Meedu Privacy Policy

Last Updated 09/04/2026

1. Introduction

Welcome to Meedu LTD's Privacy Policy. We value your privacy and are committed to protecting your personal information in accordance with the General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, COPPA, FERPA, and other applicable data protection laws.

We operate an online educational platform accessible through meedu.ai (the "Platform") that allows users to access educational courses, create content, and share educational resources. In providing these services, we process personal data with the utmost care and transparency.

Data Controller Information:

• Company: Meedu LTD
• Company Number: 11898675
• Registered Address: 19 Church Avenue, Swillington, Leeds, LS26 8QH, United Kingdom
• Contact: contact@meedu.co.uk
• Data Protection Officer: contact@meedu.co.uk

We reserve the right to update this Privacy Policy periodically. Material changes will be clearly communicated through our Platform, email, or other appropriate means at least 30 days before taking effect. The current version is always available on this page.

2. Information We Collect

2.1 Personal Information

Definition: Personal information refers to data that can identify you as an individual, including:

• Name and contact details (email address, postal address, telephone number)
• Date of birth and age verification information
• Account credentials and login information
• Educational records and course progress
• Communications with us
• Device and technical information (IP address, browser type, operating system)

Collection Methods:

• Direct provision during account registration
• Use of our Platform and services
• Communications with our support team
• Third-party social media sign-up (Google)
• Cookies and similar tracking technologies

2.2 Educational Data and Records

What We Collect:

• Course enrolments and progress
• Assessment results and grades
• Learning preferences and behaviour
• Educational content you create or share
• Interactions with educational materials
• Academic performance metrics

Educational Privacy Protection: We comply with FERPA requirements for educational records and provide enhanced protections for all educational data, particularly for users under 18.

2.3 Account and Authentication Data

What We Collect:

• Username and password (encrypted)
• Account preferences and settings
• Login history and security information

Security Measures: All authentication data is stored securely using industry-standard encryption and security protocols.

2.4 Payment and Transaction Data

The Platform is currently free during our Beta Release. When paid features are introduced, we will update this section accordingly. Payment processing will be handled by a third-party payment processor, and we will not store complete payment card details. This section will be updated at least 30 days before any paid features launch.

2.5 Website and Platform Interactions

What We Collect:

• Pages visited and time spent on Platform
• Features used and content accessed
• Search queries and interactions
• Click patterns and navigation behaviour
• Device information and technical specifications
• Performance and error logs

Purpose: This data helps us improve Platform functionality, user experience, and service quality whilst ensuring platform security.

2.6 Communications and Feedback

What We Collect:

• Messages sent through our Platform
• Support enquiries and help requests
• Survey responses and feedback
• Reviews and ratings
• Content reports and safety concerns

2.7 Third-Party Integration Data

When you sign up using Google, we may receive:

• Basic profile information (name)
• Email address

Important: Review Google's privacy policy to understand what information they share with us.

2.8 AI-Powered Features Data

Our Platform includes AI-powered features such as an educational chatbot and content generation tools. When you use these features:

• Your chat messages and questions are sent to third-party AI providers (currently OpenAI) for processing and response generation
• Course content may be sent to AI providers (currently Anthropic Claude) for educational content generation such as flashcards and quiz questions
• Chat conversation history is stored to provide contextual responses within a session
• AI providers process your data solely to generate responses and do not use it to train their models

Important: Do not share sensitive personal information (medical details, financial data, passwords) through the chatbot. The chatbot is designed for educational queries related to course content only.

3. Legal Basis for Processing

Under GDPR and UK data protection law, we process your personal data based on the following lawful bases:

3.1 Contract Performance

• Creating and managing your account
• Providing educational services
• Processing payments and transactions
• Delivering customer support

3.2 Legitimate Interests

• Platform security and fraud prevention
• Service improvement and development
• Analytics and performance monitoring
• Child safety and protection measures

3.3 Consent

• Marketing emails (tips, study reminders, and product updates) — only sent where you have given explicit opt-in consent at registration or subsequently
• Non-essential cookies and tracking
• Optional features and personalisation
• Research and survey participation

3.4 Legal Obligations

• Compliance with education regulations (FERPA, COPPA)
• Tax and accounting requirements
• Legal proceedings and investigations
• Data protection law compliance

3.5 Vital Interests

• Emergency situations requiring disclosure
• Child protection and safety measures

4. How We Use Your Information

4.1 Service Delivery and Account Management

• Creating and maintaining your account
• Providing access to educational content and features
• Processing course enrolments and tracking progress
• Managing subscriptions and billing
• Delivering personalised learning experiences (using limited automated processing for recommendations; no solely automated decisions with legal or significant effects. Users may request human review or explanation via contact@meedu.co.uk).

