Legal & Privacy
2026 Preview

Privacy Policy

How 3P Learning collects, uses, stores and protects personal information when providing online learning products to schools, families and children.

3P Learning Limited  ·  Effective August 2026  ·  Applies to all 3P Learning products

This Privacy Policy is our notice and statement that explains how 3P Learning Limited ("3P Learning", "we", "us") and our group companies collect, use, store, share and protects personal information when we provide our online learning products to schools, families and children.

3P Learning is committed to respecting your privacy rights, and how the law protects the data of our students, teachers, parents and schools. We offer our e-learning subscriptions to home customers and school customers, and the way we handle personal information for home and school users slightly differ. This policy is therefore split into:

This Privacy Policy applies to the following 3P Learning products and their related websites and apps: Mathletics, Reading Eggs, Reading Eggspress, Mathseeds, Writing Legends, LiteracyPlanet and Brightpath Progress (B2B only).

This Privacy Policy should be read in conjunction with in-product or regional privacy notices. For our teachers and educators, a short-form Privacy Notice for Schools is available below.
Privacy Reference – Notice for Schools

1. About 3P Learning

3P Learning Limited is an education technology company providing digital learning products to schools, teachers, parents, and students globally, including in Australia, Canada, Europe, Ireland, UK, New Zealand, UK, the United States and other markets.

The 3P Learning group of companies (collectively, "3P Learning") includes:

Global head office (Australia): 3P Learning Limited, 3P International Holdings Pty Ltd, 3P Learning Australia Pty Ltd, Blake eLearning Pty Limited, Intrepica Pty Limited, Pairwise Pty Limited

655 Parramatta Road, Leichhardt NSW 2040, Australia.

Registered UK office: 3P Learning UK Limited, Blake eLearning UK Limited

33 Colston Avenue, Bristol, BS1 4UA.

Registered USA office: 3P Learning Inc., Blake eLearning Inc.

37 West 26th St, Suite 408, New York, NY 10010.

Registered CAN office: 3P Learning Canda Limited

Suite 370, 160 Quarry Park Boulevard SE Calgary T2C 3G3.

Registered NZ office: 3P Learning NZ Limited

Deloitte Centre, Level 20, 1 Queen Street, Auckland 2010, New Zealand.

This Privacy Policy supports our compliance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ( the “EU GDPR”), the Children‘s Online Privacy Protection Act 1998 ("COPPA") and the FTC COPPA Rule (16 CFR Part 312, including the Final Rule published 22 April 2025), the Australian Privacy Act 1988 and the Australian Privacy Principles, the New Zealand Privacy Act 2020, the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial laws, the South African Protection of Personal Information Act ("POPIA"), and applicable US federal and state privacy laws (including FERPA, SOPIPA and the CCPA/CPRA).

2. Definitions

TermMeaning
Personal information / personal dataInformation that identifies, or could reasonably be used to identify, a living individual (for example a student, parent, teacher or school administrator).
Child / childrenAn individual generally under 13 years of age in the COPPA & PIPEDA, under 16 years of age for GDPR, under 15 years of age in the AU schools and under the age at which consent is valid under other applicable laws.
ControllerThe organisation that determines the purposes and means of processing personal information.
ProcessorThe organisation that processes personal information on behalf of a Controller and under its instructions.
SchoolSchool refers to a school, multi-academy trust, local authority, or other education organisation which has purchased or signed up to trial our products for use by its students / pupils and staff.
ParentParent refers to an individual that has purchased or signed up to trial our product for home educational use.
School-managed / B2BAccounts provided under a contract between 3P Learning and a school or education authority. The school is the data Controller; 3P Learning is the Processor.
Home-managed / B2CAccounts created directly by a parent or guardian for home use. 3P Learning is the data Controller.
Persistent identifierTechnical data (such as cookies, device identifiers, IP addresses and similar log data) that can be used to recognise a user or device over time.
Special category dataRefers to sensitive personal information, such as health, ethnicity or biometric data, and such data described in UK GDPR Article 9. We do not generally collect special category data from students.
Integral disclosureA disclosure of a child‘s personal information to a third party that is necessary to provide the service the child or parent requested (e.g. payment processing, content delivery, hosting).
Non-integral disclosureA disclosure that is not necessary to provide the service (e.g. advertising, data brokerage, AI model training). Requires separate, opt-in parental consent.
Verifiable parental consent (VPC)Consent obtained using a method reasonably designed, in light of available technology, to ensure the person providing consent is the child‘s parent.
DPOData Protection Office(r)
Account Expiry(referred in our Data Retention Periods)The point at which a user account becomes inactive. For school-managed (B2B) accounts, (i) school expiry is typically triggered by the end of a school’s licence or contract with 3P Learning; (ii) school student accounts expiry is generally initiated via the user roster lifecycle, specifically through student or teacher activity and roster status; should a student be deleted from the roster, the account transitions to inactive status following a six-month grace period. For home-managed (B2C) accounts, expiry is typically when the subscription is cancelled or not renewed.

Part A — B2B (Schools and Education Authorities)

Collection of Personal Information – Schools

Part A applies to any school, multi-academy trust, local authority, or other education organisation that has purchased or is trialling our products for use by its students and staff. The school is the Data Controller; 3P Learning is a Data Processor. Schools should refer to this section together with their own privacy information to meet their obligations to students and parents.

A1. Control of Personal Information in school accounts (B2B)

For school-managed accounts, the school or education organisation is the Controller. 3P Learning processes personal information only on the school‘s documented instructions as set out in the subscription / licence agreement, and any rostering arrangement with a third party.

Our Data Processing Agreement for schools who are ‘controllers’ under GDPR data protection laws may also be requested to apply in their licence agreement.
Privacy Reference – Data Processing Agreement (DPA)

Parents and students with questions about why the school uses 3P Learning, or wishing to exercise individual rights should contact the school in the first instance. 3P Learning will assist the school in responding.

A2. Types of Personal Information we process (B2B)

Category of individualCategories of personal data
Students (pupils)First name and last name or initials, year/grade level, school name, class assignment, login ID, learning activity data (scores, progress, time on task, content interactions, free-text entered into learning activities and read aloud voice feature).
TeachersName, work email, school name, role, login ID, support correspondence.
School administratorsName, work email and contact details, school name, role, login ID, licence allocation information, support correspondence.
All users (technical)Persistent identifiers such as IP address, device/browser type, authentication logs, system access patterns and security logs.

Source of data:

We collect personal information directly from the school (teachers/administrators); from students when they use the program; from school-directed rostering providers; and system-generated information from platform use.

A3. What we do with personal information (B2B)

When a school chooses to use our e-learning programs, 3P Learning is required to process personal information for the school and under the school‘s instructions, as a Processor.

This section outlines what we do, and how we process personal information, for the school (Controller) and their school-managed accounts:

Processing of dataData involved
School account subscription
Account creation and apply user settings established by school administrator (teachers, administrators, students/ pupils)Names, usernames, roles, school details, authentication logs
Class rostering and integration with school systemsStudent names/initials, class assignments. Student identifier (note this can be an email address depending on school rostering system). We do not contact students via their main identifier in cases where the identifier is an email or at any time.
Processing teacher and school data
Teacher dashboards and reporting to parentsStudent activity data
Usage analysis and reporting to the schoolAggregated and student-level usage data
Data anonymisation or export (on verified school request)Student, teacher, activity data
Support requests directed from the schoolUser identifiers, support correspondence
Providing product updates and newslettersTeacher data
Processing student data
Learning, educational and assessment content delivery (lesson and merit activities, progress report, personalised learning experience)Student activity data
Enable Read-aloud activity feature (Reading Eggs for Schools only)Student activity data (audio recording for teacher)
Program activity leaderboards (in Program)Student first name and initial, activity score
Processing platform requirements
Hosting of data in programStudent, teacher, activity data, user identifiers
Platform security, abuse prevention, audit loggingPersistent identifiers, security logs
Data retention for service deliveryStudent, teacher, activity data, user identifiers
Improving educational programs and features (product development)Anonymised usage, activity and engagement data
Optional processing
Participation in communities of practice with educatorsTeacher/school data (in opt-in participation basis)
Participation in events or competitions, such as World Math(s) DayStudent first name and initial, school, activity data (in opt-in participation basis)

The school, as Controller, determines their purpose and lawful basis when handling personal information which may include carrying out their role in the public interest or their official duty, or legitimate interest.

In our processing commitment to schools, we apply additional controls to the personal information of students in school-managed accounts as follows:

A4. What we don’t do with Personal Information (B2B)

We do not sell data to advertisers (whether personal, anonymous or aggregated). We do not use data to engage in targeted advertising to children. Except to the extent required by law, we do not disclose or transfer any personal information to third parties unless such disclosure is authorised by the School or this Privacy Policy.

