Last updated: 17 March 2026
This service is operated by an individual developer based in England and Wales, not by a limited company. Accounts are created by a parent or guardian on behalf of a child. By registering, the parent or guardian confirms they are aged 18 or over and accepts this Privacy Policy.
AceLearner is a free educational platform designed to help KS2 pupils in England prepare for SATs examinations. It is created and operated by an individual developer based in England and Wales (the “Operator”).
For the purposes of UK data protection law, the Operator is the Data Controller. To contact us about any privacy matter:
Email: privacy@acelearner.co.uk
We apply a principle of data minimisation: we collect only what is necessary to operate the service. No payment data is ever collected. The service is free of charge.
Parent or guardian account
Child account (created by the parent)
Technical data collected automatically
We do not collect location data beyond what is inherent in an IP address. We do not use advertising cookies, tracking pixels, or behavioural profiling technologies of any kind.
Account data is provided directly by the parent or guardian at registration. Passwords are passed securely over HTTPS and are hashed by Supabase Auth before being stored — we never see or store your password in readable form at any point.
Practice data is generated automatically as the child uses the platform. No data is collected from children directly — all account setup is performed by the parent.
The table below sets out the legal basis for each category of data we process.
| Data | Purpose | Legal Basis |
|---|---|---|
| Parent email and first name | Account creation, login, service communications | Contract (Article 6(1)(b)) |
| Parent password (hashed) | Authentication and account security | Contract (Article 6(1)(b)) |
| Child display name and year group | Personalising the practice experience | Contract (Article 6(1)(b)) |
| Practice session data | Tracking progress, displaying parent dashboard | Contract (Article 6(1)(b)) |
| Server logs (IP, browser) | Platform security and fault diagnosis | Legitimate interests (Article 6(1)(f)) |
| Email address (marketing) | Sending optional educational updates, if opted in | Consent (Article 6(1)(a)) |
Where we rely on legitimate interests, we have assessed that our interests (platform security, improving service quality) do not override the rights and freedoms of users, given the minimal nature of the data involved.
We do not carry out automated decision-making or profiling within the meaning of Article 22 UK GDPR.
We do not use personal data for advertising, commercial profiling, or any purpose not listed above.
AceLearner is designed for children aged 7 to 11. We operate in accordance with the ICO's Age Appropriate Design Code (Children's Code). Our approach:
We do not sell your data. We share data only with the following infrastructure providers, solely to the extent necessary to operate the platform. Each acts as a data processor on our behalf under a Data Processing Agreement.
| Provider | Role | Data Shared | Location |
|---|---|---|---|
| Supabase (Supabase Inc.) | Database, authentication, and password hashing | All account and session data, hashed passwords | EU – Ireland |
| Vercel (Vercel Inc.) | Website hosting and delivery | Server request logs | Global CDN (see Section 8) |
No other third party receives your personal data. We do not share data with analytics platforms, advertising networks, or data brokers.
Supabase stores your account and session data in the EU (Ireland). However, one aspect of our infrastructure involves processing outside the UK and EEA:
Vercel's content delivery network: Vercel operates a global CDN, meaning web requests may be routed through servers outside the UK and EEA, including the United States. Vercel relies on Standard Contractual Clauses (SCCs) as the lawful transfer mechanism.
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place in accordance with UK GDPR Article 46, including reliance on SCCs approved for use under the UK international transfer regime.
| Data Type | Retention Period |
|---|---|
| Parent account data (name, email, hashed password) | For the duration of the active account, then deleted within 30 days of account closure |
| Child account data (display name, year group) | For the duration of the active account, then deleted within 30 days of account closure |
| Practice session data | Up to 2 years from date of last login |
| Server logs | Up to 90 days, as retained by Vercel under their standard policy |
| Anonymised, aggregated data | Indefinitely (no personal data retained) |
You may request deletion of your account and all associated personal data at any time by contacting us at privacy@acelearner.co.uk. We will complete deletion within 30 days.
We have implemented the following technical safeguards:
No internet-based service can guarantee absolute security. We strongly advise using a unique password for your AceLearner account that you do not use for banking, email, or other important services. Password reuse across multiple services is a significant security risk that is entirely within your control.
We use only essential session cookies required to keep you logged in while you use the platform. We do not use advertising cookies, analytics cookies, or any third-party tracking technologies. No cookie consent banner is required because we do not use non-essential cookies. You may disable cookies in your browser settings, but doing so will prevent you from logging in.
As the parent or guardian who created the account, you have the following rights. To exercise any of them, email privacy@acelearner.co.uk. We will respond within 30 days.
| Right | What it means in practice |
|---|---|
| Access | Request a copy of all personal data we hold about you and your child |
| Rectification | Ask us to correct inaccurate or incomplete data |
| Erasure | Ask us to delete your account and all associated personal data |
| Restriction | Ask us to pause processing while a dispute or correction request is resolved |
| Portability | Receive your data in a machine-readable format (CSV or JSON) |
| Object | Object to processing based on legitimate interests |
| Withdraw consent | Withdraw consent for marketing emails at any time, without affecting any other processing |
| No automated decisions | We confirm that no automated decision-making under Article 22 is applied to any user on this platform |
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
We will update this policy when our data practices change or when required by law. Material changes will be communicated by email or by a prominent notice on the platform at least 14 days before they take effect. The “Last updated” date at the top of this document always reflects the current version.