Privacy Policy
Effective date: 15 April 2026
This privacy notice will help you understand how Wordwall uses and protects your personal data.
We are part of the Harbour Topco (UK) Limited Group. For the purposes of data processing this includes VISUAL EDUCATION LIMITED T/A Wordwall registered at 33 Glasshouse Street, London, England, W1B 5DG and Wordwall Inc, registered at 1521 Concord Pike, ste 201 Wilmington, DE 19803.
Your privacy is protected by law, and it is also protected by our data security and protection policies. This page gives you an idea of how we use your data and the safeguards we put in place to protect it.
You can contact our voluntarily appointed Data Protection Officer at dpo@wordwall.net or by phone on 01509 438404, if you have any concerns or wish to exercise your rights.
If you are an EU Data Subject you can contact our EU Representative, Rune Peterson, at eurep@fifthsquare.eu. Our EU Representative complies with our obligations under GDPR Article 27 and is established in the Republic of Ireland. Please note that our EU Representative is a Third Party. They will process your personal data in accordance with this Privacy Policy.
Our Promises
To help you on your journey with us, we need data about you. We make the following promises about how we will treat this data:
- We will only collect data about you that is relevant and necessary.
- Your data will only be held on systems that meet high compliance standards.
- Your data will only be accessed by those who need it, and we will minimise the amount of data that is processed, wherever possible.
- We won't share or sell your data to any third party, except, if permitted, for the marketing of our own services to you, unless either you have agreed, we are required to share it by law, or we need to fulfil our service commitments.
- We will always remember that it is your personal data, not ours. As such, we will ensure complete transparency and openness with you wherever possible.
- We respect your rights as outlined in the next section and will respond to all requests promptly.
Your Rights
You have certain rights over any data we hold about you:
- Your right of access - You have the right to ask us for copies of your personal information.
- Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
- Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
- Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
- Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
Where we use or store your personal data, because you have given your consent, you have the right to withdraw your consent at any time. For example, if you have subscribed to our mailing list you have an opportunity to unsubscribe at any time.
You can read more about your rights at http://knowyourprivacyrights.org/.
If you would like to uphold your rights, then please contact our Data Protection Officer at dpo@wordwall.net
If you are dissatisfied with our response you also have the right to lodge a complaint with the Data Protection Authority. This can be done at https://ico.org.uk/concerns/.
Wordwall also participates in the iKeepSafe COPPA Safe Harbor program. If you believe we have not resolved your privacy concern relating to children's data, you may contact iKeepSafe directly at COPPAPrivacy@ikeepsafe.org.
How we Collect your Data
Typically, the data we process comes from the following sources:
- You are a school, education provider or teacher and have signed up to the service and engaged with us to create accounts, raise a support ticket, set assignments
- You are a pupil that has been assigned an activity and you add your name to the leaderboard.
- On behalf of an organisation or as an individual, you have enquired about our service or signed up to our mailing lists.
- Other engagement with us through social media, email, phone or at events or by entering competitions and promotions or undertaken surveys.
If you belong to an organisation, we may source your information from public databases and other sources for our Legitimate Interests. If you ask for us to send information about our services to someone else, you warrant you have the consent from them to share their data with us.
