Lotu Education Ltd is committed to protecting your privacy and the privacy of educational data processed through our platform. Please read this policy carefully to understand our practices.
Version 1.1 · Effective: May 2025 · UK GDPR & DPA 2018 CompliantWe know privacy policies can be long. Here is a plain-English summary of the most important things you should know about how Lotu Education handles data.
| Topic | What you need to know |
|---|---|
| Who we are | Lotu Education Ltd, a UK-based EdTech company building AI tools for teachers. |
| What data we use | Teacher account information, school details, and educational documents uploaded by teachers or schools. We do not collect data directly from pupils. |
| Why we use it | To provide and improve the Lotu platform — including AI resource generation, auto-marking, and feedback tools. |
| Who we share it with | Trusted technology subprocessors (OpenAI, AWS, Stripe, and Gmail) only. We do not sell data. Ever. |
| AI and automation | Our AI tools assist teachers. All AI-generated outputs should be reviewed by a qualified teacher before use. AI does not make decisions about pupils. |
| Pupil data | Lotu is a teacher-facing platform. Schools and teachers are responsible for ensuring they have the appropriate lawful basis before uploading any pupil-related content. |
| Your rights | You can access, correct, delete, or export your data. Contact us at privacy@lotueducation.com. |
| How long we keep data | We retain data for as long as your account or contract is active, plus 30 days. Financial records are kept for 7 years as required by law. |
| Where data is stored | Primarily on AWS infrastructure in the UK/EEA. Where transfers outside these regions occur (e.g. OpenAI), appropriate safeguards are in place. |
| Complaints | You can contact the Information Commissioner's Office (ICO) at www.ico.org.uk if you have concerns about how we handle your data. |
This summary is for convenience only. The full policy below governs our practices.
Lotu Education Ltd (“Lotu”, “we”, “us”, “our”) is committed to protecting the privacy and security of personal data processed through our platform and website (together, the “Service”). We understand that the educational environment carries particular responsibilities when it comes to data, and we take those responsibilities seriously.
This Privacy Policy explains:
This policy applies to all users of the Lotu platform and website, including teachers, school administrators, Special Educational Needs Coordinators (SENCOs), multi-academy trust (MAT) staff, and visitors to our website.
This policy is governed by the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (DPA 2018). Where we refer to “data protection law”, we mean these instruments together.
We aim to be transparent, proportionate, and trustworthy in everything we do with data. If you have any questions after reading this policy, please contact us at the details in Section 18.
Lotu Education Ltd is a company registered in England and Wales.
For the purposes of data protection law, Lotu Education Ltd is the data controller in respect of personal data provided directly by individual teachers, school administrators, and website visitors.
Where Lotu processes personal data on behalf of a school or organisation (for example, when a school uploads classroom documents containing references to pupils), Lotu acts as a data processor on that school's behalf, under a written Data Processing Agreement (DPA). Schools and organisations remain data controllers in respect of that data.
We collect only the data we need to provide and improve our Service.
When a teacher or staff member registers for or uses Lotu, we may collect:
When a school or MAT subscribes to Lotu, we may collect:
In the course of using the Lotu platform, users may upload or generate:
These documents and materials are referred to in this policy as “Educational Content”. Educational Content may include indirect references to pupils (for example, a marked worksheet bearing a pupil's first name). Lotu processes Educational Content solely to provide the platform features requested by the teacher or school.
We automatically collect certain technical data when you use our Service, including:
If you contact us by email, support ticket, or other means, we will retain a record of that correspondence.
Lotu does not:
We collect personal data in the following ways:
Directly from you, when you:
Automatically, when you use our website or platform, through server logs, Google Analytics, and cookies (see Section 15).
From your school or organisation, when an administrator adds you as a user, or when a school uploads materials on a teacher's behalf.
From third parties, in limited circumstances — for example, where a school or MAT onboards staff in bulk via an approved integration.
