← Back to Pathora

Privacy Policy

Last updated: 15 May 2026

1. Who we are

Pathora is a smart learning assistant operated by First Exams Ltd (“we”, “us”, “our”). We provide AI-powered exam marking and feedback for students and their parents.

If you have any questions about this policy, contact us at privacy@pathora.com.

2. What data we collect

We collect only what is necessary to provide the service:

  • Account information – your name, email address, and password (stored as a secure hash).
  • Child profiles – first name, year group, and school stage you provide for each child.
  • Exam paper images – photos you upload for marking.
  • Usage data – pages visited, features used, and timestamps, to improve the product.
  • Payment information – handled entirely by our payment processor; we never store card details.

3. How we use your data

  • To mark exam papers and return feedback to you.
  • To track your child's progress over time within the app.
  • To send transactional emails (e.g. results ready, account changes).
  • To improve our AI models and marking accuracy (using anonymised data only).
  • To comply with legal obligations.

We do not sell your data to third parties. We do not use your data for advertising.

4. Children's data

Pathora is used by parents and guardians on behalf of children. We treat children's data with extra care:

  • We collect only the minimum information needed (first name and year group).
  • Children's data is never used for marketing or shared with advertisers.
  • Exam paper images are processed for marking and then stored securely; you can request deletion at any time.

5. Data sharing

We share data only with trusted service providers who process it on our behalf:

  • Google Cloud – cloud infrastructure and storage.
  • Google Gemini AI – AI-powered marking (images are transmitted securely and not retained by Google for training without our consent).
  • Payment processor – for subscription billing.

All providers are contractually bound to handle your data in accordance with applicable data protection law.

6. Data retention

We retain your data for as long as your account is active. Specifically:

  • Account and profile data – kept until you delete your account.
  • Exam paper images and results – kept for 24 months, then automatically deleted.
  • Usage logs – anonymised after 90 days.

You can request early deletion of any data at any time (see Section 8).

7. Cookies and analytics

We use two categories of cookies. The categories appear in the consent banner shown on your first visit; you can change your choice at any time via the cookie preferences link in the footer.

Essential cookies (always on, lawful basis: contract / legitimate interest):

  • Session cookie – keeps you logged in.
  • CSRF token – protects your account from cross-site request forgery.
  • fx_consent_v1 – records your cookie-banner choice so we do not re-ask on every visit.

Analytics cookies (opt-in, lawful basis: consent):

  • fx_telemetry_distinct_id (localStorage) – a random identifier we use to understand how a single visitor uses the app across sessions. No third party can read this.
  • fx_telemetry_first_touch / fx_telemetry_last_touch – record the marketing source that brought you to the site (e.g. utm_source), so we can understand which channels work without using third-party tracking pixels.

We do not use third-party advertising or tracking pixels (Google Analytics, Facebook Pixel, etc.). All analytics processing is first-party: data is sent only to our own ingestion endpoint and stored in Google BigQuery in the UK (europe-west2) under our standard Google Cloud Data Processing Addendum. We do not sell, share, or use this data for advertising.

For each cookie we list above, see the dedicated cookies page for purpose, retention, and opt-out details.

8. Your rights

Under applicable data protection law you have the right to:

  • Access – request a copy of the data we hold about you.
  • Correction – ask us to fix inaccurate data.
  • Deletion – ask us to delete your account and all associated data.
  • Portability – receive your data in a machine-readable format.
  • Objection – object to certain uses of your data.

To exercise any of these rights, email privacy@pathora.com. We will respond within 30 days.

9. Security

We use industry-standard encryption (TLS in transit, AES-256 at rest) and access controls to protect your data. In the event of a data breach that affects your rights, we will notify you within 72 hours of becoming aware of it.

10. Changes to this policy

We may update this policy from time to time. When we do, we will update the “last updated” date at the top and, for material changes, notify you by email or an in-app notice before the change takes effect.