Privacy & data

Educator is built for UK schools. School students are minors, and their data is handled to a higher standard than adult consumer products. This page explains exactly what we collect, how we use it, and the rights you and your students have.

UK GDPR compliance

Educator operates under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. ICO registration is in progress and will be confirmed before the first paid subscription begins.

Educator acts as data controller for individual learners' accounts, and as data processor for school students' personal data, where the school is the data controller.

Schools sign a Data Processing Agreement (DPA) before their subscription begins. The DPA sets out the lawful basis for processing, the categories of personal data involved, the purposes for which we process it, and the school's rights as data controller. To request a copy for DPO review before your pilot, email support@educator-labs.com and we will send it within two working days.

For MATs and larger trusts: if you need a DPA that covers multiple schools under a single trust, contact us before signing up. We can issue a trust-level agreement that covers all schools in the MAT rather than requiring each school to sign separately.

What data is collected

Data collected varies by account type. We apply data minimisation across all accounts — if we don't need a piece of data to run the service, we don't collect it.

School students

Display name
Chosen by the student during sign-up. Does not have to be their real name — and we actively encourage students to use a nickname or alias. This is the only name ever shown on leaderboards.
Email address
Used for account authentication via magic link or Google Sign-In. Never displayed to other students. Teachers can see the email addresses of students in their class in order to manage the roster.
Year group & class
The class a student joins via their class code determines their year group and subject. This is what links a student to their teacher's dashboard.
Subject progress
XP earned, current streak, streak freeze count, mastery level per card (Unseen → Seen → Familiar → Proficient → Mastered), and session history. This is the core data that makes spaced repetition work — without it, the app cannot adapt card frequency to each student.
Real name
Optional. A student may choose to use their real name as their display name, but this is never required and is never surfaced on any public-facing page. Teachers who need to identify a specific student can match by display name or email.

Individual students

Username
The display name shown on the global leaderboard and league standings. Not required to be a real name.
Email address
Used for authentication and (if opted in) product update emails. Never sold or shared with third parties.
Date of birth
Collected during sign-up for age-gating purposes. Students under 13 are subject to additional protections under the ICO Children's Code. The date of birth is not displayed anywhere and is not used for any purpose other than age verification.
Subject progress
Same as school students: XP, streak, mastery per card, and session history. Drives the spaced repetition engine and the global leaderboard.
Billing information
Pro subscribers pay via Stripe. Educator never sees or stores card numbers — billing data is held entirely by Stripe and governed by their PCI-DSS compliance. Educator stores only the Stripe customer ID and subscription status.

Optional parent email

Students may add a parent or guardian's email address from their profile page. This triggers a double opt-in confirmation to the parent — no email is sent until they confirm. Once confirmed, parents receive a weekly encouraging summary (session count, current streak) via our email provider Resend. The parent email is never displayed publicly, never shared, and can be removed by the student at any time. This is a third party's personal data collected by the student's action — schools should include this in their own parent communications if relevant to their DPA scope.

Teachers

Name & email
Used for authentication, school account association, and service communication (e.g. the weekly digest email sent on Sunday evenings summarising class progress).
School & role
The school the teacher is associated with and their role (Teacher or Head of Department). Determines which classes, students, and analytics views are accessible.
Class structure
The classes a teacher has created, including class name, subject, exam board, and tier settings. This is configuration data rather than personal data, but it is associated with the teacher account.

