Legal

Privacy Policy

Last updated: 26 February 2026 · Version 1.0

Contents

1Introduction 2Data Controller 3Data We Collect 4How We Use Data 5Children's Privacy 6Parental Consent 7Data Sharing 8Data Retention 9Data Security 10International Transfers 11Your Rights 12Cookies and Tracking 13Analytics 14Links to Other Websites 15Changes to This Policy 16Complaints 17Contact Us

Prac2XL is an adaptive practice platform designed for UK primary school children aged 5–11, currently covering Mathematics with additional subjects (including Verbal Reasoning, Vocabulary, and Spelling, Punctuation and Grammar) planned or in development. We are committed to protecting the privacy and safety of all our users, with particular care given to children's personal data. This Privacy Policy explains what data we collect, why we collect it, how we use it, and your rights regarding that data.

2Data Controller

Prac2XL is the data controller for the personal data processed through the Platform.

🔒

Privacyprivacy@prac2xl.com

✉️

Generalsupport@prac2xl.com

3Data We Collect

3.1. Parent Account Data

Data	Purpose	Lawful Basis
Full name	Account identification	Contract
Email address	Authentication (magic link), communication	Contract
Password (hashed)	Account security	Contract

3.2. Child Profile Data

Data	Purpose	Lawful Basis
First name	Personalisation, display within Platform	Consent (parental)
Last name	Account identification, parent dashboard	Consent (parental)
Date of birth	Age verification, age-appropriate content	Consent (parental)
School year group	Curriculum alignment, age-appropriate content	Consent (parental)
Country	Curriculum relevance	Consent (parental)
Username & password (hashed)	Child login access	Consent (parental)

3.3. Practice and Performance Data

Data	Purpose	Lawful Basis
Questions attempted & answers	Adaptive learning, progress tracking	Legitimate interest
Scores and accuracy rates	Performance analytics for parents	Legitimate interest
Time spent on sessions	Learning efficiency analysis	Legitimate interest
Mastery stage progression	Adaptive difficulty, curriculum coverage	Legitimate interest
Skill strengths & weaknesses	Smart Practice algorithm	Legitimate interest
PracPoints earned & spent	Motivational features	Legitimate interest

3.4. Technical Data

Data	Purpose	Lawful Basis
IP address	Security, fraud prevention	Legitimate interest
Browser type & version	Technical compatibility	Legitimate interest
Device type	Responsive design optimisation	Legitimate interest
Session timestamps	Usage analytics, security	Legitimate interest

3.5. Data We Do NOT Collect

✗School name

✗Photographs or images of children

✗Location data (GPS)

✗Social media profiles

✗Contact details of children

✗Biometric data

4How We Use Data

4.1. To Provide the Service

We use data to generate age-appropriate and ability-appropriate questions across all subjects offered, track progress and mastery across curriculum topics, adapt difficulty based on performance, provide hints and learning support, display performance analytics to parents, operate the PracPoints motivational system, and process error reports submitted through the Platform.

4.2. To Improve the Service

We use aggregated, anonymised data to improve question quality and variety, identify common areas where children struggle, enhance our adaptive algorithms, and monitor Platform performance and reliability.

4.3. To Communicate

We use parent email addresses to send authentication magic links, important service announcements, subscription and billing communications, and optional progress summaries (which parents can opt out of).

✉️

We will never send marketing emails to children.

4.4. To Ensure Safety and Security

We use data to prevent unauthorised access, detect and address abuse of the Platform, and comply with legal obligations.

5Children's Privacy — Our Commitment

We recognise the special importance of protecting children's personal data. In accordance with the ICO Children's Code, we apply the following principles:

💛

Best interests of the childEvery design decision prioritises the child's wellbeing and educational benefit over commercial interests.

🎨

Age-appropriate designChild-friendly interfaces, no complex privacy settings exposed to children, no features that encourage excessive use.

📦

Data minimisationWe collect only the minimum data necessary. We do not collect school names or any data beyond what is essential.

🚫

No profiling for commercial purposesWe do not build marketing profiles of children, sell children's data, use it for advertising, or allow third-party ads.

🛡️

No detrimental useChildren's data is used solely for educational purposes and never in ways that could cause harm or distress.

🔒

Default high privacyAll privacy settings default to the most protective option. No data sharing occurs unless explicitly enabled by a parent.

📖

TransparencyThis Policy is written to be understood by parents. Where appropriate, we provide child-friendly explanations.

⛔

No nudge techniquesWe do not use dark patterns or manipulative design to weaken privacy protections or encourage excessive use.

6Parental Consent

6.1. Because our users include children under 13, we require verified parental consent before processing any child's personal data.

6.2. Consent is obtained during the child profile creation process, where the parent must actively confirm that they are the child's parent or legal guardian, they have read and understood this Privacy Policy, and they consent to the processing of their child's data as described.

