Privacy Policy
The English Hub - a trading name of Upskill Energy Limited
Last updated: 12 May 2026
This policy explains who is responsible for your personal data, how to contact our Data Protection Officer (DPO) and Designated Safeguarding Lead (DSL), how to make a complaint to the ICO, and how to exercise your rights to access, export, or delete your data.
1. Contacts
Data Controller
Upskill Energy Limited, trading as The English Hub, is the data controller responsible for the personal data processed through theenglishhub.app and its associated services. We are registered with the UK Information Commissioner’s Office (ICO) under registration number ZC016690.
Data controller: Upskill Energy Limited (Company No. 16511479), trading as The English Hub. ICO registration: ZC016690. Registered office address available to schools on request during procurement.
Data Protection Officer (DPO)
Calum Johnson — [email protected]
Designated Safeguarding Lead (DSL)
Because our users include children, we maintain a Data Protection Officer and a Designated Safeguarding Lead responsible for child-protection matters arising from use of the platform. Where the same individual currently holds more than one of these roles, the conflict-of-interest and continuity arrangements are documented and available to schools on request.
Calum Johnson — [email protected]
Complaints to the ICO
If you are not satisfied with how we have handled your personal data, you have the right to lodge a complaint with the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint or by calling 0303 123 1113. We would, however, appreciate the chance to address your concerns first - please contact our DPO above.
2. What Personal Data We Collect
We collect and process the following categories of personal data:
Account information
- Full name and email address
- Password (stored as a salted hash; never in plain text)
- Date of birth or age confirmation (used to apply age-appropriate defaults)
- Account type (student, parent, teacher, school)
Learning data
- Course progress, quiz and mock-exam results
- Essay and written-response submissions
- AI-generated feedback on your work
- Time spent on learning activities
Billing information
- Payment card details (handled by Stripe; we do not store full card numbers)
- Billing address and transaction history
Technical data
- IP address, device and browser information
- Pages visited and interaction patterns (only with analytics consent)
- Error logs and performance data
3. Legal Bases for Processing
- Contract (Article 6(1)(b)): to deliver the learning platform you have signed up for, including account management, marking, and payments.
- Consent (Article 6(1)(a)): for optional marketing, non-essential cookies, and any AI training opt-ins. Consent can be withdrawn at any time.
- Legitimate interests (Article 6(1)(f)): for platform security, fraud prevention, and aggregate analytics, balanced against the rights of our users (especially children).
- Legal obligation (Article 6(1)(c)): for tax, accounting, and safeguarding record-keeping required by UK law.
4. Third-Party Data Processors
We share your personal data with the following third-party processors, each of which is bound by a data processing agreement and processes your data only on our instructions:
Stripe (Payments)
Stripe, Inc. processes all payment transactions. Card details are sent directly to Stripe and never stored on our servers. Stripe is PCI DSS Level 1 certified. stripe.com/gb/privacy.
Supabase (Authentication & Database)
Supabase, Inc. provides our authentication system and database infrastructure. Your account information, learning progress, and essay submissions are stored in Supabase-hosted databases, encrypted at rest and in transit. supabase.com/privacy.
Anthropic (AI Essay Feedback)
Anthropic, PBC provides the Claude AI model used to generate feedback on student essay submissions. Our data processing agreement with Anthropic prohibits the use of your submissions to train their models. anthropic.com/privacy.
Vercel (Hosting)
Vercel, Inc. hosts our website and application. Vercel processes technical data such as IP addresses and request logs as part of delivering the platform. vercel.com/legal/privacy-policy.
Sentry (Error Tracking)
Functional Software, Inc. (Sentry) provides error monitoring and performance tracking. Sentry receives technical context to help diagnose issues. sentry.io/privacy.
Resend (Email Delivery)
Resend, Inc. provides transactional email delivery. Your email address and message content are processed by Resend when we send you account or product emails. resend.com/legal/privacy-policy.
Microsoft Azure (Backend Hosting)
Microsoft Corporation provides cloud hosting for our backend API via Microsoft Azure (UK South region). Backend API traffic passes through this infrastructure. privacy.microsoft.com.
Vercel Analytics & Speed Insights (Usage Analytics)
Privacy-friendly usage analytics and Web Vitals timings, loaded only after you accept analytics cookies. No cross-site tracking cookies and no advertising profiles. vercel.com/legal/privacy-policy.
Google Analytics 4 (Usage Analytics)
Loaded only after you accept analytics cookies. We configure GA4 with IP anonymisation enabled. policies.google.com/privacy.
Rewardful (Affiliate Tracking)
Loaded only after you accept marketing cookies. Sets a first-party referral cookie so affiliates can be credited for sign-ups they refer. rewardful.com/privacy-policy.
5. Children’s Privacy
The English Hub is designed for GCSE learners, many of whom are minors. We follow the UK Information Commissioner’s Age Appropriate Design Code (the “Children’s Code”) and treat the best interests of the child as a primary consideration in every product decision.
- Eligibility: The English Hub is for learners aged 13 and over; users aged 13-15 require parent/guardian consent.
- Users aged 13-15 require parent/guardian consent. We collect a parent or guardian email at sign-up so that consent can be given, and a parent or guardian can review or revoke access at any time.
- Off-by-default for minors: personalised recommendations beyond core study delivery, streaks and habit-pressure mechanics, and all marketing communications are off by default for any account flagged as belonging to a child. They can only be enabled by an explicit, informed action.
- No behavioural advertising and no commercial profiling of children, in line with the Children’s Code.
- Plain-language transparency: child-facing accounts see a simplified, age-appropriate explanation of what data we hold, why, and how to delete it.
- Geolocation is not collected for child accounts.