What we do not collect

This is equally important. Educator does not:

  • Use third-party advertising pixels or tracking scripts. There are no Meta, Google Ads, TikTok, or other ad-network tags on Educator. No student behaviour is fed into any advertising audience or lookalike model.
  • Build behavioural profiles for ad targeting. Practice data (which cards a student answered, how quickly, and with what accuracy) is used only to drive the spaced repetition engine. It is not sold, licensed, or used to infer student characteristics for commercial purposes.
  • Sell or share data with third parties. Sub-processors (Neon, Vercel, Clerk, Stripe, Resend, Sentry) are listed in the DPA and are used only to operate the service. No data is passed to publishers, data brokers, or research organisations without explicit written consent from the school.
  • Track location. No GPS, IP-to-location inference for profiling, or any other location signal is stored or used. Session data captures only answers to cards, not where those answers were given.
  • Use social media login data beyond authentication. Students and teachers may sign in with Google. We receive only the email address and display name necessary to create the account — no Google profile data, contacts, or activity data is accessed or retained.

Student name privacy

School students are minors covered by a school DPA. Their real names are never exposed on any public-facing surface.

Class leaderboard
Visible only to students in the same class and to the class teacher. Shows each student's chosen display name and their XP and streak — not their real name, email, or any other identifying information.
School leaderboard
Visible only to authenticated members of the same school (teachers and students in any class at the school). Same display-name-only rule applies. School students do not appear on the global leaderboard under any name.
Live session board
During a teacher-hosted live session the teacher's screen shows a real-time ranked board of students by display name. This is teacher-controlled, classroom-contextualised, and the only place in Educator where ranked competitive signals are intentional.
Individual accounts
Individual learners (not school students) appear on the global leaderboard and league standings under their chosen username — not their real name. This is enforced by design: users are explicitly prompted to choose a username, not asked for a real name.

Why this matters: school DPAs typically prohibit processing children's personal data for purposes beyond the contracted service. Keeping student names off public leaderboards is not just good practice — it is necessary for schools to remain compliant with their own data protection obligations.

ICO Age Appropriate Design Code (Children's Code)

Educator is designed to be aligned with the UK ICO's Age Appropriate Design Code, which applies to online services likely to be accessed by children. The Code's fifteen standards are reflected throughout the product:

  • Data minimisation. We collect only what is functionally necessary. There is no “nice to have” data collection — every field in the schema has a specific purpose tied to the spaced repetition engine, authentication, or teacher management.
  • No nudge techniques. Educator does not use FOMO countdown timers, streak-loss pressure messages (“you're about to lose your streak!”), or competitive rankings pushed to students outside the classroom. Gamification celebrates forward progress only — rank up banners, not “you were overtaken” alerts.
  • No location tracking. Educator does not collect GPS data or derive location from IP addresses for any profiling purpose.
  • Privacy by default. New student accounts are private by default. Leaderboard visibility is limited to the authenticated school context. Students do not opt out of public exposure — they never have public exposure in the first place.
  • Age-appropriate content. All card content is curriculum-aligned and reviewed by qualified teachers. There is no user-generated content, no messaging between students, and no social graph.
  • Parental controls. Students under 13 are age-gated via date of birth collection at sign-up. Schools retain control over student access via class membership — a student's data is managed under the school's DPA and schools can request deletion at any time.

Note for DPOs: we are happy to complete a Data Protection Impact Assessment (DPIA) or answer a school's supplier questionnaire. Contact support@educator-labs.com and we will respond within five working days.

Data retention and deletion

Educator maintains clear, published retention periods for all account types.

Active school subscriptions
Student and teacher data is retained for the duration of the subscription. After a subscription lapses, data is retained for a further 12 months to allow for renewal and continuity if a school re-subscribes in the following academic year. After that window, all personal data is deleted or anonymised.
Pilot accounts
The four-week free pilot gives full access with no card required. If a school does not convert to a paid subscription after the pilot ends, data is frozen for 60 days then permanently deleted. The school is notified by email before deletion occurs so they have the opportunity to export any data they want to retain.
Individual accounts
Accounts that have been inactive for 24 months receive a deletion notice. If there is no response within 30 days, the account and all associated data are deleted. Users can also delete their account at any time from their profile settings page.
Data export
All users (school students, individual students, and teachers) can download their account data as a JSON file from their profile page at any time. The file includes account details, every session, and every card review. Note: school students can download their data but cannot self-delete — account deletion for school students is the school's responsibility under the DPA (see Account deletion below).
Account deletion
Individual accounts and teacher/HoD accounts can self-delete from the profile page. School student accounts are covered by the school's DPA — deletion is the school's responsibility. A school student who wants their account deleted should ask their teacher; the school can contact support@educator-labs.com to action it.
Bulk school deletion
Schools can request bulk deletion of a cohort's data — for example, when a year group leaves the school. Contact support@educator-labs.com with the class or cohort to be deleted. Deletion is carried out within five working days and confirmed by email.