What Data we Collect
We try to minimise the data held and the exact data elements we hold will be dependent on your journey with us. Typically, data elements we collect are detailed in the table below:
| Purpose/Use | Type of data | Legal basis |
|---|---|---|
| To register you as a new customer | (a) Identity (b) Contact |
Performance of a contract |
| To process and deliver your subscription including: (a) Manage payments, fees, and charges (b) Collect and recover money owed to us |
(a) Identity (b) Contact (c) Transaction (d) Marketing and Communications |
(a) Performance of a contract with you (b) Necessary for our legitimate interests (to process subscriptions and recover debts due to us) |
| To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy / cookie policy (b) Dealing with your requests, complaints and queries |
(a) Identity (b) Contact (c) Profile (d) Marketing and Communications |
(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated, manage our relationship with you and offer you support in using our services if required) |
| To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) | (a) Identity (b) Contact (c) Technical |
(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation |
| To deliver relevant website content and online advertisements to you and measure or understand the effectiveness of the advertising we serve to you | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical |
Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy). For example, we will use your contact details if you have opted in to our mailing list to deliver the relevant content to you. |
| To use data analytics to improve our website, products/services, customer relationships and experiences and to measure the effectiveness of our communications and marketing | (a) Technical (b) Usage |
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy) |
| To provide AI-powered automated content generation features using third-party AI services | (a) AI Interaction (b) Usage (c) Technical |
Necessary for our legitimate interests (to enhance our service offering and improve user experience through AI-powered features) |
| To (i) copy, reproduce, store, distribute, publish, export, adapt, edit and translate personal data, and to use the personal data for analytics purposes; (ii) analyse the personal data via human analysis or the use of an algorithm or other technological tool such as artificial intelligence, machine learning or otherwise; (iii) anonymise and/or aggregate the personal data and/or combine it with other information in a way that it is no longer attributable to the individual and retain and reuse that aggregated data for our own commercial purposes. | (a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical |
Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy). |
| To send you relevant marketing communications and make personalised suggestions and recommendations to you about goods or services that may be of interest to you based on your Profile Data | (a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications |
Consent, having obtained your prior consent to receiving direct marketing communications such as from the mailing list if you're an individual or by Legitimate Interest if you are working on behalf of an organisation. |
Our website contains content created by us or others. These may include external links, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We don't provide any warranty or accept any liability for this content. If personal data or inappropriate material is found, please report it to us immediately at dpo@wordwall.net.
Children Under 13
We do not knowingly collect personal data directly from children. Each registered account holder determines whether to collect or input student personal data into the platform and is responsible for ensuring that they have the appropriate legal basis and required permissions under applicable laws and regulations.
In such cases our collection of children's data will be limited to what may be reasonably necessary to participate in the relevant activity or to create accounts or log in. This may include the child's name, the score they achieved in a game, and their progress through an assignment. We do not demand real names are used for this purpose, and any entry is accepted on the basis that consent of the parent or guardian has been obtained in all cases.
It is also possible further information may be inferred about a child from the way in which a teacher names the resources that the teacher creates.
When an account holder inputs personal data Wordwall acts as Data Processor and the Account Holder is the Controller.
If a bulk or institutional subscription ends, the individual account holder retains access to and control of their account and associated data, subject to this Privacy Policy and our Terms of Use.
If we become aware that we have collected such information without appropriate consent, we will delete it promptly. If you believe we may have collected personal information from a child under 13, please contact us using the details provided in this Privacy Policy.
The activities of a child on our website are tracked but the child's data arising from this tracking is completely anonymous provided that the child is not accessing our services through a signed-up account.
Legal Basis for Processing your Data
We use a specific legal basis to process your personal data, detailed in the above table. The legal basis we use depends on the nature of the processing activity we undertake on your personal data.
If we use the lawful basis of legitimate interests, we ensure that our processing is not overridden by your data protection interests or fundamental rights and freedoms. In these cases, we act as a Data Controller.
When our clients provide us information, we process this data on the basis that the provider of that data has the right legal basis to share that information with us, and we accept no liability for omissions on their part. In these cases, we act as a Data Processor.
What we use your Data for
We process information about you to provide you with the services for which you, your employee or our clients enter when signing up for our services.
Further information is provided in the table above, which details the purposes or reasons we process your personal data. All our processes are mapped and are subject to various internal policies, procedures and governance, ensuring your data privacy and security remains central to all we do.
We also collect, use, and share de-identified aggregated data such as statistical or demographic data. For example, we may aggregate individuals' usage data to calculate the percentage of users accessing a specific website feature to analyse general trends in how users are interacting with our website to help improve the website and our service offering.
