LearnarooHub · Legal
Privacy Policy
Our promise, in one line: we keep only the data you give us to run your account — your details as the account holder, and the learner accounts you create — that data belongs to you, we protect it with the security measures described below, and we never sell it or share it outside our business for anyone else's purposes.
This Privacy Policy explains, in plain and transparent terms, exactly what personal data Learnaroo Hub Ltd ("we", "us", "our" — part of the Learnaroo Hub Group) collects when you use learnaroohub.com and related services (the "Platform"), and how we protect it. The Platform brings together two integrated products of the Learnaroo Hub Group: the learning side (LMS) that delivers lessons, quizzes, games, flashcards, printables and progress tracking, and the management side (MIS) that runs accounts, classes, dashboards and reporting. Because the Platform is designed for use by children, we take particular care with children's data and follow the ICO's Age Appropriate Design Code (the Children's Code).
Contents
- Who we are (the Learnaroo Hub Group)
- Your ownership and data minimisation
- Personal data we collect
- Children's data and the Children's Code
- How and why we use data (lawful bases)
- Consent and parental consent
- Analytics and progress tracking
- Who we share data with
- Data we process for schools
- International transfers
- How long we keep data
- How we protect data
- Your rights
- Complaints and the ICO
- Marketing communications
- Cookies
- Changes to this policy
- How to contact us
1.Who we are (the Learnaroo Hub Group)
The data controller is Learnaroo Hub Ltd, part of the Learnaroo Hub Group, company number 17300700, registered office 20 Wenlock Road, London, England, N1 7GU. We are registered with the Information Commissioner's Office under reference to be confirmed. Our data protection contact is privacy@learnaroohub.com, and our Data Protection Officer is Humaira Ahmed.
The Learnaroo Hub Platform is delivered as two integrated products of the Learnaroo Hub Group: the LMS (learning management system — lessons, quizzes, games, flashcards, printables and progress tracking) and the MIS (management information system — account, class and pupil administration, dashboards and reporting). Both run on the same secure infrastructure under this single Privacy Policy, personal data is handled consistently across them, and it is not shared outside the Group except with the essential service providers listed in section 8.
2.Our role, your ownership and data minimisation
You own your data. The personal data in your account — your details as the account holder, and the learner accounts (for example your children, pupils or students) that you create — belongs to you and the people it is about. We hold it only as custodian to run the service for you: we do not claim ownership of it, we do not sell or rent it, and we do not share it outside our business for anyone else's purposes. You can access, export or delete it at any time (see section 13).
We keep only what is needed. By design we collect the minimum required to operate your account and deliver learning: the account holder's contact details, the learner accounts they create, and the learning and usage data those accounts generate. Beyond that we process only the limited operational data that any secure paid website must — payment status (handled by our payment provider), security and server logs, and, with your consent, anonymous analytics — as detailed in sections 3, 7 and 8.
We act as a data controller for account holders who register directly with us (for example parents/carers and individual teachers) and for visitors to our website. Where a school or organisation buys access and provides pupil data to us, we generally act as a data processor on that organisation's instructions (see section 9). This policy explains both situations.
3.Personal data we collect
| Category | Examples | Source |
|---|---|---|
| Account & contact data | Name, email address, account type, password (stored hashed), school/organisation (if relevant) | You, when you register |
| Child / student data | First name or display name, year group/key stage, assigned classes, learning progress | The supervising adult or school |
| Learning & progress data | Modules completed, quiz scores, mastery levels, attempt counts, time-on-task, streaks, error logs | Generated as the learner uses the Platform |
| Transaction data | Subscription/licence, billing details, payment status (card details are handled by our payment processor, not stored by us) | You and our payment processor |
| Technical data | Device/browser type, IP address, log data, general location (city/region level) | Automatically, when you use the Platform |
| Usage & cookie data | Pages viewed, features used, preferences | Cookies and similar technologies |
| Support & correspondence | Messages, enquiries, feedback | You, when you contact us |
We do not seek to collect special category data and ask that you do not submit it through the Platform.
