Learnaway
Security

We store the least we can, and protect what remains.

No keylogger. We record timing metadata only, never the characters a student types. The strongest data-protection measure is simply not holding the data in the first place, so Learnaway is built to minimise what it keeps. For everything we do store, here are the technical and organisational safeguards in place.

What we store

By default we keep only the final work and the analysis results. The writing process is scored on our server in memory and then discarded. Licensed schools can opt in to retain a content-free timing timeline (Process Replay), and even then we never store the characters a student types.

By default (every account)

We score the writing process on our server, in memory, then throw the process stream away. Only the result and the final work are kept.

Stored

  • The final submitted text, so the teacher can read the work
  • The analysis results: the risk signal plus the plain-English explanation tags and the numbers behind them
  • Minimal metadata: word count, submission time, device input type

Never stored

  • The characters a student types or pastes (we are not a keylogger)
  • Clipboard contents, screen, camera, microphone, or other tabs
  • The minute-by-minute timing timeline (used to score, then discarded)

Process Replay (premium, opt-in)

Licensed schools can opt in, per assignment, to retain the content-free timing timeline so a teacher can replay how a piece was written. Students are always told.

Stored

  • Everything from the default tier, plus…
  • The timing timeline: when keystrokes, pauses, pastes and tab-switches happened
  • Paste sizes (a number of characters) and their position in the timeline

Never stored

  • Still never the characters typed or pasted (the replay shows rhythm, not words)
  • No intermediate drafts of the text are reconstructed or saved

How we protect it

Encrypted in transit and at rest

All traffic uses TLS, and stored data is encrypted at rest (AES-256) by our managed Postgres provider. Nothing student-related travels or sits in the clear.

Row-Level Security on every table

Access is enforced in the database itself, not just the app. Postgres Row-Level Security policies cover every table, so a teacher can only ever read submissions for assignments they own.

Least-privilege access

Students submit through a write-only path and can never read work back. Teachers see only their own classes. The wide-access service role is used only for narrow, audited server tasks like billing sync.

EU data residency available

Licensed European institutions can have their data hosted in the EU, keeping student records within the appropriate jurisdiction.

Configurable retention and deletion

Licensed institutions set their own retention window and can request deletion of all student data at any time. Free-tier data is deleted on request.

Transparent sub-processors

We use a small set of vetted infrastructure sub-processors (hosting, database, transactional email) and list them on request. Learnaway never sells data or shares it for advertising.

Breach notification without undue delay

Under our Data Processing Agreement, we commit to notifying the institution of any personal-data breach without undue delay so they can meet their own obligations.

See exactly what we collect →Read our Data Processing Agreement →