This Privacy Policy is our notice and statement that explains how 3P Learning Limited ("3P Learning", "we", "us") and our group companies collect, use, store, share and protects personal information when we provide our online learning products to schools, families and children.
3P Learning is committed to respecting your privacy rights, and how the law protects the data of our students, teachers, parents and schools. We offer our e-learning subscriptions to home customers and school customers, and the way we handle personal information for home and school users slightly differ. This policy is therefore split into:
- Part A (B2B — schools managed accounts),
- Part B (B2C — home / parent-managed accounts), and
- Part C (Information for all users).
This Privacy Policy applies to the following 3P Learning products and their related websites and apps: Mathletics, Reading Eggs, Reading Eggspress, Mathseeds, Writing Legends, LiteracyPlanet and Brightpath Progress (B2B only).
This Privacy Policy should be read in conjunction with in-product or regional privacy notices. For our teachers and educators, a short-form Privacy Notice for Schools is available below.
Privacy Reference – Notice for Schools
1. About 3P Learning
3P Learning Limited is an education technology company providing digital learning products to schools, teachers, parents, and students globally, including in Australia, Canada, Europe, Ireland, UK, New Zealand, UK, the United States and other markets.
The 3P Learning group of companies (collectively, "3P Learning") includes:
- 3P Learning Limited, (Australia)
- 3P International Holdings Pty Ltd (Australia)
- 3P Learning Australia Pty Ltd (Australia)
- 3P Learning Canada Limited, (Canada)
- 3P Learning Inc. (United States of America)
- 3P Learning NZ Limited (New Zealand)
- 3P Learning UK Limited (United Kingdom)
- Blake eLearning Inc. (United States of America)
- Blake eLearning UK Limited (United Kingdom)
- Blake eLearning Pty Limited (Australia)
- Intrepica Pty Limited (Australia)
- Pairwise Pty Limited (Australia)
Global head office (Australia): 3P Learning Limited, 3P International Holdings Pty Ltd, 3P Learning Australia Pty Ltd, Blake eLearning Pty Limited, Intrepica Pty Limited, Pairwise Pty Limited
655 Parramatta Road, Leichhardt NSW 2040, Australia.
Registered UK office: 3P Learning UK Limited, Blake eLearning UK Limited
33 Colston Avenue, Bristol, BS1 4UA.
Registered USA office: 3P Learning Inc., Blake eLearning Inc.
37 West 26th St, Suite 408, New York, NY 10010.
Registered CAN office: 3P Learning Canda Limited
Suite 370, 160 Quarry Park Boulevard SE Calgary T2C 3G3.
Registered NZ office: 3P Learning NZ Limited
Deloitte Centre, Level 20, 1 Queen Street, Auckland 2010, New Zealand.
This Privacy Policy supports our compliance with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ( the “EU GDPR”), the Children‘s Online Privacy Protection Act 1998 ("COPPA") and the FTC COPPA Rule (16 CFR Part 312, including the Final Rule published 22 April 2025), the Australian Privacy Act 1988 and the Australian Privacy Principles, the New Zealand Privacy Act 2020, the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial laws, the South African Protection of Personal Information Act ("POPIA"), and applicable US federal and state privacy laws (including FERPA, SOPIPA and the CCPA/CPRA).
