Privacy policy

What we collect

For teachers: your name, academic email address, and the assignments you create.

For student submissions: the final text submitted, an optional student-entered identifier, and behavioural telemetry (event types, timestamps, timing deltas, and paste lengths). We never record the individual characters a student types, and we are not a keylogger.

What we store, and Process Replay

By default we store only the final submitted text and the analysis results (the risk signal and its explanation tags). The detailed timing of the writing process is scored on our server in memory and then discarded. It is not persisted.

Licensed institutions may opt in, per assignment, to Process Replay, which retains a content-free timeline of the writing process so a teacher can review how the work was written. This timeline contains timing and event metadata only (never the characters a student types or pastes) and students are told what is recorded before they begin.

Lawful basis and data minimisation

We process the minimum data needed to provide homework-integrity signals. We treat behavioural telemetry as personal data under UK GDPR / the Data Protection Act 2018 and minimise it by design.

Retention and deletion

Licensed institutions can configure retention periods and request deletion of all student data. Free-tier data is retained per our default retention policy and can be deleted on request.

How we keep data secure

We apply appropriate technical and organisational measures: encryption in transit (TLS) and at rest, Row-Level Security enforced in the database so a teacher can only access their own classes' submissions, least-privilege access controls, and optional EU data residency. The most important safeguard is collecting and retaining as little as possible.

Cookies

We use only essential cookies for authentication. Product analytics run in a privacy-preserving, consent-aware mode (PECR). We do not use third-party advertising cookies.

Cloudflare Turnstile

We use Cloudflare Turnstile, a privacy-preserving bot-detection service, to protect our sign-up and sign-in forms. Turnstile replaces traditional CAPTCHAs without displaying puzzles or collecting unnecessary personal data.

Scope: this section is supplemental to Cloudflare's main Privacy Policy (cloudflare.com/privacypolicy). It applies where Turnstile is used to verify that a visitor is human.

Information Cloudflare collects via Turnstile: your IP address, TLS fingerprint, User-Agent string, and the public Sitekey for this site. No information you enter into the form itself is shared with Cloudflare.

How Cloudflare uses this information: solely to determine whether the interaction is human (bot detection) and to improve the accuracy of the Turnstile service.

Legal basis (EU/UK residents): Cloudflare processes this data on the basis of legitimate interests in protecting this website from automated abuse. Users in the EU and UK may have rights under GDPR / UK GDPR to request access, correction, erasure, or restriction of Cloudflare's processing by contacting dpo@cloudflare.com.

Cookies: Turnstile uses a strictly necessary, session-scoped cookie solely to carry out bot detection. This cookie is not used for tracking or advertising.

Contact for Cloudflare privacy concerns: dpo@cloudflare.com.

Your rights

You have the right to access, correct, and delete your data. Contact hello@learnaway.ai.