Privacy

Puzzitron is operated by an individual UK-based operator trading as Puzzitron. For privacy questions, data deletion requests, or anything else covered by this policy, email hello@puzzitron.com.

For adult (parent / teacher) accounts:

• Email address — used to send the magic sign-in link and (rarely) account-related notifications. No marketing emails without separate explicit opt-in.
• Display name — optional. Shown in the dashboard so an adult with multiple devices recognises their own account.
• Sign-in cookies — a JWT session cookie after sign-in. Cleared on sign-out. Used only to keep you signed in across pages.

For player (child) accounts:

• First name — what the adult typed when they added the child. Shown only on that child’s own screen and in the adult’s dashboard.
• A globally-unique handle (e.g. tiger.river.galaxy) — three random child-friendly words from a curated list, auto-generated. Used to sign in. The child’s display name is not in the handle, so it doesn’t identify them outside their family / adult context.
• A bcrypt hash of the child’s 4-digit PIN — we never store the PIN itself. The hash is used to verify sign-in.
• Avatar configuration — what colour / accessory the child picked for their pixel-art avatar.
• Practice history — which questions the child answered, whether they got each right, how long they took, plus session-level summaries (level, mode, score). This is what makes the app useful — without it we can’t show progress or adapt difficulty.
• A child sign-in cookie — random token, 1-year expiry, HttpOnly. Cleared on sign-out, or any time the parent revokes the session from the dashboard.

What we don’t collect. No date of birth (we ask the adult to confirm the child is in our 7–11 age range — we don’t store the answer). No location. No device fingerprinting. No behavioural-advertising signals. No third-party social sign-in.

Marketing-page measurement. The public marketing pages (the homepage, /for-parents, /for-schools, /cat4-practice, /11-plus-practice, /non-verbal-reasoning, /blog, this privacy page, /terms) load Google Analytics 4 and the Google Ads conversion tag only so we can see whether advertising spend brings in real visitors. IP addresses are anonymised at collection. The tag is never loaded on the part of Puzzitron your child uses (everything under /play,/profiles,/dashboard, or /invite) and we never send personal data through it. If you’d rather opt out of advertising measurement entirely on the marketing pages, browser-level "Do Not Track" + ad blockers work; we don’t fight either.

Adult accounts: contract (UK GDPR Art. 6(1)(b)) — we need the email to provide the sign-in service the adult asked for.

Child accounts: parent-mediated consent (UK GDPR Art. 6(1)(a) + Art. 8). The adult who creates the child account confirms they have the right to do so on the child’s behalf (parent / legal guardian / authorised teacher). We don’t collect age verification beyond that confirmation. We don’t use child data for any purpose other than running the practice game and showing the adult what their child has been doing.

Your data lives in our database for as long as your account does. When you delete an account or a child:

• The account / child row is removed immediately.
• All linked data (sessions, attempts, flags, coin spends) cascades and is removed at the same time.
• Database backups (daily) retain a copy for up to 30 days; after that point all traces are gone.
• An entry in our audit_log table records that a deletion happened, but contains no personal data beyond the event timestamp and the account / child id.

Under the UK GDPR you have the right to:

• See what we hold — the parent dashboard has a “Download data” button per child that produces a JSON export of everything we have on that child. Email us if you want your own adult-account export.
• Ask us to delete it — there’s a delete button on the dashboard, or you can email us and we’ll do it within 7 days.
• Ask us to correct it — most child-facing fields (name, avatar) you can edit yourself from the child’s settings page. For anything else, email us.
• Complain to the regulator — the UK Information Commissioner’s Office at ico.org.uk.

Puzzitron uses four sub-processors. None hold or process data on our behalf in a way the operator doesn’t control. All have UK GDPR-compliant data processing agreements in place.

• Vercel Inc. — runs the app servers and serves static assets. Hosting region: EU (Frankfurt). DPA.
• Neon Inc. — hosts the Postgres database that holds all account / child / session data. Region: EU (eu-west-2, London). DPA.
• Resend Inc. — sends the magic sign-in emails to adults. Receives the recipient email address and a one-time link. Doesn’t store email content beyond delivery diagnostics. DPA.
• Cloudflare Inc. — CDN in front of Vercel. Sees IP addresses and request paths in transit; doesn’t persist them. DPA.

We never sell or rent personal data. We never share it with advertisers, data brokers, or analytics platforms.

Puzzitron uses two cookies, both first-party and both necessary for sign-in to work:

• authjs.session-token — adult sign-in (Auth.js JWT). HttpOnly, Secure, SameSite=Lax. Cleared on sign-out.
• puzzitron_kid_session — child sign-in. HttpOnly, Secure, SameSite=Lax, 1-year expiry by default. Cleared on sign-out or when the parent revokes from the dashboard.

On the public marketing pages (NOT on /play, /profiles, /dashboard, or /invite), Google Analytics 4 and Google Ads conversion measurement set first-party cookies (_ga, _gid, _gcl_*). These are used solely to see whether advertising spend brings in real visitors and never on pages your child uses.

On those marketing pages we show a cookie banner the first time you visit. Choosing Reject means no Google Analytics or Google Ads cookies are set on your device, ever. Choosing Accept remembers your decision for a year via a strictly-necessary puzzitron-consent cookie (no third party — set by us, used only to remember your choice). You can change your mind by clearing site data in your browser; the banner reappears.

No third-party tracking cookies on any child-facing surface, ever, regardless of consent. The banner only appears on marketing pages because that’s the only place gtag could possibly load.

Adult passwords don’t exist — sign-in is magic-link only, so there’s no password to leak. Child PINs are stored as bcrypt hashes (cost 10), so even a full database leak doesn’t expose the PIN itself. All traffic is HTTPS. Database is in a private network and accessed only over TLS.

If we change something material, we’ll bump the “Last updated” date at the top and add a one- line summary explaining what changed.