Child Data Protection & Privacy Statement
Data controller: Learnaroo Ltd (company registration and registered address pending). ICO registration: ZA000000 (placeholder — to be confirmed). Contact: support@learnaroohub.com. Data Protection Officer: Humaira Ahmed (Cambridge), support@learnaroohub.com. This statement sits alongside our full Privacy Policy and Cookie Policy.
1. The information we hold about a child
We keep only what we need to provide learning and, for school users, to support school administration:
- Username and name — to create the child’s account and personalise learning. Children are identified by a username; we do not require a child’s email address.
- Learning activity and results — to track progress, mark quizzes, and give teachers and parents helpful feedback.
- Year group / class / school — to show the right curriculum content and connect a pupil to the correct class.
- Pupil identifiers (date of birth, Unique Pupil Number) — for school MIS functions such as matching pupils and statutory transfers. These are encrypted.
- Special-category and welfare data (e.g. SEN, medical, dietary, ethnicity, safeguarding markers) — only where a school records it for the proper care of the pupil. Treated as highly sensitive and encrypted.
- Parent/carer contact details — to link a child to a responsible adult and to communicate about the account. Encrypted where sensitive.
2. Why we are allowed to use it (lawful basis)
We process children’s data to deliver the learning service requested and to support schools in their public task and statutory duties; where we rely on consent we obtain it appropriately, taking account of the child’s age. We do not sell children’s data and we do not use it for advertising.
3. How we protect a child’s information
- Encryption in transit — all traffic to and from the platform is encrypted using HTTPS/TLS.
- Encryption at rest — sensitive pupil and staff fields, including special-category and welfare data, contact details, and pupil identifiers (date of birth and Unique Pupil Number), are encrypted in our database using strong, modern authenticated encryption, with the encryption key stored separately from the data.
- Searchable without exposure — for identifiers that must be searchable (such as the Unique Pupil Number), we use a one-way keyed index so the system can find a record without storing the value in readable form.
- Access control — strict role-based permissions ensure only authorised adults can see a given child’s data, and never children from another school.
- Accountability — administrative actions are recorded in a tamper-evident audit log.
- Defence in depth — the platform is hardened, including secure HTTP headers, restricted administrative access, and multi-factor authentication for administrators.
4. Who we share it with
We share a child’s data only where necessary: with the child’s school (the data controller for school-recorded data), with the linked parent/carer through their dashboard, and with carefully chosen service providers who help us run the platform (for example secure hosting and payment processing) under data-processing agreements. We do not share children’s data for marketing.
5. How long we keep it
We keep a child’s data only as long as needed to provide the service and to meet legal obligations, after which it is securely deleted or anonymised. We keep a pupil’s records for the duration of their time at the school and for six years after they leave; financial records are kept for six years. After these periods the data is securely deleted or anonymised.
6. Your rights and controls
Children and their parents/carers have rights over personal data, including the right to access it, to ask for corrections, and in many cases to ask for deletion. Parents and carers can view their child’s information through the parent/family dashboard. To exercise a right, contact support@learnaroohub.com; we will respond within the statutory timeframe. For school-recorded data, requests may be directed to the school as controller. You can also complain to the Information Commissioner’s Office (ico.org.uk).
7. Cookies and tracking
We use only the cookies needed to run the service and, with consent, a limited set for analytics. Non-essential cookies are not set until consent is given. See our Cookie Policy for detail.