Privacy Policy
Last updated: March 2026
Students: we collect nothing about you
SPPIN Sim is designed so that students never create accounts, never provide an email address, and never share any personal information with us. Students join simulations using only a team code and 4-digit PIN chosen by their tutor. We do not know who they are, where they are from, or anything else about them. No student data is stored on our servers — ever.
This makes SPPIN Sim fully compliant with FERPA, GDPR, and university data governance policies without requiring any data processing agreements for student usage.
1. Who we are
SPPIN Sim is a business management simulation platform for university and business school educators. References to “we”, “us” or “SPPIN Sim” in this policy refer to the platform operator. For data protection enquiries, contact us at hello@myedmentor.com.
2. The data we collect — and what we don't
What we DO collect
| Tutor / instructor accounts | Name, work email address, institution name. Required to create and manage simulation runs. |
| Admin accounts | Email address and role. Used only for platform administration. |
| Run configuration data | Module choice, turn settings, team codes and PINs created by tutors. No student personal data. |
| Decision inputs | The choices teams enter each turn (e.g. slider values, selections). Stored against a team code — no student names or identifiers. |
| Usage logs | Standard server access logs (IP address, timestamp, page visited) retained for 30 days for security and debugging. |
What we DO NOT collect
- Student names, email addresses, or any other personal identifiers
- Student demographic information (age, gender, nationality, disability status)
- Device fingerprints or persistent tracking identifiers for students
- Behavioural analytics or clickstream data tied to individuals
- Payment card details (payments processed by Stripe — we never see card numbers)
3. Legal basis for processing (GDPR)
We process personal data only where we have a valid legal basis under UK GDPR / EU GDPR:
| Contract performance | Processing tutor account data to deliver the service you have purchased. |
| Legitimate interests | Server security logs and fraud prevention. We balance these interests against your rights. |
| Consent | Marketing emails, if you opt in. You may withdraw consent at any time. |
4. How we use your data
- To create and manage your tutor account and simulation runs
- To send transactional emails (account setup, licence confirmation)
- To provide customer support when you contact us
- To maintain platform security and investigate abuse
- To send product updates or announcements, only if you have opted in
We do not sell, rent, or trade your personal data to third parties for marketing purposes. Ever.
5. Data retention
| Tutor account data | Retained for the duration of your account. Deleted within 30 days of account closure on request. |
| Simulation run data | Retained for 12 months after a run closes, then automatically deleted. |
| Decision / scoring data | Retained for 12 months, then deleted. No student personal data is ever stored. |
| Server logs | Retained for 30 days, then automatically purged. |
| Payment records | Retained for 7 years as required by UK tax law (held by Stripe, not us). |
6. Third-party services
We use a small number of carefully selected third-party services. Each is bound by its own privacy policy and, where applicable, a Data Processing Agreement with us.
| Supabase | Database and authentication. Hosted in the EU (Frankfurt). GDPR-compliant. supabase.com/privacy |
| Vercel | Hosting and edge delivery. GDPR-compliant. vercel.com/legal/privacy-policy |
| Stripe | Payment processing. PCI-DSS Level 1 certified. stripe.com/privacy |
| Anthropic | AI services used to generate simulation content and event cards. No personal data is passed to AI services. anthropic.com/privacy |
7. International transfers
Our primary infrastructure is hosted in the EU (Frankfurt, Germany) via Supabase and Vercel. Some Anthropic AI processing may occur in the United States; this is governed by Standard Contractual Clauses (SCCs) as required under UK and EU data protection law. No student data is ever transferred to any third party or jurisdiction.
8. Your rights
Under UK GDPR and EU GDPR, tutor account holders have the right to:
- Access the personal data we hold about you
- Rectify inaccurate data
- Request erasure of your data (“right to be forgotten”)
- Restrict or object to processing
- Data portability (receive your data in a machine-readable format)
- Lodge a complaint with the ICO (UK) or your national supervisory authority
To exercise any of these rights, email hello@myedmentor.com. We will respond within 30 days.
9. Security
We apply industry-standard security measures including TLS encryption in transit, encrypted storage at rest, row-level security on all database tables, and access controls limiting data access to authorised personnel only. Student team access is secured by a tutor-generated PIN. We conduct periodic security reviews and promptly address any vulnerabilities identified.
10. Children and FERPA
SPPIN Sim is designed for use in higher education (university and business school) settings. We do not knowingly collect data from individuals under 16. Because students do not create accounts or share personal data, the platform also supports FERPA compliance for US institutions — no student education records are created or stored.
11. Changes to this policy
We may update this policy from time to time. Material changes will be communicated to account holders by email at least 14 days before taking effect. The latest version is always available at this URL. Continued use of the platform after changes take effect constitutes acceptance.
12. Contact
For any privacy-related question, data subject request, or concern, contact us at: hello@myedmentor.com