
Privacy notice

Effective from 28 May 2026 · replaces the 19 April 2026 version · EU General Data Protection Regulation (GDPR), Articles 13 and 14

1. Controller

Mikko Mäkipää

2. Personal data processed and purpose of processing

We process only data of registered users (guardians). Children who use the service for practice do not have user accounts, and no personal data about them is stored.

| Data | Purpose of processing | Legal basis |
| --- | --- | --- |
| Name | Identification of the user account | Performance of a contract (Art. 6(1)(b)) |
| Email address | Login and communication | Performance of a contract (Art. 6(1)(b)) |
| School / municipality | Targeting practice content to the correct school | Performance of a contract (Art. 6(1)(b)) |
| Encrypted API key (OpenAI / Anthropic) | Generating AI questions with the user’s own account | Performance of a contract (Art. 6(1)(b)) |
| Guardian’s additional instructions (parent notes) | Targeting the question set — stored as question-set metadata, not used to profile the user | Performance of a contract (Art. 6(1)(b)) |
| Login time and session data | Information security and prevention of misuse | Legitimate interest (Art. 6(1)(f)) |

Data minimisation for children: No personal data is collected or stored about children who use the service for practice. Children do not create user accounts and their performance is not linked to their identity. The guardian’s additional instructions describe topics to practise, not the child’s personal data.

Anonymous student profile and progress storage

When a child plays practice exercises, the service creates an anonymous student profile so that badges, results, and practice rhythm are preserved even after the browser is closed or the device changes. The profile is not linked to the child’s identity.

The profile consists of two parts:

  • Identifier data (table student_profiles): a random UUID, a hash of a human-readable code (for example SININEN-KARHU-42), the displayed code, and the profile creation and use times. The record does not contain a name, email address, school information, or any other data referring to the child. The human-readable code is stored only as a hash, so the original code exists only on the child’s own device.
  • Progress data (table student_progress): completed practice rounds, personal bests, unlocked badges and badge unlock times, active and completed school challenges, list of practice days, collected mistake banks (at question-answer level), and topic-specific mastery level.

The profile code is stored only in the child’s own browser (localStorage). The child can transfer their progress to another device by entering the same code in the service’s Import progress feature. The profile stored on the server cannot be linked to the child without this code, and the service provider cannot recover the code if it is lost.

Legal basis: Processing is based on a legitimate interest relating to use of the service (Art. 6(1)(f)). In our assessment, the anonymous profile does not constitute a personal data filing system because the data cannot reasonably be linked to an individual child without the code held by the child (see CJEU C-582/14, Breyer). We nevertheless apply the precautionary principle and handle profiles with the same care as personal data.

Retention period: Anonymous student profiles and related progress data are retained for at most 2 years after the last use, after which they are deleted automatically.

Deletion before the retention period ends: The child or guardian can clear the profile on their own device by deleting browser data. Deletion of a profile stored on the server can be requested by contacting support and providing the profile code.

3. Data retention period

Personal data is retained for as long as the user account is active. When the account is deleted, the following are deleted immediately:

  • the user account and login data,
  • school data,
  • the encrypted API key.

Practice content (question sets, topics) may remain in the service even after account deletion if the same content is available to other users. The legal basis for retention is legitimate interest (Art. 6(1)(f)) — practice content does not contain personal data.

4. Recipients of personal data and transfers

We do not sell or disclose your data to third parties for marketing purposes.

We use the following subcontractors as processors:

| Subcontractor | Role | Data location |
| --- | --- | --- |
| Supabase Inc. | Database and authentication service | EU (Ireland, AWS eu-west-1) |
| Vercel Inc. | Application server and web infrastructure | United States (edge nodes globally) — transfer is based on EU Standard Contractual Clauses (SCC, Decision 2021/914) |
| OpenAI / Anthropic | AI service (user’s own API key) | United States – the user enters into an agreement with the service provider independently |

For OpenAI and Anthropic, Test Buddy forwards requests made with the user’s own API key to servers located in the United States. The transfer takes place on the basis of each service provider’s own Standard Contractual Clauses; the user also has a direct contractual relationship with those service providers under their respective terms of service. Test Buddy is not responsible for those service providers’ independent processing of personal data.

Otherwise, data is not transferred outside the EU/EEA.

5. Rights of the data subject

You have the right to:

  • Right of access (Art. 15): receive information about data concerning you.
  • Request rectification (Art. 16): correct inaccurate or incomplete data.
  • Right to erasure (Art. 17): request deletion of your data (the “right to be forgotten”).
  • Restriction of processing (Art. 18): request restriction of processing under certain conditions.
  • Data portability (Art. 20): receive your data in machine-readable format.
  • Right to object (Art. 21): object to processing based on legitimate interest.

Send requests concerning your rights by email to the controller. We respond to requests within the 30 days required by the GDPR. For data portability requests, we provide the data in machine-readable format (JSON or CSV). The API key cannot be returned in plaintext for security reasons.

You also have the right to lodge a complaint with the Office of the Data Protection Ombudsman (tietosuoja.fi) if you consider that your data has been processed unlawfully.

6. Information security

API keys are stored encrypted in Supabase Vault and cannot be read back in plaintext through the service. All communications use TLS protection. User authentication is handled with Supabase Auth.

A personal data breach will be reported to the Data Protection Ombudsman within 72 hours of becoming aware of the breach and to data subjects as required by Article 34 of the GDPR if the breach is likely to result in a high risk to their rights and freedoms.

7. Cookies and tracking data

The service uses only cookies necessary for session management (Supabase Auth). We do not use third-party analytics or advertising cookies.

8. Changes to this privacy notice

We may update this notice as the service develops. Material changes will be communicated to registered users by email or by a notice shown in the service before the changes take effect.

9. Contact details

Questions about data protection and requests to exercise rights are handled through the service’s official support channels.