LearnRex← Back
LEGAL

Privacy Policy

Last updated: May 2025

LearnRex is committed to protecting your personal data. This policy explains what we collect, how we use it, and your rights under UK GDPR and the Data Protection Act 2018.

1. Who Is the Data Controller?

LearnRex Ltd is the data controller responsible for your personal data. If you have questions about how we handle your data, contact our Data Protection Officer at dpo@learnrex.com.

2. What Data We Collect

We collect: (a) Account data — name, email address, and password (hashed) when you register; (b) Profile data — role, school or academy affiliation, language preferences; (c) Learning data — lesson content you upload (text, audio, YouTube URLs), quiz responses, homework submissions, and AI-generated feedback; (d) Usage data — pages visited, features used, session duration, and device/browser type; (e) Payment data — billing details processed securely by Stripe (we never store full card numbers); (f) SEND data (schools only) — IEP content, learning difficulty indicators, and intervention records, which are classified as Special Category data under UK GDPR.

3. How We Use Your Data

We use your data to: deliver and improve the Service; generate personalised learning content using AI; send progress reports and parent digests (where enabled by your school); process payments and manage subscriptions; detect and prevent fraud and abuse; comply with legal obligations; and communicate service updates and changes to these policies.

4. Legal Basis for Processing

We process your data on the following legal bases: Contract — to deliver the Service you have signed up for; Legitimate interests — to improve the platform and prevent abuse; Legal obligation — where required by law; Consent — for optional communications such as marketing emails (you can withdraw consent at any time). For Special Category SEND data, we rely on Substantial Public Interest (Schedule 1, DPA 2018) in the context of educational provision.

5. Children's Data

LearnRex school accounts may include data relating to children. School administrators and teachers are responsible for ensuring appropriate parental consents are in place in accordance with their school's data protection policies. We process children's data solely on behalf of the school (as data processor) under a Data Processing Agreement. Solo accounts are restricted to users aged 16 and over.

6. AI Processing and Third-Party Models

Lesson content, homework submissions, and quiz responses may be processed by third-party AI providers (including Anthropic and Deepgram) to generate educational content and transcriptions. We have Data Processing Agreements with these providers. Data sent to AI providers is used only for the purpose of generating your requested output and is not used to train third-party models.

7. Data Sharing

We do not sell your personal data. We share data only with: (a) service providers who process data on our behalf (Supabase for database hosting, Railway for infrastructure, Resend for email, Stripe for payments, Anthropic and Deepgram for AI features); (b) your school or institution, if you are accessing LearnRex through a school account; (c) law enforcement or regulators, where required by law. All third-party processors are bound by data processing agreements.

8. International Transfers

Some of our service providers operate outside the UK/EEA. Where data is transferred internationally, we ensure appropriate safeguards are in place — such as Standard Contractual Clauses approved by the UK ICO or adequacy decisions — to protect your data to UK GDPR standards.

9. Data Retention

We retain your personal data for as long as your account is active, plus a maximum of 3 years after closure to comply with legal and contractual obligations. SEND and IEP data held on behalf of schools is retained in line with the school's own data retention schedule, which we follow as data processor. You may request deletion at any time (see Your Rights below).

10. Your Rights Under UK GDPR

You have the right to: Access — request a copy of the data we hold about you; Rectification — correct inaccurate data; Erasure — request deletion of your data ("right to be forgotten"); Restriction — ask us to limit how we use your data; Portability — receive your data in a machine-readable format; Object — object to processing based on legitimate interests; Withdraw consent — at any time, for processing based on consent. To exercise any right, contact us at privacy@learnrex.com. We will respond within 30 days.

11. Cookies

We use strictly necessary cookies to maintain your session and keep you logged in. We do not use third-party advertising cookies. You can control cookies through your browser settings, though disabling session cookies will prevent you from logging in.

12. Security

We implement appropriate technical and organisational measures to protect your data, including encrypted storage, TLS in transit, role-based access controls, and regular security reviews. In the event of a data breach that poses a risk to your rights, we will notify the ICO within 72 hours and inform affected users without undue delay.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice in the Service. The date at the top of this page shows when this policy was last updated.

14. Complaints

If you believe we have handled your data improperly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

15. Contact

Data Protection Officer: dpo@learnrex.com
General privacy queries: privacy@learnrex.com

Terms of ServiceHomeContact