Privacy Policy

Effective date: 01 June 2026
Last updated: 01 June 2026

1. Who We Are

This Privacy Policy explains how E.L.A.H.A (“we”, “us”, “our”) collects and uses personal data when you use our website and platform.

Data Controller (Platform Website & Direct Accounts):

If you are a school, local authority, or organisation using E.L.A.H.A, you may be the Data Controller for personal data you upload or manage on the platform, and we may act as your Data Processor. See section 4.

2. Scope

This policy applies to:

  • Visitors to elaha.uk and related pages
  • Users of the E.L.A.H.A platform (owners, principals, staff, parents/carers, students, and invited professionals)
  • Anyone who contacts us, opens support tickets, or interacts with our services

3. Key Definitions

  • Personal data: information that identifies a person (directly or indirectly).
  • Special category data: health data, SEN/SEND-related data, safeguarding/welfare notes, and other sensitive data protected under UK GDPR.
  • Controller / Processor: as defined in UK GDPR.

4. Controller / Processor Roles (Very Important)

Depending on how E.L.A.H.A is used:

A. Platform-operated accounts (direct relationship with us)
If you create an account directly with us (for example, a home education parent, or an invited professional not managed by a school), we may be the Data Controller for your account and platform usage.

B. School/Organisation-managed accounts
If a school or organisation uses E.L.A.H.A for its learners, that school/organisation is typically the Data Controller for learner records and related data. We act as a Data Processor and process data under the school/organisation’s instructions, subject to a Data Processing Agreement (DPA).

If you are a school/organisation and need our DPA, contact: privacy@elaha.uk.

5. Information We Collect

We collect information in these categories:

A. Account and identity data

  • Name, email, username, role (e.g., parent, student, staff, professional)
  • Account verification details (where used)
  • Relationship links (e.g., parent/guardian associations)

B. Child/learner data (as entered by parents, schools, or authorised professionals)

  • Personal profile (e.g., name, date of birth, year group)
  • Parent/guardian details
  • Education mode (school-enrolled, home educated, hybrid) and education journey history
  • Learning records, submissions, evidence uploads (photos/scans, documents)
  • Resources/lesson usage and completion status
  • Progress tracking and pathway planning

C. Special category data (only when provided/necessary)

  • SEN/SEND/SEN-L observations and support information
  • Health information (where entered)
  • Wellbeing notes
  • Safeguarding/welfare-related records (where used by a school/organisation)

D. Communications

  • Messages between users (e.g., parent–student, parent–school staff, parent–professional)
  • Support tickets and replies

E. Payments and financial data (where applicable)
If you purchase services or products (e.g., school marketplace items, subscriptions, invoices, wallet top-ups), we may collect:

  • Transaction references, payment status, and invoice metadata
    We do not store full card details. Payments are handled by third-party payment providers (see section 8).

F. Technical and usage data

  • IP address, device/browser details, logs, timestamps
  • Cookie identifiers and similar technologies (see Cookie Policy)

6. How We Use Personal Data

We use personal data to:

  • Provide and operate the platform (dashboards, resources, messaging, collaboration)
  • Create and manage accounts, roles, and permissions
  • Link parents/carers to children and manage invitations
  • Support learning, records, evidence capture, and reporting
  • Provide safeguarding, SEN/SEND support tooling where enabled
  • Process payments and provide receipts/invoices
  • Provide customer support and handle tickets
  • Monitor security, prevent abuse, and maintain service integrity
  • Improve the platform (analytics, diagnostics, performance)

7. Lawful Bases (UK GDPR)

We rely on one or more of the following lawful bases, depending on context:

  • Contract: to provide the platform and features you request
  • Legitimate interests: security, fraud prevention, improving services, platform administration
  • Legal obligation: compliance duties where applicable
  • Consent: where required (e.g., optional cookies; some communications; specific sharing/invites depending on deployment)
  • Vital interests / public task: may apply where a school/organisation processes safeguarding or welfare data under its own legal basis (typically as Controller)

8. Who We Share Data With

We share personal data only as needed:

A. Other platform users (role-based sharing)
Data may be visible to other users depending on permissions and relationships (e.g., linked parents, school staff, and invited professionals). Visibility is controlled by role, child linkage, education mode, and invitation scope.

B. Schools/organisations
If a learner is linked to a school, that school may access learner data according to role permissions and the school’s policies.

C. Service providers (sub-processors)
We may share data with vendors that help us provide the service, such as:

  • Hosting and infrastructure providers
  • Email delivery providers
  • Storage/CDN providers (for uploaded files)
  • Analytics providers (where enabled)
  • Payment providers (e.g., Stripe/Stripe Connect)
  • Security/monitoring tools

D. Legal and safety
We may disclose information if required by law or to protect users, prevent fraud, or respond to lawful requests.

9. International Transfers

Some service providers may process data outside the UK. Where international transfers occur, we use appropriate safeguards (such as UK Addendum/SCCs) where required.

10. Data Retention

We retain personal data only for as long as necessary:

  • While your account is active and for a reasonable period after closure
  • According to school/organisation retention requirements (where they are the Controller)
  • To meet legal, security, or dispute-resolution obligations

Schools/organisations may control retention schedules for their learner data.

11. Security

We use appropriate technical and organisational measures to protect data, including access controls and role-based permissions. No method of transmission or storage is 100% secure, but we work to protect your information.

12. Children’s Privacy

E.L.A.H.A supports children/young people. Accounts and access are controlled through roles and permissions. Where a child is under the UK digital consent age (13), schools/parents remain responsible for lawful onboarding and permissions consistent with their obligations. Schools and parents should ensure appropriate supervision and safeguarding practices.

13. Your Rights

Depending on the context, you may have rights including:

  • Access to your data
  • Correction of inaccurate data
  • Deletion (where applicable)
  • Restriction or objection
  • Data portability
  • Withdrawal of consent (where consent is the lawful basis)

If your data is controlled by a school/organisation, requests may need to be directed to that Controller first.

14. Complaints

If you have concerns, contact us at privacy@elaha.uk.
You may also complain to the UK Information Commissioner’s Office (ICO): https://ico.org.uk/

15. Changes to This Policy

We may update this policy. We will post the updated version with a new “Last updated” date.