Privacy Policy — EDF Quest

This Privacy Policy applies to EDF Quest operated by [Company Name — set in Control Panel → Legal & GDPR]. Registered with the ICO under [ICO Registration Number]. Compliant with UK GDPR + EU GDPR.

1. Who We Are

[Company Name — set in Control Panel → Legal & GDPR]

[Registered Address]

Data Protection Contact: dpo@edfquest.org

2. What Data We Collect

We collect: account data (name, email, hashed password); usage data (quiz attempts, progress, session timestamps); communications you send us; technical data (IP address, browser type, session identifiers).

We do not collect payment card data, government IDs, or sensitive health data.

3. Why We Process Your Data (Lawful Basis)

Purpose	Lawful Basis
Providing your account and the platform	Contract (Art. 6(1)(b))
Service emails (password resets, notifications)	Contract / Legitimate Interest
Analytics to improve the platform	Consent (Art. 6(1)(a)) — optional
Security monitoring and fraud prevention	Legitimate Interest (Art. 6(1)(f))
Legal compliance	Legal Obligation (Art. 6(1)(c))

4. Data Retention

We retain personal data for up to 2 years from your last activity. After this, inactive accounts are flagged for deletion. Backup copies may persist up to 90 days in encrypted storage before permanent deletion.

5. Who We Share Data With

We do not sell or rent your data. We may share with: hosting/infrastructure providers (under DPAs); email service providers; law enforcement where required; and your linked school or tutorial centre (name, email, progress).

6. Cookies

Essential session cookies are always set. Analytics and preference cookies require your explicit consent via the cookie banner. Withdraw consent at any time by clearing cookies for this site.

7. Your Rights Under UK GDPR + EU GDPR

Access — request a copy of your personal data
Rectification — ask us to correct inaccurate data
Erasure — ask us to delete your data ("right to be forgotten")
Restriction — restrict processing in certain circumstances
Portability — receive your data in a machine-readable format
Object — object to processing based on legitimate interest
Withdraw consent — at any time for consent-based processing

Email dpo@edfquest.org to exercise your rights. We respond within 30 days. You may also complain to the ICO.

8. Data Security

We use TLS encryption, bcrypt password hashing, session token rotation, IP-based rate limiting, and ongoing security monitoring.

9. International Transfers

Where data is transferred outside the UK or EEA, we ensure appropriate safeguards (Standard Contractual Clauses or equivalent) in accordance with UK GDPR + EU GDPR.

10. Children's Data

We do not knowingly collect data directly from children under 13 without school or parental involvement. Schools using EDF Quest are responsible for obtaining appropriate parental consents.

11. Changes to This Policy

Significant changes will be communicated by email and/or in-app notice. The version and date at the top reflects the current version.

12. Contact

[Company Name — set in Control Panel → Legal & GDPR]
[Registered Address]
Email: dpo@edfquest.org

🛡️ Privacy Policy