MathBunsMathBuns alpha
Start free
Last updated · 5 May 2026

Privacy Policy

Plain-English version of how we look after your data — and your child's.

The short version
For children, we collect no email, no real name, no date of birth. The parent creates the account; the child signs in with an auto-generated username and a 4-digit PIN. Parents can reset the PIN or delete the account at any time. We never sell data, never run third-party ad trackers, and follow the UK Children's Code by default. There is a kid-friendly version too.

Who we are

MathBuns is operated by SIELAY Ltd. (registered in England & Wales). We're the data controller for the personal data described here. You can reach us at privacy@mathbuns.com.

What we collect

  • Parent / teacher account: email address, password (hashed), and billing details if you subscribe.
  • Child profile: an auto-generated username (e.g. BraveTiger47), a 4-digit PIN (hashed), and an optional year group chosen by the parent. No real name, no email, no date of birth, no surname, no address, no photo, no device ID. The optional "nickname" field is for the parent's dashboard only — it is never required and never shown publicly.
  • Practice data: questions answered, time taken, accuracy, streaks, stars earned.
  • Device & technical data: browser type, screen size, crash logs — for fixing bugs.

How children sign in

Children never have an email or password in the usual sense. The parent generates a username from a kid-safe word list, sets a 4-digit PIN, and writes both down. The child types those at the login page. If the child forgets the PIN, only the parent can reset it (from the parent dashboard). There is no email-based password reset flow for children — there is no email to send to.

Why we collect it

  • To run the app and keep your child's progress in sync across devices.
  • To pick the right next question (the adaptive difficulty engine).
  • To send your weekly parent summary (you can switch this off).
  • To take payment if you're on the Family plan (handled by Stripe — we don't store your card number).
  • To diagnose and fix bugs, and to improve the app over time.

Children's data & the UK Children's Code

MathBuns is intended for children aged roughly 4–13 — Nursery, Reception and the rest of UK primary school, with stretch into Year 7. A parent or guardian must set up child profiles and consent on the child's behalf — children cannot sign themselves up. We follow the ICO's Age Appropriate Design Code by default, with specific commitments below.

  • Data minimisation: we collect only the data needed to run a maths drill — no profile, no contact data, no DOB.
  • High-privacy defaults: child accounts have no public profile, no chat, no friend list. Leaderboards are scoped to the child's own family — or to their own class, on a school-managed account — and are never public.
  • No nudge techniques: streaks reward consistency but the app never pressures continued use; there is no infinite scroll, no pop-up upsells to children, no notifications begging them to come back.
  • No profiling, no behavioural ads: we do not build behavioural profiles of children and never use their data for marketing.
  • Parental controls: parents can reset PINs, delete the child account (data wiped), and export practice data on request.
  • No precise location: we never ask the device for GPS or any other precise location. The only location-like data processed is the country / region that our analytics provider derives from the IP address (see "Cookies & analytics" below); the IP itself is never stored against a child profile.
What we DON'T do
  • No advertising — we don't show ads to anyone, ever.
  • No advertising or behavioural-ad trackers — no Facebook pixel, no Google Ads, no ad networks, no behavioural profiling, anywhere on the site. We do run our own cookieless first-party analytics on marketing and parent/teacher pages (see "Cookies & analytics" below) — but it stops loading the moment a child profile signs in.
  • No AI / LLM processing of children's answers — questions are generated by simple rules, and answers stay in your account.
  • No selling data — your data is not for sale and never will be.
  • No marketing emails to children — only parents get email.

How long we keep it

Practice data is kept while the account is active. When a parent deletes a child profile, the child's data is wiped within seconds. When you delete your own account, we wipe everything connected to it the same way. Billing records are kept for 7 years as required by UK tax law. Backup snapshots can hold a row for up to 7 more days before they age out. The full table lives at /privacy/retention.

Who we share it with

We use a small number of trusted sub-processors to actually run the service. Each one only sees the data it needs for its job, and is bound by a data-processing agreement:

  • Vercel (USA/EU) — hosts the web app, runs the weekly parent-summary job, and provides cookieless Web Analytics + Speed Insights. Sees the technical data needed to deliver pages (IP address, browser type, request paths); for analytics it derives a country and region from the IP and a daily-rotating hashed visitor counter, but the IP itself is not stored.
  • Supabase (EU region) — hosts our database and handles authentication. This is where parent emails (hashed passwords) and child practice data live at rest.
  • AWS SES (EU region) — delivers transactional and parent-summary emails over SMTP. Sees the recipient email address and the email content. We also record, in our own systems (not at AWS), when each email was delivered, opened, or had a link clicked — used to spot delivery problems and to stop mailing addresses that bounce. You can opt out of marketing email at any time from your parent dashboard.
  • Stripe (UK/EU) — processes payments for the Family plan. We never see or store your card number; Stripe handles that under PCI-DSS.

That's it. We don't share data with anyone else, and we never sell it.

Cookies & analytics

  • Essential cookies — keep you signed in and protect against CSRF. These are strictly necessary to run the app, so consent isn't required by law and they're always on.
  • Vercel Web Analytics & Speed Insights — counts page views and Core Web Vitals so we can spot broken pages. Cookieless by design (PECR-compliant without a banner), no cross-site tracking, no behavioural profiling, no persistent ID. Vercel processes the IP address briefly to derive a country and region for the dashboard breakdown and to compute a daily-rotating hashed visitor counter; the IP itself is not stored and is never linked to your account or your child's profile. Loads for everyone.
  • MathBuns first-party analytics — counts page views and email-link clicks so we can see which features are used and which marketing emails are working. Cookieless by design (PECR-compliant without a banner): instead of a persistent ID, we derive a daily-rotating hash from your IP, browser, and the day's date, server-side, and bin events to that — the IP itself is never stored, no cross-site tracking, no behavioural profiling. The snippet is not loaded once a child profile signs in; it runs on marketing and parent/teacher pages only.
  • Other product analytics (optional) — if we ever add a third-party analytics tool (e.g. PostHog), it will only load after you click Accept all in the cookie banner. Today there's nothing in this category.

We never put advertising cookies anywhere. You can review or change your choices any time — open the from the footer of any page.

Your rights under UK GDPR

  • Access a copy of your data.
  • Correct anything inaccurate.
  • Delete your account and data.
  • Object to or restrict processing.
  • Port your data to another service.
  • Withdraw consent (where we rely on it).

Email privacy@mathbuns.com and we'll respond within 30 days, usually much sooner.

How to complain

If you think we've handled your data badly, please tell us first so we can put it right. You also have the right to complain to the UK Information Commissioner's Office:
ico.org.uk · 0303 123 1113

Changes to this policy

We'll email you about any meaningful change at least 14 days before it takes effect. The "Last updated" date at the top of this page always reflects the current version.

The bunnies say: Got a privacy worry? Email us at privacy@mathbuns.com — we read every message.