Skip to main content(Effective date: August 15, 2025)
1. Who We Are & Scope
This Privacy Policy explains how Squid Academy Ltd (“Squid”, “we”, “us”) collects, uses, shares, and protects personal information across our websites, web apps, and services (collectively, the “Services”). It works together with our Terms & Conditions and our Data Processing Addendum (DPA) for Organization customers.
Contact: [email protected].
2. How This Policy Relates To Our T&Cs & DPA
- For Public Users (people who create an account directly with us): Squid is the controller for your core account data; this Privacy Policy applies.
- For Organization‑provisioned users (students, teachers, staff invited by a school, university, esports center, etc.): the Organization is the controller and Squid is the processor/service provider under the DPA; this Privacy Policy should be read together with the DPA and your Organization’s privacy notices.
If the T&Cs and this Privacy Policy ever conflict on Organization data processing, the DPA prevails as to processing on the Organization’s behalf.
3. Who May Use The Services (children and students)
- Public accounts: Under‑13 sign‑ups are not permitted. Public Users must be 13+.
- Organization‑provisioned minors: Organizations must verify age and obtain/retain verifiable parental/guardian consent where required (e.g., COPPA; India DPDP under 18; Thailand PDPA).
Guidance for obtaining and verifying parental consent is available in our Parental Consent Guide.
- We do not sell personal data, profile minors for advertising, or use Organization‑provisioned minors’ data for cross‑context behavioral ads.
4. What We Collect
- Account and profile data (e.g., name, email, role/organization), classroom/team participation, coursework and tournament participation, and support requests.
4.2 Data we collect automatically
- Technical telemetry (e.g., login logs, timestamps) and security/operations data necessary to run the Services.
- If you sign in via a third‑party identity provider (e.g., Google/Apple) or you are invited by an Organization, we may receive limited account/roster information consistent with your settings and the Organization’s instructions.
4.4 Special categories and payment data
- We do not intend to collect special‑category data (e.g., health, biometrics). Please do not submit it unless necessary for educational use and permitted by law.
- We do not process payment card data for the Services; payments are handled by third‑party payment processors unless expressly stated in an Order.
We use personal information to:
- Provide the Services (user authentication, class/team management, course delivery, progress/tournament operations, support, and security).
- Maintain and improve the Services using aggregated/de-identified usage metrics; we do not attempt to re‑identify de‑identified data.
- Comply with law and enforce our T&Cs; respond to lawful requests (with safeguards).
AI/ML model training
We do not use Controller Personal Data (Organization‑provided data) to train, retrain, or fine‑tune generalized AI/ML models for unrelated product development, unless on the Organization’s documented instructions.
6. Cookies & Similar Tech
Right now we use only essential session cookies for authentication and core functions. If we later add analytics or non‑essential cookies, we’ll implement a compliant consent mechanism.
We share personal information with:
- Sub‑processors/service providers that help us host, support, secure, and deliver the Services; we maintain a Sub‑processor List and give 30 days’ advance notice of changes, with an emergency replacement carve‑out and objection/termination rights as set out in the DPA.
- Authorities when legally required (we notify and limit disclosure where possible).
- Business transfers. If we are involved in a reorganization (e.g., merger, acquisition, or sale of assets), personal information may transfer as part of the transaction; we will continue to protect it and will provide notice of any material changes to this Policy.
No sale/sharing for ads: When acting as a processor/service provider, we do not sell or share personal information or use it for cross‑context behavioral advertising; our US state privacy commitments are spelled out in the DPA and T&Cs.
8. International Data Transfers
We use approved safeguards for cross‑border transfers, including the EU Standard Contractual Clauses (SCCs) (Module 2/3 as applicable) and the UK Addendum/IDTA; we also support transfer impact assessments and supplementary measures where needed. See DPA Section 6 and Annex IV.
For details, see our International Data Transfers page.
9. Security
We maintain appropriate technical and organizational measures (access controls, encryption in transit/at rest, secure development and change management, monitoring, backups/DR, incident response). A summary of our TOMs is in Annex II of the DPA.
If we become aware of a confirmed Security Incident affecting Organization data, we will notify the impacted customer without undue delay (and where GDPR applies, where feasible within 72 hours, EEA 1 month; US states 45 days + permissible extension), and cooperate on remediation.
10. Retention
We keep personal information only as long as needed for the purposes above or as required by law. Upon termination/expiry, we’ll delete or return Organization personal data on written instruction and delete existing copies within 35 days; we can provide written deletion confirmation.
For details, see our Data Retention & Deletion Schedule.
