SC
supercurriculum
Learn more. Be more.

LEGAL

Privacy Policy

How we collect, use and protect personal data on Supercurriculum.

Draft for company review. This is a working draft only and is not legal advice. The company must have a qualified solicitor review and finalise this document before publication.

1. Who we are

Supercurriculum is operated by [Company Legal Name], a company registered in England and Wales (company number [Company Number]), registered office: [Registered Address]. We are the data controller for personal data processed through our platform.

Our Data Protection Officer can be contacted at [dpo@yourdomain.com]. We are registered with the UK Information Commissioner's Office (ICO) under registration number [ICO Registration Number].

2. What data we collect

To deliver personalised learning, we collect:

  • Account data: email address, password (hashed), whether the account is held by a parent or guardian.
  • Learner profile: first name, last name, date of birth, country, school name, calculated and confirmed year group.
  • Learning data: placement test answers, practice answers, strand mastery scores and progress over time.
  • Technical data: device and browser information, IP address and basic usage logs needed to operate the service securely.

Where an account is for a child, this information is provided by the parent, guardian or school and is treated as data about the child.

3. How we use this data

  • To calculate the correct year group and personalise learning.
  • To track progress and present results to the learner, parent or teacher.
  • To generate practice questions appropriate to the learner's level.
  • To keep the service secure and prevent abuse.
  • To respond to support requests.

We do not sell personal data and we do not use children's data for advertising.

4. Lawful basis

We process personal data under UK GDPR on the following bases:

  • Contract: to provide the learning service to the account holder.
  • Legitimate interests: to keep the service secure and improve its quality, balanced against the rights of users (especially children).
  • Consent: for any optional processing (e.g. parental consent for under-13 accounts, marketing communications you have opted into).
  • Legal obligation: where we must retain or disclose data to comply with the law.

5. Children under 13 and parental consent

Children under 13 may use Supercurriculum only with verifiable consent from a parent or guardian, or under the responsibility of their school. When a parent or guardian creates an account on behalf of a child, they confirm they have the authority to do so and to provide the child's personal data.

Parents and guardians may at any time review the data we hold about their child, ask us to correct it, or ask us to delete the account. Contact [privacy@yourdomain.com] to make a request.

6. Sharing

We share data only with service providers that help us run the platform (hosting, authentication, AI question generation, email delivery). All providers are bound by contracts that require them to protect personal data and to act only on our instructions. A current list of sub-processors is available on request from [privacy@yourdomain.com].

7. Retention

We retain learner data for as long as the account is active. If an account is inactive for [24] months, we will contact the account holder and may then delete or anonymise the data. Account holders may request deletion at any time. Some records (for example billing or safeguarding logs) may be retained longer where required by law.

8. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you or your child.
  • Have inaccurate data corrected.
  • Have data deleted in certain circumstances.
  • Restrict or object to processing.
  • Data portability.
  • Withdraw consent at any time, where processing is based on consent.
  • Complain to the ICO (ico.org.uk).

9. Security

We use encryption in transit, hashed passwords, role-based access controls and regular review of our systems. No system is perfectly secure, and we will notify users and the ICO of any personal data breach in line with our legal obligations.

10. Contacting us about your data

Data requests and questions should be sent to [privacy@yourdomain.com] or by post to [Registered Address], marked for the attention of the Data Protection Officer.

11. Changes

We may update this policy. The current version is dated [Date]. We will notify account holders of material changes.

Questions about this document?

Contact us