording
4. How we use data
We use your data only to:
- Provide the learning service (sync your progress across devices)
- Keep accounts secure (password reset, rate-limiting to prevent abuse)
- Let teachers and parents see pupil progress (where a school code is attached)
- Flag safeguarding concerns in AI chat (self-harm, abuse, illegal content)
- Fix bugs and keep the app reliable using limited diagnostics
5. Legal basis (UK GDPR Art. 6)
- Contract - to deliver the service you signed up for
- Legitimate interests - security, fraud prevention, bug-fixing, service reliability, and proportionate safeguarding review
- Legal obligation - safeguarding disclosures where required by UK law
- Consent - for any optional email communication (you can opt out any time)
For school deployments, the school's lawful basis may differ because the school is normally the controller for pupil use. We support the school with processor evidence, DPA materials, retention information, and export/deletion workflows.
6. Where data is stored
We use third-party cloud providers to run the app, store account data, and deliver related services. Depending on the service, data may be processed in the UK, EEA, or other jurisdictions covered by the provider's infrastructure, contractual terms, and safeguards. We keep a processor register and review it for school/DPO handoff.
7. Retention
- Account and learning data: kept while the account is active, plus 12 months after last sign-in; then permanently deleted.
- AI chat history: rolling last 500 messages per pupil.
- Safeguarding flags: retained only where needed for safeguarding review, school records, or legal obligations.
- Account holders can request export or deletion at any time from Settings or by contacting us. School-account requests may need school-controller review first.
8. Sharing
We use the following processors or service providers to deliver the service:
- Supabase Inc. - database + authentication
- Cloudflare, Inc. - hosting + CDN + edge functions
- OpenAI - SATs Superstars MAX AI tutor features
- Stripe Payments UK Ltd. - subscription billing (card details are entered directly into Stripe - we never see them)
- Sentry - production error reporting only; no replay/video capture approved by this policy
We do not sell, rent, or swap your data with anyone. Ever.
9. Your rights
Under UK GDPR you have the right to access, correct, export, restrict, object to, or delete your data, and to complain to the ICO.
Children have these rights too. Depending on age, understanding, and account context, a child may exercise rights directly, or a parent/guardian or school may help them. You can request an export or deletion review from Settings or email [email protected] with the account email. We aim to respond within 30 days. School accounts may require coordination with the school because the school is normally the controller.
10. Cookies
We use necessary browser storage and limited necessary cookies/session technologies to keep users signed in, remember preferences, preserve accessibility choices, continue learning across refreshes, hand off paid checkout, remember privacy choices, and secure the service. No advertising cookies, social pixels, cross-site tracking, or third-party ad trackers are used. Optional analytics/performance tracing must stay disabled unless disclosed, consented to where required, tested, and legally reviewed.
11. Safeguarding (Keeping Children Safe)
The SATs Superstars MAX AI tutor contains content filters and a safeguarding flagging system. If a pupil says something indicating self-harm, abuse, or intent to cause harm, a flag may be sent to the Designated Safeguarding Lead or authorised safeguarding staff at their school where a school account is used, or reviewed internally for direct family accounts. We may disclose relevant records to law enforcement, the NSPCC, social services, or another appropriate safeguarding authority where required or permitted by UK law.
12. Changes
We'll update the "Last updated" date at the top of this page. Account holders are notified of material changes by email at least 14 days before they take effect.
13. Contact
Email: [email protected]
Reply SLA: 3 working days (usually same day)