
Privacy Policy

Last Updated: 24th February 2026

SOPHOS EDUCATION LTD (trading as “Studia”) | Company No. 14321333

10 St. Edmunds Square, London, England, SW13 8SA | studia.io

1. Introduction and Data Controller

This Privacy Policy explains how we collect, use, store, and protect personal information when you use the Studia platform.

Data Controller: SOPHOS EDUCATION LTD (trading as Studia)
Company Number: 14321333
Registered Office: 10 St. Edmunds Square, London, England, SW13 8SA
Website: studia.io
Privacy Contact: [email protected]
Child Safety: [email protected]
Data Protection Officer: Studia has not appointed a DPO at this time. We have designated a privacy contact ([email protected]) and keep the need for a formal DPO appointment under regular review as the organisation grows.

We are committed to protecting personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018 (“DPA 2018”), the Privacy and Electronic Communications Regulations 2003 (“PECR”), and the ICO Age Appropriate Design Code (“AADC”). Because our platform is designed for students aged 7–18, children's privacy and safety are at the centre of everything we do.

This Privacy Policy should be read alongside our Terms of Service, Children's Privacy Notice, and Cookie Notice.

2. Who This Policy Applies To

This Privacy Policy applies to:

  • Parents and Guardians — who create accounts for students under 13 (required) and who may link to accounts of students aged 13–17 for oversight
  • Students — who use Studia for educational content, Livestreams, and 1-to-1 Sessions
  • Tutors — who provide teaching content and tutoring services through the Platform
  • Website visitors — who visit studia.io (for information about cookies and analytics)

If you are under 18, we encourage you to read this policy with your parent or guardian. A simpler version is available in our Children's Privacy Notice.

3. Information We Collect

We collect only the personal data that is necessary to provide our services, maintain safety, and comply with our legal obligations. We collect information in three ways: directly from you, automatically when you use the Platform, and from third parties.

3.1 Information You Provide Directly

User Type | Data Collected | Purpose
Student | Name, date of birth, school year, subjects, exam boards, SEND needs (if voluntarily disclosed — see Section 4), session activity, chat messages, poll responses, quiz answers | Deliver educational services, personalise learning experience, safeguarding
Parent / Guardian | Name, email address, phone number, billing and payment details, account settings and preferences | Account management, payments, parental oversight, service communications
Tutor | Name, email address, phone number, postal address, profile information, qualifications, DBS verification status, bank and payment details, teaching materials | Identity verification, DBS checks, payments, platform listing, tutor-specific AI model training

We do not collect more personal data than is necessary to provide our services.

3.2 Information Collected Automatically

When you use the Platform, we automatically collect:

  • Session recordings: Video and audio from Livestreams and 1-to-1 Sessions (see Section 9 for full details)
  • Livestream participation data: Chat messages, poll responses, quiz answers, and AI Q&A interactions
  • Device and connection data: IP address, browser type, device type, operating system
  • Usage data: Lessons viewed, features used, session attendance, time spent on the Platform
  • Error and performance data: Technical logs to maintain Platform stability

3.3 Information from Third Parties

Source | Data Received | Purpose
U-Check | DBS verification status and certificate reference number (NOT full certificate copies) | Tutor safeguarding verification
Stripe | Payment processing confirmations and transaction data | Payment management
Clerk | Authentication and login data | Account security
Third-party sign-in providers (e.g. Google) | Name, email address, account ID — only where you choose to sign in using a third-party account. See Section 11. | Account creation and authentication

4. Special Category Data

Certain categories of personal data receive enhanced protection under UK GDPR Article 9 because of their sensitivity. These are known as “special category data.”

4.1 What Special Category Data We May Process

The only special category data we may process is health or medical information voluntarily disclosed by a Student or their Parent relating to Special Educational Needs and Disabilities (SEND) — for example, a diagnosis of dyslexia, ADHD, autism, or a physical or sensory impairment.

Disclosure of SEND information is:

  • Entirely voluntary — we will never require it as a condition of using the Platform
  • Used solely to help Tutors and the Platform support the Student's learning more effectively
  • Never shared with third parties for any commercial purpose
  • Never used for profiling, advertising, or any purpose other than educational support

4.2 Legal Basis for Processing Special Category Data

Where a Student or Parent voluntarily discloses SEND information, we process it under:

  • UK GDPR Article 9(2)(a): Explicit consent — the Student or Parent has clearly and actively chosen to share this information to improve their learning support.
  • UK GDPR Article 9(2)(g): Substantial public interest — specifically, our obligations under the Online Safety Act 2023 and safeguarding duties to ensure appropriate support for vulnerable children in an educational context.

Because this is Article 9 special category data, we apply enhanced security and access controls: only the relevant Tutor and, where a safeguarding concern arises, our Safety Team may access SEND information. It is not accessible to other staff, contractors, or third-party processors.

4.3 Your Right to Withdraw

You or your parent may at any time request that SEND information is removed from your profile by contacting us at [email protected]. Removing this information will not affect your ability to use the Platform.

5. How We Use Personal Data

We use your personal data for the purposes set out below. Each purpose is linked to a lawful basis under UK GDPR Article 6.

5.1 Processing Activities and Legal Bases

Processing Activity | Legal Basis | Details
Providing tutoring services, Livestreams, and 1-to-1 Sessions | Contract (Art. 6(1)(b)) | Core service delivery to fulfil our agreement with you
Managing Subscriptions, bookings, and scheduling | Contract (Art. 6(1)(b)) | Payment processing, session management
Account creation and authentication | Contract (Art. 6(1)(b)) | Via Clerk; necessary to provide the service
AI-assisted learning support during Livestreams | Contract (Art. 6(1)(b)) | Real-time AI Q&A, answer checking, and hints during Livestreams
Payment processing | Contract (Art. 6(1)(b)) | Via Stripe; necessary to collect fees and pay Tutors
Service communications | Contract (Art. 6(1)(b)) | Necessary for service delivery
Session recording — Livestreams | Legitimate Interest (Art. 6(1)(f)) | Educational replay for Subscribers; quality assurance
Session recording — 1-to-1 Sessions | Legal Obligation (Art. 6(1)(c)) + Legitimate Interest (Art. 6(1)(f)) | Safeguarding duty under the Online Safety Act 2023 and KCSIE 2024; safety monitoring
Content moderation | Legal Obligation (Art. 6(1)(c)) + Legitimate Interest (Art. 6(1)(f)) | Online Safety Act 2023 compliance; child protection duties
Maintaining child safety and preventing harm | Legal Obligation (Art. 6(1)(c)) + Legitimate Interest (Art. 6(1)(f)) | OSA 2023 duties; KCSIE 2024 obligations
DBS verification for Tutors | Legal Obligation (Art. 6(1)(c)) | Safeguarding duty; regulated activity with children
Training tutor-specific AI models from Tutor materials | Legitimate Interest (Art. 6(1)(f)) | Improving educational support for Subscribers of that Tutor. Tutors can request exclusion (see Section 8.3).
Analytics and platform improvement | Legitimate Interest (Art. 6(1)(f)) | Service improvement; data is aggregated and anonymised where possible
User research and feedback processing | Legitimate Interest (Art. 6(1)(f)) / Consent (Art. 6(1)(a)) | Understanding how to improve services. See Section 19 for details.
Safeguarding referrals to authorities | Legal Obligation (Art. 6(1)(c)) + Vital Interest (Art. 6(1)(d)) | Child protection reporting to Local Authority Designated Officers (LADO), police, or social services
Responding to legal requests | Legal Obligation (Art. 6(1)(c)) | Court orders, regulatory requirements
Marketing communications | Consent (Art. 6(1)(a)) | Only with explicit opt-in; you can withdraw consent at any time
Age verification and records | Legal Obligation (Art. 6(1)(c)) | Online Safety Act 2023 audit requirements

5.2 Legitimate Interests Balancing

Where we rely on legitimate interest as a legal basis, we have conducted a balancing assessment to ensure our interests do not override your rights and freedoms. In particular:

  • Session recording (Livestreams): The educational benefit of replay access and quality assurance outweighs the limited privacy impact, given that Livestreams are group events and students participate via text only.
  • Session recording (1-to-1 Sessions): The safeguarding imperative of protecting children in private video sessions outweighs the privacy impact. Recordings are accessible only to the Safety Team and are automatically deleted after 90 days.
  • Tutor-specific AI model training: The educational benefit of personalised AI support outweighs the limited impact on Tutors, who may opt out at any time.
  • Analytics: We use aggregated and, where possible, anonymised data. The benefit of improving the Platform outweighs the minimal privacy impact.
  • User research: Understanding how the Platform is used helps us improve it. We use only anonymised or aggregated data for research unless explicit consent has been obtained for more.