We use personal data for the following purposes:
Under UK GDPR, we must have a lawful basis for each processing activity. The table below summarises the bases we rely on.
| Processing Activity | Lawful Basis |
|---|---|
| Account creation and management | Contract (Article 6(1)(b)) — necessary to perform the contract with you or your school |
| Providing platform features (AI generation, marking, uploads) | Contract (Article 6(1)(b)) |
| Billing and payment processing via Stripe | Contract (Article 6(1)(b)) and Legal obligation (Article 6(1)(c)) |
| Technical data and Google Analytics | Legitimate interests (Article 6(1)(f)) — improving and securing the Service, balanced against your interests and privacy rights |
| Service improvement and product development | Legitimate interests (Article 6(1)(f)) |
| Marketing communications to existing users | Legitimate interests (Article 6(1)(f)) — subject to your right to opt out at any time |
| Marketing communications to new contacts | Consent (Article 6(1)(a)) |
| Responding to legal obligations or requests | Legal obligation (Article 6(1)(c)) |
Where Lotu processes data as a data processor on behalf of a school or organisation, the school is the data controller and is responsible for its own lawful basis under UK GDPR. Lotu acts only on the documented instructions of the school.
Where special category data (such as information about a pupil's special educational needs, health conditions, or ethnicity) is incidentally present in Educational Content uploaded by a school, the school must have an appropriate condition under Article 9 UK GDPR — typically substantial public interest (Schedule 1, DPA 2018) in an educational context, or explicit consent where required.
Lotu is a teacher-facing platform. Our tools are designed to assist teachers, SENCOs, and school administrators in their professional work. We do not offer accounts, interfaces, or services directly to pupils, and we do not knowingly collect personal data directly from children.
We recognise, however, that the Educational Content uploaded to our platform by teachers and schools may include information relating to pupils — for example:
Where such data is present, Lotu processes it only to provide the specific platform features requested by the teacher or school. We apply the same technical and organisational safeguards to pupil-related data as we do to all other data on the platform.
Schools and teachers are responsible for ensuring that any Educational Content uploaded to Lotu is handled in accordance with their own data protection obligations, including:
Lotu is aware that documents uploaded by SENCOs or pastoral staff may contain sensitive information relating to special educational needs, education, health and care (EHC) plans, or welfare concerns.
Lotu does not:
Lotu uses artificial intelligence and large language model (LLM) technology — currently provided by OpenAI — to power features including:
A current list of AI and other subprocessors is available at: www.lotueducation.com/subprocessors
AI-generated outputs produced by Lotu — including resource suggestions, feedback drafts, marking annotations, and extracted content — are assistive tools only.
Lotu explicitly does not use automated processing to:
AI systems can produce outputs that are inaccurate, incomplete, biased, or contextually inappropriate. Lotu does not warrant that AI-generated outputs are accurate, complete, or fit for any particular purpose. Users are responsible for reviewing and verifying AI outputs before acting on them.
Lotu does not make any decision about an individual that produces legal effects or significantly affects them through solely automated means (as defined in Article 22 UK GDPR), without human review.
Lotu will not use identifiable personal data from user accounts, or pupil-related content uploaded by schools, to train general-purpose AI models or to improve third-party AI systems — including OpenAI models — without explicit agreement. We may use anonymised, aggregated platform data to improve the quality and performance of Lotu's own features.
We do not sell, rent, or trade personal data. We share data only where necessary and with parties who provide appropriate data protection guarantees.
