Privacy Policy

Lotu Education Ltd is committed to protecting your privacy and the privacy of educational data processed through our platform. Please read this policy carefully to understand our practices.

Version 1.1 · Effective: May 2025 · UK GDPR & DPA 2018 Compliant

0. Privacy at a Glance

We know privacy policies can be long. Here is a plain-English summary of the most important things you should know about how Lotu Education handles data.

Topic | What you need to know
Who we are | Lotu Education Ltd, a UK-based EdTech company building AI tools for teachers.
What data we use | Teacher account information, school details, and educational documents uploaded by teachers or schools. We do not collect data directly from pupils.
Why we use it | To provide and improve the Lotu platform — including AI resource generation, auto-marking, and feedback tools.
Who we share it with | Trusted technology subprocessors (OpenAI, AWS, Stripe, and Gmail) only. We do not sell data. Ever.
AI and automation | Our AI tools assist teachers. All AI-generated outputs should be reviewed by a qualified teacher before use. AI does not make decisions about pupils.
Pupil data | Lotu is a teacher-facing platform. Schools and teachers are responsible for ensuring they have the appropriate lawful basis before uploading any pupil-related content.
Your rights | You can access, correct, delete, or export your data. Contact us at privacy@lotueducation.com.
How long we keep data | We retain data for as long as your account or contract is active, plus 30 days. Financial records are kept for 7 years as required by law.
Where data is stored | Primarily on AWS infrastructure in the UK/EEA. Where transfers outside these regions occur (e.g. OpenAI), appropriate safeguards are in place.
Complaints | You can contact the Information Commissioner's Office (ICO) at www.ico.org.uk if you have concerns about how we handle your data.

This summary is for convenience only. The full policy below governs our practices.

1. Introduction

Lotu Education Ltd (“Lotu”, “we”, “us”, “our”) is committed to protecting the privacy and security of personal data processed through our platform and website (together, the “Service”). We understand that the educational environment carries particular responsibilities when it comes to data, and we take those responsibilities seriously.

This Privacy Policy explains:

  • what personal data we collect and why;
  • the lawful bases on which we rely to process that data;
  • how we protect, share, and retain data;
  • the rights of individuals whose data we process; and
  • the responsibilities of schools and organisations that use our Service.

This policy applies to all users of the Lotu platform and website, including teachers, school administrators, Special Educational Needs Coordinators (SENCOs), multi-academy trust (MAT) staff, and visitors to our website.

This policy is governed by the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (DPA 2018). Where we refer to “data protection law”, we mean these instruments together.

We aim to be transparent, proportionate, and trustworthy in everything we do with data. If you have any questions after reading this policy, please contact us at the details in Section 18.

2. Who We Are

Lotu Education Ltd is a company registered in England and Wales.

  • Registered office: Level One, Basecamp Liverpool, 49 Jamaica Street, Liverpool, Merseyside, England, L1 0AH
  • Company number: 16837074
  • Website: www.lotueducation.com
  • Data Protection Lead / DPO: Chief Operating Officer — privacy@lotueducation.com

For the purposes of data protection law, Lotu Education Ltd is the data controller in respect of personal data provided directly by individual teachers, school administrators, and website visitors.

Where Lotu processes personal data on behalf of a school or organisation (for example, when a school uploads classroom documents containing references to pupils), Lotu acts as a data processor on that school's behalf, under a written Data Processing Agreement (DPA). Schools and organisations remain data controllers in respect of that data.

Note on the DPO role: Lotu's current Data Protection Lead is also the COO. As the organisation grows, Lotu will review whether a formally independent DPO is required under Article 37 UK GDPR and will appoint one if necessary.

3. What Data We Collect

We collect only the data we need to provide and improve our Service.

3.1 Teacher and Staff Account Data

When a teacher or staff member registers for or uses Lotu, we may collect:

  • Name and professional title
  • Work email address
  • School or organisation name and address
  • Job role (e.g., teacher, SENCO, department lead)
  • Username and encrypted password credentials
  • Account preferences and settings

3.2 School and Organisation Data

When a school or MAT subscribes to Lotu, we may collect:

  • School name, address, and unique reference number (URN), where provided
  • Details of nominated administrators or account managers
  • Billing and subscription information (processed via Stripe, our payment provider)
  • Data Processing Agreement records

3.3 Platform Usage and Content Data

In the course of using the Lotu platform, users may upload or generate:

  • Classroom documents, worksheets, presentations, and assessments (PDF, DOCX, PPTX, image formats)
  • Curriculum and lesson planning materials
  • Marking and feedback inputs
  • Teacher comments, observations, and annotations
  • AI-generated outputs (resources, presentations, feedback drafts)

These documents and materials are referred to in this policy as “Educational Content”. Educational Content may include indirect references to pupils (for example, a marked worksheet bearing a pupil's first name). Lotu processes Educational Content solely to provide the platform features requested by the teacher or school.

