🐍 GCSE Python
← Back to revision

Legal

Privacy Policy

How we collect, use and protect your information on gcsepython.uk

Last updated: 22 March 2026
Who we are: gcsepython.uk is a free, independent revision tool for AQA GCSE Computer Science 8525, operated from the United Kingdom. This policy explains what data we collect, why, and how you can control it. It is written to comply with the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and the ICO's Age Appropriate Design Code (Children's Code).

Contents

  1. Data controller
  2. What data we collect
  3. Lawful basis for processing
  4. How we use your data
  5. Third-party services
  6. Cookies & consent
  7. Children's privacy & the Children's Code
  8. International transfers
  9. Data retention
  10. Your rights
  11. Automated decisions & profiling
  12. Security
  13. Changes to this policy
  14. Contact & complaints
1

Data controller

The data controller responsible for personal data collected through gcsepython.uk is:

Joshua Moorcroft-Jones
Vantara Educational Services
Suite A | 82 James Carter Road | Mildenhall | IP28 7DE
ICO registration number: ZC105934
2

What data we collect

We collect only the personal data necessary for the purposes described in this policy (the principle of data minimisation β€” UK GDPR Article 5(1)(c)).

CategoryData collectedSource
Account dataEmail address, display name, profile photo URLProvided by Google OAuth when you sign in
Learning progressCompleted units, XP points, earned badges, Quick Fire quiz scoresGenerated automatically as you use the site
Cookie consent recordYour cookie preferences and the timestamp of your choiceStored in your browser when you interact with our cookie banner
Usage & analytics data
Only after analytics consent		Pages visited, features used, session duration, device type, browser type, approximate country/region. IP addresses are anonymised before storage.Collected automatically by Google Analytics once you consent
Advertising data
Only after advertising consent		Cookie identifiers used by Google to serve and measure advertsSet automatically by Google AdSense once you consent
No account β€” local onlyIf you do not sign in, all progress is stored only in your browser's local storage and is never transmitted to us or any third partyStored entirely on your own device

We do not collect sensitive personal data (health data, racial or ethnic origin, political opinions, religious beliefs, biometric data). We do not collect financial information of any kind.

3

Lawful basis for processing

UK GDPR Article 6 requires us to identify a specific lawful basis for each processing activity we carry out.

Processing activityLawful basisJustification
Google Sign-In authenticationLegitimate interests (Art. 6(1)(f))Necessary to provide a cross-device learning experience. You can use the site without an account, so our interests do not override your rights.
Storing learning progress in FirestoreLegitimate interests (Art. 6(1)(f))Core functionality; users reasonably expect progress to persist. Processing is proportionate and minimised.
Analytics cookies and usage statisticsConsent (Art. 6(1)(a) & PECR Reg. 6)Explicit prior consent obtained via cookie banner before Analytics loads. Withdrawable at any time via Cookie Settings in the footer.
Advertising cookies and Google AdSenseConsent (Art. 6(1)(a) & PECR Reg. 6)Explicit prior consent obtained via cookie banner before AdSense loads. Withdrawable at any time via Cookie Settings in the footer.
Security monitoring and fraud preventionLegitimate interests (Art. 6(1)(f))Necessary to protect the integrity of the service and the safety of users.
Responding to data subject rights requestsLegal obligation (Art. 6(1)(c))Required by UK GDPR Articles 12–22.
Notifying the ICO of data breachesLegal obligation (Art. 6(1)(c))Required by UK GDPR Article 33.
Legitimate Interests Assessment (LIA): Where we rely on legitimate interests, we have assessed that our processing is necessary, proportionate, and does not override your rights. A documented LIA is available on request β€” email hello@gcsepython.uk.
4

How we use your data

We use personal data only for specific, stated purposes and will never use it for a purpose incompatible with why it was collected. We do not sell your personal data to any third party.

We do not use your data for direct marketing. We do not share data with third parties for their own marketing. We do not carry out automated decision-making with significant effects (see Section 11).

5

Third-party services

We use the following third-party services. Where they act as data processors on our behalf, we rely on Google's standard Data Processing Addendum as required by UK GDPR Article 28.

