Your Students' Data. Your Control.
Built with privacy at the core. Your institution's data stays protected, encrypted, and under your control.
Our Security Commitments
Multi-Factor Authentication
Administrative accounts require multi-factor authentication. Teachers, coordinators, and IT staff all use MFA to access student data.
Per-School Encryption
Each school's data is encrypted with unique keys. Your institution's information remains protected and separate from other schools.
Session Protection
Multiple layers of session security prevent unauthorised access. Suspicious activity triggers automatic protection measures.
No Data Sales
We do not sell, rent, or trade student data. Ever. No advertising partners, no data brokers, no exceptions.
Responsible AI Use
If we use interaction patterns to improve our AI tutor, data is fully anonymised first. You can opt out entirely.
Full Audit Trail
Administrative actions are logged with timestamps. Full accountability, available for your review on request.
Regulatory Compliance
GDPR
Full compliance with UK GDPR and EU General Data Protection Regulation. Your institution is the data controller; we process data only on your behalf.
FERPA
Compliant with the Family Educational Rights and Privacy Act. Educational records are protected and accessible only to authorised parties.
COPPA
Children's Online Privacy Protection Act compliance for users under 13. Parental/school consent required; enhanced protections for young learners.
PIPEDA
Compliant with Canada's Personal Information Protection and Electronic Documents Act for Canadian institutions.
What We Collect
Transparency matters. Here's what data flows through our systems:
π Learning Data
- Experiment actions - What students do in the virtual lab
- Progress markers - Which experiments completed, time spent
- Assessment responses - Answers to lab questions
- Safety compliance - Whether proper procedures were followed
π€ Account Data
- Username - Can be pseudonymous (student IDs work fine)
- School/class association - Which institution and group
- Role - Student, teacher, or administrator
π« What We Don't Collect
Home addresses, phone numbers, biometric data, browsing history, social media, financial info, health info, advertising profiles
Security Architecture
Encryption
Data encrypted in transit and at rest. Your students' work is protected at every stage.
Role-Based Access
Students see only their own data. Teachers see only their classes. Administrators see only their institution.
Audit Logging
Administrative actions are logged and auditable. Every data export, every permission change.
Secure Backups
Automated encrypted backups with tested restoration procedures.
Offline Capability
The platform works offline. When offline, no data leaves the device until the student reconnects.
Built Differently
Recent high-profile EdTech breaches have exposed millions of student records. We designed WhimsyLabs to avoid the common vulnerabilities.
Your Institution's Rights
π€ Data Export
Request a complete export of all your institution's data at any time, in standard formats.
ποΈ Data Deletion
Request complete deletion of your institution's data when you leave the platform.
π Data Access
Review exactly what data we hold about your students. Full transparency.
βοΈ Data Correction
Correct any inaccurate data. You maintain control over your information.
Questions About Data Security?
We're happy to discuss our security practices with your IT team, complete vendor security questionnaires, or arrange a technical review with your data protection officer.