Privacy Policy
Last updated: 7 February 2026
1. Who We Are
IQAI is operated by SupaDupaAI Ltd, a company registered in England and Wales. We are the data controller for your personal data. If you have any questions about this policy or how we handle your data, please contact us at privacy@iqai.uk.
2. What Data We Collect
We collect the following categories of personal data:
Parent account data
Name, email address, password (stored only as a bcrypt hash), family name, payment information (processed by Stripe; we do not store card details).
Child profile data
First name, year group, selected subjects, help mode preference, PIN (hashed). We do not collect a child's email address, date of birth, or surname.
Learning activity data
Workbook progress, question answers, AI tutor conversation history, exam assistant usage, and performance metrics.
Referral data
Unique referral code, referral relationships (who referred whom), referral status (registered, subscribed, rewarded), and dates associated with referral activity. This is used to operate our referral programme.
Technical data
IP address, browser type, device information, and session tokens stored in local storage.
3. Children's Data Protection
IQAI is designed with children's privacy as a priority. We comply with the UK GDPR and the Children's Code (Age Appropriate Design Code):
- Children's accounts are created and managed exclusively by a parent or legal guardian.
- We collect the minimum data necessary for children — only a first name, year group, and subjects.
- Children cannot share personal information through the AI tutor. The AI is instructed to refuse any requests for personal data and stay focused on educational content.
- All child data is visible to and controllable by the parent through the parent dashboard.
- We do not serve advertising to children or use their data for marketing purposes.
- We do not share children's data with any third parties except as described in section 5.
- Parents can request full export or deletion of their child's data at any time.
4. How We Use Your Data
We use your data for the following purposes:
| Purpose | Legal Basis |
|---|---|
| Providing the IQAI tutoring service | Performance of contract |
| Processing payments | Performance of contract |
| Sending progress reports to parents | Legitimate interest |
| Improving our AI tutoring quality | Legitimate interest |
| Sending account-related emails | Performance of contract |
| Processing children's data for learning | Parental consent + contract |
| Operating the referral programme | Performance of contract |
5. Data Sharing
We share personal data with the following third parties only as necessary:
- OpenAI — AI conversations are processed through OpenAI's API. Conversations are sent with a child's first name and year group only. OpenAI does not use our API data to train their models.
- Stripe — Payment processing. We do not store your card details; they are handled directly by Stripe.
- Email provider — For sending verification emails and progress reports. Only parent email addresses are shared.
We do not sell your data to any third party. We do not share data with advertisers.
6. AI & Automated Decision-Making
Our AI tutor uses OpenAI's language models to provide educational guidance. The AI processes conversations in real-time and does not make automated decisions that have a legal or similarly significant effect on you or your child. AI responses are for educational guidance only and should not be relied upon as a substitute for professional teaching. The AI operates under strict system instructions to stay within the curriculum, never reveal personal data, and follow the help mode set by the parent.
7. Cookies & Local Storage
We use the following cookies and local storage items:
| Name | Type | Purpose | Duration |
|---|---|---|---|
| iqai_token | Essential | Authentication session token | Until logout |
| iqai_child | Essential | Active child session data | Until logout |
| iqai_cookie_consent | Essential | Records your cookie preference | Persistent |
| iqai_disclaimer_dismissed | Functional | Hides dismissed notices | Persistent |
We do not use any third-party tracking cookies, analytics cookies, or advertising cookies. All storage is local to your browser.
8. Your GDPR Rights
Under UK GDPR, you have the following rights:
- Right of access — Request a copy of all personal data we hold about you and your children.
- Right to rectification — Ask us to correct inaccurate data.
- Right to erasure — Request deletion of your personal data ("right to be forgotten").
- Right to data portability — Receive your data in a structured, machine-readable format.
- Right to restrict processing — Ask us to limit how we use your data.
- Right to object — Object to processing based on legitimate interest.
- Right to withdraw consent — Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, email privacy@iqai.uk. We will respond within 30 days. You can also request a GDPR data export or account erasure directly from your parent dashboard under Account Settings.
9. Data Retention
- Active accounts — We retain your data for as long as your account is active.
- Cancelled accounts — After cancellation, we retain account data for 90 days in case you wish to reactivate, then permanently delete it.
- AI conversation history — Retained for 12 months for service quality, then automatically deleted.
- Payment records — Retained for 7 years as required by UK tax law.
- GDPR erasure requests — Processed within 30 days. All personal data is permanently deleted or anonymised.
10. Data Security
We take appropriate technical and organisational measures to protect your data, including: storing passwords only as hashes produced with an industry-standard algorithm (bcrypt), secure HTTPS connections for all data transmission, JWT-based authentication tokens, role-based access controls separating parent and child data, and regular security reviews. Despite our efforts, no system is 100% secure. If you become aware of a security issue, please contact us immediately.
11. International Transfers
AI conversations are processed by OpenAI, whose servers are located in the United States. This transfer is protected by OpenAI's data processing agreement and standard contractual clauses. Payment data is processed by Stripe, which is certified under appropriate data protection frameworks. All other data is stored on servers located in the United Kingdom.
12. Changes to This Policy
We may update this privacy policy from time to time. If we make significant changes, we will notify you by email. The "last updated" date at the top of this page indicates when the policy was last revised.
13. Complaints
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint. We would appreciate the chance to address your concerns first — please contact privacy@iqai.uk.
14. Contact
SupaDupaAI Ltd
Email: privacy@iqai.uk
Website: iqai.uk