3.4 Technical and Device Data

We automatically collect certain technical data when you use our Service, including:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and features used (interaction logs)
  • Session duration and timestamps
  • Error and diagnostic logs

3.5 Communications Data

If you contact us by email, support ticket, or other means, we will retain a record of that correspondence.

3.6 Data We Do Not Collect

Lotu does not:

  • collect or store personal data directly from pupils;
  • collect sensitive personal data (special category data as defined in Article 9 UK GDPR) unless it is incidentally present in Educational Content uploaded by a teacher or school — in that case, we process it solely on the school's instruction as data processor;
  • knowingly collect data from individuals under the age of 18 via direct registration; or
  • sell, rent, or trade personal data to any third party.

4. How We Collect Data

We collect personal data in the following ways:

Directly from you, when you:

  • create or manage a Lotu account;
  • upload documents or content to the platform;
  • interact with platform features (e.g., AI generation, marking tools);
  • contact our support or sales team; or
  • complete forms on our website (e.g., demo requests, newsletter sign-up).

Automatically, when you use our website or platform, through server logs, Google Analytics, and cookies (see Section 15).

From your school or organisation, when an administrator adds you as a user, or when a school uploads materials on a teacher's behalf.

From third parties, in limited circumstances — for example, where a school or MAT onboards staff in bulk via an approved integration.

5. How We Use Data

We use personal data for the following purposes:

5.1 Providing and Delivering the Service

  • Creating and managing user accounts
  • Processing uploaded Educational Content using AI (OpenAI) and OCR tools to generate classroom resources, presentations, and marking feedback
  • Enabling collaboration and access controls between teachers and administrators within the same school or organisation
  • Communicating with you about your account, service updates, and support via Gmail

5.2 Service Improvement and Development

  • Analysing aggregated, anonymised usage patterns via Google Analytics to understand how the platform is used and how it can be improved
  • Diagnosing and resolving technical faults
  • Developing new features and platform capabilities

Note: Where we use data for service improvement purposes, we apply strict data minimisation and anonymisation. We do not use individual pupils' data or identifiable teacher-authored content to train general-purpose AI models without explicit agreement.

5.3 Safety, Security, and Legal Compliance

  • Monitoring for and preventing unauthorised access, fraud, or misuse of the platform
  • Complying with legal obligations including responding to lawful requests from authorities
  • Maintaining records as required by applicable law

5.4 Billing and Account Administration

  • Processing subscription payments and issuing invoices via Stripe
  • Managing account renewals, upgrades, and cancellations

5.5 Marketing and Communications

  • Sending service-related communications (always)
  • Sending marketing communications, product updates, and educational resources (only where you have given consent or where we have a legitimate interest — see Section 16)

6. Lawful Bases for Processing

Under UK GDPR, we must have a lawful basis for each processing activity. The table below summarises the bases we rely on.

Processing Activity | Lawful Basis
Account creation and management | Contract (Article 6(1)(b)) — necessary to perform the contract with you or your school
Providing platform features (AI generation, marking, uploads) | Contract (Article 6(1)(b))
Billing and payment processing via Stripe | Contract (Article 6(1)(b)) and Legal obligation (Article 6(1)(c))
Technical data and Google Analytics | Legitimate interests (Article 6(1)(f)) — improving and securing the Service, balanced against your interests and privacy rights
Service improvement and product development | Legitimate interests (Article 6(1)(f))
Marketing communications to existing users | Legitimate interests (Article 6(1)(f)) — subject to your right to opt out at any time
Marketing communications to new contacts | Consent (Article 6(1)(a))
Responding to legal obligations or requests | Legal obligation (Article 6(1)(c))

Where Lotu processes data as a data processor on behalf of a school or organisation, the school is the data controller and is responsible for its own lawful basis under UK GDPR. Lotu acts only on the documented instructions of the school.

Where special category data (such as information about a pupil's special educational needs, health conditions, or ethnicity) is incidentally present in Educational Content uploaded by a school, the school must have an appropriate condition under Article 9 UK GDPR — typically substantial public interest (Schedule 1, DPA 2018) in an educational context, or explicit consent where required.

