Privacy Policy
Last updated: 21 October 2025
Child‑friendly summary
We keep your information safe and only use it so the app can help you learn. We don’t show ads. We don’t sell your data. Your parent or guardian is in charge — they can see, download, or delete your information. If anything worries you, tell your grown‑up or ask us at [email protected].
Who we are (Controller)
Future Mill Limited ("we", "us", "our") is the controller for the personal data processed by the Otter Learn website and app (together, the "Service").
- Registered in: England & Wales, company number 08329410.
- Contact: [email protected].
Who this notice is for
- Parents/guardians who give consent and manage child accounts.
- Children using the app (we provide a simplified, child‑friendly version in‑app).
The data we collect (by category)
We apply data minimisation. We do not collect more than we need. We do not collect special category data (health, biometrics, etc.) unless clearly necessary and consented.
Account & identity
- Child: first name or nickname, age band or date of birth, class/group.
- Parent/guardian: name, email, consent verification logs.
Learning activity
- Content attempted, scores, hints used, streaks, achievements.
Technical
- App/device identifiers, IP address, timestamps, app logs, crash reports; approximate region for latency and fraud prevention.
Support
- Messages you send us, ticket metadata.
Why we use the data we collect
| Purpose | Examples | Lawful basis |
|---|---|---|
| Create & manage child accounts | Sign‑up, age gating, authentication | Consent (parental consent for under‑13s) |
| Provide learning features | Personalised levels, save progress, streaks | Performance of a contract |
| Parental controls & communications | Account emails, progress summaries, consent receipts | Legitimate interests; legal obligation to verify consent |
| Diagnostics & service improvement | Crash logs, feature usage (first‑party analytics) | Legitimate interests (improve service) |
| Marketing to parents/teachers (never to children) | Newsletters to consenting adults | Consent (opt‑in) |
When we rely on legitimate interests, we balance these against children’s rights and expectations. You can object.
Children’s data and parental consent
- We require verifiable parental consent before activating a child account (usually via email link to parent's email address).
- We use birth year, age band or school year to apply age‑appropriate experiences and protections.
- Parents/guardians can review, export, and delete their child’s data at any time.
No ads, no third‑party tracking
- We do not show any ads.
- We do not sell personal data.
- We do not use any third-party tracking or advertising services.
Sharing your data (processors & recipients)
We share data only with service providers who help us run the Service and are bound by data processing agreements. See our Subprocessors page for more details.
International transfers
Where data leaves the UK/EEA, we use appropriate safeguards:
- EU Standard Contractual Clauses (SCCs) and UK IDTA/Addendum.
- Transfer Impact Assessments and technical measures (encryption in transit and at rest, key management).
- Regional hosting preferences (UK/EEA) wherever feasible.
How long we keep data (retention)
We keep data only as long as needed for the purpose collected, then delete or irreversibly anonymise.
| Data category | Typical retention |
|---|---|
| Account & consent records | Life of account + 6 years (legal/audit) |
| Learning progress | Life of account; 12 months after closure |
| Crash/telemetry | 90 days aggregated thereafter |
| Payment records | 7 years (accounting/tax) |
| Support tickets | 24 months unless needed longer for disputes |
Anonymised learning data containing no personal information is kept indefinitely for research and improvement purposes.
Cookies, SDKs, and similar tech
We only use strictly necessary cookies run to provide security, login, and core features. We don't use any third-party cookies for tracking or advertising.
Your rights (parents and children)
Under UK/EU GDPR you have rights to:
- Access your/your child’s data;
- Rectification (correct inaccuracies);
- Erasure ("right to be forgotten");
- Restriction of processing;
- Portability (machine‑readable copy);
- Object to processing based on legitimate interests;
- Withdraw consent at any time (doesn’t affect prior lawful processing).
To exercise rights, contact [email protected]. We may ask for information to confirm identity. We respond within one month.
How parents manage child data
In the parent dashboard you can:
- Review learning progress and account information
- Update profile details
- Delete the child account
Automated decisions & profiling
- We use simple learning personalisation (e.g., level selection) to adapt difficulty.
- No decisions with legal or similarly significant effects are made about children.
- You can request a human review of any automated outcome that concerns you.
Security
We use industry‑standard measures: encryption in transit and at rest, least‑privilege access, audit logging, vulnerability management.
If we discover a data breach likely to risk individuals’ rights and freedoms, we will notify the ICO (and where required, affected parents/guardians) without undue delay and within legal time limits.
Third‑party links
If the Service links to third‑party content, those sites have their own privacy notices. We do not control them.
Changes to this notice
We may update this Privacy Policy to reflect changes to the Service or the law. We’ll post the new version here and notify parents of significant changes (e.g., email or in‑app message). The "Last updated" date shows when it changed.
Complaints
If you have concerns, please first contact us at [email protected]. If you are not satisfied with our response, you can complain to the UK Information Commissioner’s Office (ICO): ico.org.uk. If you’re in the EU, you can complain to your local supervisory authority.