HeadstartScience

Data Protection Policy

Last updated: 26/05/2026

1. Data Controller

HeadstartScience Ltd is the data controller responsible for your personal data. We are registered in England and Wales.

Company Name: HeadstartScience Ltd

Company Number: 16882504

Registered Address: 124 City Road, London, EC1V 2NX, United Kingdom

Contact Email: info@headstartscience.co.uk

2. Commitment to UK GDPR Compliance

We are committed to protecting your personal data in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)

We ensure that all personal data is processed lawfully, fairly, and transparently.

3. What Data We Collect

3.1 Account Information

  • Full name
  • Email address
  • Username
  • Encrypted password

3.2 Educational Data

  • Study progress and completion records
  • Quiz attempts and scores
  • Subject preferences
  • Timetable and study schedules

3.3 Subscription Information

  • Subscription status and tier
  • Trial start and end dates
  • Live lessons usage

🔒 Payment Security Notice

We do NOT store any payment card details or financial information on our servers.

All payment processing is handled securely by Stripe, a PCI-DSS Level 1 certified payment processor with industry-leading security infrastructure.

Stripe maintains the highest level of security standards and your financial data is safer with their specialized systems than it would be on our educational platform.

We only store a Stripe Customer ID reference to manage your subscription status.

4. Legal Basis for Processing

We process your personal data under the following lawful bases as defined by UK GDPR:

  • Contract (Article 6(1)(b)): Processing necessary to provide our educational services and fulfil our contractual obligations to you
  • Legitimate Interests (Article 6(1)(f)): To improve our platform, ensure security, and provide customer support
  • Consent (Article 6(1)(a)): For marketing communications (you can withdraw consent at any time)
  • Legal Obligation (Article 6(1)(c)): To comply with UK tax law and other legal requirements

5. How We Protect Your Data

We implement robust technical and organizational measures including:

  • End-to-end encryption for data in transit (HTTPS/TLS)
  • Encryption of sensitive data at rest
  • Secure password hashing using bcrypt
  • Regular security audits and updates
  • Access controls and authentication protocols
  • Secure cloud infrastructure with backup systems
  • Staff training on data protection principles

Payment Security: All payment card data is processed and stored exclusively by Stripe in compliance with PCI-DSS requirements. We never have access to your full card details.

6. Data Retention

We retain your personal data in accordance with UK legal requirements:

  • Active accounts: Data retained while your account is active and for legitimate business purposes
  • Closed accounts: Retained for up to 7 years to comply with legal and accounting obligations
  • Payment records: Retained for a minimum of 6 years as required by HMRC
  • Marketing data: Deleted within 30 days of unsubscribing

After the retention period, data is securely deleted or anonymised.

7. Your Data Protection Rights

Under UK GDPR, you have the following rights:

Right to be Informed

Transparent information about how we use your data (this policy)

Right of Access

Request a copy of all personal data we hold about you

Right to Rectification

Correct inaccurate or incomplete data

Right to Erasure ('Right to be Forgotten')

Request deletion of your personal data

Right to Restrict Processing

Limit how we process your data

Right to Data Portability

Receive your data in a machine-readable format

Right to Object

Object to processing based on legitimate interests or direct marketing

Rights Related to Automated Decision Making

Not to be subject to decisions based solely on automated processing

To exercise any of these rights, please email: info@headstartscience.co.uk

We will respond to your request within one month as required by UK GDPR.

8. Third-Party Service Providers

8.1 Stripe (Payment Processing)

Secure Payment Processing

All payment transactions are processed by Stripe, Inc., a certified PCI Service Provider Level 1 - the highest level of security certification in the payments industry.

What this means for you:

  • Your card details are NEVER stored on HeadstartScience servers
  • Payment data is encrypted and tokenized by Stripe
  • Stripe's infrastructure meets the highest security standards
  • Your financial information is safer with Stripe's specialized systems

Learn more: Stripe Privacy Policy

8.2 Other Service Providers

  • Cloud hosting providers (for platform infrastructure)
  • Email service providers (for transactional emails)
  • Analytics providers (for improving user experience)

All third-party providers are carefully selected and required to maintain appropriate security measures and UK GDPR compliance.

9. Data Transfers Outside the UK

Some of our service providers may process data outside the UK. Where this occurs, we ensure:

  • Adequate safeguards are in place (Standard Contractual Clauses)
  • The receiving country has an adequacy decision from the UK Government
  • Appropriate technical and organizational security measures

10. Cookies and Tracking

We use cookies to provide essential functionality and improve your experience:

Essential Cookies (Required)

  • Authentication and session management
  • Security features
  • Platform functionality

Analytics Cookies (Optional)

  • Understanding how users interact with our platform
  • Improving user experience

You can control non-essential cookies through your browser settings.

11. Children's Data Protection

Our platform is designed for GCSE students (typically aged 14-16). We take extra care with data from users under 16:

  • Users under 16 should have parental/guardian consent
  • We do not knowingly collect data from children under 13 without parental consent
  • Parents can request access to or deletion of their child's data
  • Age-appropriate privacy information is provided

12. Data Breach Procedures

In the unlikely event of a data breach:

  • We will notify the ICO within 72 hours if required by law
  • Affected individuals will be informed without undue delay
  • We will take immediate steps to contain and remedy the breach
  • A full investigation will be conducted

13. Your Responsibilities

To help us protect your data, you should:

  • Keep your password secure and confidential
  • Log out after using shared devices
  • Update your account information if it changes
  • Report any security concerns immediately
  • Ensure you have parental consent if under 16

14. Marketing Communications

We will only send you marketing communications if you have given consent. You can:

  • Opt out at any time by clicking unsubscribe in any email
  • Update your preferences in your account settings
  • Email us at info@headstartscience.co.uk to stop all marketing

15. How to Contact Us

For any questions about data protection or to exercise your rights:

Email: info@headstartscience.co.uk

Post: Data Protection Officer, HeadstartScience Ltd, 124 City Road, London, EC1V 2NX, United Kingdom

We aim to respond to all requests within one month. For complex requests, we may extend this by up to two months and will inform you if this is necessary.

16. Complaints to the ICO

You have the right to lodge a complaint with the supervisory authority if you believe your data protection rights have been violated:

Information Commissioner's Office (ICO)

Website: https://ico.org.uk

Helpline: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

However, we encourage you to contact us first so we can try to resolve any concerns.

17. Changes to This Policy

We may update this Data Protection Policy to reflect changes in our practices or legal requirements. Material changes will be communicated by:

  • Posting the updated policy on this page with a new "Last updated" date
  • Email notification for significant changes
  • Prominent notice on our platform

Continued use of our services after changes constitutes acceptance of the updated policy.

Summary of Your Rights

You have the right to:

✓ Access your data

✓ Correct your data

✓ Delete your data

✓ Restrict processing

✓ Data portability

✓ Object to processing

✓ Withdraw consent

✓ Lodge a complaint with ICO