Privacy Policy

Last updated: 20 April 2026

1. Who We Are

Rocket Learning is operated by Rocket Software Ltd, a company registered in the Isle of Man (company number 136537C), with its registered office at 9 Auldyn Walk, Ramsey, Isle of Man, IM8 2TN.

We are the data controller for the personal data processed through the Rocket Learning platform (web application and iPad app). Our ICO registration number is R990140. We are also registered with the Isle of Man Information Commissioner where required.

We are not required to appoint a statutory Data Protection Officer under UK GDPR Article 37. Our Data Protection Contact is Leon, founder of Rocket Software Ltd. For any data protection matter, contact [email protected] and mark your message “Data Protection”.

2. Legal Basis for Processing

We process personal data in compliance with the Isle of Man Data Protection Act 2018, the UK General Data Protection Regulation (UK GDPR), and the EU GDPR where applicable.

Each processing purpose has a specific lawful basis:

Purpose | Lawful basis
Creating and managing your account, delivering lessons, tracking progress | Contract performance (Art 6(1)(b))
Processing subscription payments and billing | Contract performance (Art 6(1)(b))
Sending weekly progress reports (where enabled) | Contract performance (Art 6(1)(b))
Platform security, fraud prevention, abuse detection | Legitimate interests (Art 6(1)(f))
Aggregated analytics for service improvement (anonymised) | Legitimate interests (Art 6(1)(f))
AI tutoring | Consent (Art 6(1)(a)), revocable at any time
Marketing emails | Consent (Art 6(1)(a)), revocable at any time
Sharing data with third-party AI providers | Consent (Art 6(1)(a)), revocable at any time
Safeguarding monitoring and crisis response | Legal obligation / vital interests (Art 6(1)(c) and (d))
Tax and accounting records | Legal obligation (Art 6(1)(c))
Consent audit logs | Legal obligation (Art 6(1)(c))

For children's data, we additionally rely on Article 8 UK GDPR (parental consent for information society services where consent is the lawful basis, for children under 13).

3. What Data We Collect

Parent/Guardian accounts:

  • Username, email address, first name, last name
  • Password (stored as a one-way bcrypt hash; we cannot read your password)
  • Apple ID (if using Apple Sign-In)
  • Marketing and weekly report email preferences
  • IP address and user agent (for consent audit trail only)

Student accounts:

  • Username, first name, last name
  • Date of birth (optional, provided by parent)
  • Year group
  • Avatar component selections

Guest accounts:

  • Auto-generated or chosen username
  • Year group and selected subjects
  • Parent/guardian email address (required for under-13 users)
  • Parental consent timestamp (for under-13 users)

Usage data (all users):

  • Lesson completion records, scores, and accuracy
  • Interactive puzzle responses
  • Exam attempt results and marks
  • RocketFuel balance and transaction history
  • League tier, leaderboard position, and earned badges
  • Streak data and daily activity
  • Skill progress and mastery levels

Payment data:

We do not store credit or debit card details. Card payments are processed by Trust Payments (SecureTrading) and Apple (for iPad In-App Purchases). We store only subscription status, billing dates, and transaction reference IDs for our records.

AI tutor data (where AI features are enabled):

  • Student first name and year group (context for educational responses)
  • Messages sent to the AI tutor by the student
  • AI tutor responses, retained for continuity within a tutoring session and for safeguarding review

Safeguarding and moderation data:

  • Automated moderation flags raised on student messages (category and confidence score)
  • Records of any safeguarding events detected, including timestamp and action taken (e.g. parent notified, crisis resources displayed)
  • Parent acknowledgement of safeguarding notifications

Device and technical data:

  • Device type, operating system, app version
  • Crash and diagnostic data (no personal content, used only to fix technical issues)
  • iPad push notification tokens (if you have enabled notifications)

4. How We Use Your Data

  • To provide and operate the platform (lessons, exams, puzzles, progress tracking)
  • To manage your account, subscription, and billing
  • To personalise learning through adaptive lesson selection (see §7 for how we approach profiling for children)
  • To generate and send weekly progress reports to parents who have enabled them
  • To operate gamification features (leaderboards, leagues, RocketFuel rewards, badges)
  • To power the AI tutor, where parental consent has been granted
  • To screen student messages for content that may indicate harm, including safeguarding concerns, and to act on detected concerns (see §9)
  • To send marketing communications, where consent has been granted
  • To improve the platform through aggregated, anonymised usage analysis that cannot be traced back to individuals

5. Data Shared with Third Parties

We share the minimum data necessary with the following third-party services. All processors below act on our instructions under written data processing agreements. Apple and Trust Payments are independent controllers for their specific processing (payment authorisation and fraud checks).

