Legal
Privacy Policy
Last updated: 19 April 2026 · Pilot release · Draft pending counsel review · Read the DPIA (also draft)
If you’re a child reading this
- We remember your name, your year at school, and what you’ve been learning so we can help you better.
- We don’t show your work to anyone except your grown-up. Your teacher only sees what your grown-up says they can.
- We never give your information to people who want to sell you things.
- If you ever feel uncomfortable, tell your grown-up. They can ask us to delete everything.
The plain-English version (for parents)
- We only collect what we need to personalise learning and keep your child safe.
- We don’t sell your data, we don’t serve ads, and we don’t use your child’s work to train general AI models.
- You can download everything we hold about you, or delete your account, from Settings → Data & Privacy.
- If we get it wrong, you have the right to complain to the UK Information Commissioner’s Office (ICO registration: TBC by founder).
1. Who we are
EverywhereX is a learning platform run by a UK-based organisation, founded as an initiative of the 1 in 10 Dyslexia charity (see 1in10.co.uk). Under UK GDPR we are the data controller for personal data processed through the service. If you have a question about how your data is handled, or you want to exercise any of your rights, email privacy@evx.logicmesh.dev.
2. What we collect
We collect three categories of personal data:
About the account holder (usually a parent)
- Your name and email address.
- Authentication data (password hash managed by Supabase, or your Google sign-in identifier — we never see your Google password).
- Account role (parent, teacher, admin) and any school or organisation affiliation if you were invited by one.
- Notification preferences, accessibility preferences, last-seen timestamp, and records of which transactional emails we’ve sent you.
About your child (or pupil, if you are a teacher)
- First name, year group, date of birth, and the responses to the intake questionnaire (learning style, interests, goals, SEND types, current levels).
- The AI-generated learning persona built from those responses.
- Every lesson started, completed, quiz score, time spent, and chat message exchanged with the AI tutor.
- Per-child accessibility settings (dyslexia font, text-to-speech, extended time, reduced density, high contrast).
We deliberately do not collect: your child’s surname, home address, phone number, photograph, medical diagnosis letters, school attendance records, or any EHCP documentation. If any of that ends up in a free-text field by accident, tell us and we’ll erase it.
Operational data (everyone)
- AI-usage metering: which endpoint was called, how many tokens were used, the model, and the pence cost. Used for abuse prevention and capacity planning.
- Moderation flags: when a message is refused by the safety filter, we log the event so admins can review patterns.
- Rate-limit counters and session metadata for security.
- Error telemetry via Sentry (EU region) when something breaks. Sentry receives stack traces and route names, never chat content or intake answers.
- Email delivery events (accepted, bounced, complained) to help us debug deliverability.
3. Why we use it (our lawful bases)
Under UK GDPR we must identify a lawful basis for every use of personal data. Ours are:
- Performance of a contract (Article 6(1)(b)) — to provide the learning service you signed up for: account management, lesson delivery, AI tutoring, progress tracking, transactional confirmation emails.
- Legitimate interests (Article 6(1)(f)) — for service integrity, fraud and abuse prevention, moderation of AI outputs, and service analytics. We have balanced our interest against your rights and concluded that a platform serving children cannot run without these.
- Consent (Article 6(1)(a)) — for optional marketing-style emails such as the weekly progress digest, re-engagement nudges, and product updates. You can withdraw at any time from Settings.
- Legal obligation (Article 6(1)(c)) — where a safeguarding concern or a law-enforcement request requires disclosure.
Where we process data about a child, we rely on parental consent provided by the account holder (UK GDPR Article 8 and the AADC). We do not create accounts directly for children under 13.