How we Process your Data
Data is processed/stored locally and on encrypted third party hosted cloud services such as Google Business Suite and Azure.
In addition, we use Large Language Models (LLM) often referred to as "AI" to power automated content generation features within our platform and enhance the user experience. We may also use your input data to improve the way we design and configure prompts for our AI service providers, to enhance the quality and relevance of AI‑generated content. This data is not used to train the underlying AI models operated by those providers.
Users remain liable for all inputs and assume responsibility to ensure that no personal, copyrighted or intellectual property is used in content. AI-generated content is automated and may contain inaccuracies. We do not guarantee the accuracy, completeness, or reliability of AI outputs. You remain responsible for verifying AI-generated educational content before use with students.
A full list of the processors used can be found here. These services all have strong data security at the heart of their systems including ISO27001 and SOC2 certification. We ensure that access to these services is strictly controlled and include strong authentication processes like Multi Factor Authentication.
Data is processed in either the UK, EEA/EU data centres or on US based servers that have demonstrated strong Data Security. We may also process your data in countries outside the UK or European Union from time to time in other aspects of our business.
Further to Section 119A of the Data Protection Act 2018 and noting Case C-311/18 in the European Court of Justice, if your data is transferred or processed outside of the UK or EEA we ensure the safeguards of International Data Transfer Agreements (IDTAs) or Addendums are enforced. Where this is not possible, we ensure that European Standard Contractual Clauses are entered.
We regularly review suppliers for data security compliance to ensure your data is safe and track where your data is held.
We will never ask you for your username or password for your account or ask you for any credentials for other applications or websites.
Who we share your data with
We will not share your information with third party organisations (known as sub-processors) except as part of providing a product or service to our clients and/or when legally obliged to. It is our policy to use only third-party providers that are bound to maintain appropriate levels of security and confidentiality, to process your personal information only as instructed by us, and to flow those same obligations down to their sub-processors.
We may also disclose your personal information to those within our group of companies, law enforcement, regulatory and other government agencies, as required by and/or in accordance with applicable law or regulation.
When you ask us to connect your account with a third-party service (for example a Virtual Learning Environment or Single Sign-On provider), we will share the data needed to enable that integration. If your subscription was purchased by an organisation (e.g. a whole-school subscription), that organisation may also access data associated with accounts under its subscription for administration purposes.
We may use marketing services from third parties. These may rely on the use of cookies. You can read more about these in our Cookie Policy.
Wordwall uses a Fractional Data Protection Officer (DPO) for compliance purposes. Should you have a data protection query or complaint your details may be passed to them to assist us. In all other cases our DPO does not have access to your data.
If Wordwall is involved in a merger, acquisition or asset sale, personal data may be transferred between parties, but we will provide notice before personal data is transferred and becomes subject to a different privacy notice.
Retaining your Data
Dependent on the data you provide us and for what purpose it is provided we may need to retain your data for up to 7 years following the end of engagement with you or our client. If you wish to find out more about your specific data retention, please contact us.
Data for students may be deleted at any time by account holders through the dashboard.
Legal Compliance
We seek to uphold our legal obligations as covered by the Data Protection Act 2018, Data Use and Access Act 2025 and the General Data Protection Regulation 2016. Our Data Protection Authority is designated as the Information Commission (IC) formally the Information Commissioners Office (ICO). This Privacy Policy is reviewed on a regular basis and was last reviewed in March 2026. We retain the right to update this notice at any time and the latest version will always be displayed on our website. If we make material changes to this Privacy Policy, we will notify affected users before the changes take effect.
California Privacy Rights (CCPA/CPRA)
If you are a California resident, you have specific rights regarding your personal information under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These rights include the right to know what personal information we collect, use, and disclose; the right to request deletion or correction of your personal information; the right to opt out of the sale or sharing of personal information; and the right to limit the use of sensitive personal information. We will not discriminate against you for exercising these rights. You may submit a request using the contact details provided in this Privacy Policy.