Our Children’s Code commitments
| ICO Children’s Code standard | How The English Hub meets it |
|---|
| 1. Best interests of the child | We are committed to assessing the impact on under-18s of product changes before release. The Designated Safeguarding Lead has veto over decisions affecting children. |
| 2. Data protection impact assessments | We are committed to assessing the impact on under-18s of product changes before release, and to reviewing that assessment on every material feature change. |
| 3. Age-appropriate application | Account flows branch by age at signup (13-15, 16-17, 18+). UI, copy, and defaults adapt per age cohort. |
| 4. Transparency | Privacy policy, data-use summary, and Children’s Code matrix written in plain English. Tested with under-16 users for comprehension. |
| 5. Detrimental use of data | No advertising, no profiling for commercial purposes, no data sold to third parties. AI training opt-in is off by default for all minors. |
| 6. Policies and community standards | Published safeguarding policy enforced. Users can flag harmful content; human review within 24h. |
| 7. Default settings | All minor accounts default to: profile private, analytics off, marketing off, AI training opt-in off. |
| 8. Data minimisation | We collect email, DOB, and essay submissions only. No address, no phone, no payment info from minors (parent pays). |
| 9. Data sharing | Sub-processors listed in section 4. No third-party ad networks. UK/EU hosting. |
| 10. Geolocation | Not collected for minors. No location-based features. |
| 11. Parental controls | Parent accounts can be linked to child accounts. Parent sees child’s essay history and weekly progress. Transparency flag shown to child when parent linkage is active. |
| 12. Profiling | No behavioural profiling. AI marking is deterministic per essay - no cross-essay inference that affects feature access. |
| 13. Nudge techniques | No gamification patterns that exploit developmental vulnerabilities. No "streak" pressure; progress is informational, not coercive. |
| 14. Connected toys and devices | Not applicable - The English Hub is a web + mobile SaaS. |
| 15. Online tools | Privacy tools (export, delete, correct) accessible from the account page. All actions complete in ≤30 days per UK GDPR. |
See our Safeguarding Policy for the operational detail of how the Designated Safeguarding Lead handles concerns.
6. Data Retention
- Account data: retained for the duration of your account. After account deletion, personal data is erased within 30 days, except where law requires longer.
- Learning submissions and AI feedback: retained for the duration of your account so you can review past work; erased within 30 days of account deletion.
- Billing records: retained for 7 years to comply with UK tax law (HMRC).
- Technical and error logs: retained up to 90 days, then automatically purged.
- Marketing consent records: retained for as long as the consent is active, plus 3 years after withdrawal to demonstrate compliance.
- Dormant child accounts: any account flagged as belonging to a child that shows no sign-in or learning activity for 12 consecutive months is automatically purged. We send a reminder email to the linked parent before deletion where contact details are on file.
7. Your Rights and Subject Access Requests
Under UK data protection law, you have the right to access, correct, port, restrict, object to processing of, or delete the personal data we hold about you, and to withdraw any consent you have given. The fastest way to exercise the most common rights is through your account:
- Export your data: /account/data-export - download a structured, machine-readable copy (JSON/CSV) of your account, learning progress, and submissions.
- Delete your account: /account/delete - permanently remove your account and associated learning data, subject to legal retention obligations.
- Correct your data: most account information can be updated directly through your account settings.
- Manual requests (access, restriction, objection, consent withdrawal): if you cannot use the in-product tools, email [email protected]. We will respond within one calendar month, extendable by a further two months for complex requests - we will let you know within the first month if an extension applies.
- For child accounts: the linked parent or guardian may exercise these rights on the child’s behalf using the same routes.
If you are unsatisfied with our response, you have the right to lodge a complaint with the ICO (see Section 1).
8. Cookies
We use cookies and similar technologies to operate the platform. Our use of cookies falls into the following categories:
- Strictly necessary cookies: required for the platform to function, including authentication session cookies and security tokens. These do not require consent.
- Functional cookies: remember your preferences such as theme settings and display options.
- Analytics cookies: help us understand how users interact with the platform so we can improve it. Set only with your consent.
- Marketing cookies: used by Rewardful for affiliate attribution. Set only with your consent.
We do not use behavioural advertising cookies. You can manage your cookie preferences at any time through the cookie settings on our website.
9. International Data Transfers
Some of our third-party processors are based in the United States. When personal data is transferred outside the UK, we ensure appropriate safeguards are in place to protect it, in compliance with UK GDPR:
- UK International Data Transfer Agreement (IDTA): we enter into the UK IDTA or the UK Addendum to the EU Standard Contractual Clauses with each US-based processor, as approved by the ICO.
- Supplementary measures: we implement additional technical and organisational safeguards, such as encryption in transit and at rest.
- Adequacy decisions: where the UK government has made an adequacy decision for a country, we may rely on that decision as the basis for transfer.
The following processors transfer data outside the UK: Stripe, Supabase, Anthropic, Vercel, Sentry, Resend, Google (GA4), and Rewardful. Each has appropriate transfer mechanisms in place as described above.
10. Data Security
We apply appropriate technical and organisational measures to protect personal data, including:
- TLS 1.2+ encryption in transit and AES-256 encryption at rest
- Role-based access controls and least-privilege staff access
- Salted password hashing using industry-standard algorithms
- Automated error monitoring and dependency patching
- Regular review of sub-processors and data flows
To report a security concern, please email [email protected].
11. Changes to This Policy
We may update this policy to reflect changes in our practices or the law. Material changes will be notified by email or by a prominent in-product notice. For users under 16, we will notify both the student and the linked parent or guardian.
© 2026 Upskill Energy Limited, trading as The English Hub. All rights reserved.