4.Children's data and the Children's Code
Protecting children's data is central to how we operate. In line with the ICO Children's Code we:
- treat the best interests of the child as a primary consideration in how we design and run the Platform;
- apply high-privacy settings by default for student profiles;
- practise data minimisation โ we collect only what is needed to deliver the learning experience and progress tracking;
- do not use children's personal data for behavioural advertising and do not sell children's data;
- keep precise geolocation off and do not track children's location beyond coarse, security-related signals;
- avoid nudge techniques that encourage children to provide more data or weaken their privacy;
- present privacy information in clear, age-appropriate language alongside this full policy.
Children's accounts are set up and supervised by a responsible adult. Where consent is a lawful basis and the user is a child, we rely on the consent of the parent, carer, or school as appropriate. See our Child Safety & Safeguarding Policy for related protections.
5.How and why we use data (lawful bases)
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Creating and managing your account; providing the Platform and Content | Performance of a contract |
| Tracking learning progress and powering student, parent and teacher dashboards | Performance of a contract; legitimate interests |
| Taking payment and managing subscriptions/licences | Performance of a contract |
| Keeping the Platform secure and preventing fraud and abuse | Legitimate interests; legal obligation |
| Improving and developing our services (including first-party analytics) | Legitimate interests (and, where required, consent) |
| Responding to support enquiries | Performance of a contract; legitimate interests |
| Sending service messages (e.g. renewal reminders, security notices) | Performance of a contract; legal obligation |
| Optional marketing to adults | Consent |
| Meeting legal, tax and accounting obligations | Legal obligation |
Where we rely on legitimate interests, we have balanced those interests against your rights and, where the data relates to a child, given the child's interests particular weight. The Data (Use and Access) Act 2025 introduced certain "recognised legitimate interests"; where we rely on these we will do so consistently with the safeguards that apply to children's data.
6.Consent and parental consent
Where we rely on consent (for example for certain non-essential cookies or optional marketing), you can withdraw it at any time without affecting the lawfulness of earlier processing. For children using Student Accounts, the supervising adult or school provides any consent required and can withdraw it by contacting us or adjusting account settings.
7.Analytics and progress tracking
We generate learning analytics (such as completion states, mastery percentages, scores, time-on-task, streaks, and error logs) to deliver dashboards to students, parents/carers, and teachers, and to improve our Content. For children, this data is used to support learning, not to profile children for commercial purposes. We use first-party analytics to understand and improve how the Platform performs; following the Data (Use and Access) Act 2025 some low-risk first-party statistical analytics may operate without consent, while any higher-risk or third-party tracking is used only with consent as described in our Cookie Policy.
8.Who we share data with
We do not sell or rent your personal data, we do not share it outside our business for any third party's own purposes, and we never use it for advertising. Your data stays within the Learnaroo Hub Group and a small number of trusted service providers we rely on to run and protect the Platform. Those providers act only on our documented instructions, under contract, and may not use your data for their own purposes:
- Secure UK hosting — our hosting provider stores the Platform and its data on protected servers;
- Payment processing — our PCI-DSS-compliant payment provider processes card payments; we never see or store full card numbers;
- Security — our web application firewall and malware-protection service processes limited technical data (such as IP addresses) to detect and block attacks;
- Analytics (only if you consent) — anonymous website analytics that are off unless you allow them, and are never used to profile children.
Separately, and only as part of delivering the service to you, account data is visible to the people entitled to see it: parents/carers can see the progress of children on their account, and teachers or organisation administrators can see the progress of pupils in their care. We will disclose data to authorities or professional advisers only where the law requires, to protect a child's safety, or to establish or defend legal claims; and to a successor only if our business is reorganised, sold or transferred, in which case it remains protected by this policy.
9.Data we process for schools
When a school or organisation provides pupil data so its students can use the Platform, the organisation is the data controller and we are the data processor. We process that data only to provide the service and on the organisation's documented instructions, under data processing terms that meet UK GDPR Article 28. Schools remain responsible for their own privacy notices to pupils and parents.
