GDPR Rights Centre
Your data, your rights. Here's how to exercise them.
1. Your Rights at a Glance
Under UK GDPR, you have the following rights over your personal data.
2. Right of Access (Article 15)
You have the right to request a copy of all personal data we hold about you. This is sometimes called a Subject Access Request (SAR).
What you'll receive
- Account and identity information
- All learning data: question attempts, answers, times, scores
- Topic mastery levels and progress history
- Detected misconceptions and confidence scores
- GCSE grade predictions
- Revision recommendations
- XP, streaks, and achievements
- Subscription and billing history
- Consent records
Format
Your data will be provided in JSON and/or CSV format, suitable for import into other systems.
How to request
3. Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete data completed.
What you can correct
- Self-service: Name, email, school affiliation, and grade level can be updated directly in your account settings.
- By request: For data you cannot change yourself (e.g., historical records, misconception detections), contact us and we will correct it within 30 days.
Academic data
If you believe a misconception has been incorrectly detected or a mastery level is inaccurate, you can request a human review. We will recalculate your data and correct any errors.
4. Right to Erasure (Article 17)
You have the right to request deletion of your personal data (also known as the "right to be forgotten").
What gets deleted
- Your account and all identity information
- All learning data, question attempts, and academic records
- Misconception data, grade predictions, and revision recommendations
- XP, streaks, and achievements
- Consent records (after retention period)
What may be retained
- Billing records: Retained for 6 years to comply with HMRC requirements.
- Anonymised data: Aggregated, anonymised data that cannot identify you may be retained for research purposes.
- Legal obligations: Data required to comply with legal proceedings or regulatory requirements.
Erasure timeline
Upon approval, your data will be permanently deleted within 30 days. Backup systems are purged within a further 30 days.
5. Right to Restrict Processing (Article 18)
You can ask us to limit how we process your data in certain circumstances:
- Accuracy dispute: While we verify the accuracy of your data
- Unlawful processing: If processing is unlawful but you prefer restriction over erasure
- No longer needed: We no longer need the data but you need it for legal claims
- Pending objection: While we consider your objection to processing (see Section 7)
What restriction means
When processing is restricted, we will store your data but not use it for any purpose other than storage, unless you consent or it is needed for legal claims, protection of others, or public interest.
Your account will remain active but certain features (analytics, predictions, recommendations) may be temporarily unavailable.
6. Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, and machine-readable format.
What's included
| Data Category | Format | Contents |
|---|---|---|
| Account data | JSON | Name, email, role, school, grade level |
| Learning data | CSV + JSON | All question attempts, answers, scores, times |
| Progress data | JSON | Topic mastery, accuracy %, trends |
| Misconceptions | JSON | Detected misconceptions, confidence scores, status |
| Predictions | JSON | GCSE grade predictions, confidence ranges |
| Gamification | JSON | XP history, streaks, achievements |
Delivery
Your data export will be delivered as a downloadable ZIP archive containing the above files. We aim to prepare your export within 7 days of your request.
Transfer to another service
Where technically feasible, you can request that we transmit your data directly to another educational platform. Contact us to discuss.
7. Right to Object (Article 21)
You have the right to object to processing based on our legitimate interests (Article 6(1)(f)).
Processing you can object to
- Misconception detection and adaptive learning algorithms
- Personalised revision recommendations
- Teacher and parent dashboard analytics (for your data)
- Platform improvement using your usage patterns
What happens when you object
We will stop the processing unless we can demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for legal claims.
If we stop certain processing, some features may be affected. For example:
- Objecting to misconception detection means you will not receive targeted remediation hints
- Objecting to analytics means teachers/parents will not see your progress data
Marketing
You have an absolute right to object to direct marketing at any time, with no exceptions. We will stop all marketing communications immediately.
8. Automated Decision Rights (Article 22)
Elephant Math uses automated processing to enhance learning. Here is how each system works and what your rights are:
8.1 GCSE Grade Predictions
- Input: Your topic mastery levels, accuracy percentages, and attempt history
- Process: Comparison against historical grade boundaries for AQA, Edexcel, OCR, and WJEC
- Output: Predicted grade (1–9 or U) with confidence range
- Impact: Advisory only — no legal or significant effect on you
8.2 Misconception Detection
- Input: Patterns in your wrong answers across diagnostic questions
- Process: Pattern matching against 13+ coded misconceptions (e.g., FRAC-001, ALG-002)
- Output: Confidence score (0–100%) per misconception, with status (active, improving, resolved)
- Impact: Triggers remediation hints and revision recommendations
8.3 Revision Recommendations
- Input: Mastery levels, misconceptions, inactivity periods, declining trends
- Process: Priority algorithm considering 6 factors (low accuracy, misconception, inactivity, declining trend, prerequisite gap, spaced repetition)
- Output: Ordered list of recommended topics with priority levels (1–5)
- Impact: Advisory only — you choose what to study
8.4 Your Rights
For all automated decisions, you have the right to:
- Request human review: Ask a member of our team to review any automated output
- Express your view: Tell us why you think a result is incorrect
- Contest the decision: Challenge any prediction, detection, or recommendation
- Opt out: Request that specific automated processing be stopped for your account
9. How to Exercise Your Rights
Step-by-step process
- Identify your request. Determine which right you want to exercise (access, rectification, erasure, restriction, portability, objection, or automated decision review).