2. Definitions
| Term | Meaning |
|---|---|
| Personal information / personal data | Information that identifies, or could reasonably be used to identify, a living individual (for example a student, parent, teacher or school administrator). |
| Child / children | An individual generally under 13 years of age in the COPPA & PIPEDA, under 16 years of age for GDPR, under 15 years of age in the AU schools and under the age at which consent is valid under other applicable laws. |
| Controller | The organisation that determines the purposes and means of processing personal information. |
| Processor | The organisation that processes personal information on behalf of a Controller and under its instructions. |
| School | School refers to a school, multi-academy trust, local authority, or other education organisation which has purchased or signed up to trial our products for use by its students / pupils and staff. |
| Parent | Parent refers to an individual that has purchased or signed up to trial our product for home educational use. |
| School-managed / B2B | Accounts provided under a contract between 3P Learning and a school or education authority. The school is the data Controller; 3P Learning is the Processor. |
| Home-managed / B2C | Accounts created directly by a parent or guardian for home use. 3P Learning is the data Controller. |
| Persistent identifier | Technical data (such as cookies, device identifiers, IP addresses and similar log data) that can be used to recognise a user or device over time. |
| Special category data | Refers to sensitive personal information, such as health, ethnicity or biometric data, and such data described in UK GDPR Article 9. We do not generally collect special category data from students. |
| Integral disclosure | A disclosure of a child‘s personal information to a third party that is necessary to provide the service the child or parent requested (e.g. payment processing, content delivery, hosting). |
| Non-integral disclosure | A disclosure that is not necessary to provide the service (e.g. advertising, data brokerage, AI model training). Requires separate, opt-in parental consent. |
| Verifiable parental consent (VPC) | Consent obtained using a method reasonably designed, in light of available technology, to ensure the person providing consent is the child‘s parent. |
| DPO | Data Protection Office(r) |
| Account Expiry(referred in our Data Retention Periods) | The point at which a user account becomes inactive. For school-managed (B2B) accounts, (i) school expiry is typically triggered by the end of a school’s licence or contract with 3P Learning; (ii) school student accounts expiry is generally initiated via the user roster lifecycle, specifically through student or teacher activity and roster status; should a student be deleted from the roster, the account transitions to inactive status following a six-month grace period. For home-managed (B2C) accounts, expiry is typically when the subscription is cancelled or not renewed. |
Part A — B2B (Schools and Education Authorities)
Collection of Personal Information – Schools
Part A applies to any school, multi-academy trust, local authority, or other education organisation that has purchased or is trialling our products for use by its students and staff. The school is the Data Controller; 3P Learning is a Data Processor. Schools should refer to this section together with their own privacy information to meet their obligations to students and parents.
A1. Control of Personal Information in school accounts (B2B)
For school-managed accounts, the school or education organisation is the Controller. 3P Learning processes personal information only on the school‘s documented instructions as set out in the subscription / licence agreement, and any rostering arrangement with a third party.
Our Data Processing Agreement for schools who are ‘controllers’ under GDPR data protection laws may also be requested to apply in their licence agreement.
Privacy Reference – Data Processing Agreement (DPA)
Parents and students with questions about why the school uses 3P Learning, or wishing to exercise individual rights should contact the school in the first instance. 3P Learning will assist the school in responding.
A2. Types of Personal Information we process (B2B)
| Category of individual | Categories of personal data |
|---|---|
| Students (pupils) | First name and last name or initials, year/grade level, school name, class assignment, login ID, learning activity data (scores, progress, time on task, content interactions, free-text entered into learning activities and read aloud voice feature). |
| Teachers | Name, work email, school name, role, login ID, support correspondence. |
| School administrators | Name, work email and contact details, school name, role, login ID, licence allocation information, support correspondence. |
| All users (technical) | Persistent identifiers such as IP address, device/browser type, authentication logs, system access patterns and security logs. |
Source of data:
We collect personal information directly from the school (teachers/administrators); from students when they use the program; from school-directed rostering providers; and system-generated information from platform use.
A3. What we do with personal information (B2B)
When a school chooses to use our e-learning programs, 3P Learning is required to process personal information for the school and under the school‘s instructions, as a Processor.
This section outlines what we do, and how we process personal information, for the school (Controller) and their school-managed accounts:
| Processing of data | Data involved |
|---|---|
| School account subscription | |
| Account creation and apply user settings established by school administrator (teachers, administrators, students/ pupils) | Names, usernames, roles, school details, authentication logs |
| Class rostering and integration with school systems | Student names/initials, class assignments. Student identifier (note this can be an email address depending on school rostering system). We do not contact students via their main identifier in cases where the identifier is an email or at any time. |
| Processing teacher and school data | |
| Teacher dashboards and reporting to parents | Student activity data |
| Usage analysis and reporting to the school | Aggregated and student-level usage data |
| Data anonymisation or export (on verified school request) | Student, teacher, activity data |
| Support requests directed from the school | User identifiers, support correspondence |
| Providing product updates and newsletters | Teacher data |
| Processing student data | |
| Learning, educational and assessment content delivery (lesson and merit activities, progress report, personalised learning experience) | Student activity data |
| Enable Read-aloud activity feature (Reading Eggs for Schools only) | Student activity data (audio recording for teacher) |
| Program activity leaderboards (in Program) | Student first name and initial, activity score |
| Processing platform requirements | |
| Hosting of data in program | Student, teacher, activity data, user identifiers |
| Platform security, abuse prevention, audit logging | Persistent identifiers, security logs |
| Data retention for service delivery | Student, teacher, activity data, user identifiers |
| Improving educational programs and features (product development) | Anonymised usage, activity and engagement data |
| Optional processing | |
| Participation in communities of practice with educators | Teacher/school data (in opt-in participation basis) |
| Participation in events or competitions, such as World Math(s) Day | Student first name and initial, school, activity data (in opt-in participation basis) |
The school, as Controller, determines their purpose and lawful basis when handling personal information which may include carrying out their role in the public interest or their official duty, or legitimate interest.
