1. What is GDPR?
The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 are the laws that govern how organisations in the UK collect, store, and use personal data. They give individuals specific rights over their data and place legal obligations on organisations to be transparent, secure, and accountable.
This page summarises how ExamVault complies. For day-to-day details of what data we collect and why, see the Privacy Policy.
2. Our role under GDPR
Direct consumers
When a parent, guardian, or independent tutor signs up directly to ExamVault, we are the data controller for the account holder's data and for any child accounts they manage. We decide how and why the data is processed.
Tuition centres
When a tuition centre subscribes via /tutors-tuition-centres and provisions accounts for their students, the centre is the data controller for student data, and ExamVault acts as a data processor, processing that data on the centre's instructions. A written data processing agreement (DPA) is available on request — contact us via the contact form.
3. Lawful bases we rely on
Under UK GDPR Article 6 we rely on one of:
- Contract — most processing is necessary to deliver the service you bought or are evaluating.
- Legitimate interests — limited processing for security, debugging, and product improvement, balanced against your privacy.
- Consent — for non-essential cookies (analytics) and any future marketing.
- Legal obligation — where required by law (e.g. HMRC tax records).
For child users, we also apply Children's Code (AADC) principles by default — see our Safeguarding Policy.
4. Sub-processors
We use the following third parties to deliver the service. Each is a UK GDPR-compliant data processor, operating under a written agreement that requires equivalent protection of personal data:
| Provider | Purpose | Data hosted in |
|---|---|---|
| Vercel | Web hosting + serverless compute | EU / US (with SCCs) |
| Neon | Managed Postgres database | EU |
| Stripe | Payment processing | EU / US (with SCCs) |
| Resend | Transactional email delivery | EU / US (with SCCs) |
| Anthropic | AI for chatbot + content generation | US (with SCCs) |
| Google Analytics 4 | Anonymised usage analytics (consent-gated) | US (with SCCs) |
We notify centre administrators by email at least 30 days before adding any new sub-processor that handles centre data, so they can object if needed.
5. International transfers
Where data leaves the UK we rely on:
- The UK Government's adequacy decisions (e.g. EU, US Data Privacy Framework participants).
- Standard Contractual Clauses (SCCs) for transfers not covered by an adequacy decision.
- Provider-side certifications (e.g. ISO 27001, SOC 2) where applicable.
6. Your rights
Under UK GDPR you have the right to:
- Be informed about how we use your data — this page + the Privacy Policy.
- Access the personal data we hold about you.
- Rectify inaccurate data.
- Erase your data (subject to legal retention obligations).
- Restrict or object to certain processing.
- Data portability — receive your data in a machine-readable format.
- Rights related to automated decision-making (we don't use this for any decision with legal effect on you).
- Withdraw consent at any time where we relied on consent (e.g. analytics cookies — see banner / Cookie Policy).
To exercise any of these rights, contact us via the contact form. We'll respond within one month (extendable by two months for complex requests, with notice).
7. Data breach notification
If we detect a personal data breach that's likely to result in risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware, as required by UK GDPR Article 33. If the risk is high, we'll also notify affected individuals directly without undue delay.
8. Complaints
If you're not satisfied with how we handle your data or respond to your rights request, you can complain to the UK Information Commissioner's Office:
- ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
We'd always prefer to address concerns directly first — please reach out before escalating.
9. Contact
For any GDPR-related questions, including data subject access requests (DSARs), DPA copies for centres, or sub-processor objections, contact us via the contact form with the topic set to “Privacy / GDPR”.