DPIA Support Information (for Schools)
LEARN-CO.DE LTD ("learn-co.de", "we", "us", "our")
Version 1.0 — Effective 22 June 2026
Before adopting a new EdTech service that processes children's data, a school (as controller) should normally carry out a Data Protection Impact Assessment (DPIA). This page gives schools the supplier-side information they need to complete one. It is provided for convenience and does not replace the school's own assessment.
Roles
- Controller: the School.
- Processor: LEARN-CO.DE LTD.
- Governed by our Data Processing Agreement.
What the Service does
Provides a computer science teaching and learning platform: class and assignment management, automatically marked questions and coding tasks, progress tracking, revision, and live in-class activities.
Personal data processed
- Teachers/staff: name, school email/username, role, classes.
- Pupils: name, school email/username, year group, class membership, answers/attempts, marks/grades, revision sessions, topic progress, saved code and free-text entries.
- Administrator: contact and billing data.
- Technical: limited security/operational logs.
- No special category data is requested or required.
Purpose and lawful basis
- Purpose: to deliver the teaching/learning service the school has chosen.
- Lawful basis: determined by the school as controller (commonly public task for state-funded schools).
- We process only on the school's documented instructions.
Data sharing and sub-processors
- No sale or sharing of personal data for others' purposes; no advertising; no profiling of children.
- Sub-processors are listed at /legal/sub-processors (Google Firebase/Firestore/Auth, Fly.io, Stripe, etc.).
Storage, location and security
- Stored in Firebase/Firestore in the United Kingdom (Google Cloud London, europe-west2); hosted on Fly.io (London); Firebase Authentication is operated by Google and may process sign-in data outside the UK under appropriate safeguards.
- Security measures: tenant isolation by school, role-based access, encryption in transit and at rest, least-privilege staff access, logging, backups and recovery. See our Security Statement.
Children's Code
We have regard to the ICO Age Appropriate Design Code: best interests of the child, data minimisation, high-privacy defaults, no marketing profiling. See our Safeguarding & Children's Code Statement.
Individuals' rights
Requests are handled by the school as controller; we assist. Schools can export and delete data using the admin tools.
Retention
Active for the subscription term; on cancellation, 90-day grace period then permanent deletion within a further 30 days. Billing records retained as legally required.
Risks and mitigations (starter list for schools)
| Risk | Mitigation |
|---|---|
| Unauthorised access to pupil data | Tenant isolation, role-based access, server-side rules, encryption |
| Inappropriate pupil-entered content | Teacher monitoring; our right to remove content / restrict accounts |
| Data loss | Backups and documented recovery |
| Accidental deletion on payment issue | 90-day grace period before deletion |
| Account sharing undermining accountability | Terms require one account per user |
Contact for DPIA queries
dpo@learn-co.de