5.3 Whether Provision of Data Is a Requirement

Some personal data is necessary to create an account and use our services (for example, your name, email address, and date of birth). If you do not provide this data, we may not be able to provide the service. Where data is optional (for example, SEND needs or marketing preferences), we will make this clear at the point of collection.

6. Legal Bases for Processing Children's Data

Because Studia is designed for students aged 7–18, we apply additional protections to children's personal data.

6.1 Children Under 13

For children under 13, we require verified parental consent before any data processing, in accordance with UK GDPR Article 8 as implemented by the Data Protection Act 2018, section 9. A Parent must create the account and provide explicit consent.

6.2 Children Aged 13–17

Children aged 13–17 may create their own account and consent to data processing in accordance with the Data Protection Act 2018, section 9. We encourage parental involvement and offer a parental dashboard for oversight. Parents can link to their child's account at any time.

6.3 What We Never Do with Children's Data

We never:

  • Use children's data for behavioural advertising or targeted marketing
  • Use children's data for commercial profiling
  • Sell children's data to any third party
  • Use nudge techniques to encourage children to provide unnecessary data
  • Track children's geolocation
  • Share children's data with advertising networks, social media platforms, or marketing companies

These protections are in accordance with the ICO's Age Appropriate Design Code (AADC).

7. Age Appropriate Design Code (AADC) Compliance

We design our Platform with the best interests of children as a primary consideration, in line with the ICO's 15 standards of age-appropriate design:

# | Standard | How Studia Meets It
1 | Best interests of the child | Children's welfare is a primary consideration in all our data processing and design decisions.
2 | Data protection impact assessments | We conduct DPIAs for features and services likely to be accessed by children.
3 | Age-appropriate application | We apply different protections for different age groups (7–9, 10–12, 13–15, 16–17, 18+), with the most restrictive settings for younger users.
4 | Transparency | We provide privacy information in age-appropriate language (see our Children's Privacy Notice).
5 | Detrimental use of data | We do not use children's data in ways that could be detrimental to their physical or mental wellbeing.
6 | Policies and community standards | Our Community Guidelines are published, upheld, and enforced.
7 | Default settings | Privacy and safety settings are set to the highest level by default for child users.
8 | Data minimisation | We collect only the data necessary to provide our educational service.
9 | Data sharing | We do not share children's data unless there is a compelling reason to do so (see Section 12).
10 | Geolocation | We do not track children's geolocation. Studia does not use geolocation features.
11 | Parental controls | We provide age-appropriate parental controls via the parental dashboard (see Section 10).
12 | Profiling | We do not profile children for commercial purposes. Any personalisation is solely for educational benefit and is switched off by default.
13 | Nudge techniques | We do not use nudge techniques to encourage children to provide personal data or weaken their privacy settings.
14 | Connected toys and devices | Not applicable to Studia.
15 | Online tools | We provide prominent, accessible tools for children and parents to understand and exercise their data rights.

8. AI and Automated Decision-Making

We use AI systems on the Platform for safety and educational purposes. This section explains what AI does, what data it uses, and your rights in relation to automated decisions.

8.1 AI Systems We Use

1. Content Moderation AI — Our content moderation system analyses text chat messages and transcribed audio to detect safety risks, including grooming behaviour, bullying, inappropriate content, and self-harm indicators. For low-severity flags, automated actions may be taken such as message deletion or temporary chat restrictions. For medium- and high-severity flags, a member of our trained Safety Team always reviews the content before any significant action is taken.

2. Tutor-Trained AI Assistants — Each Tutor's AI Assistant is trained on that individual Tutor's teaching materials to provide real-time educational support during Livestreams, including answer checking, hints, and Q&A. Student questions and interactions during Livestreams are used to generate AI responses but are not used to train general AI models. These AI models are tutor-specific and do not combine data across different Tutors.

