Privacy Policy
On this page
learn orbit is an AI-powered maths tutor for children aged 8–14 in the United Kingdom. Because we work with children, we take privacy seriously. This policy explains exactly what data we collect, where it goes, how long we keep it, and how you can exercise your rights under UK GDPR and the ICO Age-Appropriate Design Code (the "Children's Code").
1. Who we are
learn orbit ("we", "us", "our") is the data controller for personal data collected through learnorbit.ai. We operate from the United Kingdom.
To reach us about privacy, please use our contact page. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk if you believe we have mishandled your data.
2. Scope & age guidance
learn orbit is designed for children aged 8–14. A parent or legal guardian must create the account; children do not register themselves. Parents confirm consent on behalf of their child at the point of registration.
We comply with the UK GDPR, the Data Protection Act 2018, and the ICO Age-Appropriate Design Code. Where this policy and the Code disagree, we apply whichever protects the child more.
3. What data we collect
Parent account
- First name and last name
- Email address
- Password (stored only as a salted hash; we never see the original)
- WhatsApp number (optional, only if you opt in to notifications)
- Subscription tier and renewal date
- Notification preferences (email / WhatsApp toggles)
Child profile
- First name only (no surname required)
- Year group (e.g. Year 5) — not a date of birth
- Learning goal (11+, GCSE, or general practice)
- Exam board (AQA or OCR), country
- 4-digit PIN (stored only as a salted hash; used for child login)
Activity data
- Exam attempts: questions seen, time taken, scores, predicted grades
- Student answers (typed or photographed from a printed answer sheet)
- Conversations with Nova (the AI tutor) — both the child's messages and Nova's replies
- Topic mastery scores (per-topic correct-answer percentages)
- Login timestamps
- Short "memory" notes the child can ask Nova to remember (e.g. "I struggle with fractions") — limited to 20 entries, cleared after 180 days of inactivity
Technical data
- IP address (in server logs for security and abuse prevention)
- Browser type and version (from HTTP headers)
- Cookies and similar storage — see section 10
What we deliberately do NOT collect
- Child's date of birth (we only need year group)
- Child's surname
- Biometric data (no face scans, voice prints, fingerprints)
- Precise location (no GPS)
- Advertising identifiers or device fingerprints
- Voice recordings — there is no voice interaction with Nova
4. How we use your data
Our lawful bases under UK GDPR Article 6 are:
- Performance of a contract (Article 6(1)(b)) — to provide the tutoring service you've signed up for: assessing the child's level, generating questions, marking exams, sending progress updates, processing payments.
- Legitimate interests (Article 6(1)(f)) — to keep the service secure (rate-limiting, fraud detection), prevent abuse, and improve the product. We weigh these against the rights of children and only use what's necessary.
- Consent (Article 6(1)(a)) — for optional analytics cookies and WhatsApp notifications. You can withdraw consent at any time.
- Legal obligation (Article 6(1)(c)) — to keep records required by law (e.g. accounting records).
5. Children's protections (UK Children's Code)
Because our users include children, we apply extra safeguards:
- No third-party advertising — ever. We do not show ads to children or parents.
- No behavioural profiling for marketing — we never build advertising profiles or share data with ad networks.
- No analytics on child-facing pages — Google Analytics is loaded only on marketing pages and the parent dashboard. Pages used by children during a session never load analytics scripts.
- Content guardrails on Nova — Nova is built to discuss maths only. If a child raises an off-topic subject, Nova redirects to maths. If Nova detects a distress signal (e.g. the child says something concerning), Nova replies with "I think you should talk to a grown-up about this" and the conversation is flagged for parent review.
- PII detection in chat — we automatically detect and block patterns that look like phone numbers, email addresses, or postcodes in the child's messages, with a polite warning ("for your safety I won't save that"). These messages are flagged in our records.
- Session timeout — child sessions expire after a period of inactivity to limit unattended use.
- Parental review — parents can view their child's Nova chat history in their dashboard.
- Minimum data — we store first name only, never the child's surname or date of birth.
6. AI processing
Nova is powered by a large language model from a third-party AI processing partner. We use it for tutoring conversations, exam marking, question generation, and weekly progress summaries. Our agreement with the AI partner restricts how they may use the data we send.
What we send to the AI partner
- The child's first name only
- The current exam question text and (for marking) the correct answer
- The child's answer to the question
- Anonymous summary of recent performance (scores, weak topics) for personalisation
- The child's "memory" notes if any exist
- Photographs of handwritten answer sheets (for AI marking)
What we never send to the AI partner
- The child's surname, email, address, phone number, or postcode
- Parent contact details
- Payment data
- Other children's data
- Your browsing history
The AI partner's terms do not permit them to train their models on the data we send. AI grading is automated — you can request a human review of any grade by contacting us (see section 11, automated decisions).