In our processing commitment to schools, we apply additional controls to the personal information of students in school-managed accounts as follows:
- We process student data only to deliver the educational service the school has asked for.
- Persistent identifiers (IP addresses, cookies, device IDs, log data) are used only for the internal operations set out in Part C1.
- Our learning program may display student achievements. Only the first name, initials or a school-chosen identifier of the student is ever displayed in class, school or program leaderboards. Only the school, teacher and student can view the student’s full name in their own account access. Student data processed on school instructions is stored and backed up in line with Part A5 below, and is deleted or anonymised in alignment with our data retention periods below.
A4. What we don’t do with Personal Information (B2B)
We do not sell data to advertisers (whether personal, anonymous or aggregated). We do not use data to engage in targeted advertising to children. Except to the extent required by law, we do not disclose or transfer any personal information to third parties unless such disclosure is authorised by the School or this Privacy Policy.
A5. Retention for school-managed data
Information is retained only as long as needed for the processing purposes it was collected for, including the retention period in this policy, and is then deleted or irreversibly anonymised.
At all times the school can request the earlier deletion or anonymisation of student data by contacting us at privacy@3plearning.com. On receipt of a verified request we will delete or anonymise the data from production systems within 30 days.
The default periods referenced in the link below apply unless the school instructs otherwise.
Privacy Reference – Retention Periods
A6. Individual privacy rights in the B2B context
Requests by individuals to exercise their privacy rights (access, rectification, erasure, restriction, portability, objection, and rights related to automated individual decision-making) should be directed to the school as the Controller.
3P Learning does not make solely automated decisions from personal information in our programs producing legal effect or similarly significant effects on children.
As the School administers all their user accounts, the students and teachers can submit removal or change requests to the School. Any teachers or parents who are unable to reach the school can contact privacy@3plearning.com.
3P Learning will assist the school in responding to any privacy requests, and in accordance with the Privacy Reference – Data Processing Agreement (DPA) (as applicable).
A7. FERPA and US state student privacy laws
Where 3P Learning provides services to schools, school districts or education agencies in the United States, we agree to act as a "school official" with a legitimate educational interest under the US Family Educational Rights and Privacy Act (FERPA, 20 USC §1232g) and to only use student education records to provide the service under the school‘s direction. 3P Learning relies on the school to provide appropriate notice to parents, and for the schools to authorise our collection of personal information from students under the age of 13. We also support schools‘ compliance with applicable US state student-privacy laws, including the California Student Online Personal Information Protection Act (SOPIPA) and equivalent state laws in other jurisdictions.
Part B — B2C (Home / Parent-Managed Accounts)
Collection of Personal Information – Home
Part B applies where a parent or guardian has purchased or is trialling a 3P Learning subscription for home use. In this case, 3P Learning is the Data Controller and is directly responsible for the personal information we collect.
B1. Control of Personal Information for home users (B2C)
Personal information is collected by the following 3P Learning companies (as Controller) for home-managed accounts:
- Mathletics: 3P Learning Limited (Australia)
- Mathseeds and Reading Eggs: Blake eLearning Pty Limited (Australia), Blake eLearning Inc (United States of America)
- LiteracyPlanet: Intrepica Pty Limited (Australia)
Global head office (Australia): 655 Parramatta Road, Leichhardt NSW 2040, Australia.