8.2 AI Training Practices

Data Type | Used for AI Training? | Details
Tutor teaching materials | Yes — tutor-specific models only | Used to train the individual Tutor's AI Assistant. NOT used for general-purpose AI models.
Livestream transcripts | Yes — tutor-specific models only | May be used to improve the quality of a specific Tutor's AI Assistant.
Student Livestream interactions | No — used for responses only | Used to generate real-time AI responses during Livestreams. NOT used to train any AI model.
1-to-1 Session recordings | No | Never used for AI model training.
Student session data and activity | No | Not used for AI training, behavioural profiling, or advertising.

8.3 Opt-Out of AI Training

You may request that your data is excluded from AI training at any time by contacting [email protected].

  • Tutors: You may request that your teaching materials and Livestream transcripts are not used for AI model training. This will not affect your ability to use the Platform, but it will mean that the AI Assistant for your profile may be less personalised.
  • Students and Parents: Student data is not used for AI training (see Section 8.2), so an opt-out is not typically necessary. If you have concerns about any use of your child's data in connection with AI during Livestreams, please contact us.

8.4 Automated Decision-Making (UK GDPR Article 22)

Content moderation may result in automated actions for low-severity violations (such as message deletion or temporary chat restrictions). These actions do not produce legal effects or similarly significant effects on individuals.

For any significant action (such as account suspension or termination), a human member of our Safety Team always reviews the decision before it is taken.

You have the right to: contest any automated decision that affects you; request human review of any automated moderation action; and express your point of view and receive an explanation of the decision. To exercise these rights, contact [email protected] or use the appeals process described in our Community Guidelines.

9. Session Recording and Safety Monitoring

All Livestreams and 1-to-1 Sessions on the Platform are automatically recorded. Recording is necessary for safeguarding, quality assurance, and regulatory compliance. You cannot opt out of recording, as it is required for child safety.

9.1 Recording Policy

Session Type | Who Can View? | Retention Period
Livestreams | Students and Parents with an active Subscription can stream replays via the Content Library | Retained indefinitely (we reserve the right to change this policy with reasonable notice)
1-to-1 Sessions | Not viewable by Students, Parents, or Tutors. Only our Safety Team may access these recordings for safeguarding, compliance, or investigation purposes. | 90 days from the session date, then permanently deleted (unless subject to a safeguarding or legal hold)

9.2 Recording Storage and Security

  • Recordings are stored on encrypted servers hosted by Google Cloud Platform in the UK/EU region.
  • Access to 1-to-1 recordings is strictly limited to authorised members of the Safety Team through role-based access controls.
  • Livestream replays are accessible only to Students and Parents with an active Subscription to the relevant Tutor.

9.3 AI Transcripts and Summaries

AI-generated text transcripts and lesson summaries are provided for Livestreams to support learning. These are accessible to Students and Parents with an active Subscription.

9.4 Disclosure to Authorities

Recordings may be disclosed to law enforcement, safeguarding authorities, or other relevant bodies where we are legally required to do so (for example, in response to a court order or where we believe a child may be at risk).

10. Children's Data and Parental Controls

10.1 Parental Dashboard

Parents and Guardians can link to their child's account to access a parental dashboard for oversight and control. For Students under 13, parental linking is mandatory. For Students aged 13–17, parental linking is encouraged. Through the dashboard, Parents can:

  • View session activity: See their child's session history, Tutor Subscriptions, and attendance.
  • Access content: View Livestream recordings and AI-generated transcripts and summaries (with an active Subscription).
  • Manage Subscriptions and spending: Control, pause, or cancel Subscriptions.
  • Set notification preferences: Choose how and when to receive updates about their child's activity.
  • Control cookie preferences: Manage cookie settings for their child's account (see Section 16).
  • Report concerns: Submit safeguarding concerns directly to our Safety Team.
  • Exercise data rights: Request a data export, correction, or deletion on behalf of their child (see Section 14).
  • Withdraw consent: Close their child's account at any time. Account closure takes effect after 30 days' notice.

10.2 Age-Appropriate Protections

We apply the following protections for children: privacy settings default to the highest level; no behavioural advertising or commercial profiling; no sale or sharing of children's data for marketing purposes; child-friendly reporting mechanisms within the Platform; content moderation and safety monitoring across all interactions; and parental oversight of all account activity.

11. Third-Party Authentication

Studia uses Clerk as our authentication provider, which supports sign-in via third-party services such as Google. This section explains what happens when you choose to sign in using a third-party account.

11.1 What Data We Receive

If you choose to create a Studia account or sign in using a third-party service (such as a Google account), we will receive the following information from that provider:

  • Your name (as registered with the third-party provider)
  • Your email address
  • A unique account identifier issued by the third-party provider

We do not receive your password for the third-party service, your payment details held by the third-party provider, your contacts, your social connections, or any other data from your account with the third-party provider beyond what is listed above.

11.2 How We Use This Data

Data received from a third-party sign-in provider is used only to create and authenticate your Studia account. It is handled in exactly the same way as data you would provide if you registered directly with an email address and password.

11.3 Third-Party Provider's Privacy Policy

When you use a third-party service to sign in, the third-party provider's own privacy policy also governs how they collect and use your data in connection with the authentication process. We encourage you to review the privacy policy of any third-party provider you use to sign in to Studia.

11.4 Children's Accounts

For Students under 13, Parents create and manage the account. If a Parent uses a third-party sign-in to create or access a child's account, the above applies to the Parent's account, not the child's. Students under 13 do not sign in independently and therefore do not use third-party authentication.

12. Data Sharing with Third Parties

We share personal data only with third-party service providers that are necessary to operate the Platform. We have data processing agreements in place with each provider.

We never:

  • Sell personal data
  • Share data for advertising purposes
  • Share children's data with social media platforms or advertising networks

12.1 Third-Party Data Processors

Provider | Purpose | Data Shared | Region | Transfer Safeguard
Stripe | Payment processing | Payment details, billing information, transaction data | UK/EU or US | Standard Contractual Clauses (SCCs)
Daily.co | Video streaming (Livestreams and 1-to-1 Sessions) | Video and audio streams, session metadata | UK/EU or US | Standard Contractual Clauses (SCCs)
Google Cloud Platform | Database, storage, and hosting | All platform data (encrypted at rest and in transit) | UK/EU (London) | UK Adequacy / Data Processing Agreement
Clerk | User authentication | Email address, name, login credentials | UK/EU or US | Standard Contractual Clauses (SCCs)
U-Check | DBS verification (Tutors only) | Tutor identity details, DBS application data | UK only | UK data processing — no international transfer
Checkstep | Content moderation | Chat messages, transcribed audio, flagged content | EU (primary) | UK Adequacy Regulations / SCCs
Deepgram | Speech-to-text transcription | Audio streams from Livestreams and 1-to-1 Sessions, generated transcripts | US (with SCCs) | Standard Contractual Clauses (SCCs)
Cal.com | Session scheduling and booking | Name, email address, booking times, session preferences | UK/EU or US | Standard Contractual Clauses (SCCs)
Mux | Video hosting and streaming analytics | Video content, playback data, streaming performance metrics | US (with SCCs) | Standard Contractual Clauses (SCCs)
PostHog | Product analytics | Usage events, device information, anonymised interaction data | EU (Frankfurt) | UK Adequacy Regulations / Data Processing Agreement
Vercel | Web hosting and delivery | Web traffic data, request logs | UK/EU or US | Standard Contractual Clauses (SCCs)

12.2 When We May Disclose Data

In addition to our data processors, we may disclose personal data:

  • To law enforcement or safeguarding authorities where required by law or where we believe a child may be at risk.
  • To courts or regulatory bodies in response to a valid legal request, court order, or regulatory requirement.
  • To a successor organisation if Studia (SOPHOS EDUCATION LTD) is involved in a merger, acquisition, or asset sale, provided the successor agrees to be bound by this Privacy Policy.

13. International Data Transfers

13.1 Where Your Data Is Stored

Our primary data storage is on Google Cloud Platform in the UK/EU region (London). The majority of your data remains within the UK and the European Economic Area.

