Privacy Policy

1. Who We Are

EngagedLab (“we”, “us”, “our”) is an educational technology platform that transforms static learning materials into interactive, gamified experiences. EngagedLab is operated by EdTechLab LTD, a company registered in England and Wales.

The official company website of EdTechLab LTD is EdTechLab.co.uk.

Data Controller: For individual user accounts, EdTechLab LTD acts as the data controller. For institutional deployments, the subscribing institution is the data controller and EngagedLab acts as the data processor under a Data Processing Agreement (DPA).

Data Protection Officer: dpo@engagedlab.co.uk

2. Data We Collect

2.1 Account Information

When you create an account, we collect:

• • Full name and email address
• • Password (stored as a bcrypt hash—we never store plaintext passwords)
• • Institution name (optional)
• • Phone number (optional, for two-factor authentication)
• • Profile avatar (optional)
• • Role selection (Educator, Administrator)

2.2 Learning & Interaction Data

When users interact with labs and challenges, we collect:

• • Lab completion events and attempt timestamps
• • Quiz and challenge responses (used for mastery tracking)
• • Bayesian mastery probability scores per concept
• • Time spent on activities (for learning analytics)
• • Misconception patterns (aggregated, for content improvement)
• • XP, achievements, and streak data (gamification)

2.3 Content Data

• • Source materials uploaded by educators (PDFs, Word documents, text)
• • Generated interactive lab content
• • Comments and version history in collaborative editing
• • Course structures and enrolment data

2.4 Technical & Usage Data

• • IP address and approximate geolocation (country-level)
• • Browser type, operating system, and device type
• • Pages visited and session duration
• • Error logs and performance metrics
• • Referral source

3. How We Use Your Data

4. Data We Never Collect or Sell

5. Data Security

We implement industry-standard security measures to protect your data:

• • Encryption in transit: All connections use TLS 1.3.
• • Encryption at rest: Database storage uses AES-256 encryption.
• • Password hashing: bcrypt with salt rounds ≥ 12.
• • Access controls: Role-based access with multi-tenant isolation.
• • Infrastructure: Hosted in SOC 2 Type II certified data centres.
• • Monitoring: 24/7 intrusion detection and automated alerting.
• • Backups: Encrypted daily backups with point-in-time recovery, retained for 30 days.
• • Penetration testing: Annual third-party pen tests with remediation SLAs.

6. Data Sharing & Sub-Processors

We share data only with service providers necessary to operate the platform:

All sub-processors are bound by Data Processing Agreements. A full list is available upon request.

7. International Data Transfers

Our primary infrastructure is located in the European Economic Area (EEA). When data is transferred outside the EEA, we rely on:

• • EU Standard Contractual Clauses (SCCs) for US-based sub-processors
• • UK International Data Transfer Agreement (IDTA) for UK adequacy
• • Supplementary security measures as required by the Schrems II ruling

For institutional partners requiring data residency guarantees, we offer EU-only and UK-only hosting configurations.

8. Your Rights

Depending on your jurisdiction, you have the following rights:

To exercise any right, email privacy@engagedlab.co.uk. We respond within 30 days. For GDPR subjects, the supervisory authority is the UK Information Commissioner’s Office (ICO).

9. Data Retention

10. Cookies & Similar Technologies

We use a minimal set of cookies:

• • Essential cookies: Session authentication, CSRF protection, locale preference. These cannot be disabled.
• • Preference cookies: Theme selection (light/dark), language preference. Stored locally.

We do not use third-party analytics cookies, advertising cookies, or cross-site tracking technologies.

11. Children’s Privacy

EngagedLab is designed for higher education and professional training. We do not knowingly collect data from children under 16 (or 13 in the US under COPPA). If an institution uses EngagedLab with students under the applicable age threshold, the institution is responsible for obtaining appropriate consent. If we learn that we have collected data from a child without proper authorisation, we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy periodically. When we make material changes, we will:

• • Post the updated policy on this page with a new effective date
• • Notify registered users by email at least 30 days before changes take effect
• • Notify institutional administrators through the admin dashboard

13. Contact Us

For privacy-related enquiries, data access requests, or complaints: