learn-co.de

Privacy Policy

LEARN-CO.DE LTD ("learn-co.de", "we", "us", "our")

Version 1.0 — Effective 22 June 2026

1. About this policy

This Privacy Policy explains, in plain English, how LEARN-CO.DE LTD handles personal data when a school uses our computer science teaching and learning platform ("the Service").

We are a company registered in England and Wales (company number 17293312), with our registered office at 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom. We are registered with the Information Commissioner's Office (ICO) under registration number ZC179900.

This policy is written primarily for the schools that use the Service and for the teachers, pupils and parents/carers connected to those schools. If you are a pupil or parent, the school is the main point of contact for your data; this policy tells you what we do on the school's behalf.

2. Our role: who is responsible for the data

For all personal data about teachers and pupils that is entered into or created within the Service, the school is the data controller and LEARN-CO.DE LTD is the data processor. This means:

  • The school decides why and how pupil and teacher data is used.
  • We only process that data on the school's documented instructions, to provide the Service.

We act as a controller only for a narrow set of data that we decide the purposes of ourselves — for example, the contact details of the person who registers and administers a school account, billing records, and our own website/security logs. Section 9 covers this.

We do not:

  • use pupil or teacher data for advertising or marketing;
  • sell, rent or share personal data with third parties for their own purposes;
  • carry out unrelated analytics, behavioural profiling or automated decision-making that produces legal or similarly significant effects on a child;
  • build advertising or commercial profiles of children.

3. Whose data we process, and who provides it

Data subjects Who provides the data
Teachers and school staff The school, and the staff member when they register or use the Service
Pupils / students The school (e.g. via bulk upload or class set-up), and the pupil when they use the Service
The school's account administrator The administrator, when registering the school

4. What data we process

Account and identity data - Names, school email addresses (or school-issued usernames), role (teacher/student/admin), year group, class membership, and the school the user belongs to. - Authentication data managed through Firebase Authentication (e.g. credentials, password hashes — we never see plaintext passwords).

Educational / usage data - Class and assignment structures, question sets and worksheets. - Pupil answers, attempts, marks, grades, revision sessions, topic progress and saved code submissions. - Free-text content that pupils enter while answering questions or writing code (for example comments inside code). This is owned by the school and should be monitored by the school (see our Acceptable Use Policy and Terms & Conditions).

Technical data - Limited security and operational logs (e.g. timestamps, error logs, and minimal records of significant administrative actions) needed to run the Service securely and reliably.

Billing data (school administrators only) - The administrator's contact details and subscription/transaction records. Card details are handled by our payment processor (Stripe) and are not stored by us.

We deliberately collect the minimum we need to deliver a computer science teaching tool. We do not request or require special category data, and schools should not enter it into free-text fields.

5. Why we process it, and our legal basis

We process personal data to deliver the Service the school has asked for: creating and managing classes, setting and marking work, tracking progress, running live lessons, and keeping accounts secure.

Because the school is the controller, the school is responsible for establishing the lawful basis for processing pupil and teacher data — for most state-funded schools this is the performance of a public task; for others it may be legitimate interests or consent. We process this data on the school's behalf under our contract with the school (see our Data Processing Agreement).

For the limited data where we are the controller (Section 9), our lawful bases are contract (to provide and bill for the Service to the account holder) and legitimate interests (to keep the Service secure, prevent abuse, and improve reliability), and legal obligation where applicable (e.g. tax records).

6. Children's data and the Children's Code

The Service is designed to be used by pupils, so we take particular care with children's data and have regard to the ICO's Age Appropriate Design Code (the Children's Code). In practice this means:

  • the best interests of the child are a primary consideration in how we design the Service;
  • we minimise the data collected and switch off any non-essential features by default;
  • we do not profile children for marketing, and we do not use nudge techniques to encourage children to give us more data;
  • settings are high-privacy by default;
  • we support schools in carrying out their Data Protection Impact Assessments (DPIAs) by providing the information they need (see our DPIA support information).

7. Where data is stored and processed

Your School's data (accounts and educational data) is stored in Google Firebase / Firestore, configured to the United Kingdom — Google Cloud's London region (europe-west2), and the Service is hosted on Fly.io in its London (lhr) region. Firebase Authentication (sign-in) is operated by Google and may process authentication data outside the UK, including in the United States. Where any transfer outside the UK occurs, it is protected by an appropriate safeguard recognised under UK data protection law (such as the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses).

8. Sub-processors

We use a small number of carefully selected sub-processors to deliver the Service. Our current sub-processors — including Google (Firebase / Firestore / Authentication), Fly.io and Stripe — are listed and kept up to date in our Sub-processor List. We require every sub-processor to provide data protection guarantees consistent with our own obligations, and we give schools advance notice of material changes so they can object.

9. Data for which we are the controller

We are the controller for: the account administrator's business contact details; billing and subscription records; correspondence with us (e.g. support requests); and website/security logs. We use this data to operate, secure, support and bill the Service, and to meet legal obligations. We retain billing records for as long as required by law (typically six years for UK tax purposes) and security logs for a limited period proportionate to their purpose.

10. How long we keep data

While a school's subscription is active, we keep pupil and teacher data for as long as the school needs it to use the Service.

When a subscription ends or is cancelled, we retain the school's data for a grace period of 90 days so that a genuine payment problem, renewal delay or accidental cancellation does not result in lost data, and so the school can export its data or resume. After the grace period, the school's data (including pupil and teacher data) is permanently deleted within a further 30 days, unless the school instructs us otherwise in writing or we are required by law to retain it.

A school administrator can also delete individual accounts, export all of the school's data, or delete the whole school (and all associated pupil and teacher data) at any time from the admin area. Deletion through these tools is permanent.

11. Schools' and individuals' rights

Individuals have rights under UK data protection law, including the right to access, rectify, erase, restrict, object to, and port their personal data. Because the school is the controller of pupil and teacher data, individuals should make requests to their school in the first instance. We will assist the school promptly in responding to any such request, and in fulfilling data subject access, deletion and export requests.

Schools can export their data and delete data themselves using the admin tools, or ask us for help at any time.

12. Security

We take the security of personal data seriously. Measures include strict tenant isolation by school, role-based access control, encryption of data in transit and at rest (as provided by our infrastructure), least-privilege access for our staff, logging of significant administrative actions, and a backup and recovery process. More detail is in our Security Statement. If a personal data breach occurs, we will notify the affected school without undue delay so it can meet its obligations.

13. Cookies

We make sparing use of cookies and similar technologies. We use only what is necessary to sign you in, keep the Service secure, and remember essential preferences. We do not use advertising or cross-site tracking cookies. See our Cookie Policy.

14. Changes to this policy

We may update this policy from time to time. Where changes are material, we will give schools reasonable notice. The "Effective" date at the top shows when this version took effect.

15. How to contact us

  • Privacy enquiries: privacy@learn-co.de
  • Data protection / DPO contact: dpo@learn-co.de
  • Post: LEARN-CO.DE LTD, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom

If you are unhappy with how we have handled your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk, although we ask that you contact us first so we can try to help.

Version 1.0 — Effective 22 June 2026 · Use “Download PDF” above to save a copy.