Privacy Policy
How we collect, use, and protect your data
1. Introduction
TE&MX ("we", "us", "our") is committed to protecting the privacy of our users. This Privacy Policy explains how we collect, use, store, and share your personal data when you use the TE&MX practice and assessment platform ("the Platform").
We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. By using the Platform, you acknowledge that you have read and understood this Privacy Policy.
2. Data Controller
TE&MX is the data controller for the personal data processed through this Platform. If you have any questions about how we handle your data, please contact us at:
TE&MX
Email: info@teandmx.co.uk
3. What Data We Collect
We collect the following categories of data:
| Data Type | Examples | Purpose |
|---|---|---|
| Account Data | Name, username, organisation | To identify you and provide access |
| Usage Data | Questions attempted, self-ratings, time spent | To track progress and generate reports |
| Response Data | Written answers to practice questions | To provide AI feedback and track progress |
| Technical Data | IP address, browser type, device type | To maintain security and improve the Platform |
4. How We Use Your Data
We use your personal data for the following purposes:
- Providing the service: To give you access to practice tools, generate AI feedback on your answers, and display your results.
- Progress tracking: To show you and, where applicable, your Organisation how you are progressing across different topics.
- Improving the Platform: To analyse usage patterns and improve our questions, content, and features.
- Communication: To send you important updates about the Platform or your account.
- Security: To protect the Platform against misuse, fraud, or unauthorised access.
5. Lawful Basis for Processing
We process your data under the following lawful bases:
- Contract: Processing necessary to provide the service you or your Organisation have subscribed to (Article 6(1)(b) UK GDPR).
- Legitimate interests: Processing necessary for our legitimate interests in improving the Platform and maintaining security, where these interests are not overridden by your rights (Article 6(1)(f) UK GDPR).
- Consent: Where we send optional marketing communications, we will obtain your consent first (Article 6(1)(a) UK GDPR).
6. AI Processing and Third-Party Services
When you submit a written answer for AI feedback, the text of your answer is sent via our secure Cloudflare Worker proxy to an AI provider for processing. TE&MX currently uses Google Gemini and may use Anthropic Claude as a fallback or specialist AI provider. You should be aware that:
- The answer text, question context, relevant qualification/standard context, and where needed recent learning history or weak KSB context may be sent for feedback generation.
- We aim not to include direct identifiers such as your name, email, or username in AI requests unless a future feature explicitly requires it and this policy is updated.
- AI requests are processed through our secure Cloudflare Worker proxy. Your data is encrypted in transit.
- Google and Anthropic may process this data in accordance with their own privacy and service terms.
- We do not use your answers to train our own AI models.
7. Data Sharing
We may share your data with:
- Your Organisation: If your access is provided through an employer, training provider, or educational institution, they may have access to your usage data and progress reports. This is necessary to support your learning and development.
- Service providers: We use trusted third-party services to operate the Platform, including Supabase (authentication and database), Cloudflare (secure proxy, hosting/security functions), Google Gemini (AI processing), and Anthropic Claude (AI processing where used). These providers process data on our behalf under their applicable service terms and data processing arrangements.
- Legal requirements: We may disclose your data if required to do so by law or in response to valid legal requests from public authorities.
We will never sell your personal data to third parties.
8. Data Retention
- Account data: Retained for the duration of your subscription and deleted within 90 days of account closure.
- Usage and response data: Retained for the duration of your subscription. Anonymised, aggregated data may be retained indefinitely for analytics purposes.
- Technical data: Server logs are retained for a maximum of 30 days.
9. Data Security
We take appropriate technical and organisational measures to protect your data, including:
- Supabase Pro database hosting in West EU (Ireland), region eu-west-1, for the current primary database.
- Encryption of data in transit using HTTPS/TLS.
- API keys and secrets stored securely using encrypted environment variables, never in client-side code.
- Rate limiting to prevent abuse of the Platform.
- Regular review of security practices.
10. Your Rights
Under UK GDPR, you have the following rights:
- Right of access: You can request a copy of the personal data we hold about you.
- Right to rectification: You can ask us to correct inaccurate data.
- Right to erasure: You can ask us to delete your data ("right to be forgotten").
- Right to restrict processing: You can ask us to limit how we use your data.
- Right to data portability: You can request your data in a structured, commonly used format.
- Right to object: You can object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time.
To exercise any of these rights, please contact us at info@teandmx.co.uk. We will respond within 30 days.
11. Cookies
The Platform uses browser storage to maintain login state, support active practice sessions, and keep short-term progress while you use the Platform. Supabase authentication may use browser storage to keep you signed in. We do not use third-party advertising cookies.
12. Children's Privacy
The Platform is intended for users aged 16 and over. If access is provided to users under 16, this must be arranged through their educational institution, which is responsible for obtaining appropriate parental consent.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of significant changes via the Platform or by email. The "last updated" date at the bottom of this page will always reflect the most recent version.
14. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: ico.org.uk
Telephone: 0303 123 1113
This Privacy Policy is effective from 15 February 2026.
Last updated: 5 May 2026.