4. Who we share it with
We use a small number of vetted sub-processors to run the service. None of them are permitted to use your data for their own purposes.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | EU (Ireland) |
| OpenAI (Chat) | AI tutor (text), persona generation, learning plans, EHCP-shaped SEND profile generation | USA (API tier — no training; UK SCCs) |
| OpenAI (Realtime) | Voice tutor — live voice conversation with the AI tutor via WebRTC. Audio not retained by OpenAI to train models; audio not stored by us by default (transcript persistence is opt-in per child). | USA (UK SCCs) |
| Microsoft Azure | Immersive Reader (text-to-speech, picture dictionary, syllable splitting). Lesson text only; no personal data about your child is sent. | EU (West / North Europe) |
| Mailcow (self-hosted) | Transactional email delivery | UK |
| Sentry | Error and performance telemetry | EU (Germany) |
| Oak National Academy | Curriculum content source (one-way, no personal data sent) | UK |
Chat messages are sent to OpenAI’s API for inference only. Under our API-tier agreement, OpenAI does not use inputs or outputs to train its models.
We do not transfer personal data outside the UK/EEA to countries without an adequacy decision except the OpenAI API call described above, which relies on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
5. How long we keep it
- Account and child profiles: for the life of the account. Delete from Settings at any time.
- Progress and chat history: same as the account, unless you delete an individual child sooner.
- Email delivery events: 12 months, then automatically purged.
- Operational logs (AI spend, moderation flags): retained after account deletion with the personal link severed, so service-integrity metrics continue to work.
- GDPR request audit log: retained indefinitely for ICO compliance proof. Contains email and request type only.
- Backups: 30 days rolling. A deleted account may persist in a backup snapshot for up to 30 days before it rolls off.
6. Your rights
Under UK GDPR you have the right to:
- Access and portability — download a machine-readable copy of everything we hold about you from Settings → Data & Privacy.
- Erasure — delete your account from the same page. Deletion is scheduled 14 days ahead so you have a chance to change your mind; after that we can’t restore it.
- Rectification — edit your profile and your child’s learning profile from Settings.
- Restriction and objection — contact us at privacy@evx.logicmesh.dev if you want us to pause processing or object on legitimate-interest grounds.
- Withdraw consent — turn off any optional email from Settings at any time.
- Complain to the ICO — if you are unhappy with how we’ve handled your data, you can complain to the UK Information Commissioner’s Office at ico.org.uk/make-a-complaint. We’d rather you talked to us first, but this right is yours regardless.
7. Children and the Age-Appropriate Design Code
This service is designed with the ICO’s Age-Appropriate Design Code (AADC) in mind. In particular:
- Best interests of the child — the service puts learning outcomes and safety above engagement metrics. We deliberately do not use dark patterns such as anxiety-inducing daily streaks or public leaderboards.
- Default to high privacy — a new account comes with optional marketing and nudge emails off by default at the product level, and all settings are held at the most privacy-protective option until the adult actively changes them.
- Transparency — this notice is written for the adult; a child-facing version will be added alongside the student-login flow in a future release.
- Profiling — we build an AI persona from the intake answers so lessons can be personalised. This persona is never used for advertising, never shared, and can be reviewed and edited by the parent from the child detail page.
- Data minimisation — we only ask for what we need to teach the child and keep them safe.
8. Security
Data is encrypted in transit (TLS 1.2+) and at rest. Access to production systems is restricted to named engineers with two-factor authentication. Chat content is moderated through the OpenAI moderation API both before the model sees the request and before the response reaches the child. We keep a running audit of moderation events for admin review.
9. Safeguarding
If the AI tutor detects content that suggests a child is at risk of harm, the conversation is flagged and stored for review. In a genuine safeguarding concern we will follow the procedures set out in Keeping Children Safe in Education 2025 and, where appropriate, share information with the child’s school DSL or relevant authorities. This is a narrow legal-obligation carve-out on the non-disclosure rule and does not affect day-to-day privacy.
10. Changes to this policy
If we make a material change we’ll email registered account holders and update the date at the top of this page. Routine editorial changes are logged in the Help Centre.
This notice is a pilot version. It will be reviewed by a qualified UK data-protection practitioner before public launch and may be amended to reflect the finalised DPIA and any school-specific DPAs.