Privacy Policy

Your privacy is important to us.

Introduction

We have built GoCodeIt with schools and education in mind. GoCodeIt only requires limited information about users in order to provide access to our services.

Free users can use the services without providing any personal information, and GoCodeIt will only store limited tracking information necessary to provide the service (outlined below). Where we require personal information, this is limited to only the information needed for us to allow you to access the resources and GoCodeIt platform. We do not collect any sensitive personal information from our users, and we only require information pertaining to the use of the service and no more.

Teachers may provide information to us about the students they wish to access the service, but this is limited to an identifier for teachers to identify their students, such as a student's name or other identifier. No further details are required. We do not ask for or require any official educational records.

As we store details of code submissions for our users, it is possible that from time to time users may include information of a sensitive nature in the text of their programs or other inputs. GoCodeIt takes reasonable technical and organisational measures to protect all data stored on the platform; however, we strongly advise schools to ensure that students understand they should not enter personal or sensitive information into programs or other free-text areas.

Users should be strongly discouraged from entering personal information or other information of a sensitive nature into the programs they write or other areas where information can be entered.

GoCodeIt is designed to be used in educational settings, and we take our responsibilities with respect to safeguarding seriously. We expect all users to use the platform lawfully, respectfully, and in accordance with our Terms of Service. Schools are responsible for ensuring students use the platform appropriately and in line with their own acceptable use policies. GoCodeIt does not actively monitor the content of individual code submissions in real time; however, we reserve the right to review and remove content that is reported to us or that comes to our attention as potentially harmful, offensive, or in breach of our Terms of Service.

Content produced by users that contravenes the terms of the service may be removed.

1. Data Controller and Processor Roles

Under the UK GDPR, it is important to understand the distinction between data controllers and data processors:

  • Schools (Data Controllers): When a school subscribes to GoCodeIt, the school acts as the Data Controller for the personal data of its teachers and students. The school determines the purposes and means of processing that data and remains responsible for its lawful basis for doing so.
  • GoCodeIt (Data Processor): GoCodeIt acts as a Data Processor on behalf of schools. We process teacher and student data only in accordance with the school's instructions and solely for the purpose of delivering the GoCodeIt platform and its educational services.

For personal accounts created directly by individual teachers or other adults, GoCodeIt acts as the Data Controller for that account data.

Data Processing Agreement (DPA): A Data Processing Agreement is available to schools on request. The DPA sets out the obligations of both parties with respect to personal data processed through the platform, in compliance with UK GDPR Article 28. Please contact us via our About page to request a copy.

2. Data We Collect

2.1 Information Users Provide:

This includes registration details, code submissions, and communications via support or feedback forms. For instance:

  • Name, email address and organisation details for account creation and communication.
  • Optional feedback and preferences.

2.2 Information Provided About Students:

Teachers may provide limited information about students, specifically:

  • Student name or identifier.

This data is strictly necessary to enable access to our services.

3. Information We Collect Automatically

When you access or use our services, we automatically collect information sent from your device, including:

  • Log Information: Details about your use of our services, for example browser type, access times, pages viewed, IP address, and the page you visited before navigating to our services.
  • Device Information: Information about the device you use to access our services, including hardware model, operating system, and version. This helps us support a wide range of devices and operating systems.
  • Location Information: Information about the location of your device (e.g., IP address) each time you access or use the service. This helps us improve our services, investigate possible abuse, and understand our platform's popularity in different areas. It is not intended to identify or locate individual users.
  • Cookies and Tracking Technologies: We use cookies to enhance your experience and enable essential functionality. Our cookie usage is GDPR compliant:
    • Essential Cookies: We automatically store essential cookies required for login, session management, security, payment processing, and core platform functionality. Under GDPR Article 6(1)(b) and (f), these cookies are necessary for the performance of our service and do not require your consent. They are stored for the durations specified below:
      • PHPSESSID - PHP session cookie that maintains your login state (expires when you close your browser)
      • essential_cookies - Records that essential cookies have been acknowledged (stored for 1 year)
      • gci_desc_limit - Rate limiting cookie for security purposes to prevent abuse when loading projects (stored for 1 hour, used only for non-authenticated users)
      • gci_resolve_limit - Rate limiting cookie for security purposes to prevent abuse when resolving project codes (stored for 1 hour, used only for non-authenticated users)
      • Stripe Payment Cookies - Our payment processor, Stripe, sets essential cookies when you access payment pages to process transactions securely. These cookies are necessary to complete purchases and are covered under GDPR Article 6(1)(b) as they are required for contract performance. Stripe's cookies are managed according to Stripe's Privacy Policy.
    • Non-Essential Cookies: We ask for your consent to use non-essential cookies for third-party educational content such as YouTube and Tella video embeds. These cookies (non_essential_cookies) are optional and can be accepted or rejected through our cookie banner. You have full control over these cookies, and rejecting them will not affect the core functionality of our platform. When accepted, they are stored for 1 year to remember your preference.
    You can change your non-essential cookie preferences at any time by clicking the cookie settings button that appears in your browser, or by clearing your browser cookies. Essential cookies will remain as they are necessary for the service to function properly and maintain security.

