Privacy Policy
Version 2026.1 · Effective April 2026
1. Data Controller
Schooly is operated by Actilynk Ltd, a company registered in England and Wales (company number 12475434), with registered office at 8 Lewis Road, Swanscombe, Kent, DA10 0JH, trading as "Schooly". We are the data controller for the personal data we process.
Contact: [email protected]
2. Information We Collect
2.1 Account Information
- Name, email address, and password
- Date of birth (for age verification)
- Role (student, teacher, administrator)
- School or organisation affiliation
2.2 Usage Data
- Practice responses and answers submitted for marking
- Assessment results and progress data
- Questions and resources created by teachers
- Usage patterns (questions attempted, time spent, features used)
2.3 Technical Data
- IP address and browser information (for security and audit purposes)
- Essential cookies for session management
3. Lawful Basis for Processing
We process personal data under the following legal bases (UK GDPR):
| User Type | Lawful Basis |
|---|---|
| Students (13+) | Legitimate interest (providing educational service) |
| Students (under 13) | Parental consent |
| Teachers | Contract performance (service provision) |
| Schools/Departments | Contract performance (organisational subscription) |
4. How We Use Your Information
We use the information we collect to:
- Provide AI-powered marking and personalised feedback
- Track learning progress and generate performance insights
- Enable teachers to manage classes and monitor student progress
- Process payments for subscriptions
- Send essential service communications
- Improve the accuracy and quality of our AI marking
5. AI Processing
5.1 What We Send to AI
Your answer text is sent to our AI marking service for evaluation. We send only the minimum data required: the answer text, the question context, and the mark scheme.
5.2 What We Do Not Do
- We do not use your answers or personal data to train AI models
- We do not send personally identifiable information (names, emails) to AI providers
- We do not sell or share your data with third parties for marketing purposes
5.3 AI Sub-processors
Our AI marking uses Anthropic's Claude API. Answer text is processed in accordance with Anthropic's data processing terms, which prohibit training on customer data.
6. Data Sharing
We share data only with:
| Recipient | Purpose | Data Shared |
|---|---|---|
| AI providers (Anthropic) | Answer marking | Answer text only (no PII) |
| Payment processor (Stripe) | Subscription billing | Email, payment details |
| Your teachers | Class management | Answers, marks, progress |
| Your school (if applicable) | Organisation analytics | Aggregated performance data |
7. Data Storage and Security
- Data is stored securely using Supabase (PostgreSQL) with encryption at rest (AES-256) and in transit (TLS 1.2+)
- Backups are encrypted and retained for disaster recovery
- Access to production data is restricted to authorised personnel
- We conduct regular security reviews
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Practice responses | Duration of account |
| Assessment data | Duration of account |
| Audit logs (IP, consent) | 3 years |
| Payment records | 7 years (legal requirement) |
9. Your Rights (UK GDPR)
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your account and data ("right to be forgotten")
- Port your data in a machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time (for under-13 parental consent)
To exercise these rights, contact [email protected]. We will respond within 30 days.
10. Children's Privacy
- The Service is designed for students of all ages
- Users under 13 require verifiable parental consent
- We collect only the minimum data necessary for the educational service
- Parents can review, modify, or withdraw consent at any time via the links in their consent email
- We comply with the UK Age Appropriate Design Code
11. International Transfers
Our AI processing provider (Anthropic) may process answer text in the United States. This transfer is governed by Standard Contractual Clauses and Anthropic's data processing agreement. No personally identifiable information is included in AI requests.
12. Cookies
We use only essential cookies to maintain your session and preferences. We do not use third-party tracking cookies or advertising cookies.
13. Changes to This Policy
We will notify you of material changes by prompting you to review and accept the updated policy within the Service. The version number and effective date will be updated accordingly.
14. Contact
For privacy-related questions or to exercise your rights, contact us at [email protected].