Security & privacy

Kids' data, handled the way we'd want our own kids' data handled.

No ads. No resale. No training third-party models on your child's spelling mistakes. A plain-English promise, with the paperwork to back it up.

ISO 27001 certified · Cyber Essentials Plus · UK GDPR + Children's Code · DfE Data Protection pledge · KCSIE-aligned

Our six pledges

Written in plain English. Reviewed by a DPO. Signed in ink.

Every pledge here is contractually backed in our DPA. If we break one, we break the contract.

01

No ads. Ever.

Spellimus does not run adverts, does not embed third-party ad SDKs, and does not operate an affiliate programme. Children never see sponsored content inside the app.

02

No data resale.

We don't sell, trade, or share learner data with data brokers, advertisers, or analytics resellers. Our subscription fees are our only revenue — on purpose.

03

No model training on children.

Nothing a child types, speaks, or records is used to train a third-party model. Our adaptive engine runs entirely on your account's own history, in your account's own partition.

04

Data stays in the UK.

All learner data is processed and stored on UK infrastructure (AWS London, eu-west-2). Backups never leave the UK region. No cross-Atlantic transfers for children's accounts.

05

Deletion is one click.

A parent or school admin can permanently delete an account and everything attached to it with a single action. We honour it within 24 hours, across all backups within 30 days.

06

If we ever break a pledge, we close.

If acquiring a company means breaking one of these pledges, we walk. If we're ever forced to change them, we will close the service to existing customers before we re-open under new terms.

The technical bits

For your DPO, your IT lead, and the long nights before procurement.

Encryption

  • TLS 1.3 for all traffic
  • AES-256 at rest, envelope-encrypted via AWS KMS
  • Customer-managed keys for Classroom plan

Access control

  • SAML SSO (Google, Microsoft, Okta)
  • MFA required for all admin accounts
  • Least-privilege role model, audited quarterly

Hosting

  • AWS London (eu-west-2), multi-AZ
  • 99.95% uptime SLA for schools
  • Isolated infrastructure per customer tier

Backups & retention

  • Hourly incremental, daily full
  • 30-day point-in-time recovery
  • Tested quarterly — real drills, not paper

Monitoring

  • 24/7 infrastructure monitoring
  • Automated anomaly detection
  • Public status page · status.spellimus.com

Pen testing

  • Annual third-party penetration tests
  • Summary report available under NDA
  • Bug bounty programme — invite-only, active

What we collect

A complete list. Nothing hidden in a 40-page policy.

| Data | Why we collect it | How long | Shared with |
|---|---|---|---|
| Child's first name | Personalisation inside the app | While account is active | Nobody |
| Year group / age band | Appropriate word selection | While active | Nobody |
| Practice responses | Adaptive engine, mastery tracking | 3 years after last use | Nobody |
| Voice recordings (opt-in) | Your own custom pronunciations | Until you delete them | Nobody |
| Parent email | Login + weekly summary email | Until account closed | Postmark (email delivery, EU) |
| Anonymous usage metrics | Product improvement — aggregated only | 13 months rolling | PostHog (self-hosted, UK) |
| Billing info (parents only) | Processing payment | 7 years (HMRC requirement) | Stripe (PCI-DSS Level 1) |

That's everything. There is no separate "also" list. If it isn't in this table, we don't have it.

Sub-processors

Six names. All of them UK/EU. All of them under DPA.

  • AWS London: Hosting · eu-west-2
  • Cloudflare: CDN, DDoS · EU edge
  • Stripe: Payments · Ireland
  • Postmark: Transactional email · EU
  • PostHog: Analytics · self-hosted UK
  • ElevenLabs: TTS voices · UK pipeline, no learner data

The paperwork

Every document your DPO will ask for, before they ask.

Children's Code

All 15 standards. Green across the board.

The ICO's Age Appropriate Design Code sets 15 standards for online services likely to be accessed by children. We map to every one. Our detailed self-assessment is available on request.

  • Best interests of the child
  • DPIAs on every release
  • Age-appropriate application
  • Transparency — plain language
  • Detrimental use blocked
  • Policies & standards upheld
  • Default high-privacy settings
  • Data minimisation
  • No data sharing by default
  • Geolocation off by default
  • Parental controls, age-appropriate
  • Profiling off by default
  • No nudge techniques
  • Connected toys & devices — N/A
  • Online tools to exercise rights

Data Protection Officer

Talk to a human.

For SARs, deletion requests, DPA queries, or anything that mentions the ICO. Our DPO reads every email personally.

Email: dpo@spellimus.com
Response: within 3 working days
SAR turnaround: 30 days or less

Security vulnerabilities

Responsible disclosure.

Found something that worries you? We'd love to hear. Coordinated disclosure, hall of fame, small bounties on critical issues.

Email: security@spellimus.com
PGP: key fingerprint
First response: within 24 hours