A5. Retention for school-managed data

Information is retained only as long as needed for the processing purposes it was collected for, including the retention period in this policy, and is then deleted or irreversibly anonymised.

At all times the school can request the earlier deletion or anonymisation of student data by contacting us at privacy@3plearning.com. On receipt of a verified request we will delete or anonymise the data from production systems within 30 days.

The default periods referenced in the link below apply unless the school instructs otherwise.

Privacy Reference – Retention Periods

A6. Individual privacy rights in the B2B context

Requests by individuals to exercise their privacy rights (access, rectification, erasure, restriction, portability, objection, and rights related to automated individual decision-making) should be directed to the school as the Controller.

3P Learning does not make solely automated decisions from personal information in our programs producing legal effect or similarly significant effects on children.

As the School administers all their user accounts, the students and teachers can submit removal or change requests to the School. Any teachers or parents who are unable to reach the school can contact privacy@3plearning.com.

3P Learning will assist the school in responding to any privacy requests, and in accordance with the Privacy Reference – Data Processing Agreement (DPA) (as applicable).

A7. FERPA and US state student privacy laws

Where 3P Learning provides services to schools, school districts or education agencies in the United States, we agree to act as a "school official" with a legitimate educational interest under the US Family Educational Rights and Privacy Act (FERPA, 20 USC §1232g) and to only use student education records to provide the service under the school‘s direction. 3P Learning relies on the school to provide appropriate notice to parents, and for the schools to authorise our collection of personal information from students under the age of 13. We also support schools‘ compliance with applicable US state student-privacy laws, including the California Student Online Personal Information Protection Act (SOPIPA) and equivalent state laws in other jurisdictions.

Part B — B2C (Home / Parent-Managed Accounts)

Collection of Personal Information – Home

Part B applies where a parent or guardian has purchased or is trialling a 3P Learning subscription for home use. In this case, 3P Learning is the Data Controller and is directly responsible for the personal information we collect.

B1. Control of Personal Information for home users (B2C)

Personal information is collected by the following 3P Learning companies (as Controller) for home-managed accounts:

Global head office (Australia): 655 Parramatta Road, Leichhardt NSW 2040, Australia.

Registered UK office: 33 Colston Avenue, Bristol, BS1 4UA.

Registered USA office: 37 West 26th St, Suite 408, New York, NY 10010

Privacy contact: privacy@3plearning.com

B2. Types of Personal Information we collect from parents and children (B2C)

The parent or guardian consents to our collection and use of the personal information under the terms of this Privacy Policy on behalf of the users, by creating the account profiles.

Category of individualCategories of personal data
Parent / guardian (subscriber)Name, email, phone number (optional), payment method (handled by our payment processor), subscription details, login ID, support correspondence, marketing preferences.
Children (up to 4 per parent account)First name or chosen nickname, year/grade level, year of birth, login ID, learning activity data (scores, progress, time on task, content interactions, free-text entered during activities).
All users (technical)Persistent identifiers such as IP address, device/browser type, authentication logs, security logs and system access patterns.

Source of data: We collect personal information directly from the parent at sign-up, from the parent or child during their use of our program. From parent users we also collect and maintain records (timestamp and method) of their marketing preferences.

Children data and privacy rights

When a parent or guardian creates a child’s account, the parent gives consent on the child’s behalf to our collection and use of the child’s personal information.

Where a child‘s data is linked to a parent‘s email (for example, when a child profile is created under a parent account), that linked child data is treated as the child‘s personal information.

Our Notice to Children, available on the login page, explains to children how we use their personal information.

A child can withdraw the permission to our processing of their personal information by asking their parent to delete their account. Parents and guardians can contact us to update or delete a child’s account at any time.

B3. What we do with personal information (B2C)

This section outlines what we do, and how we process personal information for home-managed accounts.

