Privacy Policy

Syndeou is committed to protecting personal data, learner data, institutional data, and confidential information processed through Lrnsy.

This Privacy Policy explains how information is collected, used, stored, shared, protected, and retained when institutions and authorised users use the Lrnsy platform, website, and related services.

Because Lrnsy is used in education environments, this policy gives particular attention to learner data, children's data, safeguarding, access control, and responsible data handling.

This policy applies to:

• Schools and education institutions
• Administrators
• Educators and Academic Guides
• Parents or guardians
• Learners
• Institutional leadership
• Website visitors
• Users of Lrnsy services

In most cases:

• The Institution is the Data Controller
• Syndeou is the Data Processor
• Authorised users act under the authority of the Institution

The Institution determines why and how learner data is used. Syndeou processes data on behalf of the Institution to deliver Lrnsy services.

For website enquiries, business communications, commercial records, and internal operational data, Syndeou may act as an independent Data Controller.

For payment processing, VGA Brokers and Tap Payments may act as independent data controllers for the payment information they process.

Lrnsy may process the following categories of data.

Data may be collected:

• Directly from institutions
• Directly from authorised users
• Through platform use
• Through learner assessments
• Through educator input
• Through parent or guardian input where applicable
• Through support communications
• Through website forms
• Through payment providers
• Through technical logs and security systems

Data is used to:

• Provide access to Lrnsy
• Create and manage accounts
• Support personalised learning
• Support learner profiling and pathway planning
• Enable academic progress tracking
• Generate institutional reports
• Support educator decision-making
• Provide AI-supported insights
• Manage safeguarding-related workflows where applicable
• Deliver training and certification
• Provide customer support
• Maintain platform security
• Process billing and payments
• Comply with legal and contractual obligations
• Improve platform reliability and functionality

Lrnsy may use AI-supported analytics to identify patterns, trends, anomalies, engagement signals, academic progress signals, developmental indicators, or risk-related signals for human review.

AI is used as a support layer only.

AI does not:

• Diagnose learners
• Replace educators
• Make final decisions
• Automatically determine learner outcomes
• Replace safeguarding review
• Replace institutional responsibility

All AI-supported outputs must be interpreted and acted upon by authorised professionals within the Institution.

The legal basis for processing may include:

• Performance of a contract
• Legitimate educational interests
• Compliance with legal obligations
• Consent where required
• Institutional authority
• Protection of learners and safeguarding obligations
• Payment and transaction processing requirements

The Institution is responsible for ensuring the correct legal basis is in place for learner data and children's data.

Lrnsy may process data relating to children and minors because it is used in educational settings.

Children's data is handled with enhanced care.

Syndeou expects institutions to:

• Provide required privacy notices
• Obtain required parental or guardian consent where necessary
• Ensure use of Lrnsy is lawful
• Restrict access to authorised personnel
• Maintain safeguarding procedures
• Use learner data only for appropriate educational purposes

Syndeou does not sell children's data.

Data may be shared with:

• The Institution
• Authorised school staff
• Authorised parents or guardians, where applicable
• Authorised learners, where applicable
• Support and implementation personnel
• Hosting and infrastructure providers
• Security and monitoring providers
• Professional advisers where necessary
• Regulators or authorities where legally required

Payment-related data may be processed by VGA Brokers and Tap Payments for transaction processing, settlement, compliance, fraud prevention, refunds, disputes, and payment support.

Where Lrnsy payments are processed through VGA Brokers and Tap Payments:

• VGA Brokers may act as the merchant entity
• Tap Payments may act as the payment gateway or payment processor
• These providers may process payment data as independent data controllers
• Their own privacy notices and terms may apply
• Syndeou does not directly store full card details
• Payment data may be used for transaction processing, fraud prevention, compliance, chargebacks, refunds, and reconciliation

Users should review the applicable payment provider terms where required.

Syndeou may use trusted third-party service providers to deliver Lrnsy, including:

• Cloud hosting providers
• Security providers
• Email providers
• Support tools
• Analytics infrastructure
• Backup providers
• Technical service providers

Where these providers process personal data on behalf of Syndeou, they are required to apply appropriate confidentiality and security obligations.

Payment providers such as VGA Brokers and Tap Payments are generally treated as independent controllers for payment processing, not standard platform sub-processors.

Syndeou applies security measures aligned with ISO/IEC 27001:2022 principles.

Security measures may include:

• Role-based access control
• Least privilege access
• User authentication
• Encryption in transit
• Encryption at rest where applicable
• Secure cloud infrastructure
• Access logging
• Monitoring
• Backup controls
• Incident response procedures
• Confidentiality obligations
• Segregation of duties where practical
• Secure development practices
• Supplier security review
• Administrative access restrictions

No system can be guaranteed completely secure, but Syndeou takes reasonable organisational and technical measures to protect data.

Access to Lrnsy is role-based. Different users may have different access rights depending on their role, such as:

• School administrator
• Educator
• Academic Guide
• Parent or guardian
• Learner
• Leadership user
• System support personnel

Institutions are responsible for assigning appropriate access rights and removing access when no longer required.

Data is retained only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required by law, contract, safeguarding obligations, audit requirements, or legitimate institutional needs.

Learner data retention is generally determined by the Institution.

Upon termination, data may be returned, deleted, anonymised, or retained according to the Data Processing Agreement, applicable contract, and legal requirements.

Depending on the applicable law, individuals may have rights to:

• Access personal data
• Correct inaccurate data
• Request deletion
• Restrict processing
• Object to processing
• Request data portability
• Withdraw consent where consent applies

Because institutions usually control learner data, requests relating to learner records should normally be submitted to the Institution.

Syndeou will assist the Institution where required and appropriate.

Data may be stored or processed in secure cloud environments, which may involve international data transfers.

Where international transfers occur, Syndeou will apply appropriate safeguards as required by applicable law and contractual obligations.

If Syndeou becomes aware of a security incident involving personal data, it will take reasonable steps to:

• Investigate the incident
• Contain the incident
• Assess potential impact
• Notify affected institutions where required
• Support required regulatory or data subject notifications
• Remediate identified risks

Institutions are responsible for notifying regulators, parents, guardians, learners, or other parties where they are legally required to do so as data controllers.

The Lrnsy website may use cookies or similar technologies to support website functionality, analytics, security, and user experience.

Users may manage cookies through browser settings where applicable.

Syndeou may update this Privacy Policy from time to time.

Updated versions will be posted on the website or communicated where appropriate.

For privacy-related queries, contact: