Privacy Policy

1. Introduction

Welcome to Keystral. We are Keystral Ltd, a company registered in the United Kingdom. We are committed to protecting the privacy and security of your personal data, particularly when it comes to children's information.

This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our adaptive learning platform for 11+ exam preparation and GCSE revision. It applies to all users of our website, applications, and services (collectively, the "Platform").

We are the data controller responsible for your personal data. This means we determine how and why your data is processed. Our registered address is Keystral Ltd, United Kingdom.

This policy complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the ICO's Age Appropriate Design Code (Children's Code).

2. What Data We Collect

We collect and process the following categories of personal data:

Account Information

• Parent/guardian name and email address
• Password (stored securely using industry-standard hashing)
• Account creation date and last login information
• Subscription plan and payment information (processed by our payment provider)

Child User Information

• Child's first name (we do not require surnames)
• Year group or age range
• Learning goals and target exams (11+ or GCSE subjects)
• Profile preferences (avatar selection, display settings)

Learning Data

• Questions attempted, answers submitted, and assessment results
• Progress tracking data and skill mastery levels
• Time spent on learning activities
• Adaptive learning algorithm parameters (knowledge state estimates)
• Spaced repetition schedules and review history
• AI tutor interactions (conversations, hints requested, feedback received)

Usage and Technical Data

• IP address and approximate geographic location (country/region only)
• Device type, browser type, and operating system
• Pages visited, features used, and session duration
• Error logs and performance metrics

Communications

• Support tickets and correspondence with our team
• Email preferences and notification settings

3. How We Use Your Data

We process your personal data for the following purposes:

Personalised Learning

• Adapt question difficulty based on your child's knowledge level
• Generate personalised learning paths and revision schedules
• Provide targeted hints and feedback through our AI tutor
• Track progress and identify areas for improvement

Platform Operation

• Create and manage user accounts
• Authenticate users and maintain security
• Process subscription payments and manage billing
• Provide customer support and respond to enquiries
• Send essential service notifications (account updates, security alerts)

Platform Improvement

• Analyse aggregate usage patterns to improve features
• Test and refine our adaptive learning algorithms
• Monitor performance and fix technical issues
• Conduct educational research (using anonymised data only)

Legal Compliance

• Comply with legal obligations and regulatory requirements
• Enforce our Terms of Service and protect our rights
• Prevent fraud, abuse, and security incidents

Our legal bases for processing include: (a) performance of a contract with you, (b) compliance with legal obligations, (c) legitimate interests in operating and improving our Platform (balanced against your privacy rights, with enhanced protections for children's data), and (d) consent where required by law.

4. Children's Data

We recognise that children deserve special protection when using online services. We have implemented enhanced safeguards in accordance with the ICO's Age Appropriate Design Code:

Parental Consent and Control

• We require parent/guardian registration and consent before children can use the Platform
• Parents have full control over their child's account and can view, modify, or delete data at any time
• We communicate privacy information in clear, age-appropriate language

Minimal Data Collection

• We collect only the minimum data necessary to provide our educational services
• We do not require children's surnames, full dates of birth, or contact details
• Profile information is limited to learning-relevant data (year group, subjects)

Child Safety

• We do not use children's data for marketing or profiling purposes
• We do not share children's data with third parties for their own purposes
• We have disabled location tracking and geolocation services by default
• We do not employ techniques designed to encourage extended use beyond educational benefit
• Our AI tutor is designed with child safety guardrails and content filtering

High Privacy Standards

• Privacy settings are set to "high" by default for child users
• We conduct regular data protection impact assessments for features affecting children
• Our team receives regular training on children's data protection

5. Data Sharing

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

Service Providers

We work with carefully vetted third-party service providers who process data on our behalf:

• Cloud hosting providers: to store and serve Platform data securely
• Payment processors: to handle subscription payments (they receive only necessary payment information)
• AI service providers: to power our AI tutor features (we use providers with strong privacy commitments)
• Email service providers: to send essential account notifications
• Customer support tools: to manage and respond to support requests

All service providers are bound by data processing agreements and are required to protect your data in accordance with UK GDPR standards.

Legal Obligations

We may disclose your data if required to:

• Comply with a legal obligation, court order, or regulatory request
• Protect the rights, property, or safety of Keystral, our users, or the public
• Detect, prevent, or address fraud, security, or technical issues

Business Transfers

In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor organisation. We will notify you and ensure continued protection of your data.

No Third-Party Marketing

We never share your data with third parties for their own marketing purposes. We do not display third-party advertising on our Platform.

6. Data Security

We take the security of your data seriously and implement robust technical and organisational measures:

Encryption

• Data in transit: All data transmitted between your device and our servers is encrypted using TLS 1.3 (Transport Layer Security)
• Data at rest: All personal data stored in our databases is encrypted using AES-256 encryption
• Password security: Passwords are hashed using bcrypt with strong work factors and never stored in plain text

Infrastructure Security

• Our data is hosted in secure, UK-based data centres with ISO 27001 certification
• We employ firewalls, intrusion detection, and regular security monitoring
• Access to personal data is restricted to authorised personnel on a need-to-know basis
• We conduct regular security audits and penetration testing

Organisational Measures

• All staff undergo data protection and security training
• We maintain an incident response plan for potential data breaches
• We conduct regular backups with encrypted, geographically distributed storage
• We maintain detailed audit logs of data access and modifications

While we implement industry-leading security measures, no system is completely secure. We encourage you to use strong, unique passwords and keep your account credentials confidential.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this policy:

Active Accounts

• We retain account and learning data while your subscription is active to provide continuous service
• Learning progress data is retained to ensure your child can resume their studies seamlessly

Inactive Accounts

• If you cancel your subscription, we retain your data for 90 days to allow for reactivation
• After 90 days, we automatically delete all personal data unless you request earlier deletion
• Anonymised, aggregated learning data may be retained for research purposes

Legal Retention

• We may retain certain data longer if required by law (e.g., financial records for tax purposes)
• Data related to legal disputes or investigations is retained until resolution

Deletion Requests

You can request immediate deletion of your data at any time by contacting us. We will delete your data within 30 days of your request, except where we have a legal obligation to retain it.

8. Your Rights

Under UK GDPR, you have the following rights regarding your personal data:

Right of Access

You can request a copy of all personal data we hold about you and your child. We will provide this in a structured, commonly used format within 30 days.

Right to Rectification

You can update or correct inaccurate personal data through your account settings or by contacting us.

Right to Erasure ("Right to be Forgotten")

You can request that we delete your personal data. We will comply unless we have a legal obligation to retain it.

Right to Data Portability

You can request a copy of your data in a machine-readable format to transfer to another service.

Right to Object

You can object to processing based on legitimate interests. We will cease processing unless we have compelling legitimate grounds.

Right to Restrict Processing

You can request that we temporarily restrict processing of your data in certain circumstances (e.g., while we verify accuracy).

Right to Withdraw Consent

Where we rely on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.

How to Exercise Your Rights

To exercise any of these rights, please contact our Data Protection Officer (see Contact Us section below). We will respond within 30 days. There is no fee unless your request is manifestly unfounded or excessive.

9. Cookies

We use cookies and similar technologies to operate our Platform. In accordance with the Children's Code, we have minimised our use of cookies:

Essential Cookies

We use only essential cookies necessary for the Platform to function:

• Authentication cookies: to keep you logged in and maintain session security
• Security cookies: to prevent cross-site request forgery (CSRF) and other attacks
• Preference cookies: to remember your settings (e.g., display preferences)

No Tracking Cookies

We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not track users across other websites.

Managing Cookies

You can control cookies through your browser settings. However, disabling essential cookies may prevent you from using the Platform.

10. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features.

Notification of Changes

• We will notify you of material changes via email to your registered address
• We will also display a prominent notice on the Platform before changes take effect
• The "Last updated" date at the top of this policy will always reflect the most recent version

Review and Consent

We encourage you to review this policy periodically. Continued use of the Platform after changes take effect constitutes acceptance of the updated policy. If you do not agree with changes, you may close your account.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Protection Officer

Email: privacy@keystral.com
Address: Keystral Ltd, United Kingdom

Response Time

We aim to respond to all privacy enquiries within 5 business days and to formal data subject requests within 30 days.

Right to Complain

If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the UK's supervisory authority:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk
Helpline: 0303 123 1113

We are committed to working with you and the ICO to resolve any privacy concerns fairly and promptly.