7. Children's and Educational Data

7.1 Our Approach to Pupil Data

Lotu is a teacher-facing platform. Our tools are designed to assist teachers, SENCOs, and school administrators in their professional work. We do not offer accounts, interfaces, or services directly to pupils, and we do not knowingly collect personal data directly from children.

We recognise, however, that the Educational Content uploaded to our platform by teachers and schools may include information relating to pupils — for example:

  • marked assignments bearing a pupil's name or year group;
  • teacher notes referencing individual learners;
  • documents describing a pupil's progress, attainment, or learning needs.

Where such data is present, Lotu processes it only to provide the specific platform features requested by the teacher or school. We apply the same technical and organisational safeguards to pupil-related data as we do to all other data on the platform.

7.2 School and Teacher Responsibilities

Schools and teachers are responsible for ensuring that any Educational Content uploaded to Lotu is handled in accordance with their own data protection obligations, including:

  • obtaining appropriate permissions or parental/guardian consent where required;
  • ensuring that only data that is necessary and proportionate is uploaded;
  • not uploading data that falls outside the scope of their agreed use of the platform; and
  • complying with their obligations as data controllers under UK GDPR and the DPA 2018.

7.3 Special Educational Needs and Safeguarding Data

Lotu is aware that documents uploaded by SENCOs or pastoral staff may contain sensitive information relating to special educational needs, education, health and care (EHC) plans, or welfare concerns.

Lotu does not:

  • make any assessment, recommendation, or determination regarding a pupil's special educational needs, safeguarding status, welfare, or medical condition;
  • generate outputs that are intended to constitute clinical, therapeutic, medical, or safeguarding advice; or
  • flag or report safeguarding concerns to any authority.

All AI-generated outputs relating to pupils are assistive tools for teachers only and must be reviewed by a qualified professional before any action is taken. Safeguarding responsibilities remain entirely with the school and its designated safeguarding lead(s).

8. AI and Automated Processing

8.1 How AI Is Used in Lotu

Lotu uses artificial intelligence and large language model (LLM) technology — currently provided by OpenAI — to power features including:

  • AI generation of classroom worksheets and resources
  • AI generation of presentations and visual learning materials
  • AI-assisted auto-marking and written feedback drafting
  • OCR (optical character recognition) extraction of text and content from uploaded documents

A current list of AI and other subprocessors is available at: www.lotueducation.com/subprocessors

8.2 AI Outputs Are Assistive, Not Decisive

AI-generated outputs produced by Lotu — including resource suggestions, feedback drafts, marking annotations, and extracted content — are assistive tools only.

Lotu explicitly does not use automated processing to:

  • make legally or significantly consequential decisions about any individual pupil or teacher;
  • assess, grade, or formally evaluate pupil attainment without human review;
  • produce clinical, therapeutic, medical, or safeguarding assessments; or
  • operate as a diagnostic tool of any kind.

All AI-generated outputs should be reviewed and approved by a qualified teacher or educational professional before use. Lotu's AI tools are designed to save teachers time and reduce administrative burden — not to replace professional judgement.

8.3 Accuracy and Limitations

AI systems can produce outputs that are inaccurate, incomplete, biased, or contextually inappropriate. Lotu does not warrant that AI-generated outputs are accurate, complete, or fit for any particular purpose. Users are responsible for reviewing and verifying AI outputs before acting on them.

8.4 No Solely Automated Decision-Making With Legal Effects

Lotu does not make any decision about an individual that produces legal effects or significantly affects them through solely automated means (as defined in Article 22 UK GDPR), without human review.

8.5 AI Model Training

Lotu will not use identifiable personal data from user accounts, or pupil-related content uploaded by schools, to train general-purpose AI models or to improve third-party AI systems — including OpenAI models — without explicit agreement. We may use anonymised, aggregated platform data to improve the quality and performance of Lotu's own features.

9. Data Sharing and Third Parties

9.1 Our Commitment

We do not sell, rent, or trade personal data. We share data only where necessary and with parties who provide appropriate data protection guarantees.

9.2 Technology Subprocessors

Lotu uses the following categories of third-party service providers (subprocessors) to operate the platform:

Subprocessor | Purpose | Location
Amazon Web Services (AWS) | Cloud hosting and infrastructure | UK / EEA (primary); US (some services)
OpenAI | AI and LLM processing for resource generation and marking | United States
Google (Gmail) | Transactional and support email communications | United States / EEA
Stripe | Payment processing and subscription management | United States / EEA
Google Analytics | Website and platform usage analytics | United States / EEA
Amazon Cognito | User authentication and identity management | UK / EEA (primary)

All subprocessors are bound by contractual data protection obligations consistent with UK GDPR. Where subprocessors are located outside the UK/EEA, appropriate transfer mechanisms are in place (see Section 10). An up-to-date list of subprocessors is maintained at: www.lotueducation.com/subprocessors. We will provide reasonable advance notice of material changes.

