Privacy Policy

Last updated: March 2026 Version: 1.0 — Development Phase Pre-Trading Open Beta

⚠️

Development notice: Arcademy is not yet a registered company and is not currently trading. This platform is open for anyone to try during its development phase. This privacy policy reflects that position honestly.

1. Who We Are

Arcademy is an educational gaming platform currently under development. It is operated by an individual developer on a pre-commercial, non-trading basis. Arcademy is not yet a registered company.

The platform is open to the public for testing and evaluation purposes only. No commercial services are being sold or provided at this time. No formal contracts or data processing agreements are in place with schools or any other organisations.

For any privacy-related queries, contact: hello@arcademy.io

This policy will be updated when the platform transitions to a trading entity. A full commercial Privacy Policy and Data Processing Agreement will be published at that time.

2. What Data We Collect and Why

🛡️

No personal data is required to use Arcademy. We deliberately collect no real names, email addresses, dates of birth, photographs, or any information that could directly identify anyone — especially children.

Player Data (voluntary, pseudonymous)

Data	Example	Purpose	Legal Basis
Alias (pseudonym)	"Blue Falcon"	Identify the player within the session	Legitimate interests (development testing)
4-digit PIN (hashed)	Stored as bcrypt hash only	Authenticate the player	Legitimate interests (development testing)
Avatar emoji	🦅	Personalise the experience	Legitimate interests (development testing)
Game session data	Score, accuracy, level reached	Test platform functionality	Legitimate interests (development testing)
Badges earned	"Synonym Sharpshooter"	Test reward system functionality	Legitimate interests (development testing)
XP and belt rank	350 XP, Bronze	Test progression system	Legitimate interests (development testing)
Last active timestamp	Date/time of last login	Session management	Legitimate interests (development testing)

Dashboard Access (testers only)

Data	Purpose	Legal Basis
Email address	Authentication for dashboard access during testing	Legitimate interests (development testing)
Display name	Identify the tester in the dashboard	Legitimate interests (development testing)
Login timestamps	Security and session management	Legitimate interests

Technical Data (collected automatically)

Data	Purpose	Retention
Session tokens	Keep users logged in during a school day	8 hours
Login attempt logs	Prevent brute-force attacks	10 minutes
Server access logs	Security and performance monitoring	30 days

ℹ️

We do not use cookies for tracking or advertising. We do not use analytics tools that track individual users. We do not serve adverts.

3. Children's Data — Our Approach

Arcademy is designed specifically for use in schools with children under the age of 18. We take the following steps to protect children's data:

No personal identifiers — students are identified only by a pseudonymous alias chosen by their teacher. Real names are never entered into the system.
No direct contact with children — we do not communicate with students directly. All account management is handled through teachers.
No behavioural profiling or advertising — student data is used solely to support their learning and is never used for commercial purposes.
Minimal data collection — we collect only what is necessary to provide the educational service.
Hashed credentials — student PINs are stored using bcrypt hashing. The plain PIN is never retained after the teacher creates the account.
Data isolation — each student can only access their own data. No student can view another student's records.
School control — the school (as data controller) can request deletion of all student data at any time.

Our platform is designed in accordance with the ICO's Children's Code (Age Appropriate Design Code).

4. How We Share Data

We do not sell, rent, or share personal data with third parties for marketing purposes. Data is only shared with the following sub-processors who help us deliver the service:

Sub-processor	Purpose	Location	Safeguard
Supabase Inc.	Database and authentication hosting	EU (AWS eu-west-2)	Standard Contractual Clauses
Netlify Inc.	Website hosting and delivery	EU CDN edge nodes	Standard Contractual Clauses

We may also disclose data where required by law, a court order, or regulatory authority.

5. How Long We Keep Data

Data Type	Retention Period	Reason
Student profiles and game data	Until the school requests deletion, or the school's licence expires + 30 days	Needed to provide the service
Teacher accounts	Until the account is closed or licence expires + 30 days	Needed to provide the service
Session tokens	8 hours	Security — automatic expiry
Login attempt logs	10 minutes	Rate limiting only
Server logs	30 days	Security monitoring

When a school's licence ends, all associated data (students, classes, sessions, badges) is deleted within 30 days unless the school requests earlier deletion.

6. Security

We take security seriously and have implemented the following technical measures:

All data in transit is encrypted using TLS (HTTPS)
All data at rest is encrypted by our hosting providers
Student PINs are hashed using bcrypt — the plain PIN is never stored
Row-level security ensures each student can only access their own data
Session tokens expire after 8 hours and are scoped to individual players
Login rate limiting prevents brute-force attacks (max 10 attempts per minute)
Teacher accounts use Supabase's industry-standard authentication

In the event of a personal data breach, we will notify affected schools and the ICO within 72 hours where required by UK GDPR Article 33.

7. Your Rights

Schools and Teachers

Under UK GDPR, you have the right to:

Access — request a copy of the personal data we hold about you
Rectification — ask us to correct inaccurate data
Erasure — ask us to delete your data ("right to be forgotten")
Restriction — ask us to limit how we use your data
Portability — receive your data in a machine-readable format
Objection — object to processing based on legitimate interests

Students

Because students are identified by pseudonymous aliases only, we are unable to link a request to a specific child without assistance from the school. Data subject rights for students should be directed to the school, who can then request deletion or export from us on the student's behalf.

How to Exercise Your Rights

Email us at [YOUR EMAIL]. We will respond within 30 days.

You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

8. Cookies

We use only essential technical cookies necessary to operate the platform. We do not use advertising cookies, tracking cookies, or analytics cookies that identify individual users.

Cookie / Storage	Purpose	Expires
Player session token	Keeps a student logged in during the school day	8 hours
Theme preference	Remembers display preferences	1 year

No consent banner is required for strictly necessary cookies under UK GDPR / PECR.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify schools of material changes by email and will update the "Last updated" date at the top of this document. Continued use of the platform after changes constitutes acceptance of the updated policy.

10. Contact Us

[YOUR COMPANY NAME]
[REGISTERED ADDRESS]
Email: [YOUR EMAIL]
Company number: [COMPANY NUMBER]

Arcademy Privacy Policy · v1.0 · March 2026 · Data Processing Agreement →