7. WhatsApp notifications
WhatsApp notifications are off by default. They are only enabled if a parent opts in and provides a WhatsApp number in their account settings.
When opted in, we send messages via the Meta WhatsApp Business Cloud API for events like "exam finished", "level reached", or "streak at risk". Messages contain the parent's first name, the child's first name, and a short summary written by Nova.
WhatsApp messages are also subject to Meta's privacy policy. You can turn WhatsApp notifications off at any time in your parent settings.
8. Who else sees your data
To deliver learn orbit we use carefully selected service providers. Each is bound by a written data-processing agreement and processes personal data only on our instructions. The categories of recipient are:
- AI processing partner — runs the language model that powers Nova, exam marking, and progress summaries. Receives child first name, the current question, the child's answer, and (for marking) photographs of answer sheets.
- Cloud storage and document processing — stores answer-sheet photographs and extracts text from PDF curriculum documents.
- Messaging provider — delivers opt-in WhatsApp notifications to parents.
- Email delivery — sends transactional email (registration confirmation, password reset).
- Third-party sign-in — if a parent chooses to sign in with Google, Google shares the parent's email and name with us.
- Site analytics — only with your consent, and never on pages used by children.
- Workflow orchestration — passes data between our application and the AI partner. No long-term storage.
- Hosting infrastructure — runs our servers and database.
- Payment processing (when subscriptions are enabled) — handles card details. We never see or store card numbers.
We will name specific providers on request. Contact us via our contact page and we'll provide the up-to-date list.
9. Data retention
- Parent account data — kept while your subscription is active. Deleted within 90 days after account closure (or immediately on request).
- Child profile and activity data — kept while the child is enrolled. Deleted within 90 days after the parent closes the account, or immediately if you exercise your right to erasure (section 11).
- Answer-sheet photographs — automatically deleted from Azure Blob Storage 12 months after upload. You can request earlier deletion at any time.
- Nova chat history — kept on a rolling 90-day window. Older messages are automatically purged.
- Email logs — confirmation and password-reset emails are not stored by us; Mailjet handles delivery only.
- Payment data — never stored by us. Held by Stripe under their retention terms.
- Server logs — retained for 30 days for security and debugging.
- Accounting records — invoice and tax records retained for 6 years as required by HMRC.
10. Cookies & similar technologies
We use a small number of cookies and browser storage entries.
Strictly necessary (always on)
Analytics (opt-in)
Google Analytics cookies (_ga, _ga_*) load only after you
click "Accept analytics" on the cookie banner, and never on pages used by
children. They help us understand which parts of the site are useful so we can improve
them. You can change your mind at any time via the "Cookie settings" link in the footer.
11. Your rights under UK GDPR
You have the following rights:
- Right of access (Article 15) — receive a copy of the personal data we hold about you and your child
- Right to rectification (Article 16) — correct inaccurate or incomplete data
- Right to erasure (Article 17) — request deletion of your or your child's data
- Right to restriction (Article 18) — pause processing while a dispute is resolved
- Right to data portability (Article 20) — receive your data in a structured, machine-readable format
- Right to object (Article 21) — object to processing based on legitimate interests
- Rights related to automated decisions (Article 22) — Nova's AI grading is automated. You can request a human review of any grade or correction by emailing us.
To exercise any of these rights, get in touch via our contact page. We'll respond within 30 days. If you're not satisfied with how we handle your request, you can complain to the UK ICO at ico.org.uk/make-a-complaint.
12. International data transfers
Some of our sub-processors (notably Anthropic and Microsoft Azure) may process data outside the United Kingdom. We rely on UK adequacy decisions where they exist (e.g. EEA), and on Standard Contractual Clauses and the providers' own compliance certifications (such as SOC 2, ISO 27001, and GDPR readiness commitments) for transfers to other jurisdictions.
13. Security
We take security seriously. Measures include:
- TLS encryption in transit for all traffic
- Passwords and PINs stored as salted BCrypt hashes (never in plain text)
- Time-limited (SAS) tokens for access to answer-sheet photographs
- Role-based access control (parent / child / admin) enforced server-side
- CSRF protection on all form submissions
- Anti-forgery tokens, secure cookies, HTTPS-only in production
- Secrets stored in environment variables, never in source code
14. Changes to this policy
If we make material changes to this policy, we'll notify parents by email and via a banner in the parent dashboard at least 14 days before the change takes effect. The effective date at the top of this page always reflects the current version.
15. Contact
For privacy questions, requests, or complaints, please use our contact page.