Privacy Notice

Last Updated: April 2026

                For Pupils and Parents: This platform is designed for schools. We do not ask for your personal email address, home address, or date of birth. We only use your first name and a masked version of your surname (e.g., "John S.") so your teacher can see how you are doing in your times tables.
            

1. Introduction

Welcome to 25MTC (the "Platform"). We provide a Multiplication Tables Check simulator and intervention tool for UK Primary Schools. We are committed to protecting the privacy of our users, especially children, in compliance with the UK General Data Protection Regulation (UK GDPR) and the ICO's Age Appropriate Design Code.

2. Our Role in Data Processing

Under UK data protection law:

The School is the Data Controller. They decide to use 25MTC and add pupil accounts.
25MTC is the Data Processor. We only process data on behalf of the school to provide the service.

3. Information We Collect

We practice strict data minimisation. We only collect what is absolutely necessary to run the platform.

For Teachers & School Admins: Full name, email address, school name, and an encrypted password.
For Pupils: First name and surname. The system immediately masks the surname in the classroom interface (e.g., "Sarah J.") to protect privacy on shared screens. Pupils are assigned an anonymous, auto-generated username (e.g., sarjon12) and password. We never collect real email addresses or dates of birth for pupils.
Performance Data: When pupils use the simulator, we record their answers and response times to generate teacher heatmaps and power our "Focus Mode" algorithm.

4. Analytics (Umami)

We use a privacy-first analytics tool called Umami to understand how our website is performing.

No Cookies: Umami does not use cookies, which is why we do not require a cookie consent banner.
No Personal Data: It does not track IPs across websites or collect any personally identifiable information (PII).
Anonymised: All visitor data is entirely anonymised and stored securely.

5. Third-Party Sub-Processors

We do not sell, rent, or share data with advertisers. We use the following secure infrastructure providers to run the platform:

Google Cloud (Firebase): Used for secure database hosting, authentication, and server logic. Data is hosted in the UK/EU region. (Google Privacy Policy)

6. Data Security

We protect data using enterprise-grade security measures, including HTTPS encryption in transit, encrypted passwords, and multi-tenant data silos ensuring that no school can access another school's data. Sessions are tightly controlled; closing the browser immediately ends a user's session to protect shared school devices.

7. Data Deletion & Retention

School administrators can permanently delete pupil and staff accounts at any time via their dashboard.
When an account is deleted, all associated performance data is permanently wiped from our database.
If a school cancels their subscription, we securely delete all school, staff, and pupil data within 30 days of the contract ending.

8. Contact Us

If you are a parent with questions about your child's data, please contact your child's school directly, as they are the Data Controller. For other inquiries regarding this policy, please contact us at: [Insert Contact Email]