9.3 Schools and Organisations

Where Lotu is deployed by a school or MAT, authorised administrators within that organisation may be able to access account and usage data associated with teachers at their school, subject to agreed role-based access controls. Lotu does not grant one school or organisation access to data belonging to another.

9.4 Legal and Regulatory Disclosure

We may disclose personal data if required to do so by applicable law or by order of a court or competent regulatory authority. Where legally permitted, we will notify affected users of such requests.

9.5 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business assets, personal data may be transferred to the acquiring entity, subject to equivalent data protection safeguards. We will notify users of any material change in data controllership.

10. International Transfers

Lotu's primary infrastructure is hosted on AWS within the United Kingdom and/or European Economic Area (EEA). However, certain subprocessors — including OpenAI, Google (Gmail and Analytics), and Stripe — process data in the United States.

Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with Chapter V of UK GDPR, including:

  • the UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses;
  • adequacy decisions by the UK Secretary of State where applicable; or
  • other approved transfer mechanisms as recognised under UK data protection law.

Details of the transfer safeguards applicable to each subprocessor are available on request at privacy@lotueducation.com.

11. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, and in accordance with our legal obligations.

Data Category | Retention Period
Teacher account data | Duration of the active account, plus 30 days following account closure
School / organisation account data | Duration of the active contract, plus 30 days following contract end
Educational Content (uploaded documents, AI outputs) | Duration of the active account or contract, deleted within 30 days of account closure or on written request
Billing and financial records | 7 years (as required by UK tax and financial reporting law)
Support emails and communications records | 6 months from the date of the communication
Technical logs and analytics data | 6 months on a rolling basis
Marketing consent records | Until consent is withdrawn, plus 6 months

Where a school exercises its right to erasure or terminates its contract, we will delete or irreversibly anonymise associated Educational Content within 30 days, subject to any applicable legal hold requirements.

12. Security Measures

Lotu applies technical and organisational security measures appropriate to the risks associated with processing personal data in an educational context. These include:

  • Encryption: All data in transit is encrypted using TLS. Data at rest is encrypted using AWS industry-standard encryption.
  • Access controls: Role-based access controls (RBAC) are in place to ensure users can only access data relevant to their role. Administrative access to production systems is restricted and logged.
  • Authentication: User authentication is managed via Amazon Cognito with secure password policies. Multi-factor authentication (MFA) is on our near-term development roadmap and will be communicated to users upon release.
  • Subprocessor vetting: All third-party subprocessors are assessed for their security posture before engagement and reviewed periodically.
  • Audit logging: Platform activity is logged to support security monitoring and auditability.
  • Incident response: We maintain an internal data breach and incident response procedure. In the event of a personal data breach, we will notify the ICO within 72 hours where required, and will notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.
  • Privacy by design: Security and privacy considerations are built into the development of new platform features from the outset.

We encourage users to report any suspected security incidents immediately to privacy@lotueducation.com.

13. User Rights Under UK GDPR

Individuals whose personal data we process as data controller have the following rights under UK GDPR. To exercise any of these rights, please contact privacy@lotueducation.com.

Right | What it means
Right of access | You may request a copy of the personal data we hold about you (a Subject Access Request).
Right to rectification | You may ask us to correct inaccurate or incomplete data about you.
Right to erasure | You may ask us to delete your personal data where there is no lawful reason for us to continue holding it.
Right to restriction | You may ask us to restrict how we use your data in certain circumstances.
Right to data portability | You may ask us to provide your personal data in a structured, commonly used, machine-readable format.
Right to object | You may object to processing based on legitimate interests or for direct marketing purposes.
Rights re: automated decision-making | You have the right not to be subject to solely automated decisions that produce legal or similarly significant effects.
Right to withdraw consent | Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

We will respond to valid requests within one calendar month. In complex cases, we may extend this by a further two months, in which case we will inform you within the first month. We do not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive.

Where Lotu processes personal data as a data processor on behalf of a school, individual rights requests relating to that data should be directed to the relevant school as data controller in the first instance. We will cooperate with schools in responding to such requests.

14. School and Organisation Responsibilities

This section is addressed specifically to schools, MATs, and other organisations that subscribe to Lotu as an institution.

14.1 Data Controller Status

Where a school or organisation uses Lotu to process Educational Content — including content that relates to, or is generated on the basis of, information about pupils — the school or organisation acts as the data controller for that content. Lotu acts as the data processor, processing such content only on the documented instructions of the school.