- Submit your request. Email privacy@elephantmath.co.uk with the subject line "Data Rights Request — [Right Name]". Include your account email address and a description of your request.
- Identity verification. We will verify your identity by sending a confirmation link to your registered email address. For children's requests, we verify parental authority (see Section 10).
- Acknowledgement. We will acknowledge your request within 5 business days and provide an estimated completion date.
- Fulfilment. We will complete your request within 30 calendar days. If the request is complex, we may extend this by up to 60 additional days and will notify you of the reason.
No fee
Exercising your rights is free of charge. We may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse to act on such requests, in accordance with UK GDPR Article 12(5).
Contact details
- Email: privacy@elephantmath.co.uk
- Data Protection Officer: dpo@elephantmath.co.uk
10. Children's Rights & Parental Requests
10.1 Under-13 Users
For children under 13, a parent or guardian may exercise all data rights on the child's behalf. To do so:
- The parent must be the verified account holder who provided consent for the child's account.
- Requests should be sent from the parent's registered email address.
- We will verify the parent-child relationship before processing.
10.2 Users Aged 13–17
Students aged 13–17 may exercise their own data rights. Parents may also submit requests on their behalf with the student's written agreement, except where:
- The student's safety or wellbeing is at risk
- The student is unable to make the request themselves
10.3 Teacher Requests
Teachers may request class-level data exports for their own classes. Teachers cannot exercise individual student data rights on behalf of students — those requests must come from the student or their parent/guardian.
10.4 Consent Withdrawal
Parents may withdraw consent for their child's account at any time, which will result in account deactivation and data deletion in accordance with our retention policy.
11. Response Times
| Request Type | Acknowledgement | Completion |
|---|---|---|
| Subject Access Request (SAR) | 5 business days | 30 calendar days |
| Data export / portability | 5 business days | 7–30 calendar days |
| Rectification | 5 business days | 14 calendar days |
| Erasure / account deletion | 5 business days | 30 calendar days + 30 days backup purge |
| Restriction of processing | 5 business days | 7 calendar days |
| Objection to processing | 5 business days | 30 calendar days |
| Automated decision review | 5 business days | 30 calendar days |
| Marketing opt-out | Immediate | 48 hours |
Complex requests
If your request is complex (e.g., involves large volumes of data or requires coordination with third parties), we may extend the response period by up to 60 additional calendar days. We will inform you of the extension and reasons within the initial 30-day period.
12. Consent Management
12.1 What requires consent
- Marketing emails and notifications
- GCSE grade predictions for under-13 users (parental consent)
- Optional analytics and improvement tracking
- Account creation for under-13 users (parental consent)
12.2 Withdrawing consent
You can withdraw consent at any time through:
- Account settings: Toggle consent preferences in your profile
- Email: Contact privacy@elephantmath.co.uk
- Unsubscribe links: Click "unsubscribe" in any marketing email
12.3 Effect of withdrawal
Withdrawing consent does not affect the lawfulness of processing carried out before the withdrawal. Some features that rely on consent may become unavailable after withdrawal.
12.4 Consent records
We maintain records of all consent given, including when, how, and what you consented to. You can request a copy of your consent records as part of a Subject Access Request.
13. How to Complain
Step 1: Contact us first
If you are unhappy with how we handle your data, please contact us first. We take all complaints seriously and aim to resolve them promptly.
- Email: privacy@elephantmath.co.uk
- Data Protection Officer: dpo@elephantmath.co.uk
We aim to respond to complaints within 14 business days.
Step 2: Complain to the ICO
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority for data protection.
Website: ico.org.uk
Helpline: 0303 123 1113
Live chat: ico.org.uk/global/contact-us/live-chat
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
You can also raise a concern with the ICO at any time, even before contacting us, although the ICO recommends trying to resolve the issue with us first.