Privacy Policy
This policy explains how Moodly collects, uses, and protects your personal data. We are committed to protecting your privacy, especially the privacy of children.
1. Introduction
Mr G Education Ltd ('Moodly', 'we', 'us', 'our') is committed to protecting the privacy of all users of our platform, with particular care given to the protection of children's personal data.
This Privacy Policy explains how we collect, use, store, and protect personal data when you use the Moodly platform, including the Teacher Portal (portal.moodly.education), Learner App (submit.moodly.education), and our website (moodly.education).
We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the ICO's Age Appropriate Design Code.
2. Data Controller and Processor
2.1 For School Data
- When Moodly is used by a school or educational institution, the School is the Data Controller for student and staff personal data.
- Mr G Education Ltd acts as the Data Processor, processing data only on the School's behalf and in accordance with their instructions.
- Schools should provide their own privacy notices to students, parents, and staff regarding the use of Moodly.
2.2 For Website Visitors
- For visitors to our website who are not using the platform through a school, Mr G Education Ltd is the Data Controller.
3. Data We Collect
3.1 Student Data (via Schools)
- Name and class/year group assignment
- Check-in data: emoji selections representing emotional state, timestamps, and optional notes
- Affirmations and peer recognition messages
- Survey responses
- Demographic data provided by the school (e.g., gender, ethnicity, free school meal status) for analytics purposes
- PIN credentials for app access
3.2 Staff Data (via Schools)
- Name and email address
- Role and permission level within the school
- Activity logs within the platform
- Notes and comments on student welfare
- AI Assistant query history
3.3 Website Visitor Data
- Contact form submissions (name, email, school name, role, message)
- Analytics data (via cookies, with consent)
- Technical data (IP address, browser type, device information)
4. Special Category Data
Moodly processes special category data under UK GDPR Article 9, including:
Health-related data: Information about children's emotional and mental wellbeing states
This processing is necessary for reasons of substantial public interest under Schedule 1 of the Data Protection Act 2018, specifically for safeguarding of children and individuals at risk.
We implement additional safeguards for this sensitive data, including strict access controls, encryption, and limited retention periods.
5. Legal Basis for Processing
5.1 For School Platform Use
- Contract: Processing is necessary for the performance of our contract with the School.
- Public Interest: For educational institutions, processing is necessary for the performance of a task carried out in the public interest (education and safeguarding).
- Legitimate Interests: To improve our services and ensure platform security.
5.2 For Website Visitors
- Consent: For marketing communications and non-essential cookies.
- Legitimate Interests: For website analytics and security.
- Contract: To respond to enquiries and provide requested information.
6. How We Use Personal Data
We use personal data to:
Platform Operation
- Provide the Moodly platform services to Schools
- Enable students to submit emotional check-ins
- Generate wellbeing analytics and reports for authorised staff
- Facilitate welfare escalations and safeguarding processes
- Provide AI-assisted guidance to teachers (without sharing identifiable student data with AI systems)
Service Improvement
- Analyse aggregated, anonymised usage patterns to improve the platform
- Develop new features based on user needs
- Ensure platform security and prevent abuse
Communications
- Send service-related notifications to School administrators
- Respond to support requests
- Send marketing communications (with consent only)
7. Data Sharing
We do not sell personal data. We share data only as follows:
7.1 Within the School
- Student data is visible only to authorised staff members within the student's school, as determined by the school's permission settings.
- For Multi-Academy Trusts, data sharing across schools is controlled by trust administrators.
7.2 Service Providers
- Google Cloud Platform and Microsoft Azure (cloud hosting and infrastructure, data stored within UK/EEA)
- Brevo (website enquiry processing and email communications)
- Google Analytics via Google Tag Manager (website usage analytics)
- PostHog (product analytics and user experience improvement)
- Cookiebot (cookie consent management)
- Retool (internal administration)
- Stripe (payment processing — no student data shared)
- AI service providers (queries only, no identifiable student data)
7.3 Legal Requirements
- We may disclose data if required by law, court order, or to protect the safety of individuals.