13.2 Transfers Outside the UK

Some of our third-party service providers may process data in the United States or other countries outside the UK. Where personal data is transferred outside the UK, we ensure it is protected by one of the following safeguards, in accordance with UK GDPR Articles 44–49 and the Data Protection Act 2018:

  • Standard Contractual Clauses (SCCs): We have entered into UK-approved Standard Contractual Clauses with providers that process data outside the UK (including Stripe, Daily.co, Clerk, Mux, and Vercel).
  • UK Adequacy Regulations: Where the UK Government has determined that a country provides an adequate level of data protection, transfers may proceed under that adequacy decision.
  • Data Processing Agreements: All third-party providers are bound by data processing agreements that require them to protect personal data to at least the standard required by UK GDPR.

13.3 Countries Where Data May Be Processed

Country | Providers | Safeguard
United Kingdom | Google Cloud Platform (primary), U-Check | Domestic processing
EU/EEA | Google Cloud Platform (backup), Checkstep, PostHog (Frankfurt) | UK Adequacy Regulations
United States | Stripe, Daily.co, Clerk, Deepgram, Mux, Vercel (where applicable) | Standard Contractual Clauses

You may request further information about our international transfer safeguards by contacting [email protected].

14. Your Rights under UK GDPR

Under the UK GDPR, you have the following rights in relation to your personal data. Parents and Guardians may exercise these rights on behalf of their children.

14.1 Your Rights

Right | Description | Article
Access | Request a copy of the personal data we hold about you. | Art. 15
Rectification | Ask us to correct inaccurate or incomplete data. | Art. 16
Erasure | Request deletion of your data (“right to be forgotten”). Subject to our legal retention obligations (see Section 15). | Art. 17
Restriction | Ask us to restrict the processing of your data in certain circumstances. | Art. 18
Data Portability | Receive your data in a structured, commonly used, machine-readable format, and have it transferred to another controller where technically feasible. | Art. 20
Object | Object to processing based on legitimate interests. We will stop processing unless we demonstrate compelling legitimate grounds. | Art. 21
Withdraw Consent | Where processing is based on your consent (for example, marketing communications or optional cookies), you may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal. | Art. 7(3)
Automated Decisions | Not be subject to decisions based solely on automated processing that produce legal effects or similarly significant effects. You may contest such decisions and request human review. | Art. 22

14.2 How to Exercise Your Rights

Contact us at [email protected]. We will respond to your request within one calendar month. If your request is complex or we receive a large number of requests, we may extend this period by up to two additional months, in which case we will notify you within the first month. Exercising your rights is free of charge. We may need to verify your identity before processing your request.

14.3 Right to Erasure — Limitations

The right to erasure is not absolute. We may need to retain certain data where:

  • We are required to do so by law (for example, financial records for HMRC — see Section 15)
  • The data is needed for the establishment, exercise, or defence of legal claims
  • The data is subject to a safeguarding hold or ongoing investigation
  • Archiving purposes in the public interest or for compliance (for example, OSA audit records)

If we cannot fully comply with an erasure request, we will explain why and what data must be retained.

15. Data Retention Schedule

We retain personal data only for as long as is necessary for the purpose for which it was collected, or as required by law. Once the retention period expires, data is securely deleted or anonymised.

Data Type | Retention Period | Legal Basis for Retention
1-to-1 Session Recordings | 90 days from session, then permanently deleted | Safeguarding obligation (OSA 2023, KCSIE 2024). Extended if subject to a safeguarding or legal hold.
Livestream Recordings | Indefinitely (we reserve the right to change this with reasonable notice) | Educational service; Content Library feature for Subscribers
Account details (all users) | Until account closure + 30 days | Contract; to allow for account recovery and final data processing
Payment records | 7 years from transaction | Legal requirement (Limitation Act 1980; HMRC record-keeping)
DBS verification logs | Duration of Tutor's engagement + 6 months | Safeguarding obligation
Age verification records | 7 years | Online Safety Act 2023 audit requirement
Chat messages and transcripts (Livestream) | Duration of Subscription + 30 days | Safeguarding; service provision
Chat messages and transcripts (1-to-1) | 90 days | Safeguarding; consistent with session recording retention
Safeguarding incident records | 7 years from incident (or until the child turns 25, whichever is longer) | KCSIE 2024 requirements; potential legal proceedings
Content moderation logs | 3 years | Online Safety Act 2023 compliance; preservation of appeal rights
Marketing consent records | Duration of consent + 2 years | GDPR accountability obligations
SEND and special category data | Until removed by the user or account closure, whichever is sooner | Explicit consent (Art. 9(2)(a)); deleted promptly on request
User research data (anonymised) | Up to 5 years | Legitimate interest (statistical/educational research)
Cookie data | See Section 16.5 (Cookie Retention) | PECR compliance

16. Cookies and Similar Technologies

This section explains how we use cookies on studia.io and the Studia learning platform. It fulfils our obligations under the Privacy and Electronic Communications Regulations 2003 (PECR), Regulation 6. For a full list of the specific cookies we use, please see our Cookie Notice.

