Skip to main content

Legal

Privacy Policy

Last updated: 1 June 2026

This policy explains how EDU DEVELOPMENT LTD (trading as Umaclass) handles personal data for our Online Madrasah, in line with the UK GDPR and the Data Protection Act 2018. We have written it in plain English. If anything is unclear, please email school@umaclass.com.

1. Who we are

EDU DEVELOPMENT LTD ("we", "us", "Umaclass") is the data controller for personal information collected through this website and the Online Madrasah service. We are a private company limited by guarantee, incorporated in England and Wales on 28 January 2022.

  • Registered office: 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
  • Companies House registration number: 13877588.
  • Contact: school@umaclass.com · +44 7576 012126 (WhatsApp), 9am–6pm UK time, daily.

2. What we collect

We only collect what we need to run the service. In practice that means:

From the parent

  • Name, phone number, email address and the country or city you write to us from.
  • Records of your conversations with us (lead form messages, WhatsApp chats, support emails, callback notes).
  • Billing details. Card numbers are handled directly by our payment processor — we never store them on our own systems.
  • How you found us: the page you arrived on, UTM parameters and the CTA you clicked, so we know which channels are working.

About the child (your student)

  • First name, age and current tajwid level — used to place them in the right group.
  • Diagnostic-quiz answers, if the child takes the 16-question entry quiz.
  • Lesson attendance, homework submissions and progress notes inside the LMS.
  • Live-lesson video and audio recordings (every lesson is recorded so missed ones can be caught up).

Technical data

  • Device type, browser, approximate location (from IP), pages visited and time spent.
  • Cookies and similar storage — see section 9.

3. Why we use it (lawful bases)

Under UK GDPR we have to tell you which legal basis we rely on for each use:

  • Contract. To deliver lessons, run the LMS, record attendance, issue certificates, take payment and respond to support requests. Without this data we can't provide the service.
  • Legitimate interests. To improve the programme, prevent fraud and abuse, keep the service secure, and measure how well our marketing is working (in aggregate). We balance this against your privacy and you can object — see section 8.
  • Consent. For non-essential cookies, marketing emails to prospective parents, and any storyteller-style use of a child's name or work in marketing. You can withdraw consent at any time.
  • Legal obligation. To keep accounting records and to respond to lawful requests from regulators or courts.

4. Children's data

Our Online Madrasah is designed for children aged 7 to 14. We follow the ICO's guidance on children's information and the Age Appropriate Design Code, and we take the following approach:

  • The contract is always with the parent or guardian. Children do not sign up or pay directly.
  • Where we rely on consent for the child's data, that consent is given by the parent or guardian holding parental responsibility, and we take reasonable steps to verify that.
  • We keep what we collect about the child to the minimum needed to teach them and to keep them safe.
  • We do not profile children, do not show them third-party advertising and do not sell their data — ever.
  • Lesson recordings exist for catch-up and safeguarding. Access is restricted to the family, the teacher, the curator and a small admin team. Recordings are not published.
  • Privacy information is provided in language a child can understand alongside this fuller version for parents.

See the ICO's guidance on children and the UK GDPR: ico.org.uk/childrens-information.

5. Who we share data with

We do not sell personal data. We share it only with carefully chosen processors who help us run the service. Each is bound by a written data-processing agreement and may only use the data on our instructions.

  • Website and LMS hosting: [Hosting provider: TBC].
  • CRM and lead management: [CRM provider: TBC].
  • Payment processing: [Payment processor: TBC].
  • Live-lesson video conferencing and recording: [Video platform: TBC].
  • Email and messaging delivery: [Email provider: TBC].
  • Analytics (aggregated and pseudonymised where possible): [Analytics provider: TBC].
  • Professional advisers (accountants, lawyers) where there's a legitimate need.

We will also disclose data where the law requires it — for example to respond to a court order or to protect a child's safety.

6. International transfers

Some of our processors are based outside the UK. Where personal data leaves the UK we make sure it remains protected to a standard equivalent to UK GDPR — usually through the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or an adequacy decision recognised by the UK government. A list of the specific safeguards in place is available on request.

7. How long we keep data

We don't keep data for longer than we need it. As a guide:

  • Lead form enquiries that don't convert: up to 12 months, then deleted.
  • Active student and parent accounts: for as long as you're with us, plus the period needed to issue certificates and handle refunds.
  • Lesson recordings: typically up to 12 months after the lesson, unless safeguarding requires longer.
  • Accounting and tax records: 6 years from the end of the financial year, as required by UK law.
  • Marketing consent records: until you withdraw consent, plus a short record so we can prove the consent was valid.

8. Your rights

Under UK GDPR you have the right to:

  • Ask for a copy of the personal data we hold about you or your child (the right of access).
  • Have inaccurate data corrected.
  • Have data deleted where we no longer need it (the right to erasure).
  • Restrict how we use the data while a query is being resolved.
  • Receive your data in a portable format and have it sent to another provider.
  • Object to processing based on legitimate interests.
  • Withdraw any consent you have previously given, at any time.

To exercise any of these rights, email school@umaclass.com. We aim to respond within one month.

If you're not happy with how we've handled your data, please tell us first so we can fix it. You also have the right to complain to the UK regulator, the Information Commissioner's Office, at ico.org.uk/make-a-complaint.

9. Cookies

We use a small number of cookies and similar technologies. Essential cookies make the site work (for example, remembering you're signed in). Analytics and marketing cookies help us understand how the site is used and which channels are bringing parents to us.

A cookie banner letting you accept or reject non-essential cookies is [Cookie banner: TBC — pending launch]. Until it is live, we do not set non-essential cookies without your consent. You can also block cookies in your browser settings.

10. Security

We use industry-standard measures to protect personal data: encryption in transit (HTTPS), encryption at rest where our providers offer it, access controls so only the people who need data can see it, and regular reviews of who has access. No system is perfectly secure, but if something goes wrong we will tell affected users without undue delay and notify the ICO where the law requires it.

11. Changes to this policy

We may update this policy from time to time — for example, when we add a new processor or change how the LMS works. The "Last updated" date at the top of the page will always show when the current version came into effect. If we make a material change we will let active families know by email.

12. How to contact us

Privacy questions and data-rights requests: