Last updated: January 1, 2025
Everybody Counts is operated by Everybody Counts Ltd, a company registered in England and Wales. Our registered address is London, UK. We can be contacted at info@everybodycounts.co.
Everybody Counts provides an adaptive mathematics learning platform for Key Stage 1 and Key Stage 2 pupils in UK primary schools, serving schools, tutors, and educational organisations. This Privacy Policy explains how Everybody Counts Ltd ("we", "us", "our") collects, uses, stores, and protects personal data in connection with the operation of the platform accessible at everybodycounts.co and associated services.
We act as a data processor when processing pupil data on behalf of schools (who are the data controllers). We act as a data controller in our own right when processing data about school administrators, teachers, billing contacts, and website visitors.
We process personal data in accordance with UK GDPR (the UK General Data Protection Regulation as retained in UK law) and the Data Protection Act 2018. Our processing activities rely on the following legal bases:
Contract performance (Article 6(1)(b)): Processing necessary to deliver the services you have subscribed to, including account management, session delivery, and progress reporting.
Legitimate interests (Article 6(1)(f)): Processing necessary for our legitimate interests in operating and improving the platform, responding to enquiries, and communicating with existing customers about service updates. We balance these interests against the rights of data subjects and do not rely on this basis for processing children's data.
Legal obligation (Article 6(1)(c)): Processing necessary to comply with applicable law, including tax, accounting, and data protection obligations.
Consent (Article 6(1)(a)): Where we rely on consent — for example, for marketing communications to individuals who are not current customers — we will seek and record explicit consent and provide clear opt-out mechanisms.
For the processing of pupil data, we rely on the school's legal basis for processing (typically contract performance or public task under Article 6(1)(b) or (e)), and we process pupil data only on documented instructions from the school as data controller.
When a school creates an account or when a teacher registers on the platform, we collect: full name, professional email address, school name and address, job title or role, and login credentials (password stored as a salted hash; we do not store plaintext passwords).
During platform use, we collect: login timestamps and IP addresses, session activity logs (which classes were accessed, which reports were viewed), and any feedback or support requests submitted through the platform.
Pupil data is collected and controlled by the school. Schools provide us with: pupil first name, year group, class assignment, and a unique identifier. Schools are not required to provide pupil surnames, home addresses, dates of birth, or contact details. We recommend that schools use first name and initial only when creating pupil accounts.
During platform use, we collect: question response data (correct/incorrect, response latency), session completion data, and calculated ability estimates derived from response patterns. This data is used solely to deliver the adaptive learning functionality and to generate progress reports for teachers.
We do not collect pupil photographs, video or audio recordings, biometric data, health information, or any data about pupil demographics, ethnicity, or free school meal eligibility unless explicitly provided by a school for a specific agreed purpose.
When you visit everybodycounts.co, we collect standard web server log data including IP address, browser type and version, operating system, referring URL, pages visited, and visit timestamps. This data is collected automatically and is used for security monitoring and aggregate traffic analysis.
If you submit an enquiry through our contact form, we collect: name, email address, school name, and the content of your message.
We use school administrator and teacher data to: create and manage school accounts, authenticate users and maintain session security, deliver technical support, send service-related communications (including updates to terms, pricing changes, and maintenance notices), and process billing and payment.
We use pupil data to: deliver the adaptive practice sessions, calculate ability estimates and generate progress reports for teachers, and improve the accuracy of our item calibration models. Pupil data is never used for marketing, profiling for commercial purposes, or shared with third parties for purposes other than delivering the contracted service.
We use website visitor data to: monitor for security threats (unusual traffic patterns, attempted unauthorised access), analyse aggregate traffic patterns to understand how the site is used, and respond to contact form enquiries.
School administrator and teacher data is retained for the duration of the school's subscription and for 12 months following termination of the subscription, to facilitate account re-activation if required. After 12 months post-termination, account data is deleted.
Pupil data is retained for the duration of the school's subscription. Upon subscription termination, schools may request export of all pupil data in CSV format within 30 days of termination notice. After 30 days post-termination, pupil data is permanently deleted from active systems. Backup copies containing pupil data are retained for a maximum of 60 days before being overwritten or deleted.
Schools may request deletion of individual pupil records at any time during the subscription — for example, when a pupil transfers to a different school. Individual pupil records will be deleted within 5 working days of a deletion request.
Website enquiry data is retained for 24 months from the date of the enquiry, unless a business relationship is established following the enquiry, in which case it is retained for the duration of that relationship plus 12 months.
Web server log data is retained for 90 days for security monitoring purposes and then deleted.
We do not sell personal data. We do not share personal data with advertising networks, data brokers, or third parties for commercial purposes.
