Privacy Policy

1. Who we are

BlueAcorn Education ("we", "us") provides an educational platform for schools. This Privacy Policy explains how we handle personal data when you use the platform.

Contact: [email protected]

2. School customers and student users

When a school (or local authority/academy trust) uses the platform, the school is typically the data controller for student personal data it provides and student activity data generated through use of the service. We typically act as a data processor and process that data on the school’s instructions to provide the service.

If you are a student, your school is usually the best point of contact for questions and requests about your data.

3. What data we collect

Depending on role (student/teacher/admin) and how the school configures the platform, we may process:

• Account details: name, email address, role, institution/school identifiers.
• Learning and progress data: lesson/module completion, quiz results, topic-level performance and progress tracking.
• Operational and security data: session identifiers, IP address, user-agent, login timestamps, audit/security events.
• Support/communications: messages you send to us for support.

4. How we use data (purposes)

• Provide the platform (accounts, classes, lessons, assignments, progress tracking).
• Generate analytics/progress reporting for educators and school administrators.
• Maintain security, prevent abuse, and protect accounts (including re-authentication prompts for sensitive actions).
• Troubleshoot, monitor reliability, and improve the service.

5. Lawful bases (UK GDPR)

For school-provided student data, the school typically determines the lawful basis and provides instructions. For our own processing (e.g. security logs), we generally rely on legitimate interests (security and fraud prevention) and/or contract (to provide the service to the school).

6. Sharing and processors

We do not sell personal data and we do not run advertising. We may share data with service providers who help us run the platform (e.g. hosting, databases, email delivery), under appropriate contractual protections.

7. International transfers

If any of our service providers process data outside the UK, we use appropriate safeguards (such as the UK Addendum to the EU Standard Contractual Clauses) where required.

8. Retention

We retain personal data only as long as needed to provide the Service and meet legal, security, and operational requirements.

• School/student learning data: retained while the school remains an active customer and for up to 12 months after the school ends its use of the Service, unless the school asks us to delete it sooner.
• Security and audit logs (e.g. session identifiers, IP address, user-agent, timestamps): retained for up to 180 days to protect accounts and investigate abuse.
• Backups: system backups may retain data for up to 35 days before being overwritten.

If a school (as controller) instructs us to delete student data, we will take steps to delete it within 30 days (subject to any legal obligations and the backup retention period above).

9. Your rights

UK GDPR provides rights such as access, rectification, erasure, restriction, objection, and portability (where applicable). For student data, requests typically go through the school (the controller). For staff accounts, you can also contact us.

You also have the right to complain to the ICO (Information Commissioner’s Office).

10. Cookies

We use essential cookies for login sessions (for example, a session cookie to keep you signed in). We do not use advertising cookies. If we add non-essential analytics cookies in future, we will update this policy and implement appropriate consent mechanisms.

11. Changes

We may update this policy from time to time. We will post changes on this page and update the “Last updated” date.