Privacy Policy

Last updated: 25 March 2026

My GapFinder ("we", "us", "our") is committed to protecting your personal data. This policy explains what information we collect, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.

Data controller: My GapFinder, hello@mygapfinder.app

ICO registration pending — reference number will be added upon completion.

1. What data we collect

Account data (parents, guardians, teachers)

  • Email address and name (provided at registration)
  • Authentication method (email/password or Google OAuth)
  • Account creation date and last login

Content data

  • Images of exam answer sheets you upload
  • Mark schemes you provide
  • AI-generated marking results and feedback
  • Subject, paper, and topic information associated with uploads

Usage data

  • Pages visited and features used
  • Device type and browser (no fingerprinting)
  • Error logs for debugging

2. How we use your data

Purpose | Legal basis
Providing the marking and gap analysis service | Contract performance
Processing exam images through AI marking | Contract performance
Storing results for your account history | Contract performance
Sending transactional emails (account verification, password reset) | Contract performance
Improving and debugging the service | Legitimate interest
Complying with legal obligations | Legal obligation

We do not use your data or student answers to train AI models. We do not sell your data to third parties. We do not use your data for advertising.

3. Third-party services (sub-processors)

We use the following third-party services to operate My GapFinder. Each has been selected for its GDPR compliance, and we have Data Processing Agreements in place with each.

Supabase | Database, file storage, and authentication infrastructure | EU (AWS)
Google OAuth | Optional sign-in with Google | USA (SCCs apply)
Google Gemini API | AI processing of exam images and marking | USA (SCCs apply)

SCCs = Standard Contractual Clauses, the legal mechanism for transferring data outside the UK/EU.

4. Children and students under 18

My GapFinder is designed to be used safely by students of all ages, including those under 18. We handle this in the following way:

  • Accounts are created by adults only — parents, guardians, or teachers register using their own email address and are responsible for the account.
  • Students access via PIN only — students do not create accounts or provide personal information. They access results using a private PIN set by the account holder.
  • No direct data collection from under-13s — in compliance with UK GDPR Article 8, we do not knowingly collect personal data directly from children under 13.
  • Exam images are not linked to named individuals in our database — they are associated with the parent/teacher account only.

If you believe a child has provided personal data without appropriate consent, please contact us at hello@mygapfinder.app and we will delete it promptly.

5. How long we keep your data

Account data | Retained while your account is active. Deleted within 30 days of account deletion request.
Uploaded images | Retained while your account is active. Deleted on account deletion.
Marking results | Retained while your account is active. Deleted on account deletion.
Usage/error logs | Retained for up to 90 days for debugging purposes.

6. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — request deletion of your data ("right to be forgotten")
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Restriction — ask us to limit how we use your data

To exercise any right, email hello@mygapfinder.app. We will respond within 30 days.

7. Cookies

We use only essential cookies required for authentication (session management). We do not use tracking, advertising, or analytics cookies.

8. Security

All data is encrypted in transit (TLS) and at rest. Access to production data is restricted to authorised personnel only. We use Supabase Row Level Security to ensure users can only access their own data.

9. Changes to this policy

We may update this policy as the service evolves. Material changes will be notified by email to registered account holders. The "last updated" date at the top of this page will always reflect the current version.

10. Complaints

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would always appreciate the chance to address your concern directly first — please contact us at hello@mygapfinder.app.