CodeStart Academy logo

Legal

Privacy Policy

This Privacy Policy explains how CodeStart Academy collects, uses, stores, protects, and discloses information when users access the website, create an account, save lesson notes, save sandbox code, use the CodeStart Community forum, submit community reports, play arcade games, save arcade scores, join public arcade leaderboards, make donations through Stripe, or otherwise interact with the service.

Effective date: 31 May 2026

1. Introduction and scope

This Privacy Policy applies to CodeStart Academy and related website functionality. The website is operated from the United Kingdom and is available to users worldwide. References to “CodeStart Academy,” “we,” “us,” and “our” mean the UK-based operator of this website. References to “you” and “your” mean any visitor, learner, account holder, or other person who accesses or uses the website from any country or territory.

The website is an educational platform that provides front-end web development learning materials, a CodeStart Community forum, and a CodeStart Arcade game area. Many pages, community posts, arcade games, and public arcade leaderboards can be viewed without an account. Features such as saved lesson notes, lesson checkpoint results, bookmarks, private sandbox projects, community posting, community replies, community reports, support requests, private arcade score saving, and publishing an arcade leaderboard result require users to sign in or create an account.

2. Information we collect

We may collect information directly from you, automatically from your device or browser, and through third-party service providers used to operate the website.

2.1 Account information

When you create an account or log in, Firebase Authentication may process information such as your email address, password authentication credentials, display name, user identifier, account creation date, last login date, and authentication provider metadata. If you choose Google sign-in, Firebase and Google may process Google Account information needed for authentication, such as your email address, display name, profile identifier, provider metadata, and profile photo where supplied by Google. Passwords are handled by Firebase Authentication or Google and are not displayed to us.

2.2 Lesson notes, learning activity, sandbox projects, community posts, arcade scores, and user-generated content

If you use account features, Firestore may save lesson notes, lesson-completion progress, lesson checkpoint results, lesson bookmarks, sandbox project titles and code, community posts, community replies, private arcade score summaries, or public arcade leaderboard entries. Saved data may include code snippets, HTML practice files, template identifiers, associated lesson identifiers for guided practice projects, checkpoint best and latest scores, attempt counts, bookmark links, community content, display names, game identifiers, best scores, best times, play counts, and timestamps.

Lesson notes, checkpoint results, bookmarks, sandbox projects, and account score history are private to the signed-in user. Public arcade leaderboard entries display the player's display name and best published result to visitors. They do not display the player's email address. Signed-in users may delete individual notes, bookmarks, and sandbox projects through the relevant website controls. Community posts and replies are public forum content and may be visible to other visitors. Signed-in users may delete their own community posts and replies through the forum; deleting a post also removes replies stored under that post. Public community posts and replies may be reviewed, edited, hidden, or deleted for moderation, support, safety, legal, or operational reasons. You should not enter sensitive personal information, financial information, health information, passwords, private keys, access tokens, confidential third-party information, or content you do not have permission to share into notes, sandbox projects, community posts, or community replies.

2.3 Usage and technical information

We may collect technical and usage information such as browser type, device type, operating system, referring pages, pages visited, approximate interaction times, authentication status, error logs, and general analytics events. This information helps us understand how learners use the website and how to improve performance, reliability, accessibility, and content quality.

2.4 Communications

If you contact us through an internal support request or another communication channel, we may collect your account identifier, display name, email address, request category, subject, message content, replies, status, outcome, timestamps, and any other information you choose to provide.

2.5 Donation and payment information

If you choose to make a donation, payment checkout is provided by Stripe. Stripe may collect and process payment details, billing information, card information, payment method details, fraud prevention signals, transaction identifiers, and receipt information according to Stripe's own terms and privacy notices. CodeStart Academy does not receive or store full card numbers or payment authentication details. We may receive limited donation records from Stripe, such as donor name, email address, donation amount, currency, payment status, receipt status, and transaction timestamps.

2.6 Arcade gameplay information

Arcade games may process gameplay information in your browser, such as score, timer state, health, collected items, control input, pause state, and game completion state. If you are signed in, private arcade score summaries may be saved to Firestore so they can appear on the game page and account dashboard. Your display name and best result may also be published in the relevant public arcade leaderboard when a qualifying result saves. Public leaderboards do not display email addresses and are provided for entertainment only.

2.7 Community reports

Signed-in users may privately report a public community post or reply for review. Firestore may store the reported content reference, reporter account identifier, target author identifier, selected reason, optional details, status, timestamps, resolution outcome, and the account that resolved the report. Community reports are not public and may be retained where reasonably necessary for abuse prevention, security, dispute resolution, or operational records.

2.8 Support requests

Signed-in users may create private support requests. Firestore may store the request text, request category, replies, status, outcome, account identifiers, display names, email addresses, timestamps, and notification read state so the request can be reviewed and answered. Support requests are not public and may be retained where reasonably necessary for account support, privacy requests, dispute resolution, safety, security, or operational records.

