GDPR Compliance
Last updated: December 2025
1. What is GDPR?
The General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 came into force to strengthen data protection rights for individuals in the United Kingdom.
GDPR sets out comprehensive rules for how organizations collect, store, process, and protect personal data. It gives individuals greater control over their information and imposes strict obligations on data controllers and processors.
2. Sharp Test's GDPR Commitment
Sharp Test is fully committed to GDPR compliance. We take data protection seriously and have designed our platform from the ground up with privacy and security in mind.
As a sole trader operation serving UK families, we understand the importance of protecting your data—especially when it comes to children's information.
3. Data Controllers and Processors
3.1 Sharp Test as Data Controller
For data provided directly by parents and users, Sharp Test acts as the data controller. This means we determine how and why your personal data is processed.
Data Controller: Talha (trading as "Sharp Test"), Sole Trader, United Kingdom
3.2 Third-Party Data Processors
We use carefully selected third-party services that act as data processors under our instruction:
- Hosting Provider: Stores data on secure UK/EEA-based servers
- Payment Processor: Processes subscription payments (if applicable)
All data processors are contractually obligated to comply with GDPR and protect your data.
4. How We Comply with GDPR
4.1 Lawful Basis for Processing
We process personal data only under lawful bases defined by GDPR:
- Contractual Necessity: To provide the Service you've requested
- Consent: For optional communications or features (you can withdraw consent at any time)
- Legitimate Interest: To maintain security, prevent fraud, and improve the Service
- Legal Obligation: To comply with UK laws and regulations
4.2 Data Minimization
We collect only the minimum data necessary to provide the Service:
- Parent Accounts: Email address and password only
- Children: NO personal data collected (no names, ages, schools, or identifiable information)
- Usage Data: Minimal technical data (session info, browser type) for functionality only
4.3 Data Storage in UK/EEA
All personal data is stored and processed within the United Kingdom and European Economic Area (EEA):
- Cloud hosting on UK/EEA-based servers only
- No data transfers outside the UK/EEA
- Compliance with UK data residency requirements
4.4 No Third-Party Data Sharing
We do NOT share your personal data with third parties for marketing, advertising, or any other purpose, except as required by law or with your explicit consent.
4.5 Encryption and Security
We protect your data with industry-standard security measures:
- 256-bit SSL/TLS encryption for data in transit (HTTPS)
- Encrypted storage for data at rest
- Hashed password storage using secure algorithms (passwords are never stored in plain text)
- Access controls limiting who can access personal data
- Regular security audits and vulnerability assessments
4.6 Access Controls
Access to personal data is strictly controlled:
- Only authorized personnel can access data, on a need-to-know basis
- All access is logged and monitored
- Authentication and authorization mechanisms protect against unauthorized access
4.7 User Authentication and Session Management
We implement secure authentication practices:
- Strong password requirements
- Secure session management with automatic logout after inactivity
- Protection against brute-force attacks
4.8 Data Retrieval and Portability
You can request a copy of all personal data we hold about you:
- Data provided in a structured, commonly used, machine-readable format
- Delivered within 30 days of your request
- Free of charge (unless requests are excessive or unfounded)
4.9 Right to Erasure ("Right to Be Forgotten")
You can request deletion of your personal data at any time:
- All account data and associated information will be permanently deleted
- Deletion typically completed within 30 days
- Some data may be retained if required by law (e.g., financial records for tax purposes)
To request data deletion, contact us via our contact page.
4.10 Data Sanitization Before Analysis
If we analyze usage data to improve the Service, we ensure:
- All personally identifiable information is removed (anonymization)
- Data is aggregated and cannot be linked back to individuals
- No tracking or profiling of individual users
5. Your Rights Under GDPR
As a data subject under UK GDPR, you have the following rights:
5.1 Right of Access
You have the right to request access to the personal data we hold about you, including:
- What data we collect
- Why we process it
- Who we share it with (if anyone)
- How long we retain it
5.2 Right to Rectification
You can request correction of inaccurate or incomplete personal data.
5.3 Right to Erasure
You can request deletion of your personal data (subject to legal retention requirements).
5.4 Right to Restriction of Processing
You can request that we limit how we process your data in certain circumstances.
5.5 Right to Data Portability
You can receive your personal data in a portable, machine-readable format and transfer it to another service.
5.6 Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes.
5.7 Right to Withdraw Consent
Where processing is based on consent, you can withdraw your consent at any time.
5.8 How to Exercise Your Rights
To exercise any of these rights, please contact us via our contact page.
We will respond to your request within 30 days and provide clear information about the action we've taken.
6. Children's Data Protection
Sharp Test takes special care to protect children's data:
- No Collection: We do NOT collect personal data from children (names, ages, schools, etc.)
- Parental Control: All accounts are parent-controlled; children have no direct access
- Consent: Parents provide consent on behalf of their children for all data processing
- Transparency: Clear, plain-language explanations of how data is used
See our Safeguarding Policy for more information.
7. Data Breach Notification
In the event of a data breach that affects your personal data:
- We will notify you via email within 72 hours of discovering the breach
- We will report the breach to the Information Commissioner's Office (ICO) as required
- We will take immediate action to contain the breach and prevent further data loss
- We will provide clear guidance on steps you should take to protect yourself
8. Cookies and Tracking
Sharp Test uses minimal cookies:
- No tracking cookies: We do NOT use analytics, advertising, or marketing cookies
- Essential cookies only: Session management and authentication cookies necessary for the Service to function
See our Cookie Policy for full details.
9. Accountability and Governance
Sharp Test demonstrates GDPR accountability through:
- Regular reviews of data protection practices
- Documentation of data processing activities
- Privacy by design and by default principles
- Transparent privacy policies and terms
- Prompt response to data subject requests
10. International Data Transfers
Sharp Test does NOT transfer personal data outside the UK or EEA. All data remains within UK/EEA jurisdiction at all times.
11. Data Retention
We retain personal data only as long as necessary:
- Active accounts: Data retained while account is active
- Closed accounts: Data deleted within 30 days of account closure
- Inactive accounts: Accounts inactive for 3 years may be deleted after email notice
- Financial records: May be retained longer to comply with tax and accounting laws
12. Updates to GDPR Compliance
We continuously monitor GDPR requirements and best practices. This page will be updated to reflect:
- Changes in UK data protection law
- New guidance from the Information Commissioner's Office (ICO)
- Improvements to our data protection measures
- Feedback from users and data protection authorities
13. Contact and Complaints
13.1 Contact Us
For questions about GDPR compliance or to exercise your rights, please contact us via our contact page.
13.2 Lodge a Complaint with the ICO
If you believe we have not handled your data properly or have not responded adequately to your request, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Helpline: 0303 123 1113
Online Reporting: https://ico.org.uk/make-a-complaint/
14. Related Policies
For comprehensive information about data protection, please also review:
- Privacy Policy - Detailed privacy practices
- Cookie Policy - How we use cookies
- Terms of Service - Legal terms and conditions
- Safeguarding Policy - Child protection measures