Free school trials available now - Start your pilot

CanDoLearn logoCanDoLearn

Privacy Policy

Last updated: 8 March 2026

This Privacy Policy explains how CanDoLearn Ltd ("CanDoLearn", "we", "us", "our") collects, uses, shares, stores, and protects personal data when you visit `candolearn.co.uk`, contact us, or use CanDoLearn as a school, teacher, parent, carer, or learner.

1. Who we are

CanDoLearn Ltd is responsible for personal data described in this policy when we decide why and how it is used.

Controller contact: support@candolearn.co.uk

Website: https://candolearn.co.uk

2. When we act as controller and when we act as processor

School use

When a school, academy trust, or other education provider uses CanDoLearn for its learners, that organisation will usually be the controller for learner, staff, and school account data used to deliver the service. In that case, CanDoLearn acts as a processor and handles personal data on the school's documented instructions under a data processing agreement.

  • Schools remain responsible for their lawful basis, privacy notices, and most learner rights requests.
  • CanDoLearn may still act as a separate controller for sales, contracting, billing, security, and legal compliance data.

Family or direct use

When a parent or carer signs up directly for a family account or trial, CanDoLearn is the controller for the personal data needed to create and run that account. We expect family accounts for children to be created and managed by a parent or legal guardian.

3. Personal data we collect

Data you provide directly

  • Contact details such as name, email address, phone number, organisation, and job title.
  • Enquiry and booking information, including demo, pilot, and support form content.
  • Account details such as login credentials, role, school, class, and preferences.
  • Learner profile information such as age or year group, reading or maths age, attainment information, interests, confidence indicators, accessibility preferences, and intervention settings.
  • Content and responses entered in the platform, including reading, spelling, writing, and progress data.

Data provided by schools, parents, or other authorised adults

  • Learner identifiers selected by the customer, such as a first name, initials, internal ID, or class membership.
  • Referral or support information needed to personalise learning or monitor intervention impact.
  • Notes or support requests submitted by teachers, school staff, or parents.

Data generated through use of the service

  • Progress, completion, scores, confidence markers, recommendation outputs, and reporting data.
  • Technical and security data such as IP address, browser type, device data, timestamps, and logs.
  • Usage data such as page visits, session activity, and feature interactions.

Special category data

We do not ask for special category data unless it is relevant to accessibility, safeguarding, SEND support, or educational provision. If special category data is included in a school deployment, the school is responsible for identifying the appropriate Article 9 condition. For direct family use, where we rely on consent for special category data, that consent can be withdrawn at any time.

4. Where we get personal data from

  • directly from you;
  • from a school, academy trust, or education partner using CanDoLearn;
  • from a parent or legal guardian managing a learner account;
  • from activity within the platform; and
  • from service providers that support booking, hosting, email delivery, and security.

5. Why we use personal data and our lawful bases

When CanDoLearn acts as controller, we use personal data for the following purposes:

PurposeLawful basis
Respond to enquiries, book demos, manage pilots, and provide support.Legitimate interests, and contract steps where you ask us to provide services.
Create and manage direct family or purchaser accounts.Contract.
Deliver platform features, including personalisation, accessibility settings, reporting, and secure access.Contract, or legitimate interests where appropriate.
Protect the service, investigate misuse, maintain logs, and improve security.Legitimate interests and legal obligations where applicable.
Comply with accounting, tax, safeguarding, and other legal requirements.Legal obligation.
Send product updates or marketing messages.Consent where required, or legitimate interests for limited B2B communications where lawful.

Where consent is our lawful basis, you can withdraw it at any time. Withdrawal will not affect processing already carried out lawfully before withdrawal.

When CanDoLearn acts as a processor for a school, the school is responsible for the lawful basis for learner and staff data processed on its behalf.

6. Personalisation, profiling, and automated decision-making

CanDoLearn uses learner profile information, progress data, confidence indicators, interests, and accessibility preferences to personalise content, adapt challenge level, generate recommendations, and support teacher workflow.

This is a form of profiling for educational support purposes. We do not make solely automated decisions that have legal effects or similarly significant effects on a child, parent, or member of staff. Teachers, schools, parents, and carers remain responsible for educational decisions and intervention use.

7. If you do not provide data

Some information is required for us to respond to your enquiry, create and secure an account, provide personalised learning content, generate reports, and provide customer support. If required data is not provided, we may be unable to set up the service, deliver the requested feature, or support the account properly.

8. Who we share personal data with

We do not sell personal data.

We share personal data only where needed to run the service, meet legal obligations, or follow customer instructions. This may include schools, academy trusts, teachers, authorised school staff, parents or carers authorised to access a learner's account, professional advisers, regulators, and law enforcement where required by law.

Our current service providers may include:

  • Fly.io for hosting and infrastructure.
  • HubSpot for CRM and form submissions.
  • Resend for transactional email delivery.
  • GitHub for code hosting and change management.
  • Anthropic and Gemini for AI-assisted content generation and operational tooling.

See the Trust Centre supplier list for procurement reviews.

9. International transfers

Some of our service providers operate internationally. Where personal data is transferred outside the UK, we use an approved safeguard such as a UK adequacy regulation, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses.

10. How long we keep personal data

  • Website enquiries and demo requests: up to 24 months from the last meaningful contact.
  • Demo, pilot, and sales records: up to 24 months from the end of the pilot, trial, or sales conversation.
  • Direct customer account data: for the life of the account and up to 12 months after closure or inactivity, unless a longer period is required by law.
  • Product usage, learner progress, and reporting data: during the active service period and normally up to 12 months after the account ends, unless the customer instructs otherwise or law requires longer retention.
  • Support records: up to 24 months from closure.
  • Security logs and audit records: normally up to 12 months.
  • Backups: rolling retention, normally up to 90 days.
  • Financial and tax records: up to 6 years where legally required.

For school accounts, the customer may instruct different deletion or retention periods in the contract or data processing agreement.

11. Security

We use technical and organisational measures designed to protect personal data, including access controls, encryption in transit, encryption at rest where appropriate, change controls, and role-based permissions. No system can be completely secure, but we work to reduce risk and respond to incidents appropriately.

12. Children's data

  • We limit data collection to what is needed for the educational purpose.
  • We do not use children's data for advertising.
  • We apply role-based access controls and support parent, school, and teacher oversight.
  • We keep personalisation focused on educational support rather than behavioural advertising.

If you believe a child has provided personal data to us inappropriately, contact us at support@candolearn.co.uk.

13. Your data protection rights

Depending on the circumstances, you may have the right to:

  • access your personal data;
  • have inaccurate personal data corrected;
  • ask for personal data to be erased;
  • restrict how we use personal data;
  • object to processing based on legitimate interests;
  • receive personal data in a portable format where applicable; and
  • withdraw consent where consent is the lawful basis.

For school-managed learner data, please contact the school first because it will usually be the controller. We will assist our school customers with valid requests as required.

You also have the right to complain to the ICO: ico.org.uk/make-a-complaint

14. Cookies and similar technologies

Our Cookie Policy explains what cookies or similar technologies we use on the website and how to manage them.

15. Changes to this policy

We may update this Privacy Policy from time to time. We will post the latest version on this page and update the "Last updated" date.

16. Contact us

If you have questions about this Privacy Policy or about personal data handled by CanDoLearn, contact support@candolearn.co.uk.

See how this works with your pupils.

Book demo