⚠️

Legal review required before publishing

This privacy policy has been prepared as a structured draft based on the information provided. It is not a substitute for review by a qualified Irish solicitor or EU data protection specialist. Several clauses are marked for confirmation — these must be verified against your actual technical implementation, third-party contracts, and data processing agreements before this document is published or relied upon. Remove this notice before publishing.

Intellect Education Limited · SprintUp Education

Privacy Policy.

📅 Last updated: March 2026🏛️ Governed by: Irish law · GDPR📋 Version: 1.0

1. Overview

This privacy policy explains how Intellect Education Limited collects, uses, stores, and protects personal data in connection with SprintUp Education — the company's flagship product. It applies to all users of the platform: school administrators, teachers, students (whose data is managed by their school), and curriculum creators.

Intellect Education Limited is registered in Ireland and subject to the General Data Protection Regulation (GDPR) (EU) 2016/679. This regulation sets one of the world's most comprehensive frameworks for personal data protection. All users of SprintUp Education — regardless of where they are located — benefit from these protections as our baseline standard.

Our core commitments on data

We never sell personal data to third parties. We never use personal data or student data for advertising. Student data is never used to train AI models without explicit confirmation of that position (see Section 7). We collect only what we need to deliver the service. You can request deletion of your data at any time.

2. Who we are

Data controller: Intellect Education Limited, registered in Ireland.

Product: SprintUp Education (trading name), a two-sided platform for schools and curriculum creators operated by Intellect Education Limited.

Data protection contact: privacy@sprintup.education

General contact: hello@sprintup.education

🔍

Confirm before publishing: Add your full registered address and Companies Registration Office number here once confirmed.

3. Data we collect

We collect personal data in the following categories, depending on how you use the platform:

Category	What it includes	Who it applies to	Legal basis
Account credentials	Email address, hashed password, account type	All registered users	Contract
School details	School name, country, type, administrator name and contact	School administrators	Contract
Student data	Name, enrolment details, class assignments — as entered by the school administrator	Students (via schools)	Legitimate interest · School consent
Student activity data	Course progress, assignment completion, quiz results, time on platform	Students (via schools)	Contract · Legitimate interest
Content created	Curriculum, course materials, lesson plans, and other content built on the platform	Teachers, creators, school admins	Contract
AI prompts & outputs	Prompts submitted to AI tools and generated content returned	Teachers, creators, school admins	Contract · Legitimate interest
Payment information	Transaction records, plan details — payment card data is processed directly by Stripe and never stored by us	School admins, creators	Contract · Legal obligation
Usage analytics	Pages visited, features used, session duration, device and browser type, IP address	All users	Legitimate interest · Consent (cookies)

We do not collect sensitive personal data as defined under GDPR Article 9 (such as health data, racial or ethnic origin, political opinions, or biometric data).

4. How we use data

We use the data we collect only for the following purposes:

Delivering the platform. Account creation, authentication, course delivery, marketplace transactions, AI tool operation, and all core platform functions.

Platform improvement. Aggregated and anonymised usage analytics to understand how the platform is used and improve its performance, reliability, and features. Individual user data is not used for this purpose.

Communications. Service notifications (account activity, billing, security), product updates you have opted into, and responses to your support requests.

Legal compliance. Meeting our obligations under Irish and EU law, including financial record-keeping, responding to lawful data requests, and enforcing our terms of service.

We do not use personal data for advertising, profiling for third-party marketing, or any purpose not listed above.

5. Schools as data controllers

For student data specifically, SprintUp Education operates as a data processor on behalf of the school, which is the data controller. This is the standard GDPR model for B2B platforms that process data on behalf of institutional clients.

This means: the school decides what student data to enter into the platform, for what purpose, and for how long. SprintUp Education processes that data only on the school's instructions, as set out in our Data Processing Agreement (DPA). Schools are responsible for their own compliance obligations with respect to their students' data, including obtaining any consents required under applicable law.

Schools operating in the EU or EEA should ensure they have a signed DPA with Intellect Education Limited before enrolling students on the platform. Please contact privacy@sprintup.education to request the DPA.

🔍

Action required: A formal Data Processing Agreement (DPA) document must be prepared and made available to schools before they onboard students. This is a GDPR requirement under Article 28. Your solicitor should draft this alongside this privacy policy.

6. Children and minors

SprintUp Education is a school platform used by institutions serving learners of all ages — from primary-age children through to adult education. Student data at all ages is managed and entered by the school administrator, not by students themselves.

Direct accounts. SprintUp Education does not permit children under 13 to create direct accounts on the platform. Student access is always provisioned by a school administrator through the school's account.

School responsibility for minors. When a school enrols students who are minors (under 18, or under a lower age threshold required by applicable local law), the school is responsible for ensuring it has the appropriate legal basis and, where required, parental consent to enrol those students and share their data with third-party processors including SprintUp Education. Schools should refer to their own data protection policies and the DPA.

GDPR and children. Under GDPR Article 8, the age of digital consent varies by EU member state (between 13 and 16). Schools based in EU member states are responsible for understanding the applicable age threshold in their jurisdiction.

🔍

Review with solicitor: If you anticipate schools in the US enrolling students, COPPA (under 13) and FERPA (student education records) obligations should be assessed. This clause may need additional language for non-EU jurisdictions.

7. AI tools and data

SprintUp Education's AI curriculum tools are powered by third-party AI service providers (see Section 8). When you use these tools, the prompts you submit and the content generated are processed by those providers.

What we share with AI providers. We share the content of your prompts with our AI provider to generate the requested output. We do not share your name, school name, or student-identifying information as part of AI prompts unless you choose to include such information in the prompt content yourself.

AI training data — current position.