Registered UK office: 33 Colston Avenue, Bristol, BS1 4UA.
Registered USA office: 37 West 26th St, Suite 408, New York, NY 10010
Privacy contact: privacy@3plearning.com
B2. Types of Personal Information we collect from parents and children (B2C)
The parent or guardian consents to our collection and use of the personal information under the terms of this Privacy Policy on behalf of the users, by creating the account profiles.
| Category of individual | Categories of personal data |
|---|---|
| Parent / guardian (subscriber) | Name, email, phone number (optional), payment method (handled by our payment processor), subscription details, login ID, support correspondence, marketing preferences. |
| Children (up to 4 per parent account) | First name or chosen nickname, year/grade level, year of birth, login ID, learning activity data (scores, progress, time on task, content interactions, free-text entered during activities). |
| All users (technical) | Persistent identifiers such as IP address, device/browser type, authentication logs, security logs and system access patterns. |
Source of data: We collect personal information directly from the parent at sign-up, from the parent or child during their use of our program. From parent users we also collect and maintain records (timestamp and method) of their marketing preferences.
Children data and privacy rights
When a parent or guardian creates a child’s account, the parent gives consent on the child’s behalf to our collection and use of the child’s personal information.
Where a child‘s data is linked to a parent‘s email (for example, when a child profile is created under a parent account), that linked child data is treated as the child‘s personal information.
Our Notice to Children, available on the login page, explains to children how we use their personal information.
A child can withdraw the permission to our processing of their personal information by asking their parent to delete their account. Parents and guardians can contact us to update or delete a child’s account at any time.
B3. What we do with personal information (B2C)
This section outlines what we do, and how we process personal information for home-managed accounts.
| Our Processing Activities | Data involved | Lawful Basis (GDPR) |
|---|---|---|
| Manage Subscription | ||
| Account creation and management | Parent name, email, password, payment method, subscription details | Contract |
| Enable parent to administer child profiles linked to the parent account (up to 4 child users) | Child first name/nickname, username, year of birth, grade | Legitimate interest |
| Enable parent subscriptions management (renewals, billing, users licence management) | Parent details, subscription and user details, payment method | Contract |
| Data deletion (on parent request) | User account data, activity data | Contract |
| Program features for parent | ||
| Parent/Family dashboard for reporting and settings control | Parent account details, Child activity data | Contract |
| Support requests directed from parent | Parent account details, support correspondence, usage data needed to troubleshoot | Contract |
| Program features for child | ||
| Content delivery (lessons, merit awards, progress report, personalised learning experience) | Child learning activity data, grade, progress | Legitimate interest |
| Program activity leaderboards | Child first name, initials or a chosen nickname, activity score | Legitimate interest |
| Platform requirements | ||
| Hosting program data | Data and processing data in program (see features for parent and child) | Contract |
| Platform security, fraud prevention and abuse protection | Persistent identifiers, security logs, authentication logs | Legitimate interest |
| Improving educational programs and features (product development) | Anonymised usage and engagement data | Legitimate interest |
| Optional processing | ||
| Marketing communications to parents (not to children) | Parent email, first name, last name, phone (optional), consent record | Consent (Explicit opt-in) |
| Participation in events or competitions, such as World Math(s) Day | Child first name and initial, activity data (in opt-in participation basis) | Consent (Explicit opt-in) |
We do not generally collect sensitive personal information (or “special category” data) from parents or children. If a parent chooses to provide this information (for example, by disclosing a special need or disability to request additional accessibility support), we process it under explicit consent. For more information refer to C6.
In our processing commitment to parents and children we also apply additional controls as follows:
- We review the processing of children’s personal information to respond to requirements under law. We have undertaken legitimate interest assessments (LIA) for all purposes that require an assessment.
- We do not use or disclose children’s personal information that is not necessary and integral to our delivery of our learning program unless we have express parent opt-in consent. For example, we do not share children data to any data brokerage, AI training or promotional activities.
- Persistent identifiers (IP addresses, cookies, device IDs, log data) are used only for the internal operations set out in Part C1.
- User data is stored and backed up in line with Part B5 below.
