GDPR
Effective date: July 12, 2026
Trace Learn is an 11+ learning platform used by parents, tutors, and children. Because children use the product, we hold ourselves to a higher standard than the legal minimum. This page summarises how we meet UK GDPR and where to go to exercise your rights.
1. Who is responsible for your data
Trace Learn is the data controller for personal data processed through tracelearn.app. For anything in this policy, contact [email protected].
2. Children's data comes first
Children never sign themselves up. A parent or tutor creates and controls every child account, and we deliberately collect the minimum a child account needs:
- A display name (this can be a first name or a nickname - it does not need to be a real name).
- A school year group, so practice is set at the right level.
- An avatar, username, and PIN for logging in - no child email address or phone number, ever.
- Learning activity: answers, scores, and progress, used only to adapt their learning.
We do not show children advertising, do not market to them, and do not use their data for anything except providing the learning service their parent or tutor set up. The responsible adult can rename or delete a child profile at any time.
3. What we process about adults
- Account data: name, email address, and password (stored hashed) for parents and tutors.
- Billing data: subscription status and payment records. Card details are handled by Stripe; we never see or store card numbers.
- Service records: emails we have sent you, support conversations, and technical logs kept for security.
4. Why we are allowed to process it (lawful bases)
- Contract: providing the service you signed up for - accounts, learning, progress reports, billing.
- Legitimate interests: keeping the service secure, preventing fraud and abuse, and fixing errors.
- Consent: optional marketing emails to adults. Every one includes a working unsubscribe, honoured immediately.
- Legal obligation: keeping financial records we are required to keep.
5. Who helps us run the service
We use a small number of service providers under data processing agreements: payment processing (Stripe), transactional email (Resend), hosting and security (Cloudflare), cloud infrastructure and database hosting (Google Cloud), and error monitoring. Where a provider processes data outside the UK or EEA, transfers are protected by standard contractual clauses or an adequacy decision. We do not sell personal data to anyone.
6. How long we keep data
Account and learning data is kept while the account is active. If you ask us to delete an account, we delete or anonymise its personal data, keeping only what we are legally required to retain (such as billing records) for the required period.
7. Your rights
Under UK GDPR you can ask us to:
- Give you a copy of the personal data we hold about you or your child (access and portability).
- Correct inaccurate data (rectification).
- Delete data (erasure) - including a full account and all child profiles.
- Restrict or object to processing, and withdraw consent for marketing at any time.
Email [email protected] and we will respond within one month. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.
8. Related policies
See our Privacy Policy, Cookie Policy, and Safeguarding page.