Provider | Role | Purpose | Data Shared | Location
Anthropic (Claude) | Processor | AI tutoring | Student first name, lesson context, student messages | US (IDTA / DPF)
OpenAI | Processor | Content moderation | Message text for safety screening | US (IDTA / DPF)
Trust Payments | Controller | Web card payments | Card details (entered directly with provider) | UK
Apple | Controller | iPad subscriptions | Apple ID, transaction data | US / Ireland
DigitalOcean | Processor | Database and CDN hosting | All platform data | UK / EU
Mailchimp (Intuit) | Processor | Email delivery | Parent email, first name, subscription status | US (DPF)

Provider privacy policies: Anthropic · OpenAI · Trust Payments · Apple · DigitalOcean · Mailchimp

Our AI processors (Anthropic and OpenAI) do not train their models on data submitted through their APIs under their standard API terms. We do not opt in to any data-sharing-for-training programmes.

We do not sell personal data. We do not use personal data for advertising. We do not share data with advertising networks or data brokers.

6. Children's Privacy and the ICO Children's Code

Rocket Learning is designed for use by children aged 5 to 16 under parental supervision. We process children's data in compliance with UK GDPR, the Isle of Man Data Protection Act 2018, and the ICO Age Appropriate Design Code (“the Children's Code”). We do not rely on COPPA (a US framework); we mention it only to note that our standards meet or exceed COPPA requirements for any US visitors.

Our Children's Code commitments:

  • High privacy defaults. Child accounts are created with the highest privacy settings applied by default. Optional features that involve additional data sharing (AI tutor, marketing) are off until a parent actively turns them on.
  • Data minimisation. We collect only the data we need to deliver the service. Date of birth is optional and used only to align content to the correct year group.
  • Profiling off by default. We use skill-progress data to adapt lesson difficulty for the individual child. This is limited to the educational service itself and is not used to make decisions with legal or similarly significant effects. See §7.
  • No detrimental use of data. We do not use children's data in ways we have reason to believe would be detrimental to their wellbeing.
  • No nudge techniques that harm. Our gamification (RocketFuel, leaderboards, streaks) is designed to support engagement with learning. We review these features for excessive-engagement risks and do not use dark patterns.
  • No behavioural advertising. We do not serve advertising to children. We do not share children's data with advertising networks.
  • Age-appropriate transparency. We write our policies in plain English and provide an “In a Nutshell” summary at the top of this document.
  • Parental controls. Parents can view their child's activity, manage consent, and request deletion at any time from the parent dashboard.

Under-13 users: Guest accounts for children under 13 require a parent or guardian's email address and explicit consent before creation, in line with UK GDPR Article 8. Student accounts for under-13s are created and managed only via a parent account.

AI features: AI tutoring for any child requires separate parental consent, which can be granted or withdrawn at any time from the parent dashboard.

Concerns: If you have a concern about how we handle your child's data, please contact [email protected] marked “Children's Privacy”.

7. Profiling and Automated Decision-Making

To personalise learning, our platform adjusts the difficulty and selection of lessons, puzzles, and questions based on a student's skill progress. Under UK GDPR Article 4(4), this is a form of profiling.

It is not automated decision-making with legal or similarly significant effects under Article 22. It does not affect your statutory rights, your access to education more broadly, your grades from exam boards, or any outcome outside the platform itself.

The profiling we carry out is limited to:

  • Selecting the next lesson or question at an appropriate difficulty level
  • Recommending topics based on areas where the student is progressing or struggling
  • Generating the weekly progress report

For children, in line with the ICO Children's Code, we do not use profiling for:

  • Behavioural advertising
  • Building long-term behavioural profiles beyond the educational service
  • Any purpose outside the platform

Parents may object to profiling by contacting [email protected]. If profiling is turned off for a student, lesson selection will revert to a standard curriculum sequence rather than adaptive selection.

