Privacy Notice

Last updated: 24 March 2026  |  Operated by CODEX EDUCATION LTD

This notice explains how personal information is used in Computing Ninja. For school-delivered service data, the school or trust is typically the data controller and Computing Ninja (CODEX EDUCATION LTD) acts as processor. CODEX EDUCATION LTD acts as controller for its own operational, security, support, and compliance processing.

This notice is drafted in line with UK GDPR, the Data Protection Act 2018, Department for Education guidance on data protection in schools, DfE guidance on generative AI in education and product safety standards, and ICO guidance on privacy information and DPIAs.

1. Who is responsible for personal data

For school-delivered pupil records, the data controller is usually the school, academy, or trust. Computing Ninja acts as processor for most pupil and classroom processing. CODEX EDUCATION LTD acts as controller for its own operational, security, support, and compliance data.

Controller contact details (for CODEX EDUCATION LTD controlled processing):

• Organisation: CODEX EDUCATION LTD
• Email: admin@computing.ninja
• Data Protection Lead, CODEX EDUCATION LTD

2. What information is processed

Depending on enabled features, Computing Ninja processes:

• Account data: email address, username, optional full name, account status, last login.
• Authentication data: password hash (not plaintext password), Microsoft SSO profile fields needed to sign in.
• Learning and assessment data: activity attempts, responses, scores/marks, feedback, progress and performance records.
• Teacher/admin data: class and tutor-group related records needed for teaching workflows.
• Uploaded assessment data: imported files and parsed response rows for supported teacher import tools.
• Technical/security data: session information, operational logs, and SSO incident diagnostics with hashed email/IP fragments.

3. Why information is used

Personal data is used to:

• authenticate users and manage access
• deliver learning activities and store progress
• support teacher workflows, marking, and analytics
• maintain service reliability, security, and troubleshooting
• send service emails where configured

4. Lawful basis

Lawful basis is set by the data controller (usually the school or trust). Typical bases include:

• Public task (education provision and school management)
• Legal obligation (where applicable)
• Legitimate interests (for service security and operations, where appropriate)
• Consent (only where a controller chooses consent-based processing for specific features)

5. Sharing and third-party services

Personal data may be shared with:

• the school or trust and authorised staff using the platform
• technical service providers needed for operation (for example identity sign-in and email delivery)

Third-party services include:

• Microsoft Entra ID (Azure AD) for SSO (where enabled)
• SMTP email infrastructure for service mail delivery

AI-assisted marking tools are used by teachers for selected CAMNAT assessment activities. Student response content is processed transiently by an AI service to assist teacher marking. No direct personal identifiers are included in the AI request payload. Results are reviewed by the teacher before any feedback is shared with students. Anthropic's commercial terms state that customer content is not used to train models. Further detail is available in Anthropic's Commercial Terms and Privacy Policy.

6. International transfers

• Service data is hosted in the UK.
• DNS failover infrastructure is multi-region.
• AI marking assistance uses a third-party API with infrastructure outside the UK. The provider's commercial terms include a data processing agreement and prohibit use of customer data for model training.

7. Security measures

Computing Ninja applies controls including:

• TLS/HTTPS for data in transit
• data at rest protections applied at the hosting/database infrastructure layer
• password hashing for local credentials
• authenticated, role-based access checks on protected routes
• security-focused session handling for SSO flows
• operational logging for incident investigation

8. Cookies

This service uses strictly necessary session cookies for authentication and secure access. No tracking or analytics cookies are used. Under the Privacy and Electronic Communications Regulations (PECR) 2003, strictly necessary cookies do not require user consent. If this changes, this notice will be updated.

9. Retention

• Account and authentication records: while active, then delete or anonymise within 24 months of inactivity or closure.
• Learning and assessment records: current academic year plus 6 years, then delete or anonymise.
• Imported assessment files: delete within 90 days of successful import.
• Security/incident logs: retain for 12 months, unless required for an active investigation.
• Backup retention window: rolling 35-day backup window.

10. Your rights

Subject to legal exceptions, individuals may have rights to: access personal data, rectification, erasure, restriction, objection, and portability (where applicable).

For school-controlled data, requests should be made via the school or trust. For CODEX EDUCATION LTD controlled processing:

• Email: admin@computing.ninja
• Postal address: 128 City Road, London, United Kingdom, EC1V 2NX

11. Complaints

Concerns should be raised with the school or trust controller or CODEX EDUCATION LTD first. You may also contact the Information Commissioner's Office (ICO): ico.org.uk

12. Updates

This notice may be updated for legal, technical, or operational changes.