Privacy Policy

Last reviewed: 29 May 2026

This Privacy Policy explains how SB Marketing Limited ("we") collects, uses, and protects your personal data through the Transfera platform. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data controller

SB Marketing Limited, registered in Northern Ireland, is the data controller. Contact our data protection point of contact at privacy@transfera.co.uk. We are registered with the Information Commissioner's Office (ICO).

2. What we collect

  • Account data: full name, email, role, registration date, consent timestamp and IP
  • Child accounts: first name and year group only (no surname, no date of birth)
  • Usage data: exam attempts, scores, topic performance, login timestamps
  • Payment data: processed by Stripe; we never store card numbers
  • Technical data: browser, device type, country-level location (with consent)

3. Lawful basis

  • Contract performance (Art 6(1)(b)) — delivering the service
  • Legitimate interests (Art 6(1)(f)) — security, fraud prevention
  • Explicit consent (Art 6(1)(a) / Art 8) — analytics, children's data
  • Legal obligation (Art 6(1)(c)) — financial records

4. Special protections for children

We comply with the UK Children's Code. Verifiable parental consent is required; we collect minimum data; we never profile children or use their data for marketing; children's data is never sold; no photographs are collected (avatars use initials).

5. Sharing

We use these processors under written Data Processing Agreements: Supabase (Dublin) for database hosting; Vercel (Frankfurt) for application hosting; Stripe for payments; OpenAI for AI explanations (anonymised); Resend for transactional email; Posthog (EU) for opt-in analytics. We never sell data.

6. Retention

  • Account data: retained while active; erased within 30 days of deletion request
  • Exam attempts: 2 years
  • Billing records: 7 years (HMRC requirement)
  • Parental consent records: life of child account + 3 years

7. Your rights

Under UK GDPR you have rights of access, rectification, erasure, data portability, restriction, objection, and to withdraw consent. Email privacy@transfera.co.uk. We respond within one calendar month. You may also complain to the ICO at ico.org.uk.

8. Security

AES-256 encryption at rest, TLS 1.3 in transit, role-based access controls, password hashing with bcrypt, all data in EU data centres. Breach notification to the ICO within 72 hours where required.