4.2 Communication and Support

• Responding to enquiries and providing support
• Sending service-related notifications and updates
• Providing important safety and security communications
• Facilitating communication between users (where appropriate)

4.3 Platform Improvement and Development

• Analysing usage patterns to improve functionality
• Developing new features and services
• Conducting research and analytics
• Testing and optimising platform performance
• Ensuring technical security and stability

4.4 Marketing and Promotional Communications

We only send marketing emails (tips, study reminders, weekly digests, and product updates) where you have given explicit opt-in consent, which you can provide at registration or withdraw at any time. We do not send marketing emails on the basis of legitimate interests.

• Sending tips, study reminders, and product updates (with explicit consent only)
• Providing tailored recommendations based on interests (with consent)
• Informing you about new courses and features (with consent)
• Conducting market research and surveys

4.5 Legal and Compliance Purposes

• Complying with legal obligations
• Protecting against fraud and abuse
• Enforcing our terms and conditions
• Responding to legal requests and investigations
• Maintaining records for regulatory compliance

4.6 Child Safety and Protection

• Implementing age-appropriate content filtering
• Monitoring for inappropriate content or behaviour
• Responding to safety reports and concerns
• Complying with child protection regulations

5. Data Sharing and Disclosure

5.1 We Do Not Sell Personal Data

Meedu LTD does not sell, rent, or trade your personal data to third parties for commercial purposes.

5.2 Service Providers and Partners

We may share data with trusted third parties who provide services on our behalf:

• Hosting and Infrastructure: Amazon Web Services (AWS), including compute, storage, and database services, hosted in the EU (London, eu-west-2)
• AI Processing: OpenAI (chatbot responses and query processing) and Anthropic (educational content generation). These providers process data solely to generate responses and retain it for up to 30 days for abuse monitoring only
• Error Monitoring: Sentry (error tracking and performance monitoring). Sentry receives technical error data, stack traces, and request metadata to help us identify and fix issues
• Chatbot Data Storage: MongoDB Atlas (hosted in EU) for storing educational content used by the AI chatbot and chat session history
• Authentication: Google (OAuth sign-in)
• Email Services: Amazon Simple Email Service (SES), hosted in eu-west-2, for transactional and marketing communications. Amazon processes email data under the AWS Data Processing Addendum, incorporated into the AWS Customer Agreement.

Safeguards: All service providers are contractually required to protect your data and use it only for specified purposes. A full list of our sub-processors is available on request by contacting contact@meedu.co.uk.

5.3 Educational Institution Sharing

For institutional accounts, we may share relevant educational data with:

• Authorised school administrators
• Teachers and instructors (for their students only)
• Educational technology coordinators
• Academic compliance officers

5.4 Legal and Safety Disclosures

We may disclose personal data when required by law or to protect safety:

• Compliance with legal obligations
• Response to court orders or legal process
• Protection of our rights and property
• Prevention of fraud or abuse
• Child safety and protection
• Emergency situations involving safety

5.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, user data may be transferred to the acquiring entity, subject to the same privacy protections.

5.6 Parental Access (For Minors)

Parents and legal guardians of users under 18 may access their child's account information and educational records as permitted by law and our terms.

6. Your Privacy Rights

6.1 Rights Under GDPR and UK Data Protection Law

• Right of Access: Request copies of your personal data and information about how we process it.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your personal data (subject to certain limitations).
• Right to Restrict Processing: Request limitation of how we process your data.
• Right to Data Portability: Receive your data in a machine-readable format for transfer to another service.
• Right to Object: Object to processing based on legitimate interests or for direct marketing.
• Right to Withdraw Consent: Revoke consent for processing where consent is the legal basis.

6.2 Rights Under COPPA (For Children Under 13)

In the unlikely event we collect data from a child under 13 (which is prohibited):

• Parents may review their child's personal information
• Parents may request deletion of their child's data
• Parents may refuse further collection of their child's information
• Parents may request information about our data practices

6.3 Rights Under FERPA (Educational Records)

• Right to inspect and review educational records
• Right to request correction of inaccurate records
• Right to control disclosure of educational information
• Right to file complaints about FERPA violations

6.4 How to Exercise Your Rights

To exercise any privacy rights, contact us at:

• Email: contact@meedu.co.uk with subject line "Privacy Rights Request"
• Include: Your full name, account email, specific request, and identity verification

We will respond to requests within 30 days and may require identity verification for security purposes.

