Last updated: [DD Month 2026] · Version 1.0
Privacy Policy
This Privacy Policy explains how [LEGAL ENTITY NAME] (“Cour.pro UK”, “we”, “us”) collects, uses, shares and protects personal data when you and your child use our website and learning platform (the “Service”).
We take the privacy of children especially seriously. This policy should be read together with our Children’s Privacy Notice (written for children and parents), our Cookie Policy and our Terms of Service.
Contents
- Who we are (data controller)
- What personal data we collect
- Why we use it & our lawful bases
- Children & parental consent
- Who we share data with
- International data transfers
- How long we keep data
- How we protect data
- Your rights
- Cookies & analytics
- Automated decisions & profiling
- EU users & our EU representative
- Changes to this policy
- How to contact us & complain
1. Who we are (data controller)
The data controller responsible for your personal data is:
- Entity: [LEGAL ENTITY NAME]
- Registered in England & Wales, company no.: [COMPANY NO.]
- Registered address: [REGISTERED ADDRESS]
- ICO registration (data protection fee) reference: [ICO NUMBER]
- Data Protection Officer / privacy contact: [DPO EMAIL]
We are registered with the UK Information Commissioner’s Office (ICO) as a data controller and pay the data protection fee as required by the Data Protection (Charges and Information) Regulations 2018.
2. What personal data we collect
We collect different data depending on whether you are a parent/guardian, a child learner, a teacher, or a website visitor.
From parents / guardians (account holders)
- Name and email address
- Account login credentials (passwords are stored only as a salted hash — we never see them)
- Billing information (processed by our payment provider — we do not store full card numbers)
- Consent records (what you consented to, and when)
- Communications you send us (support requests, enquiries)
From children (learners)
- First name or a display name chosen by the parent (we do not require a child’s full real name)
- Year group / age range
- Learning activity: answers, scores, time spent, progress and the topics practised
We deliberately do not collect a child’s precise location, contact details, photographs, or any special category data, and we do not ask children to provide more information than is needed to deliver their learning.
From everyone (technical data)
- Essential technical data needed to keep the site secure and working (e.g. session identifiers, security and fraud-prevention logs)
- With your consent only: functional preferences and privacy-friendly, aggregated analytics
3. Why we use your data & our lawful bases
Under UK GDPR Article 6 (and EU GDPR where it applies), we rely on the following lawful bases:
| Purpose | Lawful basis |
|---|---|
| Creating and running parent and child accounts; delivering lessons and progress tracking | Performance of a contract (Art. 6(1)(b)) |
| Allowing a child under 13 to use the Service | Consent of the holder of parental responsibility (Art. 6(1)(a) & Art. 8) |
| Taking payment and preventing fraud | Contract; and legitimate interests (Art. 6(1)(f)) in protecting the Service |
| Keeping the Service secure and reliable | Legitimate interests (Art. 6(1)(f)) |
| Functional preferences & analytics cookies | Consent (Art. 6(1)(a) & PECR) |
| Sending service emails (e.g. billing, security) | Contract / legal obligation |
| Marketing emails to parents | Consent, which you can withdraw at any time |
| Meeting legal, tax and safeguarding obligations | Legal obligation (Art. 6(1)(c)) |
We apply data minimisation and purpose limitation (UK GDPR Article 5): we only collect what we need, use it only for the purposes above, and do not repurpose children’s data.
4. Children & parental consent
The Service is designed for children and we follow the ICO’s Age Appropriate Design Code (the “Children’s Code”). Key points:
- A parent or guardian sets up and controls every account. Children do not register themselves.
- Under-13s (UK): In the UK, the age at which a child can consent to information society services is 13. For children under 13, we require verifiable consent from a person with parental responsibility before the child uses the Service.
- EU users: The age of consent varies by country (13 to 16). Where you are in the EU, we apply your country’s age threshold (see section 12).
- High-privacy defaults: children’s settings are set to the most protective option by default; geolocation is off; profiles are not public.
- No nudge techniques: we do not use design tricks to push children to share more data or weaken their privacy.
- No advertising or profiling of children for marketing purposes.
- Parents can review, export, correct or delete their child’s data at any time from the account or by contacting us.
For a plain-English version, see our Children’s Privacy Notice.
5. Who we share data with
We do not sell personal data and we do not share children’s data for advertising. We use a small number of trusted service providers (“processors”) who act only on our instructions under a written data processing agreement:
- Secure cloud hosting and database providers
- Our payment provider (for billing only)
- Email delivery for essential service messages
- Privacy-friendly analytics (only if you consent)
- Professional advisers, and authorities where we are legally required (e.g. safeguarding or law enforcement)
A current list of categories of processors is available on request from [DPO EMAIL].
6. International data transfers
We aim to store and process UK and EU users’ personal data within the UK and/or European Economic Area. Where any transfer outside the UK/EEA is necessary, we put in place appropriate safeguards required by UK GDPR — such as an adequacy decision, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses — and we carry out a transfer risk assessment.
7. How long we keep data
| Data | Retention |
|---|---|
| Active account & learning data | For as long as the account is active |
| After account closure | Deleted or anonymised within [e.g. 30–90 days], unless we must keep it longer by law |
| Billing/tax records | Up to 6 years (UK tax law) |
| Consent records | For as long as needed to demonstrate compliance |
We apply the principle of storage limitation and review retention periods regularly.
8. How we protect data
In line with UK GDPR Article 32, our technical and organisational measures include: encryption in transit (HTTPS/TLS) and at rest; hashed passwords; role-based access controls and least-privilege access; logging and monitoring; regular backups; secure software development practices; staff confidentiality and training; and a documented personal data breach procedure. If a breach is likely to result in a risk to people’s rights and freedoms, we will notify the ICO within 72 hours and affected individuals without undue delay where required.
9. Your rights
Under UK GDPR (and EU GDPR where it applies) you have the right to: be informed; access your data; have inaccurate data corrected; have data erased; restrict processing; data portability; object to processing; and rights relating to automated decision-making. Where we rely on consent, you can withdraw it at any time.
To exercise any right, contact [DPO EMAIL]. We will respond within one month. There is normally no charge. We may need to verify your identity (and, for a child’s data, your parental responsibility) to protect the data.
10. Cookies & analytics
We use only essential cookies by default. Functional and analytics cookies are used only with your consent, which you give through our cookie banner and can change at any time via “Cookie settings” in the footer. See our Cookie Policy for the full list.
11. Automated decisions & profiling
Our learning engine adapts the difficulty of questions to a child’s answers to personalise practice. This is used solely to support learning and does not produce legal or similarly significant effects on anyone. We do not use automated profiling of children for marketing, and there is no solely-automated decision-making with legal effect under Article 22.
12. EU users & our EU representative
If you are in the European Economic Area, EU GDPR applies to your data. We respect the age of consent set by your country (between 13 and 16). Where required by Article 27 of the EU GDPR, our EU representative is: [EU REPRESENTATIVE NAME & ADDRESS]. EU users may also lodge a complaint with their local supervisory authority.
13. Changes to this policy
We may update this policy from time to time. If we make significant changes we will tell account holders and, where appropriate, ask for fresh consent. The “last updated” date at the top shows the current version.
14. How to contact us & complain
For any privacy question or to exercise your rights, contact our Data Protection Officer at [DPO EMAIL] or write to [REGISTERED ADDRESS].
If you are unhappy with how we have handled your data, you can complain to the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint or call 0303 123 1113. We’d appreciate the chance to put things right first.