Privacy Policy
Last updated: 2 June 2026
The short version (for students)
- We keep your name, your username, and the code you write when you do challenges so we can save your progress.
- We do not sell your data or use it to show you adverts.
- If you're at a school, your school set up your account and is in charge of your data — we just run the service for them.
- When you ask the AI tutor for help, your code is sent to a company called OpenAI so it can write you a hint or check your work.
- Want to know what we hold about you, or want it deleted? Ask your teacher, or contact us at support@smashyourexams.com.
1. Who we are
This service ("SYE Code", "we", "us") is a coding-practice platform operated by Smash Your Exams Education Ltd (a company registered in England & Wales, company no. 15461413), with its registered office at 42 Hampstead Close, Blyth, NE24 3XE. Where we are registered with the Information Commissioner's Office (ICO), our registration number is ZB758252.
For any privacy question, or to exercise your data-protection rights, contact us at support@smashyourexams.com.
The ICO is the UK's supervisory authority for data protection. You can contact them at ico.org.uk if you have a concern (see "Your rights" below).
2. Controller or processor — the two models
Who is legally responsible for your data depends on how the account was created:
- Individuals / teachers signing up directly: we are the data controller and this policy governs how we use your data.
- School pupils: the school is the data controller and decides what data is collected and why. We act as a data processor on the school's instructions, under a Data Processing Agreement (DPA) with that school. For pupils, the school's own privacy notice also applies.
See the "Children & schools" section below for more detail.
3. What we collect, and from whom
| Category | What it includes | Source |
|---|---|---|
| Account holders (teachers / individuals) | Email address, display name, password (stored as a scrypt hash, never in plain text), email-verified flag. Login sessions store a hashed IP address and your browser user-agent. | You, at sign-up |
| Students | Display name, a per-school username, and a password hash. No email address. | Provided by the school |
| Schools / organisations | Organisation name, country, members and their roles, classes, and join codes. | The school |
| Learning data | Progress (challenge status, tests passed), the code you write in submissions and saved programs, assignments, and gradebook records. | You, as you use the service |
| AI features | When you use the AI tutor, "explain", auto-mark or auto-tag, your code and the challenge are sent to OpenAI to generate hints, explanations or marking. We store counts of AI usage. | You, when you trigger an AI feature |
| Feedback widget | Your vote, an optional comment, an optional email address, a hashed IP address, and your user-agent. | You, if you leave feedback |
| Payments | Subscription status and identifiers. Card payments are handled by Stripe — we never store your card number. | You / Stripe |
| Security & audit | Login attempts (email + hashed IP), authentication tokens, and an audit log of significant actions. | Generated automatically |
4. Why we use your data, and our lawful basis
| Purpose | Lawful basis (UK GDPR) |
|---|---|
| Creating accounts, saving progress and code, running classes, assignments and the gradebook, providing AI help, and taking payment — i.e. delivering the service you (or your school) signed up for. | Contract (for pupils, the school's contract with us) |
| Keeping accounts secure (login-attempt monitoring, session and audit logging, fraud prevention) and improving the product. | Legitimate interests — running a secure, reliable service. We don't profile children for product analytics. |
| Optional analytics cookies (Google Analytics, PostHog) and any marketing communications. | Consent — these run only after you opt in via the cookie banner, and you can withdraw consent at any time. |
5. Who we share your data with
We use the following processors to run the service. We only share what each needs for its task, under contract. Some are based in the United States; those transfers rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) / the UK International Data Transfer Addendum (IDTA), or an adequacy decision where one applies.
| Processor | What it does | Location / transfer |
|---|---|---|
| OpenAI | Powers AI features — receives student code + the challenge to generate hints, explanations and marking | United States (SCCs / IDTA) |
| Stripe | Payment processing and subscription billing | EU/US (SCCs / IDTA) |
| Resend | Sending transactional email (e.g. verification, account emails) | US (SCCs / IDTA) |
| Google Analytics | Optional, consent-gated usage analytics | United States (SCCs / IDTA) |
| PostHog | Optional, consent-gated product analytics and feature flags | EU/US (SCCs / IDTA as applicable) |
| Vercel | Application hosting and content delivery | US/global (SCCs / IDTA) |
| Neon | Database hosting (stores account, learning and school data) | EU/US (SCCs / IDTA as applicable) |
We do not sell your personal data, and we do not share children's data for advertising.
6. How long we keep it
- Account & learning data: kept while the account is active, and deleted or anonymised within 6 months of the account (or the school's licence) being closed.
- Login sessions: roughly 30 days, then they expire.
- Login-attempt records: kept only for a short security window (around 15 minutes for rate-limiting purposes) and purged within 7 days.
- Feedback: kept for up to 24 months before being deleted or anonymised.
- Payment/billing records: retained for as long as required to meet UK accounting and tax obligations (typically 6 years).
Schools (and individual account holders) can request an export or erasure of their data — the product supports both GDPR export and erasure.
7. Your rights
Under UK GDPR you have the right to: access your data; have inaccurate data rectified; have data erased; restrict processing; data portability; and object to processing (including a right to withdraw consent at any time).
To exercise any of these, contact support@smashyourexams.com. If you're a pupil, the quickest route is usually to ask your teacher or school, since the school is the controller of your data. We'll respond within one month.
If you're unhappy with how we've handled your data, you can complain to the ICO at ico.org.uk — but we'd appreciate the chance to put things right first.
8. Children & schools
SYE Code is used by school pupils, including children. We take that seriously and follow the ICO's Children's code (Age Appropriate Design Code):
- Two-controller model: for pupils, the school is the data controller and SYE acts as a processor under a Data Processing Agreement, processing pupil data only on the school's instructions. For individual/teacher sign-ups, SYE is the controller.
- Data minimisation: student accounts have no email address — just a name, a per-school username, and a password.
- No marketing to children and no behavioural advertising.
- Analytics off by default: non-essential analytics run only after consent, and we avoid profiling student accounts.
- Plain-language transparency — see the student summary at the top of this page.
9. Changes to this policy
We may update this policy as the service changes. When we make a material change we'll update the "Last updated" date above and, where appropriate, notify account holders (and, for pupils, the school) by email or an in-app notice. Significant changes may require you to re-accept the policy before continuing.