Privacy Policy

ExamVerge is a UK-based online mock examination platform operated by ExamVerge Ltd ("we", "us", "our"). We are the data controller for personal data processed through this website.

Registered in England and Wales. Our contact for data protection matters: privacy@examverge.co.uk.

Account data: name, email address, encrypted password, role (student or parent), date of birth (optional), year group (optional), exam type preferences.

Exam data: answers submitted during mock papers, time spent per question, scores, session timestamps.

Payment data: payment is handled entirely by Stripe. We store only your Stripe customer ID and subscription status — never your card details.

Usage data: pages visited, features used, browser type, IP address (anonymised after 24 hours). We do not use third-party advertising trackers.

What we do NOT collect: location beyond country level, biometric data, social media profiles, behavioural advertising data.

• Provide your personalised exam preparation dashboard and paper recommendations
• Process payments and manage your subscription via Stripe
• Send transactional emails (account confirmation, results, subscription receipts)
• Improve the platform through anonymised, aggregated usage analytics
• Respond to support queries
• Comply with legal obligations

We do not use your data for profiling, automated decision-making that produces legal effects, or targeted advertising.

Contract (Article 6(1)(b)): processing necessary to provide you with the ExamVerge service you signed up for.

Legitimate interests (Article 6(1)(f)): platform security, fraud prevention, anonymised analytics to improve the service.

Legal obligation (Article 6(1)(c)): where required by UK law (e.g. financial records).

Consent (Article 6(1)(a)): for users under 13, we require verifiable parental consent before processing any personal data. You may withdraw consent at any time.

ExamVerge is primarily used by children. We take the UK Age Appropriate Design Code (Children's Code) very seriously and design our platform with the highest privacy settings as the default.

• We collect the minimum data necessary to provide the service
• We do not use children's data for commercial profiling or targeted advertising
• Privacy settings default to the most protective option
• We do not share children's personal data with third parties for marketing
• Parents can request deletion of their child's data at any time
• For users under 13, a parent or guardian must consent to data processing
• We do not use nudge techniques or design patterns that encourage children to share more data than necessary

If you believe a child under 13 has created an account without parental consent, please contact us immediately at privacy@examverge.co.uk and we will delete the account promptly.

We share your data only with:

• Stripe (payment processing) — their privacy policy applies to payment data
• AWS (cloud hosting and S3 storage) — all data is stored in the EU (Ireland) region
• Email service provider (transactional emails only)

We do not sell your data. We do not share data with advertising networks, data brokers, or other third parties for their own purposes.

We may disclose data if required by law or to protect the safety of users.

Active accounts: data is retained for as long as your account is active.

Deleted accounts: personal data is deleted within 30 days of account deletion. Anonymised exam performance data may be retained for aggregate statistical purposes.

Financial records: kept for 7 years as required by HMRC regulations, but are pseudonymised where possible.

Under UK GDPR you have the right to:

• Access — request a copy of all personal data we hold about you
• Rectification — correct inaccurate or incomplete data
• Erasure ('right to be forgotten') — request deletion of your data
• Restriction — ask us to pause processing while a dispute is resolved
• Portability — receive your data in a machine-readable format
• Object — object to processing based on legitimate interests
• Withdraw consent — at any time, without affecting lawfulness of prior processing

To exercise any right, email privacy@examverge.co.uk. We will respond within 30 days. There is no charge for reasonable requests.

We use only the cookies necessary to operate the service:

• Session cookie — keeps you logged in (expires when you close your browser or after 24 hours)
• CSRF token — protects against cross-site request forgery attacks

We do not use advertising cookies, third-party tracking cookies, or analytics cookies that identify individuals. Our analytics are aggregated and anonymised.

• All data is transmitted over HTTPS (TLS 1.2+)
• Passwords are hashed using bcrypt with a cost factor of 12
• Database access is restricted by IP allowlist and requires multi-factor authentication
• Student exam answers are never accessible directly from the browser — they are validated server-side only
• We conduct regular security reviews and vulnerability assessments

If you discover a security vulnerability, please report it responsibly to security@examverge.co.uk.

We may update this policy when we change our practices. We will notify registered users by email at least 14 days before any significant changes take effect. The effective date at the top of this page shows when it was last updated.

Data protection contact: privacy@examverge.co.uk

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Phone: 0303 123 1113
• Post: ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF