Legal
A clear guide to your data protection rights and how to exercise them with TrueVIQ.
Last updated: 13 March 2026
Transparency
We tell you exactly what data we hold and why
Control
You decide what happens to your personal data
Protection
Children's data receives the highest level of safeguarding
The UK General Data Protection Regulation grants you a comprehensive set of rights over your personal data. Below is a detailed explanation of each right and how it applies to your use of TrueVIQ.
Right of Access (Subject Access Request)
You can request a complete copy of all personal data we hold about you and your children. This includes account information, learning progress data, session history, and any other data associated with your account. We will provide this in a commonly used, machine-readable format.
Right to Rectification
If any personal data we hold about you or your children is inaccurate or incomplete, you have the right to have it corrected. You can update most information directly through your account settings, or contact us for changes that require our assistance.
Right to Erasure ("Right to Be Forgotten")
You can request that we delete all personal data we hold about you and your children. Upon receiving a valid erasure request, we will delete your data within 30 days, except where we have a legal obligation to retain certain records (e.g., financial transaction records).
Right to Restrict Processing
You can ask us to temporarily stop processing your data while we resolve a concern. For example, if you dispute the accuracy of your data or have objected to processing, you can request restriction while we investigate.
Right to Data Portability
You can request your data in a structured, commonly used, machine-readable format (such as JSON or CSV) and have it transferred to another service provider where technically feasible. This applies to data you have provided to us and that we process based on consent or contract.
Right to Object
You can object to processing of your personal data where we rely on legitimate interests as our legal basis. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests. You have an absolute right to object to direct marketing at any time.
Rights Related to Automated Decision-Making
You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. Our adaptive learning system personalises content to support your child's learning, but no automated decisions are made that have legal or significant consequences. You may request human review of any automated assessment at any time.
Right to Withdraw Consent
Where we process your data based on consent (such as marketing communications), you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before you withdrew consent. You can withdraw consent through your account settings or by contacting us directly.
Children's personal data receives enhanced protection under UK GDPR and the ICO Age Appropriate Design Code (Children's Code). As TrueVIQ serves children aged 9-11, we apply the highest standards of data protection for young users.
✓ Our commitment: Children's data is never sold, shared for marketing purposes, or used in any way that is not directly beneficial to the child's learning experience. See our Safeguarding Policy for further details on how we protect young users.
Exercising your GDPR rights is straightforward. Follow these steps:
Submit Your Request
Email privacy@trueviq.co.uk with the subject line "GDPR Rights Request" and specify which right you wish to exercise.
Include Relevant Details
Provide the email address associated with your account, your full name, and details of your request. If exercising rights on behalf of a child, include the child's first name and your relationship to them.
Identity Verification
To protect your data from unauthorised access, we may ask you to verify your identity. This typically involves confirming details only the account holder would know. We will never ask for excessive documentation.
Receive Our Response
We will acknowledge your request promptly and respond substantively within 30 calendar days. For complex or multiple requests, this period may be extended by up to 60 additional days (90 days total), in which case we will inform you of the extension and the reasons within the initial 30-day period.
✓ No fee for most requests. We will not charge a fee for exercising your rights in most circumstances. If a request is manifestly unfounded or excessive (particularly if repetitive), we may charge a reasonable fee or refuse to act, but we will always explain our reasons.
Under UK GDPR, we must have a lawful basis for processing your personal data. The table below sets out the purposes for which we process data, the legal basis we rely on, and the corresponding right available to you.
| Purpose | Legal Basis | Your Right |
|---|---|---|
| Provide the learning platform | Contract performance | Access, Portability |
| Track learning progress | Contract performance | Access, Portability, Erasure |
| Process payments | Contract performance | Access, Rectification |
| Send service communications | Legitimate interests | Object |
| Improve our platform | Legitimate interests | Object, Restrict |
| Prevent fraud and abuse | Legitimate interests / Legal obligation | Access |
| Adaptive learning personalisation | Contract performance | Access, Object, Human review |
| Marketing (parents only, opt-in) | Consent | Withdraw consent, Object |
For more detail on what data we collect and how we use it, please see our Privacy Policy.
We use a limited number of trusted third-party processors to operate our platform. Each processor is bound by a Data Processing Agreement and must meet UK GDPR standards.
| Processor | Purpose | Location | Safeguards |
|---|---|---|---|
| Supabase | Database and authentication | EU | UK adequacy decision for EU |
| Stripe | Payment processing | US | Standard Contractual Clauses (SCCs), PCI DSS |
| Resend | Transactional email | US | Data Processing Agreement |
| Anthropic (Claude) | AI-powered explanations | US | No personal data sent; only anonymised question content |
| Vercel | Hosting and delivery | Global (UK/EU edge) | Data Processing Addendum, UK/EU points of presence |
Where data is transferred outside the UK, we rely on UK adequacy decisions or Standard Contractual Clauses (SCCs) as approved by the ICO. You may request copies of the relevant safeguards by contacting our Data Protection Officer.
We conduct Data Protection Impact Assessments (DPIAs) as required by UK GDPR Article 35, particularly for any processing that is likely to result in a high risk to individuals' rights and freedoms.
Given that our platform processes children's personal data, we take a proactive approach to DPIAs:
✓ Children's data always triggers enhanced review. We treat any processing of children's data as high-risk by default, ensuring the most rigorous assessment process is applied.
In the unlikely event of a personal data breach, we are committed to acting swiftly and transparently in accordance with UK GDPR Articles 33 and 34.
If you are not satisfied with how we have handled your data or responded to a rights request, you have the right to lodge a complaint with the UK supervisory authority.
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
Live chat: ico.org.uk/global/contact-us
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
We encourage you to contact us first at privacy@trueviq.co.uk so we can try to resolve your concern directly. However, contacting the ICO is your right and you may do so at any time.
For any questions about your GDPR rights or to submit a data protection request:
Data Protection Officer: privacy@trueviq.co.uk
General Enquiries: info@trueviq.co.uk
Organisation: Digitally Inherent Pvt Ltd, a product of conduit488.ai
We are registered with the Information Commissioner's Office (ICO) and committed to upholding the highest standards of data protection, particularly for children's data.