Lotu uses the following categories of third-party service providers (subprocessors) to operate the platform:
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services (AWS) | Cloud hosting and infrastructure | UK / EEA (primary); US (some services) |
| OpenAI | AI and LLM processing for resource generation and marking | United States |
| Google (Gmail) | Transactional and support email communications | United States / EEA |
| Stripe | Payment processing and subscription management | United States / EEA |
| Google Analytics | Website and platform usage analytics | United States / EEA |
| Amazon Cognito | User authentication and identity management | UK / EEA (primary) |
All subprocessors are bound by contractual data protection obligations consistent with UK GDPR. Where subprocessors are located outside the UK/EEA, appropriate transfer mechanisms are in place (see Section 10). An up-to-date list of subprocessors is maintained at: www.lotueducation.com/subprocessors. We will provide reasonable advance notice of material changes.
Where Lotu is deployed by a school or MAT, authorised administrators within that organisation may be able to access account and usage data associated with teachers at their school, subject to agreed role-based access controls. Lotu does not grant one school or organisation access to data belonging to another.
We may disclose personal data if required to do so by applicable law or by order of a court or competent regulatory authority. Where legally permitted, we will notify affected users of such requests.
In the event of a merger, acquisition, or sale of all or part of our business assets, personal data may be transferred to the acquiring entity, subject to equivalent data protection protections. We will notify users of any material change in data controllership.
Lotu's primary infrastructure is hosted on AWS within the United Kingdom and/or European Economic Area (EEA). However, certain subprocessors — including OpenAI, Google (Gmail and Analytics), and Stripe — process data in the United States.
Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with Chapter V of UK GDPR, including:
Details of the transfer safeguards applicable to each subprocessor are available on request at privacy@lotueducation.com.
We retain personal data only for as long as necessary for the purposes for which it was collected, and in accordance with our legal obligations.
| Data Category | Retention Period |
|---|---|
| Teacher account data | Duration of the active account, plus 30 days following account closure |
| School / organisation account data | Duration of the active contract, plus 30 days following contract end |
| Educational Content (uploaded documents, AI outputs) | Duration of the active account or contract, deleted within 30 days of account closure or on written request |
| Billing and financial records | 7 years (as required by UK tax and financial reporting law) |
| Support emails and communications records | 6 months from the date of the communication |
| Technical logs and analytics data | 6 months on a rolling basis |
| Marketing consent records | Until consent is withdrawn, plus 6 months |
Where a school exercises its right to erasure or terminates its contract, we will delete or irreversibly anonymise associated Educational Content within 30 days, subject to any applicable legal hold requirements.
Lotu applies technical and organisational security measures appropriate to the risks associated with processing personal data in an educational context. These include:
We encourage users to report any suspected security incidents immediately to privacy@lotueducation.com.
Individuals whose personal data we process as data controller have the following rights under UK GDPR. To exercise any of these rights, please contact privacy@lotueducation.com.
| Right | What it means |
|---|---|
| Right of access | You may request a copy of the personal data we hold about you (a Subject Access Request). |
| Right to rectification | You may ask us to correct inaccurate or incomplete data about you. |
| Right to erasure | You may ask us to delete your personal data where there is no lawful reason for us to continue holding it. |
| Right to restriction | You may ask us to restrict how we use your data in certain circumstances. |
| Right to data portability | You may ask us to provide your personal data in a structured, commonly used, machine-readable format. |
| Right to object | You may object to processing based on legitimate interests or for direct marketing purposes. |
| Rights re: automated decision-making | You have the right not to be subject to solely automated decisions that produce legal or similarly significant effects. |
| Right to withdraw consent | Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. |
We will respond to valid requests within one calendar month. In complex cases, we may extend this by a further two months, in which case we will inform you within the first month. We do not charge a fee for exercising your rights unless a request is manifestly unfounded or excessive.
Where Lotu processes personal data as a data processor on behalf of a school, individual rights requests relating to that data should be directed to the relevant school as data controller in the first instance. We will cooperate with schools in responding to such requests.
This section is addressed specifically to schools, MATs, and other organisations that subscribe to Lotu as an institution.
Where a school or organisation uses Lotu to process Educational Content — including content that relates to, or is generated on the basis of, information about pupils — the school or organisation acts as the data controller for that content. Lotu acts as the data processor, processing such content only on the documented instructions of the school.
