Privacy Policy

Version 2026.3 · Effective July 2026

1. Data Controller

Schooly is operated by Actilynk Ltd, a company registered in England and Wales (company number 12475434), with registered office at 8 Lewis Road, Swanscombe, Kent, DA10 0JH, trading as "Schooly". We are the data controller for the personal data we process.

Contact: [email protected]

2. Information We Collect

2.1 Account Information

  • Name, email address, and password
  • Date of birth (for age verification)
  • Role (student, teacher, administrator)
  • School or organisation affiliation

2.2 Usage Data

  • Practice responses and answers submitted for marking
  • Assessment results and progress data
  • Questions and resources created by teachers
  • Usage patterns (questions attempted, time spent, features used)

2.3 Technical Data

  • IP address and browser information (for security and audit purposes)
  • Essential cookies for session management

2.4 Public Demo

If you use our public marking demo (available without an account), we store the question and answer text you submit, together with limited technical metadata — a one-way hashed IP address, browser type, and the subject and exam board you select. We use this to understand how the demo is used, prevent abuse, and improve our AI marking. Demo submissions are anonymous and are not linked to any account, and any files you upload for the demo are deleted within one hour.

3. Lawful Basis for Processing

We process personal data under the following legal bases (UK GDPR):

User TypeLawful Basis
Students (13+)Legitimate interest (providing educational service)
Students (under 13)Parental consent
TeachersContract performance (service provision)
Schools/DepartmentsContract performance (organisational subscription)

4. How We Use Your Information

We use the information we collect to:

  • Provide AI-powered marking and personalised feedback
  • Track learning progress and generate performance insights
  • Enable teachers to manage classes and monitor student progress
  • Process payments for subscriptions
  • Send essential service communications
  • Improve the accuracy and quality of our AI marking

5. AI Processing

5.1 What We Send to AI

Your answer is sent to our AI marking service for evaluation. We send only the minimum data required: your answer (the text you type, or a photo of your handwritten work where you upload one), the question, and the mark scheme. Where you upload a photo, the image is sent so the AI can read your handwriting.

5.2 What We Do Not Do

  • We do not use your answers or personal data to train AI models
  • We do not send your name, email, or other account identifiers to the AI provider
  • We do not sell or share your data with third parties for marketing purposes

5.3 AI Sub-processor

Our AI marking is performed by Google's Gemini models, accessed directly through the Google Gemini API. Your answer (text or image), the question, and the mark scheme are processed in accordance with Google's API data-processing terms, under which Google does not use your submissions to train its models. Google is based in the United States (see section 11, International Transfers).

5.4 In-Product AI Assistants

Some features use an AI assistant you can chat with — for example, guided onboarding and, for teachers, tools that help create classes, questions, and resources. When you use these features, the messages you type are sent to the same AI provider (Google) under the same terms described above: your content is not used to train AI models, and we do not send your name, email, or other account identifiers. Do not enter personal information about yourself or others into these chats beyond what is needed for the task.

6. Data Sharing

We share data only with:

RecipientPurposeData Shared
AI provider (Google)Answer markingYour answer (text or image), question, mark scheme — no account identifiers
Payment processor (Stripe)Subscription billingEmail, payment details
Email delivery (Resend)Account & transactional email (sign-in links, password resets, notifications)Your email address
Your teachersClass managementAnswers, marks, progress
Your school (if applicable)Organisation analyticsAggregated performance data

7. Data Storage and Security

  • Data is stored securely using Supabase (PostgreSQL) with encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Backups are encrypted and retained for disaster recovery
  • Access to production data is restricted to authorised personnel
  • We conduct regular security reviews

8. Data Retention

Data TypeRetention Period
Account dataDuration of account + 30 days after deletion
Practice responsesDuration of account
Assessment dataDuration of account
Audit logs (IP, consent)3 years
Payment records7 years (legal requirement)

9. Your Rights (UK GDPR)

You have the right to:

  • Access your personal data
  • Rectify inaccurate data
  • Erase your account and data ("right to be forgotten")
  • Port your data in a machine-readable format
  • Object to processing based on legitimate interest
  • Withdraw consent at any time (for under-13 parental consent)

To exercise these rights, contact [email protected]. We will respond within 30 days.

10. Children's Privacy

  • The Service is designed for students of all ages
  • Users under 13 require verifiable parental consent
  • We collect only the minimum data necessary for the educational service
  • Parents can review, modify, or withdraw consent at any time via the links in their consent email
  • We comply with the UK Age Appropriate Design Code

11. International Transfers

Our AI processing provider, Google, may process your answer (text or image) in the United States. This transfer is governed by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses and Google's data processing terms. No account identifiers (name, email) are included in AI requests.

12. Cookies

We use only essential cookies to maintain your session and preferences. We do not use third-party tracking cookies or advertising cookies.

For website analytics we use Plausible Analytics, a privacy-friendly service that is cookieless and does not collect or store any personal data or cross-site identifiers. Plausible measures aggregate usage (such as page views) only and cannot be used to identify you.

13. Changes to This Policy

We will notify you of material changes by prompting you to review and accept the updated policy within the Service. The version number and effective date will be updated accordingly.

14. Contact

For privacy-related questions or to exercise your rights, contact us at [email protected].

Ready to stop marking?

Free for your first class. No credit card needed.