3.1 Browser Storage (localStorage and sessionStorage):

In addition to cookies, we use browser localStorage and sessionStorage to store functional data that enhances your experience and enables essential features. Under GDPR Article 6(1)(b) and (f), this storage is necessary for the performance of our service and does not require your consent. The data stored includes:

  • Session Management: Coordination of login sessions across multiple browser tabs, session expiry notifications, and logout events
  • UI Preferences: Your selected code editor theme, last active tab, and navigation state (including filter settings, page numbers, and sort preferences) to provide a seamless experience
  • Security: Rate limiting data for password reset and username recovery to prevent abuse
  • Navigation State: For students, we cache non-personal navigation references such as your last viewed class and project folder names (these are internal identifiers used for navigation only and do not contain personally identifiable information) to improve navigation performance

All browser storage data is stored locally in your browser and is never transmitted to third parties. LocalStorage persists until you clear your browser data or log out, while sessionStorage is automatically cleared when you close your browser tab. This data contains no personal information and is used solely for functional purposes. You can clear all browser storage data at any time through your browser settings.

We also collect the following information about subscribers to our premium services during the subscription process:

  • Payment Information: Stored with a secure third-party processor for processing payments, providing billing histories, and other payment-related purposes.

4. How We Use Your Data

We use your data to:

  • Provide and improve our services, including coding challenges and progress tracking.
  • Offer support and communicate with users, including sending information on updates, news about the service, and important system messages.
  • Offer customer services and allow us to respond to any questions or requests you may have.
  • Monitor use of the service and improve it.
  • Ensure platform security and compliance with legal obligations.

5. Legal Basis for Processing

We process personal data under the following lawful bases:

  • Contract performance (Article 6(1)(b)): Processing necessary to deliver the GoCodeIt service to registered users and subscribers.
  • Legitimate interests (Article 6(1)(f)): For platform security, fraud prevention, service improvement, and communication about the service, where these interests are not overridden by the rights of individuals.
  • Consent (Article 6(1)(a)): Where we rely on your consent, for example for non-essential cookies, you may withdraw that consent at any time.
  • Legal obligation (Article 6(1)(c)): Where we are required to process data to comply with applicable law.

Student Data: Student personal data is processed by GoCodeIt on behalf of the school (as Data Processor). The school's lawful basis for processing student data is typically the performance of a task carried out in the public interest (Article 6(1)(e)) or the performance of a contract (Article 6(1)(b)), in accordance with the school's own data protection obligations. GoCodeIt processes student data solely to enable the delivery of educational services as directed by the school.

6. Data Retention

We retain personal data only for as long as necessary to provide the service and meet our legal obligations. The following retention periods apply:

  • Teacher and administrator accounts: Retained for the duration of the active account. Following account deletion or closure, account data is retained for up to 12 months to allow for reinstatement requests and to meet any contractual obligations, after which it is permanently deleted or anonymised.
  • Student accounts and data: Retained for the duration of the school's active subscription or until the school requests deletion. Where a school account closes or a deletion request is received, student data is deleted or anonymised within 30 days.
  • Code submissions: Retained for the duration of the associated student or teacher account. Deleted or anonymised within 30 days of an account deletion request.
  • System and access logs: Retained for up to 12 months for security monitoring and platform improvement purposes, then deleted.
  • Security audit logs: Retained for up to 24 months to support the investigation of potential security incidents.
  • Payment and billing records: Retained for 7 years in accordance with statutory financial record-keeping requirements.
  • Support communications: Retained for up to 24 months from the date of last contact, then deleted.

