Skip to main content

Privacy Policy

Last updated: 25 April 2026

About this policy

TeachKit (“TeachKit”, “we”, “us”) provides a classroom management platform with built-in coding and creative tools — including a Python IDE, a web development IDE, and a pixel editor — for teachers and their students at UK schools, available at teachkit.uk. This policy explains what personal information we collect, why we collect it, how we use it, and the rights you have over it under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

If you have any questions about this policy or want to exercise any of your rights, contact us at support [at] teachkit [dot] uk.

Who is the data controller?

For information that a school’s teachers enter into TeachKit about their students (names, year groups, class assignments, tasks, notes, saved work), the school is the data controller and TeachKit acts as a data processor on the school’s behalf. Teachers must have lawful authority from their school to use the service.

For information you provide directly when signing in (your Google account email and name), TeachKit is the data controller.

Sign-in with Google — what we receive

TeachKit uses Google Sign-In as its only authentication method. When you sign in, Google sends us:

  • Your email address (used to identify your account and to send service-related contact)
  • Your full name (displayed in the interface so teachers know whose work they are looking at)
  • A unique Google account identifier (a long opaque number used to link your account; it is not your email and cannot be used to contact you outside of Google)

We do not receive your Google password, your contacts, your calendar, your Drive files, your YouTube history, or any other Google service data. The OAuth scopes we request are limited to openid, email, and profile — the standard sign-in identity scopes.

We do not use Google data for advertising, profiling, or any purpose other than identifying you as the owner of a TeachKit account.

What other information we hold

In addition to the Google sign-in data above, TeachKit stores:

  • Account metadata — your role (student or teacher), the school you belong to, the date your account was created, and the date you last signed in
  • Classroom data entered by teachers — class names, year groups, timetable entries, student rosters (first name, last name, optional year group), tasks, observation notes, and per-student flags. Teachers are responsible for ensuring this data is accurate and that they have the school’s authority to enter it.
  • Student work — saved Python scripts, web projects, and pixel-editor drawings created by students using TeachKit’s built-in tools. Stored only so that students can return to their work and teachers can review it.
  • Session and security data — an encrypted session identifier in a cookie so we can keep you signed in, and rate-limiting counters tied to your IP address to prevent abuse of the sign-in form.
  • Application logs — we record errors and significant security events (failed logins, account state changes, impersonation by an administrator) so we can keep the service working and audit unusual activity. Logs include IP addresses and account identifiers.

Why we use your information

  • To authenticate you and keep you signed in (Google sign-in data, session cookie)
  • To provide the service — show your classes, save your work, deliver tasks (classroom data, student work)
  • To protect the service from abuse (rate-limiting counters, security logs)
  • To contact you about your account if necessary (your email address)

We do not sell your data. We do not use it for advertising. We do not share it with third parties for marketing.

Cookies

TeachKit uses a small number of strictly-necessary cookies:

  • teachkit_session — identifies your signed-in session. HttpOnly, Secure, SameSite=Lax, lifetime tied to your session.
  • teachkit_guest — a short-lived cookie used only during the Google sign-in handover (e.g. while you are entering a class code after authenticating with Google). Cleared when you successfully sign in.
  • url_intended — a 10-minute cookie that remembers the page you tried to visit before being redirected to sign in, so we can take you straight there afterwards.

We do not use third-party cookies, advertising cookies, or analytics cookies.

Where your data is stored

All TeachKit data is stored on servers physically located in the United Kingdom. Backups are encrypted and stored in the same jurisdiction. Data is never transferred outside the UK or the European Economic Area.

How long we keep it

  • Active accounts — kept for as long as the school continues to use TeachKit.
  • Archived classes and students — retained so that teachers can refer back to historical records (a typical use case is reading old observation notes when writing reports). A teacher or school administrator can request permanent deletion at any time.
  • Application logs — rotated automatically, with files older than 30 days removed.
  • Rate-limit counters — expire automatically (typically within 15 minutes).

When you ask us to delete your data, we remove it from the live database immediately. Encrypted backups created before the deletion request may continue to contain your data for a short period — until they are overwritten in our normal backup rotation — after which it is permanently gone.

Your rights under UK GDPR

You have the right to:

  • Be told what personal data we hold about you (right of access)
  • Have inaccurate data corrected (right to rectification)
  • Have your data deleted (right to erasure, also known as “the right to be forgotten”)
  • Restrict or object to how we use your data
  • Receive a copy of your data in a machine-readable format (right to portability)
  • Withdraw consent and stop using the service at any time

To exercise any of these rights, email support [at] teachkit [dot] uk. We will respond within one calendar month. If you are a student, you can also ask your teacher to make the request on your behalf.

If you believe we have mishandled your data, you have the right to complain to the Information Commissioner’s Office (ico.org.uk), the UK’s data protection regulator.

Children’s data

TeachKit is intended for use in UK schools, including with students under 13. Students do not register themselves — their accounts are created by their teacher with the school’s authority. Students’ Google accounts are typically issued by their school as part of Google Workspace for Education, and we rely on the school’s lawful basis under UK GDPR Article 6(1)(e) (public task) for processing student data on the school’s behalf.

Security

We protect your data with industry-standard measures including TLS encryption in transit, encrypted password-equivalent secrets at rest (such as two-factor authentication keys), HttpOnly and Secure cookie flags, server-side session storage, CSRF protection on every form, rate-limiting on sign-in attempts, and two-factor authentication for administrative accounts. No system is perfectly secure, but we take reasonable steps to keep your data safe and to alert affected users promptly if anything goes wrong.

Changes to this policy

If we make material changes to this policy we will update the “Last updated” date at the top and, where appropriate, notify users by email or via a notice in the app on next sign-in. Continued use of TeachKit after a change constitutes acceptance of the updated policy.

Contact

For privacy questions, deletion requests, or any other matter relating to your data:

support [at] teachkit [dot] uk