Prep+ Home

Privacy Policy

Last updated: 7 May 2026

This Privacy Policy explains how Prep+ ("we", "us", "our") collects and uses personal data when you use our website and apps at elevenplusprep.app (the "Service"). It is written for parents and guardians, who create and manage accounts on behalf of their children.

This policy is provided for transparency and is not legal advice. Please review it before relying on it.

1. Who we are

The Service is currently operated by an individual based in the United Kingdom ("the operator of Prep+"). We will update this section with company details once a legal entity is incorporated. You can contact us at any time at hello@elevenplusprep.app.

2. Data we collect

Parent account data

  • Email address and display name.
  • Password (stored as a salted hash) or Google sign-in identifier if you use Google.
  • Parent PIN (stored as a salted hash) used to access the parent area.
  • Account preferences and settings.

Child profile data (provided by you)

  • Display name (we recommend a first name or nickname only).
  • School year and target exam date.
  • Target schools and the exam profile selected for your child.
  • Practice preferences and weekly practice goal.

Practice activity

  • Each question attempted, the answer given, whether it was correct, and time spent.
  • Practice session metadata (start, end, category, completion).
  • Skill-level mastery, weekly category mastery snapshots, and exam readiness scores and history.

Social features

  • Friend connections and group streaks. With friends, we share only your child's display name and streak status — never their scores, accuracy, or specific answers.

Communications

  • Transactional emails (welcome, PIN reset, weekly summaries) and your unsubscribe choices.
  • Email send logs and a suppression list for bounced or unsubscribed addresses.

Technical data

  • IP address and user agent, captured by our hosting and authentication providers for security and abuse prevention.
  • Strictly necessary cookies used to keep you signed in. We do not use advertising cookies or third-party trackers.

Payments (coming soon)

When paid plans launch, payments will be handled by a regulated third-party processor (such as Stripe). We will receive limited billing information needed to manage your subscription and will never store full card numbers.

3. How we use your data

  • To provide the Service and adapt practice to your child's level.
  • To generate parent insights, mastery summaries and readiness signals.
  • To send transactional emails about your account and your child's progress.
  • To detect and prevent abuse, fraud and security incidents.
  • To comply with legal obligations.

We do not sell your data, do not use it for behavioural advertising, and do not profile children for marketing.

4. Legal bases (UK GDPR)

  • Contract — to provide the Service you have signed up for.
  • Legitimate interests — improving the Service, securing our systems, and sending essential service emails, balanced against your rights.
  • Consent — where required (for example, for optional features), and parental consent for child data.
  • Legal obligation — where we must keep certain records.

5. Children's data

Prep+ is designed to be used by children aged roughly 8 to 12 under the supervision of a parent or guardian. Children cannot create their own accounts; a parent creates and consents to the child profile and chooses what to share. We follow the principles of the UK ICO's Age Appropriate Design Code: data minimisation, no behavioural advertising, and no marketing profiling of children. Parents can review or delete a child profile at any time from the parent area.

6. Sharing and sub-processors

We share data only with carefully chosen providers needed to run the Service:

  • Lovable Cloud (Supabase) — application hosting, database, authentication and file storage.
  • Email delivery provider — sending transactional emails and managing suppression.
  • Google — only if you choose Google sign-in.
  • Payment processor (e.g. Stripe) — when paid plans launch, for billing only.

We do not share data with advertisers. We may disclose data if legally required or to protect the safety of users.

7. International transfers

Some of our providers may process data outside the UK or EEA. Where they do, we rely on appropriate safeguards such as the UK International Data Transfer Agreement or EU Standard Contractual Clauses.

8. Retention

We keep account and practice data for as long as your account is active. If your account is inactive for an extended period (typically 24 months) we may delete or anonymise it. You can ask us to delete your data sooner by emailing us. Some records (for example email logs) may be kept for a short period to meet legal or operational needs.

9. Your rights

Under UK GDPR you have the right to access, correct, delete, restrict or object to processing of your personal data, and the right to data portability. To exercise any of these rights, email hello@elevenplusprep.app. You can also complain to the UK Information Commissioner's Office at ico.org.uk.

10. Security

We use row-level security in our database, hashed passwords and PINs, and encrypted transport (HTTPS) for all traffic. No system is perfectly secure, but we follow industry best practices and review them regularly.

11. Cookies

We only use strictly necessary cookies to keep you signed in and to keep the Service working. We do not use advertising or third-party tracking cookies, so we do not show a cookie banner.

12. Changes to this policy

We may update this policy from time to time. If changes are material we will let you know by email or in the app. The "Last updated" date at the top always reflects the current version.

13. Contact

Questions or requests? Email hello@elevenplusprep.app.