Back Privacy

Privacy policy

How we collect, use, and protect personal data on the IB Marker platform - in accordance with the EU General Data Protection Regulation (GDPR) and the UK GDPR.

Last updated: 21 May 2026 - Version 2026-05-21

1. Who we are

The data controller is Progression AI, s.r.o. (Slovak Republic registration No. 52416682), located at Dunajska 8, 811 08 Bratislava, Slovak Republic. You can reach us at privacy@ibmarker.com for any privacy-related question.

2. What we actually collect

We collect only what we need to run the product. The table below is the full list:

Email address

At signup. Used as your account identifier and for transactional emails (verification, password reset, billing).

Password (hashed)

Stored as a PBKDF2-SHA256 hash with a random per-user salt. We cannot recover your plaintext password.

Role

Student, Teacher, or School Administrator. Selected at signup, drives what you can see and do.

Display name / username

Optional. Shown on leaderboards and in multiplayer chat. You set it yourself.

School affiliation

A school code, if your school has signed up. Optional for individual users.

Your answers and marks

The text you submit when practising or sitting an exam, the AI-generated mark, feedback, and timing.

Usage data

Pages you visit, badges and quests earned, leaderboard position. Tied to your account.

Direct messages and friend connections

If you use the social features. Visible only to participants in the conversation.

Profile picture

Optional, only if you upload one.

IP address and browser type

Logged on sign-in and on access to sensitive pages, for security and abuse prevention. Auto-purged after 12 months.

Cookie consent decisions

Your accept/reject choices, version of the policy you agreed to, time and IP, so we can demonstrate consent (Article 7).

What we do not collect: date of birth, gender, billing address, postal address, country of residence, phone number, or any special-category data (health, religion, ethnicity, etc.). Payment details are entered directly into Stripe's checkout form and never touch our servers.

3. Lawful basis

Under Article 6 of the GDPR, our lawful bases are:

Contract (Art. 6(1)(b)) - the core service: marking your answers, tracking progress, giving feedback. Without this processing the product cannot work.
Legitimate interests (Art. 6(1)(f)) - security logs, abuse prevention, anonymous service-improvement analytics.
Consent (Art. 6(1)(a)) - product communications, non-essential analytics. You give this through the cookie banner and can withdraw it any time from the cookies page.
Legal obligation (Art. 6(1)(c)) - retaining billing records for tax purposes.

4. Automated marking and Article 22

Your answers are marked by AI (currently Anthropic's Claude model, with OpenAI as a fallback). The mark and feedback affect your assessment record, which is a significant decision under Article 22. You have the right to:

Be told which marks were AI-generated (we are adding a visible AI-marked badge to every relevant page).
Request human review of any AI mark via your teacher, or by emailing privacy@ibmarker.com.
Receive information about the marking logic on request. In summary: the model is shown the question, the official markscheme, and your answer, then asked to award marks according to specific criteria. Our prompts and rubric are available on request.

5. Who we share data with

We use a small number of vendors. Each acts as a processor under a written agreement:

Anthropic, PBC (US)

AI marking. Receives your answer text and the question. Bound by their Trust Center commitments; no training on your data.

OpenAI, LLC (US)

Backup AI marking when Anthropic is unavailable. Same data, same controls.

Stripe Payments Europe Ltd (Ireland)

Subscription billing. Receives email and payment details that you enter directly into their form.

Rackspace (US)

Transactional email delivery (verification, password reset).

Google LLC, Microsoft Corp (US)

Optional sign-in via Google / Microsoft account. Only receives the email you choose to share.

Cloudflare (US)

Bot protection on signup forms (Turnstile). Receives a session token, not your identity.

Transfers to the United States are protected by EU Standard Contractual Clauses and the EU-US Data Privacy Framework where the recipient is certified. We publish our full sub-processor list and notify schools 30 days before adding a new one.

6. How long we keep it

Account data - while your account is active, plus 90 days after closure to handle disputes and accidental closures, then deleted.
Practice answers and marks - same as account data, unless you request earlier deletion.
Exam submissions - 5 years if you sat an exam through a school subscription, for academic-integrity reasons; otherwise same as account data.
Access logs (IP, user agent) - 12 months from creation.
Billing records - 7 years, as required by Slovak tax law.
Cookie consent records - 3 years from the last decision, so we can demonstrate consent if challenged.

7. Your rights

Under GDPR Articles 15-22, you can:

Access - get a copy of everything we hold about you (Article 15).
Rectify - correct anything inaccurate (Article 16).
Erase - have your account and associated data deleted (Article 17). Some records (billing, exam submissions through schools) may be retained where law requires it; we will tell you which.
Restrict - pause processing while a dispute is resolved (Article 18).
Port - receive your data in a structured machine-readable format (Article 20).
Object - to processing based on legitimate interests, including profiling (Article 21).
Not be subject to solely automated decisions - request human review (Article 22).
Withdraw consent at any time, without affecting prior lawful processing (Article 7(3)).

To exercise any of these, email privacy@ibmarker.com from the address on your account, or use the in-app tools as they become available. We respond within 30 days (Article 12(3)). There is no fee unless the request is manifestly unfounded or excessive.

If you are not satisfied with our response you may complain to your local Data Protection Authority. The Slovak supervisory authority is the Office for Personal Data Protection of the Slovak Republic.

8. Children and the age of consent

IB Marker is intended for students aged 16 and over and their teachers. Under the GDPR, the digital age of consent is between 13 and 16 depending on the EU member state. We are rolling out an age gate at signup and, where required, a verifiable parental consent flow. Until that is in place, please do not create an account on behalf of a child under the age of consent in your country.

9. Security

We use TLS 1.2+ for all transport, PBKDF2-SHA256 password hashing, role-based access controls, and access logging. We do not store payment details. Our security and incident response programme is reviewed annually.

10. Changes to this policy

We will tell you in-app and via email before any material change takes effect, and re-ask for consent where the change requires it. The current version number is shown at the top of this page.

Want to review or change the cookies you have accepted on this device?