Notice: AI training data position under review

We are currently reviewing our data processing agreements with our AI service providers specifically regarding whether user-submitted prompts or generated content may be used to train AI models. We will update this policy when our position is confirmed. Until that update is published, schools with specific requirements or restrictions on this point — including schools whose policies prohibit data from being used in AI training — should contact us at privacy@sprintup.education before using the AI tools or enrolling students whose data may be involved in AI-assisted workflows. We will respond to those enquiries individually with our current position.

Student data and AI. We do not submit student personal data (names, identifiers, or student-specific activity records) to AI providers as part of standard platform operation. AI tools are available to teachers and administrators for curriculum and lesson planning — not for direct processing of student records.

8. Third-party processors

We use the following third-party service providers to operate the platform. Each processes personal data only to the extent necessary for the stated purpose and is subject to a data processing agreement.

Stripe

Payment processing for school subscriptions, credit top-ups, and creator marketplace payouts. Payment card data is processed and stored by Stripe directly — SprintUp Education does not store card numbers.

🇺🇸 US · EU adequacy

OpenAI (or equivalent)

AI curriculum generation tools. Prompts submitted by users are sent to the AI provider's API to generate requested content. See Section 7 for current position on training data.

🇺🇸 US · SCCs apply

Hosting provider

Platform hosting, data storage, and infrastructure. All data is stored on servers within the EU or EEA where possible. Confirm server locations with your hosting provider before publishing.

🇪🇺 EU preferred

Email provider

Transactional emails (account confirmations, password resets, billing notifications) and opted-in product communications.

🇺🇸 US · SCCs apply

Analytics provider

Aggregated usage analytics to improve platform performance. If using Google Analytics, a cookie consent mechanism is required. Consider a privacy-first alternative (e.g. Plausible, Fathom) to simplify compliance.

Confirm location

🔍

Confirm before publishing: Verify the exact providers, their locations, and that you have signed data processing agreements with each. For US-based providers, confirm the transfer mechanism (Standard Contractual Clauses are the standard approach post-Schrems II).

9. Data retention

Account data is retained for as long as your account is active. If you close your account, personal data is deleted within 90 days unless retention is required by law (e.g. financial records).

Student data is retained for as long as the school's account is active. When a school closes its account, student data is deleted within 90 days. Schools may request earlier deletion at any time via privacy@sprintup.education.

Financial records (transaction history, invoice data) are retained for 7 years as required under Irish tax law.

Usage analytics are retained in aggregated, anonymised form indefinitely. Identifiable usage logs are retained for 12 months then anonymised.

Content created (curriculum, lesson plans, course materials) remains associated with the creating account until deletion is requested. Creators retain intellectual property rights to their content as per the Terms of Service.

10. Your rights

Under GDPR, all data subjects have the following rights. To exercise any of these rights, contact privacy@sprintup.education. We will respond within 30 days.

Right of access

Request a copy of all personal data we hold about you and information on how it is used.

Right to rectification

Request correction of inaccurate or incomplete personal data we hold about you.

Right to erasure

Request deletion of your personal data where there is no legitimate reason for us to continue processing it.

Right to restriction

Request that we restrict processing of your data in certain circumstances — for example while a complaint is investigated.

Right to portability

Request your personal data in a structured, machine-readable format that you can transfer to another provider.

Right to object

Object to processing based on legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent

Where processing is based on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

Rights regarding automated decisions

You have the right not to be subject to decisions based solely on automated processing that significantly affect you.

For student rights requests: Because schools are the data controller for student data, requests from students or their parents/guardians regarding student data should be directed to the school in the first instance. The school will coordinate with us where necessary.

11. Security

We implement technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include encrypted data transmission (TLS), hashed password storage, access controls, and regular security assessments.

In the event of a personal data breach that poses a risk to individuals' rights and freedoms, we will notify the Irish Data Protection Commission within 72 hours and affected users without undue delay, as required by GDPR Article 33.

🔍

Confirm before publishing: Ensure your security measures list accurately reflects what is implemented — encryption at rest, penetration testing cadence, access control policies, and breach response procedures should all be documented internally before being referenced in the privacy policy.

12. International transfers

Some of our third-party processors are based outside the European Economic Area (EEA) — notably in the United States (Stripe, AI provider, email provider). Where personal data is transferred outside the EEA, we ensure appropriate safeguards are in place under GDPR Chapter V, including Standard Contractual Clauses (SCCs) approved by the European Commission.

We aim to store data on EU/EEA infrastructure where possible. For data stored or processed outside the EEA, the same level of protection required by GDPR is contractually maintained through our data processing agreements with those providers.

13. Policy updates

We may update this policy as the platform evolves, as our third-party processors change, or as legal requirements develop. When we make material changes — particularly to how we handle student data, AI data processing, or data subject rights — we will notify registered users by email and display a notice on the platform.

The "last updated" date at the top of this document reflects the most recent revision. Previous versions are available on request by emailing privacy@sprintup.education.

Continued use of the platform after a material update constitutes acceptance of the revised policy. If you disagree with any material change, you may close your account and request deletion of your data.

14. Contact and complaints

For any questions about this policy, to exercise your rights, or to raise a data protection concern, contact us at:

Data protection contact.

We aim to respond to all data protection enquiries within 5 business days and to complete formal requests within 30 days as required by GDPR.

Data protection email

privacy@sprintup.education

For rights requests, DPA enquiries, breach reports

General contact

hello@sprintup.education

For all other enquiries

Legal entity

Intellect Education Limited

Registered in Ireland

Supervisory authority

Data Protection Commission

dataprotection.ie · Ireland

If you believe your data protection rights have been infringed and we have not resolved your complaint satisfactorily, you have the right to lodge a complaint with the Irish Data Protection Commission (DPC) at dataprotection.ie, or with the supervisory authority in your EU member state of residence.