This Privacy Policy explains how we collect, use, store, and protect personal data when learners, parents, guardians, teachers, schools, or subscribers use Exafy. Exafy is an online educational platform for English learning, exam preparation, practice questions, vocabulary, listening activities, mock tests, progress tracking, gamified learning, and AI-assisted feedback.
Who we are
The data controller for personal data processed through the platform is Exafy Ltd, a company registered in England and Wales under company number 17177134, registered office 20 Wenlock Rd, London N1 7GU, UK.
For privacy queries, please contact info@exafy.ai with the subject line "Privacy". We aim to respond within one calendar month, in line with UK GDPR Article 12.
Personal data we collect
We may collect:
- Account details: name, email address, password (hashed), role, subscription status
- Learner details: age band, level, course, exam goal, practice history, scores, progress, badges, learning preferences
- Parent / guardian / teacher / school details: name, email, role, organisation, assigned learners
- Payment details: subscription plan, payment status, invoices, billing country, limited payment records. Full card details are handled by our payment provider
- Learning submissions: answers, essays, written responses, spoken responses, uploaded work, listening attempts, feedback history
- Technical data: IP address, device type, browser, operating system, login activity, error logs, security logs
- Support messages: emails, forms, complaints, customer-service conversations
Children and younger learners
Our service may be used by learners under 18. We apply privacy-by-design and age-appropriate protections aligned with the UK Information Commissioner's Office Age-Appropriate Design Code (the "Children's Code") and its 15 standards.
Where a learner is under 18, use of the platform should be authorised by a parent, guardian, school, or responsible adult. Where UK law requires parental consent — particularly for younger children — we will seek appropriate consent or rely on the school, parent, or guardian to provide the required authority. We have completed a Data Protection Impact Assessment (DPIA) for child data processing; a summary is available on request to info@exafy.ai.
We do not knowingly collect more child data than necessary. We do not sell children's personal data. We do not use children's data for behavioural advertising. Our full safeguarding approach is published in our Learner Safety Policy.
How we use personal data
We use personal data to:
- Create and manage accounts
- Provide subscriptions and platform access
- Deliver practice questions, exams, vocabulary, listening activities, and progress tracking
- Personalise learning recommendations
- Generate AI-assisted feedback where relevant
- Process payments and prevent fraud
- Provide support and respond to complaints
- Improve safety, quality, security, and reliability
- Send service notices, renewal information, and important account messages
- Comply with legal, tax, accounting, and regulatory obligations
Lawful bases for processing
We process personal data under UK GDPR using the following lawful bases:
- Contract — to provide the platform, subscriptions, learning tools, and customer support
- Legitimate interests — to improve the service, prevent misuse, secure accounts, and understand platform performance
- Consent — for non-essential cookies, marketing communications, and any processing where consent is legally required
- Legal obligation — for tax, accounting, consumer-law, security, and regulatory requirements (including safeguarding reports where required)
AI-assisted features
Some learning feedback, explanations, recommendations, or audio-related features may use AI systems. We use AI to support learning, not to make legally significant decisions about learners (see §7).
Learner submissions may be processed by AI service providers to generate feedback or learning support. We minimise the data sent to such providers where possible (for example, by stripping unnecessary metadata, and never sending payment details). The Terms §11 sets out the educational-only nature of AI feedback in contractual terms.
Automated decision-making
We do not make decisions producing legal or similarly significant effects on you using solely automated means, in line with UK GDPR Article 22. AI-generated practice scores, vocabulary placement, and recommendation feeds are educational supports and are not used to deny service, deny refunds, or restrict accounts without human review.
Sharing personal data — named processors
We share personal data with the following categories of recipient. We do not sell personal data.
| Category | Provider | Location / safeguard |
|---|---|---|
| Payments | Stripe Payments UK Ltd | UK |
| Hosting | Vercel Inc. | USA — UK Adequacy + SCCs |
| Database / auth | Supabase Inc. | USA — SCCs + UK IDTA |
| Object storage | Amazon Web Services Inc. (S3) | UK / EU regions where possible |
| | Resend, Inc. | USA — SCCs + UK IDTA |
| AI | Anthropic PBC, OpenAI, L.L.C. | USA — SCCs + UK IDTA |
| Auth (OAuth) | Google LLC | USA — UK Adequacy + SCCs |
Personal data may also be shared with schools, teachers, parents, or guardians linked to a learner account; with our professional advisers, insurers, and auditors; and with regulators or authorities where we are legally required to do so. We do not sell personal data.
International transfers
Some processors are based outside the UK. Where we transfer personal data internationally, we rely on UK Adequacy decisions where available (for example, EEA countries), and otherwise on UK GDPR Article 46 Standard Contractual Clauses (SCCs) plus the UK International Data Transfer Addendum (IDTA). We carry out a Transfer Risk Assessment for each third-country processor and apply additional measures including encryption in transit and at rest where supported.
Retention
We keep personal data only as long as needed for the purpose collected, plus periods required by law:
| Data | Retention period |
|---|---|
| Account data | While the account is active + 30 days after closure |
| Learning progress | While the account is active |
| Billing records | 6 years (HMRC / Companies Act) |
| Support tickets | 2 years |
| Security and audit logs | 12 months unless needed for investigation |
| Backups | 30-day rolling window |
Your rights (UK GDPR)
You have rights to:
- Access your personal data
- Have inaccurate data corrected
- Request deletion (subject to legal exceptions)
- Restrict processing
- Object to processing
- Request data portability
- Withdraw consent at any time (where consent is the lawful basis)
To exercise any of these rights, please email info@exafy.ai with the subject line "Privacy request". We aim to respond within one calendar month.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Helpline: 0303 123 1113
- Online: ico.org.uk
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Security
We use reasonable technical and organisational measures to protect personal data. These include encryption in transit (TLS 1.2+), encryption at rest where supported by the provider, role-based access controls, audit logs, the principle of least privilege, restricted staff access, and ongoing monitoring. Where we are required to do so by UK GDPR Article 33, we will notify the ICO of a personal data breach within 72 hours of becoming aware of it.
Marketing communications
We may send service emails (subscription, security, account changes) under the "soft opt-in" recognised by the Privacy and Electronic Communications Regulations (PECR). For marketing emails, we will obtain your explicit consent and provide a one-click unsubscribe link in every marketing message. You can also disable marketing in your account settings at any time.
Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notice where required. The current version, with an updated effective date, will always be available at /privacy.