Privacy Policy

Effective date: 21 April 2026

This Privacy Policy explains how Hedgehog Education (“Hedgehog”, “we”, “us”, “our”) collects, uses and protects personal data when you visit hedgehog.education (the “Site”) and when you use the Hedgehog learning platform available at app.hedgehog.education (the “Platform”).

Hedgehog is established in Malta. We act as a data controller for personal data we collect through the Site, and as a data processor for personal data we process on behalf of educational institutions that use the Platform.

1. Who we are and how to contact us

For any questions about this Privacy Policy, including requests to exercise your data protection rights, please contact us at mikea@hedgehog.education.

2. The data we collect

2.1 Information you give us

  • Contact details — if you email us or fill in a form, we receive your name, email address and the contents of your message.
  • Account information — when you sign in to the Platform, we store the credentials, profile details and role assignments necessary to give you access.
  • Learning content — on the Platform, we store the exercises, answers, AI tutor conversations and progress data required to deliver the service.

2.2 Information we collect automatically

  • Technical data — IP address, device type, browser, language, referring URL and pages visited. We use this for security, fraud prevention and to keep the Site working.
  • Analytics data — if you accept cookies on the Site, we use PostHog to understand which pages are visited and how features are used. See section 5.

2.3 Children’s data

Where the Platform is used by school students under the age of 16, accounts are created and managed by their educational institution acting as data controller. Hedgehog only processes student data on the documented instructions of that institution.

3. How we use personal data

We use personal data for the following purposes:

  • To provide, secure and improve the Site and the Platform.
  • To respond to enquiries you send us and to manage our customer relationships.
  • To deliver the AI tutor and learning features that students and teachers use.
  • To produce aggregated and anonymised analytics that help us improve the product.
  • To meet our legal, regulatory and accounting obligations.

4. Legal bases (UK GDPR / EU GDPR)

  • Consent — for non-essential cookies and marketing communications.
  • Contract — to provide the Platform under our agreement with your school or directly with you.
  • Legitimate interests — to keep our services secure, prevent abuse, and improve our products.
  • Legal obligation — where the law requires us to retain or disclose specific data.

5. Cookies and tracking

On the Site, we set strictly necessary cookies needed to remember your cookie preference. We do not set analytics or marketing cookies until you click Accept on the cookie banner. You can change your choice at any time using the “Cookie preferences” link in the footer.

On the Platform, you have already consented to the use of cookies through the agreement signed between Hedgehog and your educational institution. The Platform uses cookies to keep you signed in (Supabase), to monitor service quality, and to improve the product (PostHog).

6. Sharing your data

We share personal data with the following categories of recipients, each bound by appropriate confidentiality and data protection obligations:

  • Hosting and infrastructure — Vercel Inc. (Site hosting); Supabase Inc. (database, authentication and file storage).
  • Product analytics — PostHog Inc. (anonymous and identified usage analytics, hosted in the EU).
  • Email delivery — Resend (transactional email such as invitations and notifications).
  • AI providers — large language model providers accessed through the Vercel AI Gateway, used to generate AI tutor responses. We do not allow these providers to train their models on your content.
  • Professional advisers and authorities — where required by law or to defend our legal rights.

7. International transfers

We host data in the European Union wherever possible. Where data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses or another lawful transfer mechanism approved under UK GDPR and EU GDPR.

8. How long we keep data

We keep personal data only for as long as is necessary for the purposes set out above. For Platform data processed on behalf of an educational institution, retention is governed by our contract with that institution.

9. Your rights

You have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate data.
  • Request deletion of your data, subject to legal exceptions.
  • Object to or restrict our processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time.
  • Lodge a complaint with the Information and Data Protection Commissioner (Malta) or your local supervisory authority.

To exercise any of these rights, please contact us at mikea@hedgehog.education.

10. Security

We use industry-standard technical and organisational measures to protect personal data, including encryption in transit, role-based access control, database row-level security and regular dependency updates. No system can be guaranteed to be completely secure, and we will notify affected users and the relevant authority of any personal data breach as required by law.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will revise the “Effective date” above and, for material changes, give you prominent notice on the Site or by email.

12. Contact

If you have questions about this policy or wish to exercise your rights, contact mikea@hedgehog.education or write to Hedgehog Education in Malta.

See also our Terms & Conditions.