3. How we use information

We use collected information for legitimate website operation, account administration, education delivery, security, support, and improvement purposes.

  • To create, authenticate, maintain, update, delete, and secure user accounts.
  • To allow signed-in users to save, retrieve, and manage lesson notes, checkpoint results, bookmarks, sandbox projects, community posts, community replies, private arcade scores, and public arcade leaderboard entries.
  • To display account-related information such as email address or display name.
  • To operate lesson pages, community forum pages, arcade game pages, navigation, dropdown menus, login status, and account redirects.
  • To provide community reporting, moderation review, official replies, support request handling, and account-support workflows.
  • To troubleshoot errors, prevent abuse, maintain security, and protect the integrity of the website.
  • To analyse general usage trends and improve learning materials, user experience, accessibility, and site performance.
  • To process, confirm, review, and respond to donation or payment-related enquiries.
  • To respond to inquiries, support requests, legal requests, or administrative communications.
  • To comply with legal obligations and enforce applicable terms, policies, and rights.

4. Firebase, Firestore, Stripe, analytics, and third-party infrastructure

CodeStart Academy uses Firebase services to support authentication, analytics, stored lesson notes, learning progress, checkpoint results, bookmarks, sandbox projects, public community posts and replies, private community reports, private support requests, private arcade scores, and public arcade leaderboard entries. These services may be provided by Google Firebase and related Google Cloud infrastructure. Firebase Authentication is used to manage account registration, login, logout, authentication state, and account identity. Firestore Database is used to store account-based learning data, sandbox projects, community forum content, community reports, support requests, arcade scores, and public arcade leaderboard entries for signed-in users. Firebase Analytics may be used to understand general website usage, subject to browser support and applicable configuration.

CodeStart Academy may use Stripe to process voluntary donations. Donation checkout is hosted by Stripe, and Stripe may process payment and fraud-prevention information as an independent service provider or controller depending on the context and applicable law. Review Stripe's own privacy information before donating.

These providers may process information according to their own terms, privacy policies, data processing terms, and security practices. We do not control every technical detail of third-party infrastructure. By using features that rely on Firebase or Stripe, you understand that data may be processed by those providers or their related systems as part of providing those services.

5. UK data protection law, international availability, and legal bases for processing

As a UK-based website, our handling of personal data may be subject to the UK General Data Protection Regulation, the Data Protection Act 2018, and related UK privacy and electronic communications requirements. Because the website is available globally, users outside the UK may also have rights under privacy laws in their own jurisdiction. Where a legal basis is required, we may process personal information based on one or more of the following grounds: performance of a contract or requested service, legitimate interests in operating and improving the website, consent where required, compliance with legal obligations, protection of rights and security, and prevention of misuse or fraud.

Examples of legitimate interests include maintaining account functionality, protecting user accounts, improving educational content, debugging errors, preventing unauthorised access, and ensuring the website remains usable and secure.

6. How information is stored

Account information is handled through Firebase Authentication. Lesson notes, learning progress, checkpoint results, bookmarks, sandbox projects, support requests, notification read state, and private arcade scores are stored using Firebase services so signed-in users can access their own saved learning, support, and arcade activity across sessions. Public arcade leaderboard entries are stored separately so visitors can view display names and best results. Community posts and replies are stored in Firestore as public forum content. Community reports are stored separately as private moderation records. Donation payment details are handled by Stripe, while limited donation records may be available through Stripe dashboard records or related payment reporting tools.

CodeStart Academy uses appropriate technical and organisational measures to protect stored information, including access controls designed to prevent unauthorised access. Access to account-related learning data is limited to the relevant signed-in user and authorised service operations needed to run the website. Community forum content is intended to be publicly readable.

7. Sharing and disclosure

We do not sell your personal information. We may disclose information in limited circumstances, including:

  • To service providers that host, authenticate, analyse, secure, process donations, or operate the website.
  • To other visitors where you publish public community posts or replies.
  • To comply with applicable law, regulation, legal process, court order, or governmental request.
  • To enforce our Terms of Use, protect rights, investigate abuse, or prevent fraud or security incidents.
  • In connection with a business transfer, merger, acquisition, reorganisation, or similar transaction involving the website or its assets.
  • With your direction or consent.

8. Cookies, local storage, and similar technologies

The website and its service providers may use cookies, browser storage, authentication persistence, analytics identifiers, local sandbox storage, community forum state, arcade gameplay state, payment checkout cookies, fraud-prevention signals, or similar technologies to keep users signed in, remember session state, operate Firebase and Stripe services, measure website usage, and maintain security. Browser settings may allow you to block or delete cookies and storage, but doing so may affect login, account pages, notes, sandbox code, community posting, arcade scores, donations, or other website features.

