Privacy Notice

Last updated: May 2026

This notice explains what personal data Peak Prep collects, why, and how it is protected. It applies to account holders, parents, guardians, and the student profiles they create. Please read it before registering an account.

1. Who we are

Peak Prep is an educational platform helping families prepare children for transfer tests in Northern Ireland. The service is operated by the Peak Prep team based in Northern Ireland, United Kingdom.

Peak Prep is the data controller for account data and student profile data created inside the platform.

For privacy questions, contact us through the Peak Prep contact page or email seagrevisionapp@gmail.com.

2. What data we collect

Account holder accounts

• Name and email address (used for login, account recovery, and progress emails)
• Password (stored as a secure hash by Firebase Authentication — we never see your password)
• Profile avatar or photo (optional, stored in your account document)
• Notification and contact preferences
• Subscription plan and billing status (managed via Stripe — we do not store card details)

Student profiles

• Display name, year group, and study interests (chosen by you)
• Curriculum target (SEAG, AQE, or England 11+)
• Profile avatar or photo (account-holder approved)
• A short numeric PIN (stored as a cryptographic hash — we cannot read the original PIN)
• A student code (a short code the student can use on another device)
• Rewards, points, and study buddy preferences

Learning data

• Practice test results, topic scores, and answer records
• Challenge progress and completion status
• Topic strengths and weaknesses over time
• Free-text written answers submitted during tests

Technical data

• Firebase Authentication session data (browser-managed)
• Timestamps on records (for ordering and retention)

3. Why we collect it and our legal basis

We process data under the UK GDPR on the following bases:

• Contract — to provide the service you have signed up for (accounts, tests, progress reports)
• Legitimate interests — to improve the platform using aggregated, anonymised performance data; to prevent misuse
• Legal obligation — to comply with applicable laws including safeguarding obligations
• Consent — for optional features such as marketing emails, where we ask separately

4. Children's data

Student profiles are created and managed by an account holder, parent, or guardian. Students use a short code code and do not create their own accounts. Students do not see billing information, account settings, or personal details from the account.

We do not knowingly collect personal data directly from children without appropriate adult consent. If you believe a child has registered without that consent, please contact us and we will remove the data promptly.

Written test answers entered by students may be reviewed by AI tools (see section 6) to generate personalised feedback. No identifying information is sent in these requests.

5. How long we keep data

• Active account data is retained while the account exists and a subscription or free tier is active.
• If an account is deleted, we aim to remove personal data within 30 days, except where retention is required by law.
• Anonymised, aggregated learning statistics may be retained indefinitely to improve the platform.
• Backups may retain data for up to 90 days after deletion.

6. Third parties we use

• Google Firebase — authentication, database, and hosting. Data is stored in Google Cloud (europe-west2 region where configured). Firebase privacy
• Stripe — payment processing. Card details are handled entirely by Stripe. We only store your plan status. Stripe privacy
• SendGrid (Twilio) — transactional and progress emails. SendGrid privacy
• OpenAI — AI-generated feedback on written test answers. Prompts do not include names or identifying information. We use OpenAI's API with data handling subject to their enterprise terms. OpenAI privacy

We do not sell personal data to any third party.

7. Your rights

Under UK GDPR you have the right to:

• Access — request a copy of the data we hold about you
• Rectification — ask us to correct inaccurate data
• Erasure — request deletion of your account and associated data
• Restriction — ask us to limit how we process your data in certain circumstances
• Data portability — receive your data in a machine-readable format
• Object — object to processing based on legitimate interests
• Withdraw consent — where processing is based on consent, withdraw it at any time

To exercise any right, contact us through the Peak Prep contact page. We will respond within one month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).

8. Security

Passwords are hashed by Firebase Authentication and never stored in plaintext. Profile PINs are hashed server-side using PBKDF2 before storage. Data in transit is encrypted using TLS. Access to the database is controlled by Firestore security rules that restrict each user to their own data.

9. Changes to this notice

We may update this notice as the platform develops. We will post the updated version here and, for material changes, notify account holders by email.

10. Contact

For any privacy-related question, use the Peak Prep contact page.