Privacy Notice
Last updated: 24 March 2026
This notice is prepared in line with UK GDPR and the Data Protection Act 2018.
1. Scope
This notice explains how personal data is used on MyBadges.vip, including account access, badge issuing and receiving, progress/activity features, and platform notifications.
2. Controller and processor roles
Codex Education Ltd is the data controller for direct MyBadges account services. Where schools or trusts use MyBadges for pupil or staff workflows, the relevant school/trust remains the controller for that education data and Codex Education Ltd acts as a processor for service delivery.
3. Data we process
- Account and profile data (name, email, role, organisation links)
- Authentication and security data (password hash, session tokens, login metadata, IP and user-agent)
- Email verification and password reset tokens
- Badge records (badges, assertions, issuing history, votes, highlights, thanks, and related activity)
- Platform communications (notifications and contact form messages)
4. How data is used
- Create and manage user accounts
- Issue, track, and verify digital badges and achievements
- Provide school and organisation administration features
- Support secure sign-in and session management
- Send service emails and respond to support/contact queries
- Maintain service security, abuse prevention, and troubleshooting
5. Lawful bases
Processing is based on one or more lawful bases under UK GDPR, including contract (to provide the service), legal obligation, legitimate interests (service security and operation), and consent where specifically requested.
6. Sharing and third-party services
Personal data is not sold. Data may be shared where necessary with:
- Authorised school/trust staff and account administrators
- Email delivery services used for verification, password reset, and notification messages
- Related Codex service domains used for secure single sign-on where enabled
- Law enforcement or regulators where required by law
7. International transfers
Services are operated for UK education use. Where a provider processes data outside the UK, appropriate safeguards are applied in line with UK GDPR requirements.
8. Security
- Passwords are stored as one-way hashes
- Access is protected through authenticated sessions and role controls
- Session tokens are random technical identifiers only and do not alter personal records
9. Cookies
This service uses strictly necessary session cookies for authentication and secure access. No tracking or analytics cookies are used. Under the Privacy and Electronic Communications Regulations (PECR) 2003, strictly necessary cookies do not require user consent. If this changes, this notice will be updated.
10. Retention
- Account and profile data: while active, then reviewed on closure or following inactivity not exceeding 24 months; deleted or anonymised unless a legal hold applies.
- Badge and achievement records: retained for the operational life of the account; subject to deletion on verified request where no legal obligation applies.
- Email verification and reset tokens: discarded after single use or within 48 hours of generation.
- Security and audit logs: retained for 12 months, unless required for an active investigation.
- Session state: discarded at session end or on logout.
11. Your rights
Data subjects have rights under UK GDPR, including access, rectification, erasure, restriction, objection, and complaint. For school-controlled records, requests should also be directed to the relevant school or trust.
12. Contact and complaints
For privacy queries, contact:
- Email: darren@mybadges.vip
- Post: Codex Education Ltd, 128 City Road, London, EC1V 2NX
If a concern cannot be resolved directly, you can complain to the UK Information Commissioner's Office (ICO).