11. Your Privacy Rights & How To Exercise Them
11.1 If you are a Public User
You may request access, correction, deletion, portability, and to object/restrict certain processing, subject to applicable law. Contact: [email protected] or submit a Privacy Request Form
11.2 If you are an Organization‑provisioned user
Your Organization is the controller and is responsible for authenticating requests and routing them to us; we will assist without undue delay via controller workflows. Where requests are excessive, manifestly unfounded, or duplicative, we may charge reasonable costs for assistance (as set out in the DPA).
11.3 Appeals & complaints
If we decline your request, you may appeal by replying to our decision email. You can also complain to a supervisory authority (e.g., the UK ICO) where applicable.
11.4 Global Privacy Control (GPC) & Non‑discrimination
Where required by law, we treat Global Privacy Control (GPC) signals (or equivalent) as an opt‑out request related to sale/sharing or targeted advertising. We will not discriminate against you for exercising Your Privacy Rights (e.g., no denial of services, different prices, or reduced quality).
12. Third‑Party Services & Links
If you enable third‑party sign‑in or integrations, those providers’ terms and privacy practices apply to their handling of your data. We’re not responsible for third‑party sites or services outside our control.
13. Marketing
We may send service and account notices. You can opt out of non‑essential marketing emails via the unsubscribe link in each message.
14. Automated Decision‑making
We do not engage in automated decision‑making that produces legal or similarly significant effects on individuals.
15. Changes To This Privacy Policy
We may update this Policy. We’ll post the new version with an updated effective date and, for material changes, provide reasonable notice. Continued use after the effective date constitutes acceptance.
Email: [email protected]
Address: 71‑75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
**Regional Disclosures **(supplemental)
A) European Economic Area (EEA) & United Kingdom (UK)
- Controller: For Public Users, Squid Academy Ltd. For Organization users, your Organization is controller and Squid is processor under the DPA.
- Legal bases: contract performance (providing the Services), legitimate interests (security, service improvement using de‑identified data), consent (where we rely on it, e.g., non‑essential cookies), and legal obligations.
- Transfers: SCCs + UK Addendum; supplementary measures as needed.
- Your rights: access, rectification, erasure, restriction, portability, objection; complain to your local DPA.
B) United States (including state laws such as CA/VA/CO/UT/CT/TX)
- When acting as a processor/service provider for Organizations, we do not sell or share personal information and do not use it for cross‑context behavioral advertising; we process only for limited, specified purposes and flow down obligations to sub‑processors.
- You may request access, deletion, correction (where applicable), and information about our disclosures; we verify requests and respond as required by law.
- Texas and other state‑specific student/minor protections apply through controller (Organization) workflows.
US State Privacy Notice (CA/VA/CO/UT/CT/TX and similar)
- Categories collected (last 12 months): identifiers (name, email, account IDs); internet/network activity (basic logs, timestamps); education information (enrollments, progress, team/tournament participation). Not collected: precise geolocation; payment card numbers; biometrics; inferences.
- Sensitive Personal Information (SPI): Not used for inferring characteristics or additional purposes.
- Sources: you; your Organization; identity providers (e.g., Google/Apple); device/browser telemetry.
- Purposes: as described in Section 5 (provide, secure, support, and improve Services using aggregated/de‑identified metrics).
- Disclosures: service providers/sub‑processors; authorities where required; business transfers per Section 7. Sale/Share/Targeted advertising: No when we act as processor/service provider.
- Retention: per Section 10.
- Requests & appeals: see Section 11 (we verify identity and allow authorized agents where required).
C) Malaysia (PDPA 2010)
- We assist controllers with access/correction rights and use approved cross‑border safeguards where data leaves Malaysia.
D) Thailand (PDPA 2019)
- Parental consent is required for certain minors under PDPA; we assist controllers with data‑subject rights and appropriate transfer safeguards.
Guidance for obtaining and verifying parental consent is available in our Parental Consent Guide .
E) India (DPDP Act 2023)
- Children (<18) are treated as a protected class under DPDP; controllers must obtain verified parental consent before processing children’s data. We assist with data‑principal requests and apply transfer safeguards consistent with DPDP.
Guidance for obtaining and verifying parental consent is available in our Parental Consent Guide .
Appendix — Key definitions (plain English)
- Public User: Someone who creates a personal account directly with Squid (13+).
- Organization: A school, university, club, or esports center that invites users to the Services.
- Controller / Processor: The Organization decides “why/how” data is processed (controller); Squid processes on their instructions (processor).