Our Processing ActivitiesData involvedLawful Basis (GDPR)
Manage Subscription
Account creation and managementParent name, email, password, payment method, subscription detailsContract
Enable parent to administer child profiles linked to the parent account (up to 4 child users)Child first name/nickname, username, year of birth, gradeLegitimate interest
Enable parent subscriptions management (renewals, billing, users licence management)Parent details, subscription and user details, payment methodContract
Data deletion (on parent request)User account data, activity dataContract
Program features for parent
Parent/Family dashboard for reporting and settings controlParent account details, Child activity dataContract
Support requests directed from parentParent account details, support correspondence, usage data needed to troubleshootContract
Program features for child
Content delivery (lessons, merit awards, progress report, personalised learning experience)Child learning activity data, grade, progressLegitimate interest
Program activity leaderboardsChild first name, initials or a chosen nickname, activity scoreLegitimate interest
Platform requirements
Hosting program dataData and processing data in program (see features for parent and child)Contract
Platform security, fraud prevention and abuse protectionPersistent identifiers, security logs, authentication logsLegitimate interest
Improving educational programs and features (product development)Anonymised usage and engagement dataLegitimate interest
Optional processing
Marketing communications to parents (not to children)Parent email, first name, last name, phone (optional), consent recordConsent (Explicit opt-in)
Participation in events or competitions, such as World Math(s) DayChild first name and initial, activity data (in opt-in participation basis)Consent (Explicit opt-in)

We do not generally collect sensitive personal information (or “special category” data) from parents or children. If a parent chooses to provide this information (for example, by disclosing a special need or disability to request additional accessibility support), we process it under explicit consent. For more information refer to C6.

In our processing commitment to parents and children we also apply additional controls as follows:

B4. What we don’t do with Personal Information (B2C)

B5. Retention for home-managed data

Information is retained only as long as needed for the purposes it was collected for, including the retention period in this policy, and is then deleted or irreversibly anonymised.

We retain personal information as detailed in our Data Retention Period Reference.
Privacy Reference – Retention Periods

At any time, Parents can request the removal of data by contacting us at privacy@3plearning.com. On receipt of a verified request, we will anonymise the data from production systems within 30 days.

B6. Parental rights and authentication

Parents, guardians of children and children themselves (via the parent account holder) on home-managed accounts can, at any time:

Parental authentication. Access to or changes in a child‘s personal information must be authenticated by the parent. When authenticating a request we may request personal information, such as the parent email address and password recorded on the account.

B7. Marketing communications and separate choice

We send marketing communications about 3P Learning products only to parents who have opted in. Our communications are to the parent — never directly to a child.

Parents can withdraw consent by updating the marketing preferences in the parent console, by using the "unsubscribe" link in any marketing communication or by contacting privacy@3plearning.com.

Separate choice. We operate a separate-choice model for children‘s data. A parent consenting to the service (so that we can collect and internally use their child‘s personal information to deliver our products) does not have to consent to any non-integral disclosure of that data (for example, to a third party for that third party‘s own purposes). 3P Learning does not currently make any non-integral disclosures of children‘s personal information; if we ever proposed to, we would pause the change and obtain separate, opt-in parental consent before proceeding.

Integral disclosureA disclosure of a child‘s personal information to a third party that is necessary to provide the service the child or parent requested (e.g. payment processing, content delivery, hosting).
Non-integral disclosureA disclosure that is not necessary to provide the service (e.g. advertising, data brokerage, AI model training). Requires separate, opt-in parental consent.

B8. Direct notice to parents at onboarding

At sign-up, we provide parents with a direct notification (in addition to this Policy) that explains in plain language: the categories of data we will collect, how we will use that data. Marketing use of the parent‘s email is disclosed in that direct notice. A link to this full Privacy Policy is included in the direct notice. We obtain verifiable parental consent via the monetary-transaction method.

B9. Placement of privacy links

Links to this policy as well as resources for Parents to explain our Privacy Policy to children and our Junior/Teen friendly privacy policies are placed prominently on login screens to our online applications.

Part C — Information for all users

The following sections apply to both school-managed and home-managed accounts.

C1. Persistent identifiers and internal operations

We use limited technical data — "persistent identifiers" such as IP addresses, device identifiers, cookies, log data, and mobile-app identifiers— solely to support the internal operations of our services. This dedicated section is provided because persistent identifiers receive special treatment under COPPA and under the ICO Children‘s Code.

What we use persistent identifiers for

What we do NOT use persistent identifiers for

Safeguards

C2. Storage, Sharing and subprocessors

We store and share personal information only with trusted third-party subprocessors to support delivery of our services. Subprocessors process personal information only on our instructions and under contractual privacy and security obligations. 3P Learning does not authorise subprocessors to use personal information for their own purposes. We do not share children‘s personal information with third parties for the third parties‘ own purposes.