Lotu will enter into a Data Processing Agreement (DPA) with each subscribing school or organisation, as required by Article 28 UK GDPR. Schools should ensure that their DPA is signed and retained before uploading Educational Content to the platform. Please contact privacy@lotueducation.com to request the current standard DPA.
Schools must ensure that they have an appropriate lawful basis under UK GDPR — and, where applicable, an appropriate condition under Article 9 for special category data — before uploading any content that contains or relates to pupil personal data.
In most cases in a school context, the relevant lawful basis will be public task (Article 6(1)(e)) or legitimate interests (Article 6(1)(f)), supported by the school's existing data protection documentation and privacy notices to parents and guardians. Lotu does not assess, validate, or verify the lawful basis held by each school. This responsibility rests entirely with the school as data controller.
Where a school uploads content relating to pupils, the school should ensure that its existing privacy notices to parents and guardians are accurate and up to date, and that they adequately describe the school's use of third-party EdTech platforms. Lotu can provide a summary of our data processing activities for schools to incorporate into their own privacy notices on request.
Schools and teachers should apply data minimisation principles when using the platform:
Schools that upload materials containing safeguarding-related, pastoral, or medically sensitive pupil information should ensure that access to such materials on the platform is appropriately restricted, and that relevant staff are made aware of their data protection obligations. Lotu does not have visibility of individual document sensitivity unless this is flagged by the school.
Schools are responsible for ensuring that staff using Lotu understand their data protection responsibilities and use the platform in accordance with the school's own data protection policies and acceptable use guidelines.
Lotu uses cookies and similar tracking technologies on our website and platform.
| Category | Tools Used | Purpose | Opt-out? |
|---|---|---|---|
| Strictly necessary | Amazon Cognito | Session authentication and security tokens | No — required for the Service |
| Performance / analytics | Google Analytics | Understanding how users navigate the platform to improve it | Yes — via cookie preferences |
| Functional | Platform preferences store | Remembering your settings and preferences | Yes — via cookie preferences |
Full details of the cookies we use, their purposes, and how to manage or withdraw consent are set out in our Cookie Policy: www.lotueducation.com/cookies
We will seek your explicit consent before placing non-essential cookies, in accordance with the Privacy and Electronic Communications Regulations 2003 (PECR) and UK GDPR.
We may send you information about Lotu product updates, new features, educational resources, and relevant industry news on the basis of our legitimate interests in keeping existing users informed.
You may opt out at any time by clicking the "unsubscribe" link in any marketing email or by contacting privacy@lotueducation.com. Opting out does not affect service-critical communications such as account security alerts or invoices.
Where you have not previously used our Service, we will only send you marketing communications where you have given your explicit consent.
Lotu does not send marketing communications to pupils and does not use any pupil-related data for marketing purposes.
We may update this Privacy Policy from time to time to reflect changes in our practices, the features of our platform, or applicable data protection law.
Where we make material changes, we will:
Previous versions are available on request from privacy@lotueducation.com.
Lotu Education Ltd
Level One, Basecamp Liverpool, 49 Jamaica Street, Liverpool, Merseyside, L1 0AH
Privacy and Data Protection enquiries: privacy@lotueducation.com
Data Protection Lead: Chief Operating Officer
Email: privacy@lotueducation.com
School DPA requests: privacy@lotueducation.com — mark email "FAO: Data Protection"
We take data protection concerns seriously and encourage you to contact us first so that we can try to resolve any issue promptly.
If you are not satisfied with our response, or if you believe that we have processed your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: www.ico.org.uk
Helpline: 0303 123 1113
You also have the right to seek a judicial remedy in the courts of England and Wales if you consider that your rights under UK GDPR have been infringed.
Lotu Education Ltd — Privacy Policy — Version 1.1 — Effective May 2025
Registered in England & Wales — Company No. 16837074