6.5 Marketing Consent and Opt-Out

Marketing emails are only sent where you have given explicit consent. You can manage this at any time:

• At registration: opt in via the marketing consent checkbox (unchecked by default)
• Use the "unsubscribe" link in any marketing email to immediately opt out of that category
• Contact us at contact@meedu.co.uk to withdraw all marketing consent

6.6 Complaints and Appeals

If you believe we have not handled your data appropriately:

• Contact us directly at contact@meedu.co.uk
• File a complaint with the Information Commissioner's Office (ICO) at https://ico.org.uk/make-a-complaint/
• For educational records: Contact the Family Policy Compliance Office (US Department of Education)

7. Data Retention and Deletion

7.1 Retention Principles

We retain personal data only as long as necessary for the purposes outlined in this policy, including:

• Legal and regulatory requirements
• Service provision and support
• Fraud prevention and security
• Educational record obligations

7.2 Specific Retention Periods

Account Data: Retained whilst account is active plus 3 years after closure or as required by law.

Educational Records: Retained according to institutional policies and FERPA requirements (typically 3-7 years).

Payment Data: Retained for 7 years for tax and accounting purposes.

Marketing Data: Retained until consent is withdrawn or 3 years from last engagement.

Security Logs: Retained for 2 years for security and fraud prevention.

Children's Data: Retained for minimum period necessary, with enhanced deletion procedures.

7.3 Data Deletion

Upon retention period expiry:

• Data is securely and permanently deleted.
• Anonymised data may be retained for research and statistical purposes.
• Some data may be retained longer if legally required.

7.4 Account Deletion

You can permanently delete your account at any time:

• Self-service: Go to Account Settings > Password & Security > Danger Zone and click "Delete Account". Deletion is immediate and permanent — all personal data, course progress, and notes are removed.
• Alternatively, contact us at contact@meedu.co.uk with subject "Account Deletion Request" and we will process it within 30 days.
• Some information may be retained where required for legal compliance (e.g., tax records for 7 years).
• Anonymised aggregate usage data may be retained for analytics and platform improvement.

8. Data Security

8.1 Technical Safeguards

• Industry-standard encryption for data in transit and at rest
• Secure authentication and access controls
• Regular security assessments and monitoring
• Automated backup and disaster recovery procedures
• Firewall and intrusion detection systems

8.2 Organisational Measures

• Staff training on data protection and security
• Access controls limiting data access to authorised personnel
• Regular security policy reviews and updates
• Incident response and data breach procedures
• Vendor security assessments and contracts

8.3 Limitations

Whilst we implement robust security measures, no system is completely secure. We encourage users to:

• Use strong, unique passwords
• Report suspicious activity immediately
• Keep account information confidential

8.4 Data Breach Response

In the event of a suspected or confirmed personal data breach, we will:

• Assess and document the breach promptly and internally.
• Notify the Information Commissioner's Office (ICO) within 72 hours if the breach is likely to result in a risk to individuals' rights and freedoms.
• Notify affected users without undue delay (and where feasible, within 72 hours) if the breach is likely to result in a high risk to their rights (e.g., via email to registered addresses).
• Provide details in notifications on the breach nature, likely consequences, and recommended mitigation actions.

Suspected breaches should be reported immediately to contact@meedu.co.uk for investigation. Whilst we implement robust security measures, no system is completely secure. We encourage users to use strong passwords, enable 2FA (when available), and report suspicious activity promptly.

9. International Data Transfers

9.1 Cross-Border Processing

Your data may be processed outside your country of residence, including in countries that may not have equivalent data protection laws.

9.2 Transfer Safeguards

When transferring data internationally, we ensure adequate protection through:

• Adequacy Decisions: Transfers to countries deemed adequate by UK/EU authorities
• Standard Contractual Clauses: Legally binding data protection agreements
• Binding Corporate Rules: Internal privacy frameworks for multinational organisations
• Explicit Consent: Where appropriate and legally required

9.3 US Data Transfers

Data may be transferred to the United States for processing by our service providers. We ensure appropriate safeguards are in place through contractual protections and security measures.

10. Cookies and Tracking Technologies

10.1 What Are Cookies

Cookies are small text files stored on your device that help us provide and improve our services.

10.2 Types of Cookies We Use

10.3 Cookie Consent and Control

• We obtain consent for non-essential cookies
• You can manage cookie preferences through our consent banner
• Browser settings allow you to block or delete cookies
• Some functionality may be limited if essential cookies are disabled

10.4 Third-Party Cookies

Our Platform may include cookies from:

• Analytics providers (Google Analytics, when enabled)

We do not use advertising cookies, social media tracking pixels, or third-party marketing cookies.

