Privacy Policy
Last updated: 6 May 2026
This is the privacy policy for parents and adult users of the Singapore Maths Academy parent portal at my.singaporemathsacademy.co.uk. If you are under 13, please read our child-friendly privacy notice instead.
1. Who we are
Singapore Maths Academy ("we", "us", "SMA") is the data controller for personal data processed through this portal. We are an online tutoring service registered in the United Kingdom.
For privacy questions or data-rights requests, contact: privacy@singaporemathsacademy.co.uk
2. What we collect
Parent data
| Data | Lawful basis |
|---|---|
| Full name | Contract (Article 6(1)(b)) |
| Email address | Contract (Article 6(1)(b)) |
| Phone number | Legitimate interests — urgent lesson communications |
| IP address (at signup/login) | Legitimate interests — fraud prevention |
| Consent records (timestamp + version) | Legal obligation |
| Direct debit mandate reference | Contract — payment data is held by GoCardless, not by us |
Child data (collected by you, the parent)
| Data | Lawful basis |
|---|---|
| Display name | Contract + parental consent (Article 8) |
| Year group | Contract — assigning correct curriculum |
| Year of birth (year only, not full DOB) | Legitimate interests — applying age-appropriate rules |
| PIN (stored as a one-way hash, not in plaintext) | Legitimate interests — security |
| Lesson attendance and cancellations | Contract |
| Quiz scores and course progress (when LMS is launched) | Contract |
Children do not hold their own accounts. They access a profile inside their parent's signed-in session via a 4-digit PIN. We do not collect children's email addresses, phone numbers, device identifiers, or location data.
3. How long we keep it
| Category | Retention period |
|---|---|
| Parent account (active) | Duration of contract + 1 year after last lesson |
| Parent account (inactive — no active students) | 13 months after last activity |
| Child profile data (name, year group) | Until parent requests deletion, or 1 year after last lesson |
| Child educational records (attendance, quiz scores) | 2 years after last lesson |
| Consent records | 6 years after consent withdrawn or account deleted (legal obligation) |
| Financial records (invoice amounts, dates) | 6 years (HMRC requirement) |
Retention is enforced automatically by a scheduled function that runs against our database. Data is deleted permanently — not just hidden — once the period expires.
4. Who we share it with
We use a small number of carefully chosen processors to run the service. Each one has a Data Processing Agreement in place with us. Where data leaves the UK, transfers are protected by Standard Contractual Clauses (SCCs).
| Processor | Location | What they process | Transfer mechanism |
|---|---|---|---|
| Supabase | UK (London) | All personal data — database hosting | UK-to-UK (no transfer) |
| Vercel | United States | Request logs and session tokens (no database content) | SCCs |
| GoCardless | UK (London) | Direct debit mandates and payments | UK-to-UK (no transfer) |
| Stripe (when LMS launches) | United States | One-off card payments — adults only, no child data | SCCs |
| Amazon SES | UK (eu-west-2, London) | Transactional emails — parent addresses only | UK-to-UK (no transfer) |
| Cloudflare | Global edge | Bot protection on signup (Turnstile) | SCCs |
Children's data is never transmitted to Stripe, GoCardless, or any payment processor — those processors only ever see the paying adult's information.
5. Your rights
Under UK GDPR you have the right to:
- See a copy of the data we hold about you and your children
- Correct any data that is wrong
- Ask us to delete your account and your children's data
- Withdraw consent for any processing that relies on consent
- Object to processing that relies on our legitimate interests
- Complain to the Information Commissioner's Office (ICO) at ico.org.uk
To exercise these rights, email privacy@singaporemathsacademy.co.uk. We respond within one calendar month.
6. How to delete your account
You can delete your account from your Account settings page at any time. This deletes your profile and all child profiles linked to you, plus any educational records linked to those profiles. We retain consent records and financial records for the legally required period — these cannot be deleted by request because they are evidence we are obligated to keep.
7. Children's privacy
We process the personal data of children with particular care, in line with the ICO Children's Code (Age Appropriate Design Code). All privacy settings default to maximum privacy. We do not profile children for marketing, advertising, or any commercial purpose. Educational profiling (tracking lesson progress) is carried out solely to deliver the tutoring service.
We publish a separate child-friendly privacy notice written for under-13s.
8. Changes to this policy
We will email you about any material changes to this policy at least 14 days before they take effect. Minor wording changes will be reflected in the "last updated" date at the top of this page.