14.2 Data Processing Agreement

Lotu will enter into a Data Processing Agreement (DPA) with each subscribing school or organisation, as required by Article 28 UK GDPR. Schools should ensure that their DPA is signed and retained before uploading Educational Content to the platform. Please contact privacy@lotueducation.com to request the current standard DPA.

14.3 Lawful Basis for Pupil Data

Schools must ensure that they have an appropriate lawful basis under UK GDPR — and, where applicable, an appropriate condition under Article 9 for special category data — before uploading any content that contains or relates to pupil personal data.

In most cases in a school context, the relevant lawful basis will be public task (Article 6(1)(e)) or legitimate interests (Article 6(1)(f)), supported by the school's existing data protection documentation and privacy notices to parents and guardians. Lotu does not assess, validate, or verify the lawful basis held by each school. This responsibility rests entirely with the school as data controller.

14.4 Parental and Guardian Awareness

Where a school uploads content relating to pupils, the school should ensure that its existing privacy notices to parents and guardians are accurate and up to date, and that they adequately describe the school's use of third-party EdTech platforms. Lotu can provide a summary of our data processing activities for schools to incorporate into their own privacy notices on request.

14.5 Data Minimisation

Schools and teachers should apply data minimisation principles when using the platform:

  • avoid uploading more pupil data than is necessary for the task at hand;
  • redact or anonymise pupil identifiers where possible, especially for sensitive content;
  • do not upload content that is not relevant to the educational purpose for which the platform is being used.

14.6 Safeguarding and Pastoral Data

Schools that upload materials containing safeguarding-related, pastoral, or medically sensitive pupil information should ensure that access to such materials on the platform is appropriately restricted, and that relevant staff are made aware of their data protection obligations. Lotu does not have visibility of individual document sensitivity unless this is flagged by the school.

14.7 Staff Training and Awareness

Schools are responsible for ensuring that staff using Lotu understand their data protection responsibilities and use the platform in accordance with the school's own data protection policies and acceptable use guidelines.

15. Cookies and Analytics

Lotu uses cookies and similar tracking technologies on our website and platform.

Category | Tools Used | Purpose | Opt-out?
Strictly necessary | Amazon Cognito | Session authentication and security tokens | No — required for the Service
Performance / analytics | Google Analytics | Understanding how users navigate the platform to improve it | Yes — via cookie preferences
Functional | Platform preferences store | Remembering your settings and preferences | Yes — via cookie preferences

Full details of the cookies we use, their purposes, and how to manage or withdraw consent are set out in our Cookie Policy: www.lotueducation.com/cookies

We will seek your explicit consent before placing non-essential cookies, in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR.

16. Marketing Communications

16.1 If You Are an Existing User

We may send you information about Lotu product updates, new features, educational resources, and relevant industry news on the basis of our legitimate interests in keeping existing users informed.

You may opt out at any time by clicking the "unsubscribe" link in any marketing email or by contacting privacy@lotueducation.com. Opting out does not affect service-critical communications such as account security alerts or invoices.

16.2 If You Are a New Contact

Where you have not previously used our Service, we will only send you marketing communications where you have given your explicit consent.

16.3 No Marketing to Pupils

Lotu does not send marketing communications to pupils and does not use any pupil-related data for marketing purposes.

17. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the features of our platform, or applicable data protection law.

Where we make material changes, we will:

  • update the version number and effective date at the top of this page;
  • notify registered users by email or via an in-platform notification; and
  • where required by law, seek fresh consent.

Previous versions are available on request from privacy@lotueducation.com.

18. Contact Information

Lotu Education Ltd

Level One, Basecamp Liverpool, 49 Jamaica Street, Liverpool, Merseyside, L1 0AH

Privacy and Data Protection enquiries: privacy@lotueducation.com

Data Protection Lead: Chief Operating Officer
Email: privacy@lotueducation.com

School DPA requests: privacy@lotueducation.com — mark email "FAO: Data Protection"

19. Complaints and ICO Rights

We take data protection concerns seriously and encourage you to contact us first so that we can try to resolve any issue promptly.

If you are not satisfied with our response, or if you believe that we have processed your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

Information Commissioner's Office

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: www.ico.org.uk

Helpline: 0303 123 1113

You also have the right to seek a judicial remedy in the courts of England and Wales if you consider that your rights under UK GDPR have been infringed.

Lotu Education Ltd — Privacy Policy — Version 1.1 — Effective May 2025

Registered in England & Wales — Company No. 16837074