- We will notify the School of any legal requests for data unless legally prohibited from doing so.
8. AI Assistant and Data
8.1 How the AI Assistant Works
- The AI Assistant provides general guidance to teachers on student wellbeing matters.
- Teachers submit questions or scenarios to receive evidence-based suggestions.
8.2 Data Protection
- No identifiable student data (names, specific check-in data) is passed to AI systems.
- Teachers should not include identifying student information in their AI queries.
- AI interactions may be logged for quality assurance and abuse prevention.
- AI processing is carried out by third-party providers under strict data processing agreements.
9. Children's Privacy
We take extra care to protect children's data in accordance with the ICO's Age Appropriate Design Code:
9.1 Best Interests
- The best interests of the child are a primary consideration in how we design and operate our platform.
- We minimise data collection to what is necessary for educational and safeguarding purposes.
9.2 Age-Appropriate Experience
- The Learner App uses simple, age-appropriate interfaces (emoji-based).
- We do not use manipulative design patterns ('dark patterns').
- We do not use children's data for marketing or advertising.
9.3 Transparency
- Privacy information is provided in age-appropriate language where children may access it.
- Schools are responsible for providing appropriate information to students and parents.
9.4 Parental Access
- Parents/guardians may request access to their child's data through the School.
- Schools control access to student data and should have their own policies for parental requests.
10. Data Retention
10.1 Active Accounts
- Free tier: Classroom data is retained until the user creates a new class, at which point the previous class data is replaced.
- Paid tiers: Classroom data, including all student submissions, is deleted 7 days after the School deletes the class within the application.
- Staff activity logs are retained for 12 months.
10.2 Account Termination
- Upon subscription termination, Schools may request data export within 30 days.
- After 30 days, personal data is scheduled for deletion.
- Some data may be retained longer if required for legal, regulatory, or safeguarding purposes.
10.3 Anonymised Data
- Aggregated, anonymised data may be retained indefinitely for research and service improvement.
- Anonymised data cannot be linked back to individuals.
10.4 Website Enquiry Data
- Contact form and demo request data is retained in our CRM system for the purpose of responding to enquiries and follow-up communications.
- You may request deletion of your data at any time by contacting info@moodly.education.
11. Data Security
We implement appropriate technical and organisational measures to protect personal data:
Technical Measures
- Encryption of data in transit (TLS/HTTPS) and at rest
- Secure authentication and access controls
- Regular security assessments and updates
- Automated backup and disaster recovery
Organisational Measures
- Staff training on data protection
- Access limited to authorised personnel only
- Incident response procedures
- Regular review of security practices
12. International Transfers
Personal data is primarily stored and processed within the United Kingdom and European Economic Area.
Where data is transferred outside the UK/EEA, we ensure appropriate safeguards are in place, including:
UK adequacy decisions
Standard Contractual Clauses (SCCs)
Additional technical and organisational measures where required
13. Your Rights
Under UK GDPR, individuals have the following rights:
Your Rights
- Access: Request a copy of your personal data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of data (subject to legal obligations)
- Restriction: Request limitation of processing
- Portability: Receive data in a portable format
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Where processing is based on consent
Exercising Rights
- For School platform data: Contact your School's data protection contact, as the School is the Data Controller.
- For website data or general enquiries: Contact info@moodly.education
- We will respond to requests within one month.
15. Changes to This Policy
We may update this Privacy Policy from time to time.
Material changes will be notified to School administrators via email.
The 'Effective Date' at the top of this policy indicates when it was last updated.
Continued use of the platform after changes constitutes acceptance of the updated policy.
16. Contact Us
For privacy-related enquiries:
Email: info@moodly.education
Website: moodly.education
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.
Document Version: 2.0
Last Reviewed: 11 February 2025
Next Scheduled Review: 11 February 2026
Published by: Mr G Education Ltd
Related Policies
For information about how to use our platform, please also review our Terms of Service.