1. Who runs this site
This site is hosted at demo.hexfoxlabs.com and is operated by the owners of that domain. Testing Page is provided as a service to hello school for the purpose of running this competition and the related learning programme. hello school is not the operator of this website and does not host or administer the system, but does receive the data collected here.
Questions about this notice or your data should be directed to demo@hexfoxlabs.com.
2. What we collect
- Account data: your email address (required) and optional display name.
- Authentication data: hashes of one-time codes (never the codes themselves) and, if you sign in with Microsoft, your Microsoft object ID.
- Submissions: the title, written content, optional file uploads and metadata for entries you submit. Document metadata (author, last-modified-by, embedded thumbnails) is stripped from uploads on receipt.
- Progress: which Academy items you have marked complete, and which task you have submitted for.
- Operational logs: IP addresses, timestamps and user-agent fragments for security, abuse prevention and audit. Retention is configurable; the default is 365 days.
- Consent records: your cookie / consent choices, with version and timestamp.
3. Lawful bases
We rely on contract (running the competition you have entered), legitimate interests (security, fraud prevention, audit) and consent (any optional cookies or analytics, where applicable).
4. How long we keep it
- Account data and submissions: for the duration of the event and a reasonable archive period afterwards, or until you request erasure.
- Audit logs: by default 365 days (configurable by administrators).
- One-time codes: invalidated within minutes; expired records purged nightly.
- Cookies: session cookies last for the browser session; the CSRF cookie persists per session.
5. Encryption and security
Sensitive free-text fields (judge feedback, ban reasons, the content of submissions and audit notes) are encrypted at rest using authenticated encryption (Fernet, AES-128-CBC with HMAC-SHA256). All traffic is served over TLS. Authentication uses one-time codes delivered by email, with hashed storage and constant-time comparison.
6. Cookies
We set a session cookie (so you stay signed in) and a CSRF cookie (to prevent cross-site request forgery). Both are essential and use SameSite=Lax, Secure and HttpOnly flags where applicable. We do not run third-party advertising or tracking scripts. Embedded videos use YouTube's privacy-enhanced (no-cookie) domain.
7. Email delivery
One-time sign-in codes and notification emails are sent through one of the following, configured by the operator of this site: a third-party transactional mail provider (such as Brevo, Postmark, SendGrid, or Amazon SES) reached over their HTTPS API or SMTP, or a self-hosted SMTP server operated by this site's owners. The email content is limited to your sign-in code or the body of an organiser notification. Whichever path is in use, the transactional provider may process delivery metadata (sender, recipient, timestamps) on its own infrastructure under its own privacy policy.
8. Sharing
We do not sell personal data. We share data only with our hosting provider, with the email-delivery provider described in section 7, and with Microsoft if you choose to sign in via Microsoft Entra ID. We make submissions available to hello school for evaluation and judging.
9. Your rights
Under UK GDPR you have the right to:
- request a copy of the data we hold about you (access);
- have inaccurate data corrected (rectification);
- have your data deleted (erasure);
- receive a portable copy of your data (portability);
- object to processing or restrict it;
- withdraw consent at any time.
Exercise any of these rights via our data request form. We will respond within 30 days.
10. Complaints
If you believe we have mishandled your data you may complain to the UK Information Commissioner's Office at ico.org.uk.
11. Changes
We will update this notice if our processing changes. Material changes will be announced on the site or by email.