16.1 What Are Cookies?

Cookies are small text files stored on your device when you visit a website or use an online service. We also use similar technologies, such as local storage and session storage, for login functionality and session participation.

16.2 Types of Cookies We Use

Strictly Necessary Cookies (Always On — No Consent Required): These cookies are essential for the Platform to function. They include authentication tokens, security cookies, platform operation cookies for Livestreams and 1-to-1 Sessions, and cookie consent records.

Preferences Cookies (Optional — Consent Required): These store personal settings to improve your experience: display settings, language preferences, and accessibility preferences.

Analytics and Performance Cookies (Optional — Consent Required): We use analytics to understand how lessons are used and to improve the Platform — including lesson engagement data, usage patterns, and platform performance. We do not track browsing behaviour outside Studia, social connections, emotional state, attention scoring, or any data used for advertising.

16.3 Cookies We Do Not Use

We never use:

  • Targeted advertising cookies
  • Third-party advertising network cookies
  • Cross-site tracking cookies
  • Behavioural profiling trackers
  • Cookies used to score, rank, or profile children

Studia is an education platform, not an advertising platform.

16.4 Consent

When you first visit Studia, we display a cookie banner asking whether you want to allow optional cookies. You may choose to accept or reject each category of non-essential cookie separately. Strictly necessary cookies are always enabled. Consent is informed, specific, and freely given — we do not use pre-ticked boxes. You may change your cookie settings at any time via Settings > Privacy & Cookies within the Platform. Parents can control cookie preferences for their child's account.

16.5 Cookie Retention

Cookie Type | Retention Period
Login / Security Cookies | End of browser session, or up to 30 days
Preferences Cookies | Until deleted or reset by the user
Analytics Cookies | 30–180 days (data is aggregated and anonymised)

17. Data Security

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it, in accordance with UK GDPR Article 32. Our security measures include:

  • Encryption: Data is encrypted both in transit (using TLS/SSL) and at rest.
  • Access controls: Role-based access permissions ensure that only authorised personnel can access personal data. Access to 1-to-1 session recordings is strictly limited to the Safety Team.
  • Infrastructure security: Our hosting providers (Google Cloud Platform and Vercel) maintain industry-standard security certifications and practices.
  • Regular assessments: We conduct regular security reviews and assessments of our systems and processes.
  • Incident response: We have breach detection, response, and notification procedures in place (see Section 20).
  • Staff training: All staff and contractors with access to personal data receive data protection and information security training.

While we use commercially reasonable measures to protect your data, no method of electronic transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to protecting your information to the highest practicable standard.

18. Support Team Account Access

In exceptional circumstances — for example, when you contact us about a technical problem that cannot be diagnosed without examining your account — a member of our support team may need to access your account.

18.1 What Access Involves

If a support team member accesses your account, they may be able to see:

  • Your account details and profile information
  • Your Subscription history and booking records
  • Usage data and session history relevant to the issue you have reported

Support team members cannot access 1-to-1 session recordings (which are restricted to the Safety Team only) or payment card details (which are held by Stripe and never stored by Studia).

18.2 Our Commitment

We will only access your account with a clear support purpose and will not browse, retain, or use account data for any purpose other than resolving the issue you have raised. Account access by support staff is logged and auditable.

If you have concerns about support team access to your account, you may contact us at [email protected].

18.3 Children's Accounts

For Students under 13, any support team account access will be handled in accordance with our children's data protections in Section 6. We will contact the Parent or Guardian if account access is required in connection with a child's account.

