Privacy Policy

  1. ABOUT THIS NOTICE
    1. If you are a student, parent/carer, or member of staff at a school which uses MiniTest, then, except for our processing of server and application logs (for which we act as independent Data Controller), this notice does not apply to you; in all other respects we act as the school's Data Processor, and you should contact your school (the Data Controller) for privacy information. Our Cookie Policy still applies to you.
    2. We collect, use, and are responsible for certain personal information about our contacts at schools, people who enquire or communicate with us about use of MiniTest, and those who visit minitest.co (the "Site") to learn more about MiniTest. When we do so we are acting as an independent Data Controller. If we collect any personal data about you when we are acting as a Data Controller, this Privacy Policy is addressed to you.
    3. Please also read our Website Terms of Use, Online Safety Notice, and Cookie Policy.
    4. This version is effective from 14 September 2025.
  2. WHO WE ARE
    1. The Site is operated by Mr J. Gurung, trading as MiniTest ("we", "us"). Our trading office is at 70 Burnfoot Avenue, Fulham, London SW6 5EA.
    2. Mr J. Gurung is our Data Protection Officer, and you can reach us with any data protection query at [email protected].
  3. THE DATA WE COLLECT
    1. Contact name, school name & address, work email address, billing details
      1. Purpose: Customer and contract management; support and billing
      2. Legal basis: Article 6(1)(b) Contract; Article 6(1)(f) Legitimate interest in operating our service
      3. Retention: 6 years after the school's last invoice (for tax & accounting)
    2. Emails sent to us, along with any attachments and metadata (such as timestamps and email headers)
      1. Purpose: Provide requested support, information, or marketing updates
      2. Legal basis: Article 6(1)(a) Consent (marketing); Article 6(1)(b) Contract; Article 6(1)(f) Legitimate interest in responding to enquiries
      3. Retention: 2 years
    3. Server logs (which may include IP addresses, user-agent strings, pages or features accessed, actions taken, timestamps, and user IDs)
      1. Purpose: Security, fraud prevention, service diagnostics
      2. Legal basis: Article 6(1)(f) Legitimate interest in keeping our service secure
      3. Retention: 30 days from collection
    4. We do not collect special-category data, nor do we sell personal data.
  4. WHO WE SHARE DATA WITH
    1. We use trusted processors to run MiniTest:
      1. Microsoft Azure – UK data centre for hosting
      2. Cloudflare – global DNS and security
      3. Zoho Mail – email provider
    2. We use other sub-processors outlined in our subscription agreement with schools, but they are only used in our capacity as a Data Processor and are not relevant to the scope of this notice.
    3. We use only processors that provide sufficient guarantees under Article 28 UK GDPR, and we have Article 28-compliant data processing agreements with each.
    4. We will disclose data if legally compelled (for example, by court order).
  5. INTERNATIONAL TRANSFERS
    1. Where data is transferred outside the UK/EEA, we rely on:
      1. UK adequacy regulations, such as the UK-US Data Bridge, or
      2. the UK Extension to the EU Standard Contractual Clauses.
    2. You may request a copy of the relevant safeguard by emailing us.
  6. YOUR RIGHTS
    1. You have the rights of access, rectification, erasure, restriction, data portability, and to object to processing or direct marketing. Where we rely on consent you may withdraw it at any time. To exercise a right, email [email protected] with proof of identity.
    2. You also have the right to complain to the Information Commissioner's Office. You can contact them at ico.org.uk or by calling 0303 123 1113.
  7. SECURITY
    1. All traffic to the Site is encrypted using TLS. Data at rest is encrypted on Microsoft Azure. Access to production systems is limited to authorised personnel and protected by MFA.
    2. We will notify the ICO of any notifiable breach within 72 hours, and inform affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  8. AUTOMATED DECISION-MAKING

    We do not carry out automated decision-making or profiling that has legal or similarly significant effects.

  9. CHANGES TO THIS NOTICE

    We may update this notice periodically. We will post the new version at minitest.co/Privacy.

  10. GOVERNING LAW

    This notice is governed by English law. You and we agree that the courts of England and Wales shall have exclusive jurisdiction to settle any disputes arising in connection with this notice.

  11. NO THIRD-PARTY RIGHTS

    This notice does not create any rights enforceable by any person who is not a party to it.