Right to erasure (Article 17): any student, parent, or school acting on a student's behalf can submit a right to erasure request. We will action it within 30 days and confirm deletion in writing. To submit a request, email support@educator-labs.com with the subject line “Data erasure request”.

Security

Educator uses infrastructure designed for security by default, with no self-hosted servers for any part of the data path.

Database
All personal and session data is stored in Neon Postgres on AWS us-east-1 (Virginia, USA). Data is encrypted at rest and in transit. Neon is SOC 2 Type II certified. Cross-border transfers to the USA are covered under the UK International Data Transfer Agreement (UK IDTA).
Hosting & edge
The application is served via Vercel with EU edge functions. All traffic is encrypted with TLS 1.2 or higher. Vercel holds ISO 27001 certification and is SOC 2 Type II compliant.
Authentication
Authentication is handled by Clerk, which manages session tokens, magic links, and OAuth flows. Clerk also sends authentication emails (magic links, password resets) directly from its own infrastructure under its SOC 2 Type II certification. Educator never stores passwords. Clerk is GDPR-aligned.
Payments
Payments are processed entirely by Stripe, a PCI-DSS Level 1 certified payment processor. Educator never sees card numbers, CVCs, or full bank details. We store only the Stripe customer ID and subscription status required to manage access.
Error tracking
Application errors are captured by Sentry for debugging. Sentry is configured to scrub personal data from error payloads — user IDs are passed as opaque identifiers, not names or emails.
Email
Transactional emails (weekly teacher digest, account notifications) are sent via Resend from the educator-labs.com domain with full DKIM and DMARC authentication. We do not send marketing email to students.

Sub-processor list: the full list of sub-processors (Neon, Vercel, Clerk, Stripe, Resend, Sentry) along with their processing purposes, data locations, and certifications is available on request. To obtain it, contact support@educator-labs.com.

Contact and data requests

For all data-related queries — whether from a school, a student, a parent, or a Data Protection Officer — contact us at:

Email: support@educator-labs.com

We aim to respond to all data requests within 72 hours on school days, and within the statutory 30-day window for Subject Access Requests (SARs) and erasure requests regardless of when they arrive.

Data Processing Agreement
Request a copy of the DPA before starting a pilot. Include your school name and your DPO's email address and we will send the document for review within two working days.
Subject Access Request (SAR)
Students and parents have the right to a copy of all personal data we hold. We will provide a complete data export within 30 days. Schools submitting on behalf of a student should include the student's display name and the email address used to register.
Erasure requests
Request deletion of a specific student account, a cohort, or an entire school's data. Actioned within 5 working days for individual accounts; up to 10 working days for bulk school or cohort deletions. Deletion is confirmed by email.
Safeguarding concerns
If you have a safeguarding concern related to Educator — for example, you believe a student's account has been accessed by an unauthorised third party — email support@educator-labs.com immediately with the subject line “Safeguarding”. We will respond within four hours on school days and escalate internally to our designated safeguarding lead.
ICO complaints
If you are not satisfied with our response to a data request, you have the right to complain directly to the ICO at ico.org.uk/make-a-complaint. We would always prefer to resolve a concern directly first — please give us the chance to do so.

Related pages

  • School setup & permissions — roles, class creation, live sessions, homework, and school licensing
  • Onboarding — step-by-step setup for teachers, school students, and individual learners