11. Children's Privacy Protection

11.1 Age Restrictions and Verification

• Users must be at least 13 years old to use our Platform.
• Age verification is required during registration via neutral screening (e.g., birthdate entry).
• We do not knowingly collect personal information from children under 13; users under 13 are prohibited from creating accounts, and any such data discovered will be deleted immediately without compensation.
• If you believe we have collected data from a child under 13, contact us at contact@meedu.co.uk.
• Enhanced protections apply for users aged 13-17, including optional parental notification.

11.2 Parental Rights and Consent

For users aged 13-17:

• Optional parental notification of account creation (via provided email at signup).
• Parental access to educational records upon verified request (e.g., matching email + ID).
• Right to request account deletion at any time.
• Enhanced privacy protections, including limited sharing.
• We do not permit users under 13, so no parental consent is collected for them. In the unlikely event we discover under-13 data, it will be deleted immediately.

11.3 Child Safety Measures

• Age-appropriate content filtering
• Proactive monitoring for inappropriate content
• Safe reporting mechanisms
• Staff training on child protection
• Cooperation with law enforcement when required

11.4 Educational Context Protections

• FERPA compliance for educational records
• COPPA compliance for children's data
• Enhanced data security for minors
• Regular safety audits and assessments

12. Content Contributor Data

12.1 Scope

This section applies to individuals who express interest in or participate in our "Request a Course" programme or any other content contribution arrangement. If you complete a Google Form or similar form to express interest in contributing study materials or creating educational content for payment, we collect and process additional data as described below.

12.2 Additional Data We Collect

• Name: To identify you and enter into a payment arrangement. Lawful basis: UK GDPR Article 6(1)(b) — contractual necessity.
• Email address: Automatically collected by Google Forms from your Google account, used to contact you about the arrangement and process payment. Lawful basis: Article 6(1)(b).
• Course and university: To determine which educational content to create and match your expertise. Lawful basis: Article 6(1)(b).
• Year of study: To calibrate the academic level of content we create. Lawful basis: Article 6(1)(f) — our legitimate interest in producing quality, level-appropriate educational content.
• Phone / WhatsApp number (optional): To provide an alternative communication channel for coordinating the arrangement. Lawful basis: Article 6(1)(f) — our legitimate interest in efficient coordination. You have the right to object to this processing at any time.
• Study materials availability: To assess the scope of your contribution. Lawful basis: Article 6(1)(b).

12.3 How We Use This Data

• Assessing your suitability for a paid content creation arrangement
• Coordinating the content creation process
• Processing payment for your contribution
• Maintaining records as required by HMRC

12.4 Retention of Contributor Data

• Form responses: Up to 2 years from date of submission, or until the content creation project is complete plus 6 months, whichever is later.
• Study materials you share: Deleted within 6 months of content creation completion. Only the MCQs/flashcards we create (which will not identify you) are retained.
• Contact details: Deleted within 30 days of final payment, unless you separately consent to future contact.
• Payment records: 7 years (as required by HMRC for business records).

12.5 Third-Party Processing

Contributor data collected via Google Forms is processed by Google as our data processor under their Workspace Data Processing Agreement. See Google's privacy policy at policies.google.com/privacy for information about their data practices. Payment data is shared with our payment processor to complete your payment.

13. Updates to This Privacy Policy

13.1 Policy Changes

We may update this Privacy Policy to reflect:

• Changes in data protection laws
• New features or services
• Feedback from users and regulators
• Evolving privacy best practices

13.2 Notification of Changes

Minor Changes: May be made without specific notice, but will be reflected in the updated policy.

13.3 Continued Use

Your continued use of our Platform after policy changes constitutes acceptance of the updated terms. If you disagree with changes, you may close your account.

14. Contact Information and Data Protection

14.1 General Contact

14.2 Data Protection Enquiries

Data Protection Officer:contact@meedu.co.uk

Subject Line for Privacy Matters: "Data Protection - [Your Request]"

Response Time: Within 30 days for rights requests, 2 business days for general enquiries

14.3 Specialised Enquiries

All sent to contact@meedu.co.uk with appropriate subject lines:

• Child Safety Reports: "Safety Report - [Brief Description]"
• Accessibility Requests: "Accessibility - [Your Need]"
• Legal Notices: "Legal Notice - [Type]"
• Security Incidents: "Security Incident - [Details]"

14.4 Regulatory Contacts