GDPR Compliance

Last updated: January 2025

1. Our Commitment to GDPR
Educode Learning Ltd ("we", "our", or "us") is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We ensure that all personal data processing activities meet the highest standards of data protection, particularly within the context of educational technology.


2. Data Controller Information
• Data Controller: Educode Learning Ltd
• Company Registration Number: 16481177
• Registered Office: Educode Learning Ltd, Crest View Drive, Orpington, Kent, London, UK
• Data Protection Officer: privacy@codebash.co.uk


3. Lawful Basis for Processing
We process personal data under the following lawful bases:

Data Type | Lawful Basis | Purpose
Student academic data | Legitimate Interest | Educational provision and progress tracking
Account credentials | Contract | Platform access and security
Usage analytics | Legitimate Interest | Service improvement and safeguarding
Marketing communications | Consent | School communications (opt-in only)

4. Your Rights Under UK GDPR
As a data subject, you have the following rights:

4.1 Right of Access (Article 15)
Request a copy of all personal data we hold about you and how it is processed.

4.2 Right to Rectification (Article 16)
Request correction of inaccurate or incomplete personal data.

4.3 Right to Erasure (Article 17)
Request deletion of your personal data under certain conditions, subject to lawful retention requirements.

4.4 Right to Restrict Processing (Article 18)
Request that we temporarily stop processing your data, for example while resolving a dispute.

4.5 Right to Data Portability (Article 20)
Request a copy of your data in a structured, commonly used, machine-readable format.

4.6 Right to Object (Article 21)
Object to processing based on our legitimate interests, including data used for direct marketing.


5. Special Category Data
We do not routinely collect special category (sensitive) data. Where accessibility needs or safeguarding concerns require such processing, we rely on explicit consent or legal obligations and apply additional protections.


6. Children's Data Protection
We take particular care when processing data about children:
• Schools act as data controllers for student accounts
• Parental consent is managed through school policies in compliance with UK law
• We apply data minimisation and implement strict access controls
• Children's data is protected by enhanced security measures


7. Data Processing Activities

7.1 Data Collection
We collect the following data types:
• Account registration information (e.g. name, email, role, school)
• Student progress and assessment data
• Platform usage and interaction logs
• Technical and security logs

7.2 Data Sharing
We only share personal data with:
• Your school and authorised educational staff
• Trusted technical service providers under strict data processing agreements
• Legal authorities when required by law


8. Data Hosting and International Transfers
All personal data is securely hosted on servers located in Frankfurt, Germany, within the European Union.

Because Germany is covered by the EU GDPR and the UK has received an adequacy decision from the EU, this hosting arrangement ensures full compliance with both UK and EU data protection laws. We do not transfer personal data outside of the UK or EU unless appropriate safeguards (e.g. Standard Contractual Clauses) are in place.


9. Data Retention

Data Type | Retention Period
Student academic records | 6 years after the student leaves the school
Account information | Duration of school subscription + 1 year
Usage logs | Up to 12 months
Security logs | Up to 24 months

We retain data only as long as necessary to fulfil our contractual and legal obligations or support educational record-keeping.


10. Data Security Measures
We implement robust technical and organisational security measures, including:
• Encryption of data in transit and at rest
• Role-based access controls and audit logging
• Regular penetration testing and vulnerability assessments
• Staff training on data protection and information security
• An established incident response plan


11. Data Breach Procedures
In the event of a data breach involving personal data, we will:
• Contain and assess the incident within 72 hours
• Notify the Information Commissioner's Office (ICO) if legally required
• Inform affected schools and individuals where appropriate
• Take corrective measures to prevent recurrence


12. Exercising Your Rights
To exercise your rights under UK GDPR, please contact us using the details below:
• Email: privacy@codebash.co.uk
• Subject Line: "GDPR Rights Request"
• Response Time: Within 1 month (extensions may apply in complex cases)
• Verification: We may require identity verification before releasing data


13. Complaints and Supervisory Authority
If you are dissatisfied with our response, you have the right to lodge a complaint with:

Information Commissioner's Office (ICO)
• Website: ico.org.uk
• Helpline: 0303 123 1113
• Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF


14. Regular Reviews
We regularly review our data protection practices and documentation to ensure continued compliance with UK GDPR, education sector guidance, and evolving best practices.