10.International transfers
We aim to store and process personal data in the UK or European Economic Area. Where a provider processes data outside the UK, we ensure an appropriate safeguard is in place, such as UK adequacy regulations or the International Data Transfer Agreement / UK Addendum to the EU Standard Contractual Clauses. You can ask us for details of the safeguards used.
11.How long we keep data
We keep personal data only as long as necessary for the purposes set out above, then delete or anonymise it. Indicative periods:
| Data | Retention |
|---|---|
| Account and learning/progress data | For the life of the account, then deleted within 12 months of closure |
| Transaction and tax records | 6 years, to meet HMRC and accounting obligations |
| Support correspondence | 24 months |
| Marketing consent records | Until consent is withdrawn, plus a short audit period |
12.How we protect data, including student information
We collect a limited amount of student information โ such as a first name or display name, year group or key stage, assigned classes, and learning progress โ and we protect it with appropriate technical and organisational measures. Without disclosing details that would assist anyone trying to attack the Platform, our safeguards include:
- Encryption in transit using industry-standard TLS/SSL across the whole site, so data sent between your device and us is encrypted;
- Encryption at rest — sensitive pupil and staff information (legal names, date of birth, Unique Pupil Number, contact and address details, medical information, SEND and safeguarding fields, and staff DBS details) is encrypted within our database using authenticated 256-bit encryption, with the encryption keys held separately from the database;
- Searchable without exposure — where an identifier must be looked up (for example to prevent duplicate pupil records), we match on a one-way keyed index rather than the readable value;
- Per-school data separation — each school’s records are kept isolated, so staff only ever see pupils and information belonging to their own school and classes;
- A web application firewall and malware protection provided by Wordfence, which monitors for and blocks malicious traffic, intrusion attempts, and known threats;
- Hardened, managed hosting on Hostinger premium infrastructure, including server-level firewalling, DDoS mitigation, malware scanning, automated patching, and regular encrypted backups;
- Access controls and least-privilege access, so staff can reach only the data they need, with passwords stored only in hashed form;
- Secure payment handling โ card details are processed by our PCI-DSS-compliant payment provider and are never stored on our servers;
- Activity logging and monitoring, staff confidentiality obligations, and regular review of our security measures.
No online service can be guaranteed to be completely secure. If a personal data breach is likely to result in a risk to people's rights and freedoms, we will notify the ICO within 72 hours where required, and affected individuals (or, for pupils, the relevant parent, carer, or school) without undue delay where the law requires.
13.Your rights
Subject to conditions in the law, you have the right to: be informed; access your data; have inaccurate data corrected; have data erased; restrict processing; data portability; object to processing (including direct marketing); and not be subject to solely automated decisions with legal or similarly significant effects. Children have these rights too, and a parent, carer, or school may exercise them on a child's behalf where appropriate.
To exercise any right, contact privacy@learnaroohub.com. We will respond within one month (extendable for complex requests) and will not charge a fee unless a request is manifestly unfounded or excessive.
14.Complaints and the ICO
We operate a formal data-protection complaints procedure in line with the Data (Use and Access) Act 2025. If you are unhappy with how we handle your data, please contact privacy@learnaroohub.com first so we can try to put it right. We will acknowledge your complaint and respond within 30 days.
You also have the right to complain to the Information Commissioner's Office at any time: ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; helpline 0303 123 1113; ico.org.uk. We would, however, appreciate the chance to address your concerns first.
15.Marketing communications
We only send marketing to adults who have agreed to receive it, and never to children. You can opt out at any time using the unsubscribe link in any marketing email or by contacting us. We will still send essential service messages (such as renewal reminders, billing notices, and security alerts) regardless of marketing preferences.
16.Cookies
We use cookies and similar technologies as described in our Cookie Policy. You can manage non-essential cookies through our cookie banner and settings.
17.Changes to this policy
We may update this policy to reflect changes in the law or our services. We will post the updated version with a new effective date and, for significant changes affecting your rights, give additional notice.
18.How to contact us
For any privacy question or to exercise your rights, contact privacy@learnaroohub.com or write to the Data Protection Contact at 20 Wenlock Road, London, England, N1 7GU.