MathBunsMathBuns alpha
Start free
Last updated · 25 April 2026

Privacy Policy

Plain-English version of how we look after your data — and your child's.

The short version
We collect the bare minimum to run the app, never sell your data, and don't use third-party ad trackers around children. UK GDPR applies, and you can ask us to delete everything any time.

Who we are

MathBuns is operated by MathBuns Ltd., registered in England & Wales. We're the data controller for the personal data described here. You can reach us at privacy@mathbuns.com.

What we collect

  • Parent account: email address, password (hashed), and billing details if you subscribe.
  • Child profile: first name or nickname, year group, and an avatar choice. No surnames, no addresses, no photos required.
  • Practice data: questions answered, time taken, accuracy, streaks, stars earned.
  • Device & technical data: browser type, screen size, crash logs — for fixing bugs.

Why we collect it

  • To run the app and keep your child's progress in sync across devices.
  • To pick the right next question (the adaptive difficulty engine).
  • To send your weekly parent summary (you can switch this off).
  • To take payment if you're on the Family plan (handled by Stripe — we don't store your card number).
  • To diagnose and fix bugs, and to improve the app over time.

Children's data (under 13)

MathBuns is intended for children. A parent or guardian must set up child profiles and consent on the child's behalf. We don't ask children for any contact details, location, or unnecessary personal information. Children only see practice content and friendly mascots — no advertising, no chat with strangers, no public profiles.

What we DON'T do
  • No advertising — we don't show ads to anyone, ever.
  • No third-party trackers around children — no Facebook pixel, no ad networks, no behavioural profiling.
  • No selling data — your data is not for sale and never will be.
  • No marketing emails to children — only parents get email.

How long we keep it

Practice data is kept while the account is active and for 12 months after you delete it (so you can come back without losing progress). Billing records are kept for 7 years as required by UK tax law. You can ask us to delete everything sooner — see "Your rights" below.

Who we share it with

We use a small number of trusted sub-processors to actually run the service. Each one only sees the data it needs for its job, and is bound by a data-processing agreement:

  • Vercel (USA/EU) — hosts the web app and runs the weekly parent-summary job. Sees only the technical data needed to deliver pages (IP address, browser type, request paths) and, briefly, the data assembled for that summary.
  • Supabase (EU region) — hosts our database and handles authentication. This is where parent emails (hashed passwords) and child practice data live at rest.
  • AWS SES (EU region) — sends transactional and parent-summary emails. Sees the recipient email address and the email content.
  • Stripe (UK/EU) — processes payments for the Family plan. We never see or store your card number; Stripe handles that under PCI-DSS.

That's it. We don't share data with anyone else, and we never sell it.

Cookies & analytics

  • Essential cookies — keep you signed in and protect against CSRF. These are strictly necessary to run the app, so consent isn't required by law and they're always on.
  • Vercel Web Analytics — counts page views and Core Web Vitals so we can spot broken pages. Cookieless by design (PECR-compliant without a banner), no cross-site tracking, no behavioural profiling. Loads for everyone.
  • Future product analytics (optional) — if we ever add deeper analytics (e.g. PostHog) it will only load when you click Accept all in the cookie banner. Today there's nothing in this category.

We never put advertising cookies anywhere. You can review or change your choices any time — open the from the footer of any page.

Your rights under UK GDPR

  • Access a copy of your data.
  • Correct anything inaccurate.
  • Delete your account and data.
  • Object to or restrict processing.
  • Port your data to another service.
  • Withdraw consent (where we rely on it).

Email privacy@mathbuns.com and we'll respond within 30 days, usually much sooner.

How to complain

If you think we've handled your data badly, please tell us first so we can put it right. You also have the right to complain to the UK Information Commissioner's Office:
ico.org.uk · 0303 123 1113

Changes to this policy

We'll email you about any meaningful change at least 14 days before it takes effect. The "Last updated" date at the top of this page always reflects the current version.

The bunnies say: Got a privacy worry? Email us at privacy@mathbuns.com — we read every message.