We use the following sub-processors to deliver the platform service. All sub-processors are contractually bound to process data only on our instructions and in compliance with UK GDPR:
Amazon Web Services EMEA SARL (Ireland): Cloud hosting and data storage. All data is stored in AWS EU-WEST-1 (Dublin) and EU-WEST-2 (London) regions. Data does not leave the UK/EEA except where required by law.
Stripe Payments Europe Ltd (Ireland): Payment processing for subscription billing. Stripe processes billing contact name, email address, and payment card details. Stripe is PCI DSS Level 1 certified. We do not store payment card details on our own systems.
Postmark (ActiveCampaign, LLC — EU data stored in Ireland): Transactional email delivery for account confirmation emails, password resets, and weekly progress digests. Pupil data is not included in emails sent via Postmark.
Sentry (Functional Software Inc. — EU data processed in Germany): Error monitoring and crash reporting for the platform application. Sentry receives anonymised error logs; we configure Sentry to scrub personal data from error reports before transmission.
We maintain an up-to-date list of sub-processors. Schools operating under a Data Processing Agreement with us will be notified of any changes to sub-processors with 30 days notice, providing time to object before the change takes effect.
We may disclose personal data to law enforcement, regulatory bodies, or courts where required by applicable UK law. We will notify the relevant data controller of any such disclosure unless prohibited by law from doing so.
The primary data storage and processing infrastructure for Everybody Counts operates within the UK and European Economic Area. We do not routinely transfer personal data outside the UK/EEA.
Where our sub-processors have parent companies or operations outside the UK/EEA (as is the case with Amazon Web Services and Postmark), we ensure that appropriate safeguards are in place for any data that may be accessed from outside the UK/EEA. These safeguards include Standard Contractual Clauses approved by the UK Information Commissioner's Office and, where applicable, additional technical measures including data residency controls that prevent data from being stored outside specified regions.
We implement technical and organisational measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:
Encryption of all personal data at rest using AES-256. Encryption of all data in transit using TLS 1.2 or higher. Role-based access controls limiting internal access to personal data to staff whose role requires it. Multi-factor authentication required for all staff with access to production systems. Regular penetration testing of the platform, conducted annually by an independent security firm. Formal incident response procedures covering detection, containment, notification, and post-incident review. Staff data protection training provided to all employees on joining and annually thereafter.
No security measures are completely impenetrable, and we cannot guarantee absolute security. In the event of a personal data breach, we will notify affected schools within 48 hours of becoming aware of the breach and will support schools in fulfilling their own breach notification obligations to the Information Commissioner's Office.
Depending on your relationship to us (school administrator, teacher, parent acting on behalf of a pupil, or website visitor), you may have the following rights regarding your personal data:
Right of access: You have the right to request a copy of the personal data we hold about you.
Right to rectification: You have the right to request correction of inaccurate personal data.
Right to erasure: You have the right to request deletion of your personal data in certain circumstances.
Right to restrict processing: You have the right to request that we restrict processing of your personal data in certain circumstances.
Right to data portability: You have the right to receive your personal data in a portable format and to transmit it to another controller.
Right to object: You have the right to object to processing based on legitimate interests.
For pupils, these rights are exercisable by the school as data controller, acting on behalf of the pupil (or in some cases the pupil's parent or guardian). Schools should contact us directly to exercise rights relating to pupil data.
To exercise any of these rights, please contact us at info@everybodycounts.co. We will respond to all rights requests within one month. Where a request is complex or there are multiple requests, we may extend this period by up to two additional months and will notify you of the extension.
We use cookies and similar technologies on everybodycounts.co and within the platform. Full details of the cookies we use, their purposes, and how to manage them are set out in our Cookie Policy.
The Everybody Counts platform is designed to be used by children aged 5 to 11 under the supervision of schools and teachers. We take our obligations in relation to children's data with particular seriousness.
Pupil accounts are created and managed exclusively by schools, not by pupils or their parents directly. Pupils do not create their own accounts, do not provide personal information to us directly, and do not have access to any features of the platform beyond the supervised learning sessions.
We do not use pupil data for behavioural profiling, targeted advertising, or any purpose unrelated to the delivery of learning sessions and progress reporting to the pupil's school. We do not share pupil data with third parties except as necessary to operate the platform (as described in the sub-processors section above).
We comply with the Age Appropriate Design Code (UK Children's Code) and have completed a Children's Code Assessment for the pupil-facing elements of the platform.
We may update this Privacy Policy from time to time. When we make material changes, we will notify current customers by email to the registered account email address and update the "Last updated" date at the top of this page. Continued use of the platform after the effective date of changes constitutes acceptance of the updated policy.
For any questions or concerns about this Privacy Policy or our data practices, please contact us:
By email: info@everybodycounts.co
By post: Everybody Counts Ltd, London, UK
If you are dissatisfied with our response to a privacy concern, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO). The ICO can be contacted at ico.org.uk or by calling 0303 123 1113.