B4. What we don’t do with Personal Information (B2C)
- We do not sell data to advertisers (whether personal, anonymous or aggregated).
- We do not use children data for behavioural advertising, or marketing profiles.
- There is no marketing to children in our e-learning programs. Only parents may provide contact information for marketing preferences.
- Except to the extent required by law, we do not disclose or transfer any personal information to third parties except as set out in this Privacy Policy.
B5. Retention for home-managed data
Information is retained only as long as needed for the purposes it was collected for, including the retention period in this policy, and is then deleted or irreversibly anonymised.
We retain personal information as detailed in our Data Retention Period Reference.
Privacy Reference – Retention Periods
At any time, Parents can request the removal of data by contacting us at privacy@3plearning.com. On receipt of a verified request, we will anonymise the data from production systems within 30 days.
B6. Parental rights and authentication
Parents, guardians of children and children themselves (via the parent account holder) on home-managed accounts can, at any time:
- Review the personal information we hold about the child.
- Ask us to correct or update it.
- Ask us to stop further collection or use of the child‘s personal information.
- Ask us to delete the child‘s personal information.
- Withdraw any parent consent given (for example, for marketing communications or subscription renewal). Withdrawal does not affect processing that occurred before the consent was withdrawn.
Parental authentication. Access to or changes in a child‘s personal information must be authenticated by the parent. When authenticating a request we may request personal information, such as the parent email address and password recorded on the account.
B7. Marketing communications and separate choice
We send marketing communications about 3P Learning products only to parents who have opted in. Our communications are to the parent — never directly to a child.
Parents can withdraw consent by updating the marketing preferences in the parent console, by using the "unsubscribe" link in any marketing communication or by contacting privacy@3plearning.com.
Separate choice. We operate a separate-choice model for children‘s data. A parent consenting to the service (so that we can collect and internally use their child‘s personal information to deliver our products) does not have to consent to any non-integral disclosure of that data (for example, to a third party for that third party‘s own purposes). 3P Learning does not currently make any non-integral disclosures of children‘s personal information; if we ever proposed to, we would pause the change and obtain separate, opt-in parental consent before proceeding.
| Integral disclosure | A disclosure of a child‘s personal information to a third party that is necessary to provide the service the child or parent requested (e.g. payment processing, content delivery, hosting). |
|---|---|
| Non-integral disclosure | A disclosure that is not necessary to provide the service (e.g. advertising, data brokerage, AI model training). Requires separate, opt-in parental consent. |
B8. Direct notice to parents at onboarding
At sign-up, we provide parents with a direct notification (in addition to this Policy) that explains in plain language: the categories of data we will collect, how we will use that data. Marketing use of the parent‘s email is disclosed in that direct notice. A link to this full Privacy Policy is included in the direct notice. We obtain verifiable parental consent via the monetary-transaction method.
B9. Placement of privacy links
Links to this policy as well as resources for Parents to explain our Privacy Policy to children and our Junior/Teen friendly privacy policies are placed prominently on login screens to our online applications.
Part C — Information for all users
The following sections apply to both school-managed and home-managed accounts.
C1. Persistent identifiers and internal operations
We use limited technical data — "persistent identifiers" such as IP addresses, device identifiers, cookies, log data, and mobile-app identifiers— solely to support the internal operations of our services. This dedicated section is provided because persistent identifiers receive special treatment under COPPA and under the ICO Children‘s Code.
What we use persistent identifiers for
- Authenticating users and maintaining session state.
- Security and fraud prevention (detecting unusual access patterns, blocking abusive traffic).
- Troubleshooting and diagnostics (identifying and fixing technical issues).
- Service reliability and performance (CDN routing, load balancing).
- Internal analytics and A/B testing to improve the service.
- Legal compliance and record-keeping required by law.
What we do NOT use persistent identifiers for
- Behavioural advertising to children.
- Building profiles of children for cross-service use or for third parties.
- Contacting a child directly outside the educational service.
- Training AI models using children‘s identifiable personal information.
- Selling or licensing children‘s personal information to data brokers.
Safeguards
- Persistent identifiers are stored only in systems used for the internal operations listed above, subject to role-based access controls.
- Technical controls (including network segmentation, logging and monitoring) prevent these identifiers from being exported to advertising or profiling platforms.
