PyGCSE Python Lab
← Back to Home

Privacy Policy

Last updated: December 27, 2025

1. Introduction

Forge Class Software Ltd ("we," "our," or "us") operates GCSE Python Lab. We are committed to protecting your privacy and handling your personal data responsibly.

This Privacy Policy explains how we collect, use, store, and protect your information when you use our Platform. By using GCSE Python Lab, you agree to the collection and use of information in accordance with this policy.

We are a UK-based company and comply with UK GDPR and Data Protection Act 2018.

2. Information We Collect

2.1 Information You Provide

When you create an account, we collect:

  • Email address: Used for account creation and authentication
  • Name: For identification within classes
  • Account type: Teacher or Student
  • Profile information: Optional profile picture or display preferences

2.2 Information Collected Automatically

When you use the Platform, we automatically collect:

  • Usage data: Pages visited, features used, time spent
  • Device information: Browser type, operating system, IP address
  • Cookies: Session data and preferences (see Section 8)

2.3 Educational Data

As you use the Platform, we collect and store:

  • Student submissions: Code, answers, and responses to questions
  • Grades and feedback: Marks awarded and feedback comments
  • Progress data: Assignments completed, XP earned, achievements unlocked
  • Activity logs: When you worked on assignments, how long you spent
  • AI interaction logs: Hints requested, support level chosen

2.4 Information We Do NOT Collect

  • Payment information (not currently applicable during beta)
  • Social security numbers or other government IDs
  • Precise geolocation data
  • Personal messages between users (the Platform does not have messaging)

3. How We Use Your Information

We use your personal data for the following purposes:

3.1 To Provide the Service

  • Create and manage your account
  • Allow teachers to create classes and assignments
  • Enable students to access and complete assignments
  • Store submissions and provide feedback
  • Track progress and generate analytics

3.2 To Improve the Platform

  • Analyze usage patterns to improve features
  • Identify and fix bugs or technical issues
  • Develop new question types and content
  • Train and improve AI marking and support systems

3.3 To Communicate with You

  • Send account-related notifications (assignments due, marks released)
  • Respond to your support requests
  • Send important updates about the Platform (with your consent)
  • Notify you of changes to our Terms or Privacy Policy

3.4 Legal Basis (UK GDPR)

We process your data based on:

  • Contractual necessity: To provide the service you've signed up for
  • Legitimate interests: To improve the Platform and prevent fraud
  • Consent: For optional communications or features (you can withdraw consent at any time)
  • Legal obligation: To comply with applicable laws

4. Data Sharing and Disclosure

4.1 Who We Share With

We may share your information with:

  • Within Classes: Teachers can see student progress, submissions, and grades for their classes. Students can only see their own data.
  • Service Providers: Trusted third parties who help us operate the Platform:
    • Firebase/Google Cloud (database and authentication)
    • OpenAI (AI marking and hints - see Section 4.3)
    • Hosting providers and CDNs
  • Legal Authorities: If required by law or to protect our rights

4.2 What We Do NOT Do

  • We do not sell your personal data to third parties
  • We do not share student data with advertisers
  • We do not use your data for marketing unrelated to the Platform

4.3 AI Service Providers (OpenAI)

When you use AI features (hints, marking), we send your submission or question to OpenAI's API:

  • OpenAI processes the data to generate feedback but does not use it to train their models (per our API agreement)
  • We do not include personally identifiable information in AI requests where possible
  • OpenAI's data processing complies with their privacy policy

4.4 International Transfers

Some of our service providers (e.g., Google Cloud, OpenAI) may process data outside the UK. We ensure that appropriate safeguards are in place, such as:

  • Standard Contractual Clauses (SCCs)
  • Adequacy decisions by the UK government
  • Service providers' compliance with international data protection standards

5. Data Retention

We retain your data for as long as necessary to provide the service:

  • Active accounts: Data is retained while your account is active
  • Inactive accounts: After 2 years of inactivity, we may delete your account and associated data (with advance notice)
  • Deleted accounts: Upon account deletion, personal data is removed within 30 days. Anonymized usage data may be retained for analytics.
  • Legal retention: Some data may be retained longer if required by law (e.g., financial records)

6. Data Security

We implement appropriate technical and organizational measures to protect your data:

6.1 Technical Measures

  • Encryption in transit (HTTPS/TLS)
  • Encryption at rest for sensitive data
  • Secure authentication via NextAuth.js with OAuth providers
  • Firebase security rules to control data access
  • Regular security updates and patches

6.2 Organizational Measures

  • Limited employee access to personal data
  • Regular security training
  • Incident response procedures

6.3 Your Responsibility

  • Keep your login credentials confidential
  • Use a strong, unique password
  • Log out of shared devices
  • Report suspicious activity immediately

7. Your Rights (UK GDPR)

Under UK data protection law, you have the following rights:

7.1 Right of Access

You can request a copy of the personal data we hold about you.

7.2 Right to Rectification

You can ask us to correct inaccurate or incomplete data. You can update most information directly in your account settings.

7.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data in certain circumstances. Note that we may need to retain some data for legal or legitimate business purposes.

7.4 Right to Restriction of Processing

You can ask us to temporarily stop processing your data in certain situations.

7.5 Right to Data Portability

You can request your data in a structured, machine-readable format to transfer to another service.

7.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

7.7 Right to Withdraw Consent

Where we rely on consent, you can withdraw it at any time (this won't affect the lawfulness of processing before withdrawal).

7.8 How to Exercise Your Rights

To exercise any of these rights, contact us at enquiries@forgeclass.co.uk. We will respond within 30 days.

7.9 Right to Complain

If you're unhappy with how we've handled your data, you can complain to the UK Information Commissioner's Office (ICO):

Website: ico.org.uk

Phone: 0303 123 1113

8. Cookies and Tracking

8.1 What Are Cookies?

Cookies are small text files stored on your device that help us recognize you and remember your preferences.

8.2 Cookies We Use

  • Essential cookies: Required for authentication and basic functionality (cannot be disabled)
  • Functional cookies: Remember your preferences (theme, language)
  • Analytics cookies: Help us understand how the Platform is used (anonymous data)

8.3 Managing Cookies

You can control cookies through your browser settings. Note that disabling essential cookies may affect Platform functionality.

9. Children's Privacy

9.1 Age Requirements

GCSE Python Lab is designed for educational use:

  • Teachers must be 18 or older
  • Students under 13 may use the Platform only with parental consent and under teacher supervision

9.2 Parental Rights

Parents/guardians have the right to:

  • Review their child's personal information
  • Request deletion of their child's account
  • Refuse further collection of their child's data

9.3 School/Teacher Responsibility

When used in schools, teachers and schools are responsible for:

  • Obtaining necessary parental consent
  • Ensuring age-appropriate use
  • Complying with their own data protection obligations

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for legal reasons.

When we make significant changes:

  • We will update the "Last updated" date at the top
  • We will notify you via email or Platform notification
  • For material changes affecting children's data, we will seek renewed consent where required

11. Data Controller

The data controller responsible for your personal data is:

Forge Class Software Ltd

Email: enquiries@forgeclass.co.uk

Website: forgeclass.co.uk

12. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please contact us:

We aim to respond to all privacy inquiries within 30 days.