Privacy policy
This policy explains how Maths Vault (“we”, “us”, “our”) collects, uses, stores, and shares personal data when you use https://mathsvault.uk, related subdomains (for example school-branded vaults and stb.mathsvault.uk), and associated services (together, the “site”). We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data controller
The data controller responsible for your personal data is Maths Vault. Contact: admin@mathsvault.uk.
Data we may collect
Depending on how you use the site, we may process:
- Identity and contact data: for example name, email address, school or organisation name, and similar details you provide when registering, contacting us, signing up to resources, or completing forms.
- Account data: username, credentials or authentication identifiers, membership tier, role (for example teacher, admin, tester, or student where applicable), school association, preferences, and session information.
- Usage and technical data: IP address, browser type, device information, approximate location derived from IP, pages viewed, referring URLs, scroll depth, interaction counts, and timestamps. This may be collected through server logs, our first-party analytics (see below), and similar technologies.
- Content you provide: worksheets, homework, lesson materials, uploads, feedback, and other text or files you submit through site tools or communications with us.
- Transaction data: subscription status, billing contact details, payment provider identifiers, and records of orders or donations. Payment card data is processed by our payment providers and is not stored by us beyond what is necessary for billing records.
- Marketing and communications data: mailing-list subscription status, consent records, onboarding sequence progress, email open and click events (where tracking is enabled), and your preferences for receiving newsletters or promotional messages.
- Integration data: where you connect third-party services (for example Google Classroom), identifiers and tokens needed to maintain that connection and perform actions you request.
- AI chat data: where you use Vault Guide, the messages you send and related session metadata (see Vault Guide AI chat).
Accounts and schools
When you register for a teacher or staff account, we collect information such as your name, email address, school name, and chosen username. We may associate your account with a school record, including branding settings and optional school subdomains used to present a school-branded vault.
Accounts may have different roles and access levels (for example teacher, school admin, tester, or site administrator). We use session cookies and server-side session records to keep you signed in securely. You are responsible for keeping your login details confidential and for activity under your account.
First-party analytics
We operate our own analytics on many public pages of the site. This is not Google Analytics or another third-party advertising analytics network. Data is sent to our servers and stored in our site database.
Our analytics may record, among other things:
- page views, page path, page type, and time on page;
- scroll depth, clicks, and other interaction counts;
- browser, device, screen and viewport information;
- timezone, language, and platform details;
- limited canvas and WebGL rendering characteristics used as a technical fingerprint to help distinguish genuine visits from automated traffic.
Administration pages under /admin/ are not tracked. Logged-in users can exclude themselves from analytics by setting the cookie exclude_analytics=1 or the localStorage key mathsvault_exclude_analytics to 1 (for example via account settings or the analytics exclusion control). When exclusion is active, our client-side tracker does not send analytics events.
We use this data on the basis of our legitimate interests in understanding how the site is used, improving content and performance, and detecting abuse, balanced against your rights. Where required, we rely on consent for non-essential tracking.
Email tracking
Some marketing, onboarding, and operational emails we send may include:
- Open tracking: a small transparent image (pixel) that records when an email is opened;
- Click tracking: links that pass through our servers so we can record which links were clicked before redirecting you to the destination.
Where implemented, IP addresses associated with email opens and clicks are anonymised (hashed) before storage. We also attempt to ignore bot and security-scanner traffic that can produce false open or click events. Email tracking helps us measure engagement and improve our communications, generally on the basis of legitimate interests or consent where you have opted in to marketing.
Mailing list and lead magnets
You may join our mailing list or request free downloads (“lead magnets”) by submitting your email address and, where asked, your name, school, or consent preferences. We record when and how you subscribed, which resource you requested, and whether you have unsubscribed.
After signup, we may send onboarding email sequences with tips and links to site features. Every marketing email includes an unsubscribe mechanism. If you unsubscribe, we stop sending marketing messages but may retain a suppression record so we do not contact you again for that purpose.
A short-lived cookie (mv_lm_recent) may be set after a successful lead-magnet signup so you can request another download in the same browser without re-entering your email address.
Payments and donations
Paid memberships and subscriptions are processed by Stripe. We receive billing status, customer and subscription identifiers, and related metadata from Stripe; we do not store full payment card numbers.
Donations and some membership tiers may also be handled via Buy Me a Coffee, which sends us webhook notifications about supports and memberships. Card and payment details are processed by those providers under their own privacy policies.
We retain transaction and subscription records as needed to provide the service, manage your account, and meet legal and accounting obligations.
Google integrations
If you choose to connect Google Classroom, we use Google OAuth so you can authorise access to your Google account. We store tokens and Google account identifiers needed to list courses and post homework or coursework you explicitly request. You can disconnect the integration from your dashboard.
Some pages load Google Fonts from Google’s servers. When those fonts load, Google may receive technical data such as your IP address and browser information. See Google’s privacy policy for how they process that data.
Vault Guide AI chat
Vault Guide is an AI assistant embedded on selected pages (for example our promo and free-download pages). Before you can chat, you must confirm a consent gate explaining that you are interacting with an AI assistant.
When you use Vault Guide, your messages are sent from your browser via our proxy at /api/vault-guide to our AI service provider, Ivy Web (clients.theivyweb.uk). Ivy Web processes your chat content to generate replies. We and Ivy Web may retain conversation data as needed to operate, secure, and improve the service.
Do not enter unnecessary personal data, pupil names, or sensitive information into Vault Guide. For privacy questions about AI processing, contact admin@mathsvault.uk.
User-generated content
The site lets teachers and authorised users create, upload, and store resources such as worksheets, homework, presentations, and related files. We process this content to provide the service you request, including generating PDFs, displaying materials to classes, and storing them in your account or school context.
You are responsible for ensuring you have appropriate rights to upload content and that any personal data within resources (for example pupil names) is handled lawfully. Where you upload personal data about others, you are typically the data controller for that content and we process it as a service provider (processor) on your instructions.
Student-facing areas
Parts of the site are aimed at students and parents, including revision tools at /students/, single-topic booklets (STB) on stb.mathsvault.uk, and interactive calculators. Many of these areas do not require an account.
Where schools or teachers use Maths Vault with pupils — for example by sharing homework links, classroom codes, or student logins — the school or teacher is responsible for ensuring appropriate consent, safeguarding, and fair use. We process pupil-related data as a service provider to deliver the features the school or teacher uses.
If you believe we have collected a child’s personal data without appropriate authority, please contact us and we will take steps to delete it where required by law.
Games and interactive tools
Our maths games and interactive activities may store progress locally in your browser (for example via localStorage) for scores, settings, daily challenges, or streaks. Some games support optional accounts or friends lists stored locally on your device.
Certain features use short-lived cookies to support ratings or preferences (for example mv_stb_key_uid for anonymous booklet ratings, or mv_stb_worksheets_last_seen to highlight new STB worksheets). These are used to improve the experience rather than for third-party advertising.
How and why we use your data (lawful bases)
We use personal data only where we have a lawful basis under UK GDPR. These include:
- Contract: to provide the site, accounts, subscriptions, and services you request, and to manage our relationship with you.
- Legitimate interests: to secure and improve the site, operate first-party analytics, measure email engagement, prevent fraud or misuse, and communicate operational messages, where our interests are not overridden by your rights.
- Legal obligation: to comply with law, regulation, or regulatory or court requests.
- Consent: where we rely on consent (for example certain marketing communications, Vault Guide AI chat, or optional cookies), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
Cookies and similar technologies
We use cookies and browser storage where necessary for the site to function and, in some cases, for preferences or analytics. We do not use third-party advertising cookie networks.
We do not currently show a dedicated cookie consent banner on every page. You can control cookies through your browser settings, and you can opt out of our first-party analytics using the exclusion methods described in First-party analytics. Essential cookies may still be required for login or security.
| Name | Purpose | Typical duration |
|---|---|---|
mathsvault_session |
Essential session and authentication cookie for logged-in users | Session or up to 30 days |
PHPSESSID |
Essential PHP session identifier on some pages | Session |
exclude_analytics |
Stores your preference to opt out of first-party analytics | Up to 1 year |
mathsvault_exclude_analytics (localStorage) |
Browser storage equivalent of analytics exclusion | Until cleared |
mv_lm_recent |
Remembers a recent lead-magnet signup in the same browser | About 60 minutes (sliding) |
mv_stb_key_uid |
Anonymous identifier for STB booklet key ratings | Up to 1 year |
mv_stb_worksheets_last_seen |
Remembers when you last viewed new STB worksheets | Up to 1 year |
mv_ls_uid |
Anonymous identifier for lesson-solutions rating features | Varies |
Game localStorage keys |
Progress, settings, and statistics for interactive games | Until cleared |
Sharing your data and third parties
We may share personal data with service providers who help us operate the site, under contracts that require them to protect personal data and use it only for the purposes we specify. Key third parties include:
- Stripe — payment processing and subscription billing;
- Buy Me a Coffee — donations and membership webhooks;
- Google — OAuth sign-in, Google Classroom API, and Google Fonts on some pages;
- Ivy Web — Vault Guide AI chat processing;
- Font Awesome — icon kit loaded from their CDN on some pages;
- Hosting and email delivery providers — infrastructure that hosts the site and sends transactional or marketing email on our behalf.
We may also share data with professional advisers where required, and with authorities when we are legally required to disclose information or need to protect rights, safety, or security.
We do not sell your personal data.
International transfers
Some of our service providers (for example Stripe, Google, Font Awesome, or Ivy Web) may process data outside the United Kingdom. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place as required by UK data protection law (for example adequacy regulations or standard contractual clauses).
How long we keep data
We retain personal data only for as long as necessary for the purposes described in this policy, including to satisfy legal, accounting, or reporting requirements. Retention periods vary depending on the type of data and the nature of our relationship with you — for example, account data is kept while your account is active and for a reasonable period afterwards; analytics and email tracking data may be aggregated or deleted sooner; billing records may be kept longer where required by law.
Security
We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or alteration. No method of transmission over the internet is completely secure; we encourage you to use strong passwords and protect your account credentials.
Children
The site is primarily intended for educators and adults. Student-facing tools are generally designed for revision use under the supervision of parents, carers, or schools. See also Student-facing areas.
Your rights
Under UK data protection law you may have the right to:
- request access to the personal data we hold about you;
- request rectification of inaccurate data;
- request erasure in certain circumstances;
- request restriction of processing;
- object to processing based on legitimate interests or for direct marketing;
- request data portability where processing is based on consent or contract and carried out by automated means;
- lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority: ico.org.uk.
To exercise these rights, contact admin@mathsvault.uk. We may need to verify your identity before responding.
Automated decision-making and AI
We do not use automated decision-making that produces legal or similarly significant effects solely by automated means.
Vault Guide uses artificial intelligence to generate conversational replies. Outputs are informational only and should not be relied on as professional, safeguarding, or legal advice. A human operator may review conversations where needed for support, safety, or service improvement.
Changes to this policy
We may update this policy from time to time. The “Last updated” date will change accordingly. We encourage you to review this page periodically.
Contact
For privacy-related questions or requests: admin@mathsvault.uk.
Our Terms of service govern use of the site.