- We review our subprocessors at least annually to confirm they do not use persistent identifiers for prohibited purposes; our contracts prohibit such use.
- Security logs containing persistent identifiers are retained for 12 months and then deleted.
C2. Storage, Sharing and subprocessors
We store and share personal information only with trusted third-party subprocessors to support delivery of our services. Subprocessors process personal information only on our instructions and under contractual privacy and security obligations. 3P Learning does not authorise subprocessors to use personal information for their own purposes. We do not share children‘s personal information with third parties for the third parties‘ own purposes.
The list of subprocessors and storage locations are detailed here:
Privacy Reference – SubProcessors.
C3. International operations and transfers
We operate globally with regional support from Australia, New Zealand, the UK, Canada and the United States. As a result, personal information may be transferred to, stored in, or accessed from any country listed above.
Where we transfer personal information across borders, we use appropriate safeguards, including:
- the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs), as applicable;
additional technical measures (including encryption in transit and at rest) to protect the transferred data.
Individuals can request a copy of the specific transfer mechanism we use by contacting privacy@3plearning.com. Our sales, operational and global customer support teams (primarily in Australia, the United Kingdom, the USA and Canada) may access personal information to service enquiries.
C4. Security and data protection measures
We apply layered administrative, technical and physical safeguards to protect personal information throughout its lifecycle. Our SOC 2 Type II, WISP and ROPA reports available on request via privacy@3plearning.com. Further detail is set out below:
- Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent).
- Data minimisation as standard.
- Role-based access controls (RBAC) and segregation of customer data.
- Multi-factor authentication (MFA) for employee administrative access to production systems.
- Monitoring and intrusion detection.
- Regular vulnerability scanning and patching aligned to vendor CVSS severity.
- Independent penetration testing at least annually for customer-facing products that process children‘s data.
- Secure software development lifecycle with peer review, dependency scanning and pre-production security testing.
- Network segmentation between production, corporate and development environments.
- Endpoint protection (anti-malware, disk encryption, device management) on all employee devices with access to children‘s data.
- Encrypted backups used for disaster recovery only.
- Mandatory annual cybersecurity and specific children’s privacy training for all employees.
- Documented incident response plan, tabletop-tested annually, including parental and regulator notification obligations.
- Privacy by design and by default, including Data Protection Impact Assessments (DPIAs) for higher-risk processing, reviewed periodically or prior to substantial change. Consultation with relevant data protection authorities of residual high risk processing prior to processing.
C5. Notice and consent for significant new uses
If we propose to use student or children personal information for a purpose that is significantly different from what is described in this Policy, we will:
- notify the parent or the school (as Controller) in advance;
- explain the new purpose, basis of processing, any new recipients and any new retention period;
- obtain updated parental consent (for B2C) or new instructions from the school (for B2B) before the new use begins;
- update this Policy to reflect the change.
C6. Voice, biometric, government-issued identifiers and geo-location
3P learning do not collect biometric identifiers (such as voiceprints, facial templates, fingerprints) and government-issued identifiers (such as social security numbers, state ID numbers, birth certificates, passport numbers) for identification purposes. We do not collect, store, infer or surface precise or coarse geolocation data about children or any other users through the products covered by this Policy. The products do not include any feature that allows parents, schools or other users to track a child‘s location. Students and teachers may access learning activities for reading practice (Read Aloud Feature for school subscriptions only) where voice recordings may be entered to enable the assessment of reading fluency only.
C7. Cookies and third-party technologies
We use cookies and similar technologies on our websites and within some of our services for essential functionality, performance and analytics, functionality/personalisation, and marketing to parents. We do not use cookies or third-party providers to engage in behavioural targeting of advertisements to students or children. For full detail (including cookie categories, specific cookies set, and how to manage them) see our cookie policy.
https://www.3plearning.com/cookie-policy/
C8. Certifications and regulatory commitments
- UK ICO registration (Z2188515), for 3P Learning UK Limited.
- SOC 2 Type II attestation, evidencing the operating effectiveness of our security controls.
- kidSAFE+ COPPA seal for products directed to children under 13 in the US.
- Safer Technologies for Schools (ST4S) in Australia and New Zealand.
- Alignment with UK GDPR, EU GDPR, the Data Protection Act 2018, the US Children‘s Online Privacy Protection Act and FTC COPPA Rule (including the 22 April 2025 Final Rule), FERPA, California SOPIPA, CCPA/CPRA, Australian Privacy Act 1988 and the Australian Privacy Principles (including APP 1, 5, 8, 11, 12, 13), the New Zealand Privacy Act 2020, PIPEDA and relevant Canadian provincial acts, and the South African Protection of Personal Information Act (POPIA).
C9. Australian Children‘s Online Privacy Code
The products covered by this Policy are designated internet services under the Online Safety Act 2021 (Cth) that are likely to be accessed by children. We will review our policies and practices to align with the OAIC Children‘s Online Privacy Code and as updated from time to time. The best interests of the child are a primary consideration in how we design our products and handle personal information. In practice this means: no behavioural advertising to children (see C1); age-appropriate language and interfaces in child-facing experiences; Data Protection Impact Assessments and child-impact assessments before launching features that affect children (see C4); and mandatory children‘s privacy training for all employees (see C4). 3P Learning products are educational services whose sole or primary purpose is to support the education of end-users, and the minimum-age scheme under the Online Safety Amendment (social media Minimum Age) Act 2024 does not apply to them.
C10. Ownership of information
- School-managed accounts (B2B): schools retain ownership and remain Data Controllers of student and teacher personal information. 3P Learning does not claim ownership and processes this data only to deliver the service.
- Home-managed accounts (B2C): parents or guardians retain ownership of their child‘s personal information. 3P Learning does not claim ownership and uses it only to provide the service and meet legal obligations.
- Student-generated content and results: schools and families retain ownership. We use this data solely for features such as progress tracking, reporting, and feedback.
- Platform data: 3P Learning owns the underlying platform, software, and aggregated or anonymised insights that do not identify individuals.
C11. Changes to this Policy
We may update this Privacy Policy from time to time. Material changes will be communicated to parents (B2C) and to school account administrators (B2B), via in-product notifications or in email. The current version is always available from our product websites.
C12. Contact us
For privacy questions or requests (including parental requests for access, correction or deletion), or to exercise any of your rights please contact privacy@3plearning.com or write to us (refer to section 1 for regional office addresses).
We aim to respond to privacy requests within 7 days. Complex requests may take longer, in which case we will keep you informed of progress.
For more contact information please visit https://3plearning.com/contact.
C13. Your right to complain to a supervisory authority
Individuals have the right to lodge a complaint with a supervisory authority if they think we have not handled their personal information properly. We encourage individuals to contact us first at privacy@3plearning.com so that we can try to resolve the issue directly.
UK — Information Commissioner‘s Office (ICO):
- Make a complaint: ico.org.uk/for-the-public
- Main ICO homepage: ico.org.uk
- Helpline: 0303 123 1113.
- Post: Information Commissioner‘s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
In other regions, individuals can complain to their local data protection authority, including:
- Australia — Office of the Australian Information Commissioner (oaic.gov.au).
- Canada — Office of the Privacy Commissioner of Canada (priv.gc.ca) and applicable provincial regulators.
- Ireland — Data Protection Commission (dataprotection.ie).
- New Zealand — Office of the Privacy Commissioner (privacy.org.nz).
- South Africa — Information Regulator (inforegulator.org.za).
- United States — Federal Trade Commission (ftc.gov) and the relevant State Attorney General for children‘s data under COPPA.
Referenced documents (maintained separately)
| Referenced document | URL | Referenced from section |
|---|---|---|
| Data Retention Policy | Privacy Reference - Retention Periods | A5, B5 |
| Subprocessors list | Privacy Reference - SubProcessors | C2 |
| Data Processing Agreement (DPA) | Privacy Reference – Data Processing Agreement (DPA) | A1, A6 |
| Privacy Notice for Schools | Privacy Reference – Notice for Schools | 1 |
| 3P Learning Regional Contacts | 3plearning.com/contact | C12 |
| ICO Registration Certificate (Z2188515) | registration-certificate-z2188515.pdf | C8 |
| Cookie Policy | www.3plearning.com/cookie-policy/ | C7 |