Where data is no longer required, it is securely deleted or anonymised so that it can no longer be attributed to an individual.

7. Data Sharing

Your data may be shared with trusted service providers who assist us in operating the platform (for example, our hosting provider and payment processor), or as required by law. These providers are contractually bound to process data only on our instructions and in accordance with applicable data protection law.

Student data is accessible only to the teacher or organisation that provided the information and to GoCodeIt staff where necessary to deliver or support the service.

We only collect the data necessary to provide the service and we never sell your data or share it with third parties for marketing purposes.

8. Safeguarding

GoCodeIt is designed to be used in educational settings and we take our responsibilities with respect to child safeguarding seriously.

  • Appropriate use: GoCodeIt is an educational coding platform. All users are expected to use the platform lawfully, respectfully, and in accordance with our Terms of Service. Schools are responsible for ensuring students use the platform appropriately and in line with their own acceptable use policies.
  • Content monitoring: GoCodeIt does not actively monitor the content of individual code submissions in real time; however, we reserve the right to review and remove content that is reported to us or that comes to our attention as potentially harmful, offensive, or in breach of our Terms of Service.
  • School responsibility: Schools retain responsibility for ensuring that GoCodeIt is used appropriately within their safeguarding framework. We encourage schools to include GoCodeIt in their existing digital safeguarding policies and to brief students on appropriate use.
  • Concerns: If you have a safeguarding concern related to content or activity on the GoCodeIt platform, please contact us immediately via our About page.

9. Data Breach Procedures

In the event of a personal data breach, GoCodeIt has procedures in place to identify, contain, and respond to incidents promptly and in accordance with UK GDPR obligations.

  • Detection and containment: We maintain security monitoring and logging to detect potential breaches or unauthorised access. On identifying a breach, we will take immediate steps to contain and mitigate the incident.
  • Notification to schools: Where a breach involves student or teacher data processed on behalf of a school, we will notify the affected school without undue delay, providing sufficient detail to allow the school to fulfil its own reporting obligations as Data Controller.
  • ICO reporting: Where GoCodeIt acts as Data Controller and a breach is likely to result in a risk to the rights and freedoms of individuals, we will report the breach to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, in accordance with UK GDPR Article 33.
  • Individual notification: Where a breach is likely to result in a high risk to individuals, we will notify affected individuals directly without undue delay.

We maintain an internal record of all data breaches, whether or not they are reportable, as required by UK GDPR Article 33(5).

10. Your Rights

Under UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Request correction of inaccurate or incomplete data.
  • Request deletion of your data (subject to legal obligations and retention requirements).
  • Restrict or object to certain types of data processing.
  • Request portability of your data in a structured, machine-readable format (where applicable).
  • Withdraw consent where processing is based on consent, without affecting the lawfulness of prior processing.
  • Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been infringed.

Where a student wishes to exercise their rights, requests should be submitted by the school as Data Controller on the student's behalf.

To exercise any of these rights, please contact us via our About page.

11. Privacy by Design and DPIA Support

GoCodeIt is built with privacy by design and privacy by default principles in mind. We take a proactive approach to data protection, embedding privacy considerations into the design of new features and processes from the outset, rather than as an afterthought.

This includes:

  • Collecting only the minimum data necessary to deliver the service (data minimisation).
  • Applying appropriate access controls so that data is accessible only to those who need it.
  • Encrypting data in transit and at rest where appropriate.
  • Reviewing and updating our security practices on an ongoing basis.

12. Additional Information

Data is held on servers located in the United Kingdom. We employ advanced encryption technologies and adhere to industry best practices to ensure the security and confidentiality of your data. Our servers are protected by robust security measures to prevent unauthorised access, and we continuously monitor and update our systems to safeguard your information.

13. Contact Us

If you have any questions about this Privacy Policy, wish to exercise your data protection rights, or want to request a Data Processing Agreement or DPIA support documentation, please contact us using the contact link on our About page.

Last Updated: March 2026