PRIVACY GDPR - transparency - user control

Protecting your data.

How we collect, use, and protect personal data on iBMarker - in accordance with the EU General Data Protection Regulation (GDPR) and the UK GDPR. Last updated 21 May 2026, version 2026-05-21.

Who we are

The data controller is Progression AI, s.r.o. (Slovak Republic registration No. 52416682), located at Dunajska 8, 811 08 Bratislava, Slovakia.

For any privacy-related question, contact privacy@ibmarker.com.

What we actually collect

We collect only what we need to run the product. The full list:

  • Email address - your account identifier and for transactional emails.
  • Password (hashed) - stored as a PBKDF2-SHA256 hash with a random per-user salt. We cannot recover your plaintext password.
  • Role - Student, Teacher, or School Administrator. Drives what you see.
  • Display name / username - optional, shown on leaderboards and in chat. You set it.
  • School affiliation - a school code if your school has signed up. Optional for individuals.
  • Your answers and marks - text you submit during practice or exams, the AI-generated mark, feedback, and timing.
  • Usage data - pages visited, badges and quests earned, leaderboard position.
  • Direct messages and friend connections - only if you use social features.
  • Profile picture - optional, only if you upload one.
  • IP address and browser type - logged on sign-in and on sensitive pages, auto-purged after 12 months.
  • Cookie consent decisions - your accept/reject choices, policy version, time, and IP, so we can demonstrate consent under Article 7.

What we do not collect: date of birth, gender, billing address, postal address, country of residence, phone number, or any special-category data. Payment details are entered directly into Stripe's checkout form and never touch our servers.

Lawful basis

Under Article 6 of the GDPR, our lawful bases are:

  • Contract (Art. 6(1)(b)) - the core service: marking, progress, feedback.
  • Legitimate interests (Art. 6(1)(f)) - security logs, abuse prevention, anonymous service-improvement analytics.
  • Consent (Art. 6(1)(a)) - product communications and non-essential analytics. Given through the cookie banner and withdrawable any time from the cookies page.
  • Legal obligation (Art. 6(1)(c)) - retaining billing records for tax purposes.

Automated marking and Article 22

Your answers are marked by AI (currently Anthropic's Claude, with OpenAI as fallback). The mark and feedback affect your assessment record, which is a significant decision under Article 22. You have the right to:

  • Be told which marks were AI-generated (we are rolling out an AI-marked badge on every relevant page).
  • Request human review of any AI mark via your teacher, or by emailing privacy@ibmarker.com.
  • Receive information about the marking logic on request. In summary: the model is shown the question, the official markscheme, and your answer, then asked to award marks according to specific criteria. Our prompts and rubric are available on request.

Who we share data with

We use a small number of vendors, each acting as a processor under a written agreement:

  • Anthropic, PBC (US) - AI marking. Receives your answer text and the question.
  • OpenAI, LLC (US) - backup AI marking.
  • Stripe Payments Europe Ltd (Ireland) - subscription billing.
  • Rackspace (US) - transactional email delivery.
  • Google LLC, Microsoft Corp (US) - optional sign-in via Google / Microsoft account.
  • Cloudflare (US) - Turnstile bot protection on signup forms.

Transfers to the United States are protected by EU Standard Contractual Clauses and the EU-US Data Privacy Framework where the recipient is certified. We publish our full sub-processor list and notify schools 30 days before adding a new one.

How long we keep it

  • Account data - while your account is active, plus 90 days after closure to handle disputes.
  • Practice answers and marks - same as account data, unless you request earlier deletion.
  • Exam submissions through schools - 5 years, for academic-integrity reasons.
  • Access logs (IP, user agent) - 12 months from creation.
  • Billing records - 7 years, as required by Slovak tax law.
  • Cookie consent records - 3 years from the last decision.

Your rights

Under GDPR Articles 15-22 you can:

  • Access - get a copy of everything we hold about you (Art. 15).
  • Rectify - correct anything inaccurate (Art. 16).
  • Erase - have your account and associated data deleted (Art. 17). Some records (billing, school exam submissions) may be retained where law requires.
  • Restrict - pause processing while a dispute is resolved (Art. 18).
  • Port - receive your data in a structured machine-readable format (Art. 20).
  • Object - to processing based on legitimate interests (Art. 21).
  • Not be subject to solely automated decisions - request human review (Art. 22).
  • Withdraw consent at any time without affecting prior lawful processing (Art. 7(3)).

Email privacy@ibmarker.com from the address on your account, or use the in-app tools as they become available. We respond within 30 days. No fee unless the request is manifestly unfounded or excessive.

If you are not satisfied with our response you may complain to your local Data Protection Authority. The Slovak supervisory authority is the Office for Personal Data Protection of the Slovak Republic.

Children and the age of consent

iBMarker is intended for students aged 16 and over and their teachers. Under the GDPR, the digital age of consent is between 13 and 16 depending on the EU member state. We are rolling out an age gate at signup and, where required, a verifiable parental consent flow. Until that is in place, please do not create an account on behalf of a child under the age of consent in your country.

Security

We use TLS 1.2+ for all transport, PBKDF2-SHA256 password hashing, role-based access controls, and access logging. We do not store payment details. Our security programme is reviewed annually.

Changes to this policy

We will notify you in-app and via email before any material change takes effect, and re-ask for consent where the change requires it.