Privacy Policy
Version 2026.3 · Effective July 2026
1. Data Controller
Schooly is operated by Actilynk Ltd, a company registered in England and Wales (company number 12475434), with registered office at 8 Lewis Road, Swanscombe, Kent, DA10 0JH, trading as "Schooly". We are the data controller for the personal data we process.
Contact: [email protected]
2. Information We Collect
2.1 Account Information
- Name, email address, and password
- Date of birth (for age verification)
- Role (student, teacher, administrator)
- School or organisation affiliation
2.2 Usage Data
- Practice responses and answers submitted for marking
- Assessment results and progress data
- Questions and resources created by teachers
- Usage patterns (questions attempted, time spent, features used)
2.3 Technical Data
- IP address and browser information (for security and audit purposes)
- Essential cookies for session management
2.4 Public Demo
If you use our public marking demo (available without an account), we store the question and answer text you submit, together with limited technical metadata — a one-way hashed IP address, browser type, and the subject and exam board you select. We use this to understand how the demo is used, prevent abuse, and improve our AI marking. Demo submissions are anonymous and are not linked to any account, and any files you upload for the demo are deleted within one hour.
3. Lawful Basis for Processing
We process personal data under the following legal bases (UK GDPR):
| User Type | Lawful Basis |
|---|---|
| Students (13+) | Legitimate interest (providing educational service) |
| Students (under 13) | Parental consent |
| Teachers | Contract performance (service provision) |
| Schools/Departments | Contract performance (organisational subscription) |
4. How We Use Your Information
We use the information we collect to:
- Provide AI-powered marking and personalised feedback
- Track learning progress and generate performance insights
- Enable teachers to manage classes and monitor student progress
- Process payments for subscriptions
- Send essential service communications
- Improve the accuracy and quality of our AI marking
5. AI Processing
5.1 What We Send to AI
Your answer is sent to our AI marking service for evaluation. We send only the minimum data required: your answer (the text you type, or a photo of your handwritten work where you upload one), the question, and the mark scheme. Where you upload a photo, the image is sent so the AI can read your handwriting.
5.2 What We Do Not Do
- We do not use your answers or personal data to train AI models
- We do not send your name, email, or other account identifiers to the AI provider
- We do not sell or share your data with third parties for marketing purposes
5.3 AI Sub-processor
Our AI marking is performed by Google's Gemini models, accessed directly through the Google Gemini API. Your answer (text or image), the question, and the mark scheme are processed in accordance with Google's API data-processing terms, under which Google does not use your submissions to train its models. Google is based in the United States (see section 11, International Transfers).
5.4 In-Product AI Assistants
Some features use an AI assistant you can chat with — for example, guided onboarding and, for teachers, tools that help create classes, questions, and resources. When you use these features, the messages you type are sent to the same AI provider (Google) under the same terms described above: your content is not used to train AI models, and we do not send your name, email, or other account identifiers. Do not enter personal information about yourself or others into these chats beyond what is needed for the task.
6. Data Sharing
We share data only with:
| Recipient | Purpose | Data Shared |
|---|---|---|
| AI provider (Google) | Answer marking | Your answer (text or image), question, mark scheme — no account identifiers |
| Payment processor (Stripe) | Subscription billing | Email, payment details |
| Email delivery (Resend) | Account & transactional email (sign-in links, password resets, notifications) | Your email address |
| Your teachers | Class management | Answers, marks, progress |
| Your school (if applicable) | Organisation analytics | Aggregated performance data |
7. Data Storage and Security
- Data is stored securely using Supabase (PostgreSQL) with encryption at rest (AES-256) and in transit (TLS 1.2+)
- Backups are encrypted and retained for disaster recovery
- Access to production data is restricted to authorised personnel
- We conduct regular security reviews
8. Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Duration of account + 30 days after deletion |
| Practice responses | Duration of account |
| Assessment data | Duration of account |
| Audit logs (IP, consent) | 3 years |
| Payment records | 7 years (legal requirement) |
9. Your Rights (UK GDPR)
You have the right to:
- Access your personal data
- Rectify inaccurate data
- Erase your account and data ("right to be forgotten")
- Port your data in a machine-readable format
- Object to processing based on legitimate interest
- Withdraw consent at any time (for under-13 parental consent)
To exercise these rights, contact [email protected]. We will respond within 30 days.
10. Children's Privacy
- The Service is designed for students of all ages
- Users under 13 require verifiable parental consent
- We collect only the minimum data necessary for the educational service
- Parents can review, modify, or withdraw consent at any time via the links in their consent email
- We comply with the UK Age Appropriate Design Code
11. International Transfers
Our AI processing provider, Google, may process your answer (text or image) in the United States. This transfer is governed by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses and Google's data processing terms. No account identifiers (name, email) are included in AI requests.
12. Cookies
We use only essential cookies to maintain your session and preferences. We do not use third-party tracking cookies or advertising cookies.
For website analytics we use Plausible Analytics, a privacy-friendly service that is cookieless and does not collect or store any personal data or cross-site identifiers. Plausible measures aggregate usage (such as page views) only and cannot be used to identify you.
13. Changes to This Policy
We will notify you of material changes by prompting you to review and accept the updated policy within the Service. The version number and effective date will be updated accordingly.
14. Contact
For privacy-related questions or to exercise your rights, contact us at [email protected].