Welcome to enduri. We design our platform to support learning while protecting children’s data, rights, and wellbeing. This Privacy Policy explains how personal data is processed when enduri is used by schools in an operational educational context. (Version February 2026)

1. Our Role in Schools (Operational Service):
   When enduri is used by schools as part of teaching and learning activities, schools and educational authorities act as Data Controllers. This means that schools decide why personal data is used, what personal data is used, how long it is kept, and which lawful basis applies.
   enduri acts as a Data Processor. This means enduri processes personal data only on documented instructions from the school and only for the purpose of providing and maintaining the learning platform.
   
   
2. Data We Process:
   enduri processes only the personal data that is necessary to provide the learning service. This may include user account information such as names, login credentials and class information where required. It may also include learning activity data, platform usage information, content entered by users for learning purposes, and technical data required to operate, secure and improve the platform.

   enduri does not sell personal data and does not use student data for advertising purposes.

3. Lawful Basis (Determined by Schools):
   

   Schools determine the lawful basis for processing personal data when using enduri. Depending on the school’s legal and operational framework, this may include processing necessary for the performance of a contract relating to educational service delivery, processing required to comply with legal or regulatory obligations in education or safeguarding law, or processing necessary for legitimate educational and operational interests, provided these do not override the rights and freedoms of students.

   Where consent or parental authorisation is required, schools are responsible for obtaining, recording and managing this consent. enduri does not rely on implicit consent.

4. Data Processing Agreements (Article 28 GDPR):
   enduri enters DPA with schools before personal data is processed. These agreements define the processing instructions, confidentiality obligations, security requirements, sub-processor rules, and support enduri provides to schools, fulfilling data protection obligations.
   
   
5. Sub-processors:
   enduri may use carefully selected service providers to support delivery of the platform, for example secure hosting or infrastructure providers. All sub-processors are required to meet GDPR requirements and are bound by contractual data protection obligations. enduri remains responsible for the data protection performance of its sub-processors. A current list of sub-processors, including their purpose and processing location, is available within the enduri platform/database and may be updated from time to time.
   
   
6. Security Measures (Article 32 GDPR):
   enduri implements appropriate technical and organisational security measures to protect personal data. These measures include controlled access to systems, role-based permissions, encryption of data in transit and at rest where appropriate, ongoing security monitoring and system updates, and staff confidentiality and data protection training. The Technical and Organisational Measures (TOMs) List is available within the enduri platform/database and may be updated from time to time.
   
   
7. Support for Schools (Controller Obligations): 
   enduri supports schools in fulfilling their data protection obligations. This includes supporting responses to data subject rights requests, supporting security incident and breach management, and supporting data protection impact assessments where required.
   
   
8. Cookies:
   enduri uses cookies only where necessary to ensure platform functionality, security and performance. Where applicable, cookie settings can be managed through browser or system controls.
   
   
9. Children’s Data Protection Commitment:
   enduri is designed to minimise data collection, avoid unnecessary profiling, protect children’s confidentiality and support safe and secure digital learning environments. We are committed to designing services with children’s rights, safety and wellbeing in mind. Children’s Data Protection Commitment is available within the enduri platform/database
   
   
10. User Rights:
    Requests relating to personal data should normally be directed to the school as the Data Controller. enduri supports schools in fulfilling these requests.