19. User Research and Feedback

19.1 How We Use Feedback

When you submit feedback, suggestions, ratings, or responses to surveys about the Platform or our services, we may use that information to:

  • Improve the Platform's features, usability, and educational effectiveness
  • Understand which aspects of the Platform are working well and which need improvement
  • Develop new features or adjust existing ones
  • Inform our internal reporting and business decisions

We process feedback under our legitimate interest in improving our services. You are never obliged to respond to surveys or submit feedback, and your use of the Platform is not conditioned on doing so.

19.2 User Research

We may occasionally invite users to participate in user research activities — for example, interviews, usability testing sessions, or surveys — to understand how the Platform is used and how it can be improved. Participation is entirely voluntary.

Where we conduct user research:

  • We will explain the purpose and scope before you participate
  • We will ask for your explicit consent before recording any research session
  • We will anonymise or aggregate research findings before using them internally
  • We will never identify individual users in any research output without their prior written consent

For children, any user research participation requires prior parental consent, and we will apply additional protections appropriate to the child's age.

19.3 Educational Research Partnerships

We may occasionally use anonymised, aggregated Platform data to contribute to or participate in educational research — for example, research into how young people learn online, the effectiveness of AI-assisted tutoring, or exam preparation outcomes.

Any such research:

  • Uses only anonymised or aggregated data that cannot be linked back to individual users
  • Is conducted in accordance with applicable research ethics standards
  • Never involves sharing identifiable personal data with research partners without explicit consent

If you do not wish for anonymised data about your use of the Platform to be included in research, you may opt out at any time by contacting [email protected].

19.4 Intellectual Property in Feedback

By submitting feedback or suggestions to us, you grant Studia a non-exclusive right to use that feedback to improve the Platform and our services. We will not compensate you for feedback, and by submitting it you confirm that you are free to share it with us. You retain no ownership rights in any improvements Studia develops based on feedback you provide.

20. Data Breach Notification

We have incident detection, response, and notification procedures in place in accordance with UK GDPR Articles 33 and 34 and the Data Protection Act 2018.

20.1 Notification to the ICO

If a personal data breach occurs that is likely to result in a risk to the rights and freedoms of individuals, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in such a risk.

20.2 Notification to Individuals

Where a personal data breach is likely to result in a high risk to your rights and freedoms, we will notify you directly, without undue delay. A “high risk” breach is one that could, for example:

  • Result in unauthorised access to your personal data
  • Expose sensitive information, including SEND data or session recordings
  • Enable identity theft, fraud, or financial loss
  • Put a child's safety at risk

For children's accounts specifically: if a breach affects the personal data of a child, we will notify the Parent or Guardian directly by email, without undue delay. We will explain what data was affected, what we are doing to address the breach, and what steps, if any, you should take.

Where a breach does not meet the threshold for individual notification (because the risk to individuals is not high), we will record it internally but are not required to notify you directly. In such cases, we may still choose to notify you as a matter of good practice.

20.3 What We Will Tell You

In any breach notification to individuals, we will include: a description of the nature of the breach; the categories and approximate number of individuals and records affected; the likely consequences of the breach; the measures we have taken or propose to take to address the breach; and a contact point for further information.

21. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements.

  • Material changes: We will notify you by email and/or by prominent notice on the Platform before the changes take effect.
  • Updated date: The “Last Updated” date at the top of this policy will be revised.
  • Regular review: We encourage you to review this Privacy Policy periodically.
  • Children's Privacy Notice: If we make changes that affect how we process children's data, we will also update the Children's Privacy Notice.

22. Contact and Complaints

22.1 Contact Us

Purpose | Contact
Privacy enquiries and data rights | [email protected]
Safeguarding concerns | [email protected]
General support | [email protected]
Legal matters | [email protected]
Postal address | Studia (SOPHOS EDUCATION LTD), 10 St. Edmunds Square, London, England, SW13 8SA
Company number | 14321333

22.2 Right to Complain to the ICO

If you are not satisfied with our response to a privacy concern, or you believe we are processing your personal data in a way that is not lawful, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: www.ico.org.uk
  • Telephone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to address your concerns before you contact the ICO, and we encourage you to contact us at [email protected] in the first instance.

This Privacy Policy should be read in conjunction with our Terms of Service, Children's Privacy Notice, Cookie Notice, Community Guidelines, and, for Tutors, the Tutor Terms of Service.