ServiceRolePurposePrivacy policy
Firebase Auth (Google)Data processorUser authenticationfirebase.google.com/support/privacy
Cloud Firestore (Google)Data processorStoring learning progressfirebase.google.com/support/privacy
Google AnalyticsData processorUsage statistics β€” only after analytics consentpolicies.google.com/privacy
Google AdSenseIndependent controllerServing adverts β€” only after advertising consentpolicies.google.com/technologies/ads
Google FontsData processorLoading Sora and Nunito Sans typefacesdevelopers.google.com/fonts/faq/privacy
6

Cookies & consent

We use cookies in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR). Non-essential cookies are only placed after you give freely given, specific, informed, and unambiguous consent through our cookie banner.

TypeSet byPurposeConsent required?
EssentialFirebase (Google)Maintaining your signed-in sessionNo β€” strictly necessary
Functionalgcsepython.uk (localStorage)Remembering cookie preferences and storing offline progressNo β€” strictly necessary
AnalyticsGoogle AnalyticsAnonymous usage statistics to improve the siteYes β€” only set after you consent
AdvertisingGoogle AdSenseServing adverts and measuring performanceYes β€” only set after you consent
How consent works on this site: On your first visit, a cookie banner appears before any non-essential scripts load. Google Analytics and AdSense do not load until you click "Accept All" or specifically enable them in "Manage preferences". Your choices are stored in your browser. You can change your preferences at any time using the Cookie Settings link in the page footer.
Withdrawing consent: Click "Cookie Settings" in the footer at any time to change your preferences. Withdrawal prevents further data collection but does not undo data already collected. You can also delete cookies via your browser settings β€” visit aboutcookies.org for instructions. To opt out of Google personalised advertising more broadly, visit adssettings.google.com.
7

Children's privacy & the Children's Code

This site is designed for students aged 14–16. We recognise this brings specific obligations under the ICO's Age Appropriate Design Code (Children's Code), enforceable since September 2021.

Minimum age: You must be at least 13 years old to create an account. If you are under 13, please use the site without an account β€” your progress will be saved locally on your device only.

How we meet the 15 standards of the Children's Code:

StandardHow we comply
Best interests of the childThe site's sole purpose is to support GCSE revision. We have considered children's best interests in a documented DPIA. We use no dark patterns or manipulative design.
Data protection impact assessmentsA DPIA has been completed for this service given that we process children's data at scale. It is reviewed when the service changes materially.
Age-appropriate applicationMinimum age is 13. Users are actively encouraged to use the site without an account to avoid any personal data collection.
TransparencyThis policy is written in plain English accessible to teenagers. Key information is presented in tables rather than dense legal text.
Detrimental use of dataWe do not use children's data in ways detrimental to their wellbeing. We do not sell data, build behavioural profiles, or use data to manipulate children.
Policies and community standardsThe site contains no user-generated content or social features. Users are not exposed to other users' content.
Default settingsAnalytics and advertising cookies are off by default. Only strictly necessary cookies fire on first load. Users must actively opt in.
Data minimisationWe collect only email address, display name, and progress data β€” the minimum needed to deliver the service. We do not collect date of birth, phone number, contacts, precise location, or any unnecessary data.
Data sharingWe do not share children's data with third parties except as described in Section 5. We never share data for third-party marketing.
GeolocationWe do not request or use precise geolocation data. Google Analytics may record approximate country/region only, and only with consent.
Parental controlsParents or guardians may request deletion of a child's account and all associated data by emailing hello@gcsepython.uk. We will action such requests within 5 working days.
ProfilingWe do not profile children for advertising or any other purpose. No user is targeted with personalised advertising based on their behaviour on this site.
Nudge techniquesWe do not use design techniques that encourage children to share more data than necessary, weaken privacy settings, or extend time on site in harmful ways. Gamification (XP, badges) is used only to motivate learning.
Connected toys and devicesNot applicable β€” this is a browser-only web service.
Online toolsNot applicable β€” the site does not provide tools for generating user content or social interaction.

Advertising and children: The ICO has stated that behavioural advertising targeting children is incompatible with the Children's Code. We address this specifically: AdSense only loads after a user actively enables advertising cookies in the cookie banner (which is off by default). AdSense is configured to serve non-personalised ads only, meaning ads are targeted at page content, not individual user profiles.