The list of subprocessors and storage locations are detailed here:
Privacy Reference – SubProcessors.

C3. International operations and transfers

We operate globally with regional support from Australia, New Zealand, the UK, Canada and the United States. As a result, personal information may be transferred to, stored in, or accessed from any country listed above.

Where we transfer personal information across borders, we use appropriate safeguards, including:

additional technical measures (including encryption in transit and at rest) to protect the transferred data.

Individuals can request a copy of the specific transfer mechanism we use by contacting privacy@3plearning.com. Our sales, operational and global customer support teams (primarily in Australia, the United Kingdom, the USA and Canada) may access personal information to service enquiries.

C4. Security and data protection measures

We apply layered administrative, technical and physical safeguards to protect personal information throughout its lifecycle. Our SOC 2 Type II, WISP and ROPA reports available on request via privacy@3plearning.com. Further detail is set out below:

C5. Notice and consent for significant new uses

If we propose to use student or children personal information for a purpose that is significantly different from what is described in this Policy, we will:

C6. Voice, biometric, government-issued identifiers and geo-location

3P learning do not collect biometric identifiers (such as voiceprints, facial templates, fingerprints) and government-issued identifiers (such as social security numbers, state ID numbers, birth certificates, passport numbers) for identification purposes. We do not collect, store, infer or surface precise or coarse geolocation data about children or any other users through the products covered by this Policy. The products do not include any feature that allows parents, schools or other users to track a child‘s location. Students and teachers may access learning activities for reading practice (Read Aloud Feature for school subscriptions only) where voice recordings may be entered to enable the assessment of reading fluency only.

C7. Cookies and third-party technologies

We use cookies and similar technologies on our websites and within some of our services for essential functionality, performance and analytics, functionality/personalisation, and marketing to parents. We do not use cookies or third-party providers to engage in behavioural targeting of advertisements to students or children. For full detail (including cookie categories, specific cookies set, and how to manage them) see our cookie policy.

https://www.3plearning.com/cookie-policy/

C8. Certifications and regulatory commitments

C9. Australian Children‘s Online Privacy Code

The products covered by this Policy are designated internet services under the Online Safety Act 2021 (Cth) that are likely to be accessed by children. We will review our policies and practices to align with the OAIC Children‘s Online Privacy Code and as updated from time to time. The best interests of the child are a primary consideration in how we design our products and handle personal information. In practice this means: no behavioural advertising to children (see C1); age-appropriate language and interfaces in child-facing experiences; Data Protection Impact Assessments and child-impact assessments before launching features that affect children (see C4); and mandatory children‘s privacy training for all employees (see C4). 3P Learning products are educational services whose sole or primary purpose is to support the education of end-users, and the minimum-age scheme under the Online Safety Amendment (social media Minimum Age) Act 2024 does not apply to them.

C10. Ownership of information

C11. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to parents (B2C) and to school account administrators (B2B), via in-product notifications or in email. The current version is always available from our product websites.

C12. Contact us

For privacy questions or requests (including parental requests for access, correction or deletion), or to exercise any of your rights please contact privacy@3plearning.com or write to us (refer to section 1 for regional office addresses).

We aim to respond to privacy requests within 7 days. Complex requests may take longer, in which case we will keep you informed of progress.

For more contact information please visit https://3plearning.com/contact.

C13. Your right to complain to a supervisory authority

Individuals have the right to lodge a complaint with a supervisory authority if they think we have not handled their personal information properly. We encourage individuals to contact us first at privacy@3plearning.com so that we can try to resolve the issue directly.

UK — Information Commissioner‘s Office (ICO):

In other regions, individuals can complain to their local data protection authority, including:

Referenced documents (maintained separately)

Referenced documentURLReferenced from section
Data Retention PolicyPrivacy Reference - Retention PeriodsA5, B5
Subprocessors listPrivacy Reference - SubProcessorsC2
Data Processing Agreement (DPA)Privacy Reference – Data Processing Agreement (DPA)A1, A6
Privacy Notice for SchoolsPrivacy Reference – Notice for Schools1
3P Learning Regional Contacts3plearning.com/contactC12
ICO Registration Certificate (Z2188515)registration-certificate-z2188515.pdfC8
Cookie Policywww.3plearning.com/cookie-policy/C7