8. Consent Management

We operate a granular consent system. Parents can manage the following consents for their children:

  • Contract Performance (not based on consent): Certain processing of personal data is necessary for us to provide the platform to you — for example, login, subscription management, lesson delivery, and progress tracking. The lawful basis for this processing is contractual necessity under UK GDPR Article 6(1)(b), not consent. If you do not wish this processing to take place, you will need to close your account.
  • AI Tutor: For AI-assisted tutoring features. Optional; can be withdrawn at any time.
  • Marketing: For promotional emails to parents. Optional; can be withdrawn at any time.
  • Third-Party AI: For sharing data with AI providers. Optional; can be withdrawn at any time.

All consent actions (grants and withdrawals) are logged with a timestamp, IP address, and platform identifier for audit purposes.

9. Safeguarding Data

Our safeguarding systems screen student messages sent to the AI tutor and other interactive features for indicators of harm (including self-harm, grooming, and other concerns). This screening uses automated content moderation (currently OpenAI) and is a separate process from AI tutoring.

When a concern is detected:

  • The event is logged with a timestamp, category, and confidence score
  • Crisis support resources may be surfaced to the student
  • The parent account may be notified
  • In rare cases, we may take further action if we reasonably consider it necessary to protect a user

Lawful basis: We process safeguarding data on the basis of legal obligation and, where applicable, vital interests (UK GDPR Article 6(1)(c) and (d)). This processing cannot be disabled by withdrawing consent.

Who sees safeguarding data: Safeguarding records are accessible only to authorised personnel on a strict need-to-know basis.

External disclosure: We do not routinely share safeguarding data with any external party. In rare cases, we may disclose information to emergency services, safeguarding authorities, or law enforcement where we reasonably believe this is necessary to protect life or prevent serious harm, and where such disclosure is lawful.

Retention: Safeguarding records are retained for 7 years, as set out in §12.

10. Data Storage and Security

Your data is stored on servers operated by DigitalOcean, primarily in UK and EU data centres.

Our security measures include:

  • Encryption in transit using TLS/SSL for all connections
  • Encryption at rest for database storage
  • One-way bcrypt hashing for passwords — we cannot read your password
  • Role-based access controls limiting who can access production data
  • Multi-factor authentication required for administrative access
  • Regular dependency and platform updates
  • Periodic internal review of security configuration

The iPad app caches lesson content locally using Apple's standard on-device storage (SwiftData, Keychain, and UserDefaults). Cached data is removed when you delete the app.

Despite our measures, no online service can be guaranteed completely secure. If a personal data breach occurs that is likely to result in risk to your rights or freedoms, we will notify the Isle of Man Information Commissioner and/or the UK Information Commissioner's Office within 72 hours as required by law, and we will notify affected users without undue delay where the breach is likely to result in a high risk to their rights or freedoms.

11. International Data Transfers

Your data is primarily stored in the UK and EU. Some of our processors are based outside the UK/EU (principally in the United States). Where transfers to third countries occur, we rely on one or more of the following safeguards:

  • The UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses
  • The UK Extension to the EU-US Data Privacy Framework, where the processor is DPF-certified
  • The European Commission's Standard Contractual Clauses for EU-origin data

We carry out transfer risk assessments where required, and we rely on the data processing agreements in place with each provider. You can request details of the safeguards in place for any specific transfer by emailing [email protected].

12. Data Retention

We retain personal data only for as long as necessary for the purposes set out in this policy. Our retention schedule is:

Data category | Retention period
Account profile data (name, email, credentials) | While the account is active
Lesson progress, scores, attempt history, RocketFuel, avatar, badges | While the account is active
AI tutor conversation metadata (message lengths, lesson context; message text is not stored) | While the account is active
Moderation flags and safeguarding records | 7 years (legal obligation and vital interests)
Payment and subscription records | 7 years from end of tax year (HMRC / IoM tax law)
Consent audit logs (grants, withdrawals, IP, timestamp) | 7 years
Support correspondence | 3 years from last contact
Marketing preferences and unsubscribe records | Indefinitely, or until account deletion
Crash and diagnostic data | 90 days

Inactive accounts: We periodically review inactive accounts. If an account has had no activity for an extended period, we may contact the parent account holder to check whether they wish to keep the account open. We will not delete an account without giving the account holder reasonable notice and an opportunity to log in or respond. Parent email addresses may be retained for account recovery and essential service communications for as long as the account exists.

13. Account Deletion and Your Right to Erasure

You may request deletion of your account at any time by contacting us at [email protected] or using the in-app deletion feature.

When a parent account is deleted, all associated child profiles and their data are deleted in the same operation.

Deleted immediately on account closure:

  • Personal profile information (names, email, credentials)
  • Lesson progress, scores, and attempt history
  • RocketFuel balances, leaderboard entries, avatar customisations, badges
  • AI tutor conversation history
  • Marketing preferences
  • Active session and cache data

Retained for the periods set out in §12 (Data Retention):

  • Payment and subscription records (7 years, for tax and accounting compliance)
  • Consent audit logs (7 years)
  • Safeguarding records (7 years, where any safeguarding event was logged)

Retained records are minimised and access is restricted. They are permanently deleted at the end of the applicable retention period.

For users who signed in via Apple, we also revoke Apple Sign-In tokens on account deletion. If you have an active Apple subscription, you must cancel it separately via your Apple ID settings.

14. Your Rights

Under UK GDPR and Isle of Man data protection law, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Ask us to correct inaccurate or incomplete data.
  • Erasure: Request deletion of your personal data (see §13).
  • Restriction: Ask us to limit how we process your data in certain circumstances.
  • Portability: Request your data in a structured, machine-readable format.
  • Object: Object to processing based on legitimate interests.
  • Withdraw consent: Withdraw any consent previously given, at any time.
  • Complain: Lodge a complaint with a supervisory authority at any time (see §19).

To exercise any of these rights, contact us at [email protected]. We will respond to requests within one calendar month of receipt. For complex or numerous requests, we may extend this by up to two further months and will tell you within the first month if we need to do so. Most requests are free; we may charge a reasonable fee or refuse to act on a request that is manifestly unfounded or excessive, in line with UK GDPR Article 12(5).

15. Who Can Exercise Data Rights

Parents/guardians: A parent or guardian of a child under 16 may exercise any of the rights in §14 on behalf of the child.

Children under 13: Rights are exercised by the parent or guardian who holds the account.

Children aged 13 to 17: The child may exercise their own rights where they have the capacity to understand what is being asked. We will consider each request on its merits and may, where appropriate, consult with the parent or guardian. If there is disagreement between a child and parent about how rights are exercised, we will act consistently with UK GDPR and ICO guidance.

Verification: Before acting on any rights request, we will take reasonable steps to verify the identity of the person making the request and, where relevant, their authority to act on behalf of a child.

16. Cookies and Local Storage

The Rocket Learning web application uses only strictly necessary cookies. We do not use tracking cookies, advertising cookies, or third-party analytics cookies. Because all our cookies are strictly necessary, we do not require a cookie consent banner under the Privacy and Electronic Communications Regulations.

The cookies we use are:

Name | Purpose | Duration
auth_token | Authentication (access token) | 1 hour
refresh_token | Session continuity (token refresh) | 30 days
rl_user_id, rl_username, rl_usertype | Keeping you logged in across page loads | 30 days
active_learner_id, active_learner_name | Remembering which child profile is selected (parents only) | 30 days

We use browser local storage to persist session state and UI preferences. No personally identifiable information is stored in local storage beyond what is necessary for the application to function.

The iPad app does not use cookies. Session data is stored securely using iOS Keychain and UserDefaults.

You can clear cookies at any time through your browser settings. Clearing the session cookie will log you out but will not delete your account data.

17. Marketing Communications

If you have opted in to marketing communications, we may send you emails about new features, content updates, and promotional offers via Mailchimp. You can unsubscribe at any time using the link in any marketing email, or by updating your preferences in your account settings.

Weekly progress reports are sent to parents who have enabled them. These are a platform feature, not marketing, and are managed separately from marketing preferences.

18. Changes to This Policy

We may update this privacy policy from time to time. Material changes will be communicated via email or in-platform notification at least 30 days before they take effect, to give you time to review and, if you disagree, exercise your rights. Minor changes (such as typographical corrections) will take effect on posting. The “Last updated” date at the top of this page indicates the most recent revision.

19. Complaints

If you are unhappy with how we handle your data, please contact us first at [email protected].

You also have the right to lodge a complaint with a supervisory authority. For Isle of Man residents, this is the Isle of Man Information Commissioner (inforights.im). For UK residents, this is the Information Commissioner's Office (ico.org.uk).

20. Contact

For any questions about this privacy policy or your personal data:

  • Email: [email protected]
  • Post: Rocket Software Ltd, 9 Auldyn Walk, Ramsey, Isle of Man, IM8 2TN
  • Data Protection Contact: Leon, Founder
  • ICO Registration: R990140