6.3. Parents can withdraw consent at any time by deleting their child's profile or contacting us at privacy@prac2xl.com. Withdrawal of consent will result in the deletion of the child's data.

6.4. The current consent version is recorded so that if material changes are made to this Policy, we can notify parents and, where necessary, obtain renewed consent.

7Data Sharing

7.1. Third-Party Service Providers

Provider	Purpose	Data Shared	Location
Vercel	Hosting & deployment	All Platform data (in transit)	Global CDN, primary EU
Neon	Database hosting	All stored data	EU
Stripe	Payment processing	Parent name, email, payment	EU/US (adequate safeguards)
SMTP2GO	Email delivery	Parent email addresses	NZ/EU (adequate safeguards)

7.2. We Will Never

✗Sell personal data to any third party

✗Share children's data with advertisers or marketing companies

✗Provide data to social media platforms

✗Share identifiable data with other users (including other parents)

7.3. Legal Disclosure

We may disclose data if required by law, by a court order, or by a regulatory authority, or if we believe in good faith that disclosure is necessary to protect the safety of a child.

8Data Retention

Data Type	Retention Period	Reason
Parent account data	Account duration + 30 days	Service operation, billing
Child profile data	Profile duration + 30 days	Service operation
Practice & performance data	Profile duration + 30 days	Progress tracking
Payment records	6 years after last transaction	UK tax obligations
Error reports	12 months after resolution	Quality improvement
Technical logs	90 days	Security & debugging

When data reaches the end of its retention period, it is securely deleted or irreversibly anonymised.

9Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

Encryption of data in transit (TLS/HTTPS)
Encryption of passwords using industry-standard hashing
Access controls restricting who can view personal data
Regular security reviews of our infrastructure
Secure hosting with reputable providers (Vercel, Neon)
Magic link authentication (avoiding password-based risks for parents)

No system is completely secure. If we become aware of a data breach that is likely to affect your rights, we will notify you and the ICO in accordance with our legal obligations.

10International Transfers

Our primary data processing occurs within the EEA and the UK. Where data is processed outside these regions, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the ICO, adequacy decisions by the UK Government, or binding corporate rules of the data processor.

11Your Rights

Under the UK GDPR, you have the following rights:

Right of accessRequest a copy of the personal data we hold about you and your child(ren).

Right to rectificationRequest correction of inaccurate or incomplete data. Most data can be updated through your account settings.

Right to erasureRequest deletion of your data or your child's data. We will comply unless we have a legal obligation to retain it.

Right to restrict processingRequest that we limit how we use your data in certain circumstances.

Right to data portabilityRequest your data in a structured, commonly used, machine-readable format.

Right to objectObject to processing based on legitimate interests. We will cease unless we have compelling grounds.

Right to withdraw consentWhere processing is based on consent (particularly children's data), you may withdraw at any time.

Automated decision-makingOur adaptive algorithms serve solely educational purposes and do not produce legal or similarly significant effects.

To exercise any of these rights, contact us at privacy@prac2xl.com. We will respond within one month.

12Cookies and Tracking

12.1. The Platform uses only essential cookies required for the Service to function, including authentication session cookies and security cookies (CSRF protection).

✗Tracking cookies

✗Advertising cookies

✗Third-party analytics cookies

✗Social media tracking pixels

12.3. Because we only use strictly necessary cookies, we do not require cookie consent under PECR.

13Analytics

13.1. We collect usage data (questions answered, time spent, features used) to improve the Platform. This data is analysed in aggregate and is not used to identify individual children outside the Platform.

13.2. We do not use Google Analytics, Facebook Pixel, or any third-party analytics tools that track users across the internet.

13.3. All analytics are first-party, processed on our own infrastructure, and used solely to improve the educational experience.

14Links to Other Websites

The Platform may contain links to external websites. We are not responsible for the privacy practices of other websites. We encourage parents to review the privacy policies of any external sites before sharing personal information.

15Changes to This Policy

15.1. We may update this Privacy Policy from time to time. Material changes will be communicated to parents via email and through the Platform.

15.2. Where changes affect the processing of children's data, we may require renewed parental consent.

15.3. The "Last updated" date at the top of this page indicates the most recent revision.

15.4. We recommend reviewing this Policy periodically to stay informed about how we protect your data.

16Complaints

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

🏛️Information Commissioner's Office

Website: ico.org.uk
Telephone: 0303 123 1113
Post: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to address your concerns before you contact the ICO. Please reach out to us first at privacy@prac2xl.com.

17Contact Us

🔒

Data Protectionprivacy@prac2xl.com

✉️

General Supportsupport@prac2xl.com

This Privacy Policy is provided as a template for Prac2XL. We strongly recommend having it reviewed by a qualified UK solicitor or data protection specialist before publication, particularly regarding compliance with the UK GDPR, the Data Protection Act 2018, the Children's Code (Age Appropriate Design Code), and PECR.