Parental or guardian concerns: If a parent or guardian believes their child has created an account without appropriate consent, contact hello@gcsepython.uk and we will delete the account and all associated data within 5 working days.

8

International transfers

Data processed by Google services (Firebase, Analytics, AdSense, Fonts) may be transferred to and stored on servers in the United States and other countries outside the UK.

Google LLC participates in the UK–US Data Bridge (approved by the UK Secretary of State on 12 October 2023), which provides an appropriate safeguard for such transfers as required by UK GDPR Article 46. You can review Google's transfer commitments in their Privacy Policy and Data Processing Addendum.

9

Data retention

We retain personal data only for as long as necessary for the purpose for which it was collected (UK GDPR Article 5(1)(e)).

Data typeRetention periodHow to delete
Account data and learning progressUntil your account is deletedEmail hello@gcsepython.uk. Data removed within 30 days.
Cookie consent recordUntil you clear your browser's local storageClear localStorage in your browser settings, or update preferences via Cookie Settings in the footer.
Local progress (no account)Until you clear your browser's local storageUse "Reset My Progress" on the site, or clear localStorage via browser settings.
Google Analytics data14 months (Google's minimum retention period)Withdraw analytics consent via Cookie Settings. Previously collected anonymised data cannot be deleted from Google's servers individually.
Google AdSense advertising cookiesGoverned by Google β€” typically up to 13 monthsWithdraw advertising consent via Cookie Settings, or delete cookies in your browser.
10

Your rights

Under UK GDPR Chapter III, you have the following rights. Rights may be limited in specific circumstances, for example where we have a competing legal obligation to retain data.

πŸ“‹

Right of access (SAR)

Request a copy of the personal data we hold about you in a commonly used electronic format.

✏️

Right to rectification

Ask us to correct inaccurate or complete incomplete data without undue delay.

πŸ—‘οΈ

Right to erasure

Request deletion of your personal data where there is no overriding reason to retain it.

⏸️

Right to restriction

Ask us to suspend processing while accuracy is disputed or where processing is unlawful.

πŸ“¦

Data portability

Receive data you provided to us in a structured, machine-readable format (applies to consent-based processing).

🚫

Right to object

Object to processing based on legitimate interests at any time. We do not conduct direct marketing.

↩️

Withdraw consent

Withdraw consent at any time without affecting the lawfulness of prior processing. Use Cookie Settings in the footer.

βš™οΈ

Automated decisions

Not to be subject to solely automated decisions with legal or significant effects. We do not make such decisions (see Section 11).

To exercise any right, email hello@gcsepython.uk with the subject line "Data Rights Request". We will respond within one calendar month (UK GDPR Article 12(3)), and may ask you to verify your identity. No charge applies unless a request is manifestly unfounded or excessive.

Right to complain to the ICO: If you are unsatisfied with how we have handled your data, you may complain to the Information Commissioner's Office:

ico.org.uk/make-a-complaint  Β·  0303 123 1113
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would always appreciate the opportunity to resolve concerns directly before a complaint is made to the ICO.
11

Automated decisions & profiling

We do not carry out automated decision-making that produces legal or similarly significant effects on individuals (UK GDPR Article 22). We do not create profiles of users for advertising, credit, employment, insurance, or any other significant purpose.

The site automatically calculates XP totals and awards badges based on your learning activity. This is an integral feature of the revision tool and has no legal or significant real-world effect on you.

12

Security

We implement appropriate technical and organisational measures to protect personal data (UK GDPR Article 32), including:

In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and notify affected individuals without undue delay where required by UK GDPR Article 34.

If you discover a potential security vulnerability, please report it to hello@gcsepython.uk.

13

Changes to this policy

We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of this page. For material changes that affect how we process your personal data or reduce your rights, we will notify registered users by email at least 14 days before the change takes effect.

Where a material change requires fresh consent, we will seek that explicitly rather than relying on existing consent or continued use of the site. Previous versions of this policy are available on request by emailing hello@gcsepython.uk.

πŸ“¬ Contact & complaints

For questions about this policy, to exercise your rights, or to raise a concern, please contact us. We aim to respond within 5 working days.

hello@gcsepython.uk