Privacy Policy

Effective date: 5 November 2025

1. Who we are

Lingjo (“we”, “us”, “our”) is a trading name of AureyaTech Ltd and provides learning and assessment tools for teachers and students. We are the data controller for most processing described here. Where we act strictly on behalf of a school/institution under contract, we may act as a data processor.

Registered business name: AureyaTech Ltd. ICO Registration Number: ZC089084. See Section 17 for contact details.

2. Scope (launch focus)

This policy covers personal data processed via Lingjo’s websites, apps, and related services. During our initial launch we focus on private teachers and their invited/linked students.

3. Data relationships & limits

One-Teacher/School Mapping
  • Each student email can be connected to one school or private teacher at any given time.
  • If a student needs to switch teacher/school, the previous connection must be removed before a new connection is made.
Account Deletion Behaviour
  • When a private teacher deletes their account, Lingjo deletes the student data associated with that teacher — e.g., assignments, feedback, scores, enrolment links — to uphold data minimisation.
  • We do not automatically delete the student’s own account. Students may delete their account at any time through in-product settings or by contacting us.
  • Where we act as a processor for a school, we will follow the school’s instructions and retention policies.

4. Lawful bases

  • Performance of a contract: account access, classroom features, assessment, account administration.
  • Legitimate interests: platform security, service improvement, preventing abuse, learning analytics consistent with user expectations.
  • Consent: optional communications and non-essential cookies; parental consent for under-13s where required.
  • Public task: when we process on behalf of schools fulfilling educational duties.

5. Data we collect

Categories of personal data
CategoryExamplesPurposeLawful basis
Account & IdentityEmail; display name (optional); role (student/teacher); teacher–student linkageCreate/manage accounts; link students to a single teacher/schoolContract; Legitimate interests; Public task
Authentication (via Clerk)Session tokens; sign-in logs; MFA statusSecure login and session managementContract; Legitimate interests
Education RecordsAssignments, submissions, scores, teacher feedback, progressProvide learning and reporting featuresContract; Public task
Usage & DeviceApp interactions, timestamps, IP address, device/browser metadataSecurity, reliability, service improvementLegitimate interests; Consent for non-essential analytics
Support & CommunicationsSupport tickets, email threads, in-app messagesResolve issues; service updatesContract; Legitimate interests; Consent (marketing)

We do not intentionally collect special category data. If such data is shared inadvertently, we will minimise, delete, or protect it appropriately.

6. How we use data

  • Operate and secure accounts, classes, and assessments.
  • Authenticate users and protect sessions.
  • Provide teacher dashboards and student progress tracking.
  • Detect/prevent fraud and misuse.
  • Improve performance and user experience.
  • Provide support and service communications.
  • Use aggregated/anonymised data to inform improvements.

7. Cookies & tracking

We use strictly necessary cookies (e.g., authentication). With your consent, we may use analytics cookies to understand usage. Manage preferences via your browser or in-product controls (where available).

8. Sharing & processors

We do not sell personal data. We use vetted service providers under UK GDPR-compliant terms, limited to what’s necessary.

Our core processors
ProcessorRoleData handledPrimary region
ClerkAuthentication & identitySign-in data, sessions, MFA statusEU region (e.g., eu-west)
Cloud/Hosting ProviderInfrastructure & databasesApp data, encrypted at restUK/EU
AI/LLM Provider (e.g., OpenAI)Language processing for selected featuresPseudonymised prompts/content; no direct identifiers by defaultEU/UK where available; else SCCs

Disclosures may occur where required by law, to protect users, or to defend our legal rights, following due process.

9. Third-party AI & API services (anonymised)

  • No direct identifiers by default: we remove or pseudonymise names, emails, IDs before requests.
  • Minimum necessary: only the text needed to fulfil a feature (e.g., paragraph of an essay) is sent.
  • Provider controls: where available, we disable provider training on your data and request minimal retention.
  • Regional processing & safeguards: UK/EU preferred; otherwise adequacy/SCCs with additional measures.
  • School/teacher controls: AI features can be disabled or limited on request.

10. Retention & deletion

  • We retain personal data only as long as necessary for the purposes described or as required by law/contract.
  • Teacher deletion: when a private teacher deletes their account, Lingjo deletes the student data linked to that teacher (assignments, feedback, scores, and linkage). The student’s account remains; students may delete their account separately at any time.
  • Backups are encrypted and retained for limited periods before secure deletion.

11. Security

Technical
  • TLS for data in transit; encryption at rest.
  • Secrets management; no hard-coded credentials.
  • RBAC and least-privilege access.
  • Admin access audit logging.
  • Regular patching and dependency scanning.
  • Signed webhooks (e.g., Clerk) with signature verification.
Organisational
  • Data Protection Impact Assessments where required.
  • Staff confidentiality & access training.
  • Incident response & disaster recovery plans.
  • Vendor due diligence and DPAs with processors.
  • Privacy by design & default.

12. Children’s Code (Age-Appropriate Design Code)

  • High-privacy defaults for under-18 users.
  • Clear, age-appropriate explanations of settings and features.
  • Parental consent for under-13 account creation where required.
  • Geolocation/social features off unless strictly needed.

13. International transfers

We prefer UK/EU processing and storage. Where transfers/access occur outside the UK/EU, we rely on adequacy regulations or Standard Contractual Clauses with appropriate safeguards.

14. Your rights

Under UK GDPR, you can request access, rectification, erasure, restriction, portability, or object to processing. When processing is based on consent, you can withdraw consent at any time. To exercise your rights, contact us via Section 17. Where we act as a processor for a school, we may redirect your request to the controller.

15. Breaches & reporting

We investigate all personal data incidents. Where required, we notify the ICO within 72 hours and affected users without undue delay if there is a high risk to their rights and freedoms.

16. Changes to this policy

We may update this policy to reflect changes in the law, guidance, or our services. We will post updates here and, where appropriate, provide in-app or email notices.

17. Contact & Data Protection Officer

If you have questions or wish to exercise your rights, contact:

  • CompanyAureyaTech Ltd (Lingjo trading as)
  • Postal71-75 Shelton Street
    London, Greater London
    WC2H 9JQ
    United Kingdom
  • Emailhello@lingjo.com
  • Websitehttps://aureyatech.com
  • ICORegistration Number: ZC089084

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority, if you believe we have not addressed your concerns adequately. Our ICO Registration Number is ZC089084. You can contact the ICO at:

Information Commissioner's Office

Wycliffe House
Water Lane
Wilmslow
Cheshire SK9 5AF

Website: https://ico.org.uk

Helpline: 0303 123 1113

This Master Privacy Policy governs all AureyaTech Ltd Services. Product-specific privacy notices and contractual agreements supplement this Policy where applicable.

Clerk Authentication Notice

We use Clerk for authentication. Clerk acts as our data processor and stores authentication data in the EU region. We do not store user passwords.

  • EU region configured for auth data
  • MFA enforced for admin accounts
  • Session/device management & signed webhooks