9. Data retention

We retain personal information for as long as reasonably necessary to provide the website, maintain accounts, preserve saved learning data, sandbox projects, community posts, community replies, community reports, support requests, arcade scores, public arcade leaderboard entries, process donation records, comply with legal, accounting, tax, fraud-prevention, and payment obligations, resolve disputes, enforce agreements, and protect security. Private learning records, sandbox projects, arcade scores, and public arcade leaderboard entries may remain stored until you overwrite or delete them where available, your account is removed, or the data is otherwise deleted under applicable retention procedures. Community posts and replies may remain visible until removed, anonymised, or deleted under applicable moderation or account procedures. Community reports and support requests may be retained for operational reference.

Because Firebase, Stripe, and related service providers may maintain backups, logs, or replicated storage for operational reasons, deletion may not immediately remove every residual copy from backup systems.

10. Security

We use reasonable technical and organisational measures intended to protect information from unauthorised access, misuse, alteration, loss, or disclosure. These measures may include Firebase Authentication, Firestore security rules, HTTPS hosting, access controls, and provider-side infrastructure protections.

No website, database, authentication system, network, or transmission method is completely secure. You are responsible for keeping your account credentials confidential and for using a strong, unique password. Notify us if you believe your account has been accessed without authorisation.

11. Your choices, UK GDPR rights, and international privacy rights

Depending on your location and applicable law, you may have rights to access, correct, delete, restrict, object to, or request a copy of certain personal information. Under UK data protection law, these rights may include the right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, and rights relating to automated decision-making where applicable. You may also have the right to withdraw consent where processing is based on consent. Users outside the United Kingdom may have similar or additional rights under their local laws.

You can stop using account-based features at any time. Signed-in users may use the Account Settings page to update their email address, update their password, or delete their CodeStart Academy account. You may delete individual lesson notes, remove bookmarks, and manage saved sandbox projects while signed in. You may request deletion of account-based learning data, arcade score data, and community forum content through an account deletion or privacy request. Public community content may also be edited or deleted where needed for moderation, support, safety, legal, or operational reasons. If you are in the United Kingdom and believe your data protection rights have not been handled properly, you may have the right to complain to the Information Commissioner’s Office. You may contact us first through the Contact page so the issue can be reviewed.

12. Children and minors

CodeStart Academy is intended for general educational use and is not designed to knowingly collect personal information from children below the age required for valid consent in their jurisdiction. In the United Kingdom, children’s data and online services may be subject to additional requirements, including age-appropriate design expectations where applicable. If you are a parent or guardian and believe a minor has provided personal information without appropriate permission, contact us so the issue can be reviewed.

13. International data processing and transfers

The website is operated from the United Kingdom but is available worldwide. The website may use service providers and infrastructure that process information in countries other than the United Kingdom or your own country. Data protection laws in those countries may differ from the laws where you live.

Where personal data is transferred internationally, we aim to rely on appropriate safeguards where required, such as adequacy regulations, standard contractual clauses, international data transfer agreements, provider data processing terms, or other lawful transfer mechanisms. Third-party providers such as Firebase, Google Cloud, Stripe, analytics providers, hosting providers, and content delivery networks may operate globally and may process data in multiple regions.

14. Links to other websites

The website may include links to, or embedded features from, third-party websites, documentation, tools, platforms, or services, including Stripe checkout. We are not responsible for the privacy practices, content, security, or policies of third-party websites or services. Review their policies before providing information to them.

15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. Updates may reflect changes in features, technology, legal obligations, or operational practises. The updated version will be posted on this page with a revised effective date. Continued use of the website after changes means you acknowledge the updated policy.

16. Account deletion

Signed-in users may delete their CodeStart Academy account from the Account Settings page. You may also use the Contact page for account deletion or privacy requests, especially if you cannot access your account.

When an account deletion action or verified deletion request is processed, we will take reasonable steps to delete or disable the account information associated with your account, including authentication-related account access, lesson notes, learning progress, checkpoint results, bookmarks, sandbox projects, private arcade scores, and public arcade leaderboard entries stored for that user account in Firestore, unless retention is required or permitted by law, security obligations, dispute resolution, fraud prevention, abuse prevention, backup retention, or other legitimate operational requirements. Community reports and support requests may require separate review because they may form part of safety, privacy, or operational records.

Deleting an account may permanently remove access to saved lesson notes, saved sandbox code, learning progress, community posting, private arcade scores, and account-based features. Public community posts or replies may be deleted, anonymised, or retained where moderation, safety, legal, or operational reasons require it. Some residual records may remain for a limited period in logs, backups, security records, provider systems, or records that must be retained for legal or operational reasons.

17. Contact and privacy requests

For privacy questions, account questions, data protection requests, account deletion requests, or other enquiries, use the Contact page.

When making an account-related or data protection request, include the email address associated with your CodeStart Academy account where possible. Additional verification may be required before account data is disclosed, changed, or deleted.