Version 1.2 | June 2026
Halved Limited (“Halved”) is the operator of the Halved platform and website. Where Halved processes personal data as controller, it is the organisation legally responsible for deciding how and why that personal data is used. Where Halved processes student and school staff platform data for a school, the school is controller and Halved is processor, as explained below.
We are Halved Limited (hereafter referred to as “Halved”, “we”, “us”, “our”) and we are committed to protecting personal data. This privacy notice explains how personal data is collected, used, shared, stored and protected when schools, teachers, school administrators, students and website visitors use the Halved platform at https://www.halved.io, contact us, or use our website.
This notice applies to school administrators, teachers, students and website visitors. It should be read alongside the relevant school privacy notice. For students, parents and legal guardians, the school remains the first point of contact for questions about how student data is used in the school setting.
What this notice covers
This notice applies to personal data processed through the Halved platform and website. It does not replace the school’s privacy notice. It also does not apply to third-party websites or services linked from Halved; those organisations are responsible for their own privacy information.
This version is mainly written for adults, including school staff, parents and legal guardians. Halved will also make student-facing privacy information available before or when students first use the platform, in a concise, age-appropriate form for students using the platform.
Who are we?
Controller and processor status. For personal data processed through a school tenant for the purpose of delivering AI-assisted learning support to that school, the school is the controller and Halved acts as processor under a written data processing agreement. This includes student account data, teacher-created assignments, student assignment work, chat history and AI learning profiles. Halved processes that data only on the school documented instructions, except where UK law requires otherwise. Halved is controller for personal data it processes for its own business purposes, including website enquiries, news updates, supplier and customer administration, sales records, security administration and compliance records.
If you have any questions about this privacy notice or our privacy practices, please contact us:
Legal entity: Halved Limited
Email: dataprivacy@halved.io
Registered office address: 4 Comet House, Calleva Park, Aldermaston, Berkshire, RG7 8JA.
If you are a student, parent or legal guardian and your question concerns student data held in the school platform, please contact the school first. Halved will assist the school in responding to validated requests.
How do we use your data?
Personal data we collect and how it is collected
The personal data processed by Halved depends on how you interact with the platform and website. It may include names, school email addresses, school, year group, role, account details, hashed passwords, teacher-created assignment allocations, assignment work and submitted content, chat messages and AI responses, AI-generated learning profile summaries, optional voice audio where voice features are enabled, safeguarding alert content and metadata, support and enquiry details, news-update preferences, technical and security logs, and cookie or usage information.
Personal data is collected directly from schools and teachers when they configure tenants, classes, assignments and accounts; directly from students when they use the platform; directly from you when you contact Halved or sign up to updates; and automatically from the website or platform through necessary logs, session technologies and cookies.
Where personal data is needed to provide the platform, administer an account, respond to an enquiry, keep the service secure or comply with law, failure to provide it may mean that the relevant service or functionality cannot be provided. Where personal data is optional, Halved will make this clear and explain any effect of declining to provide it.
School and teacher accounts: For platform access, we process names, school email addresses, role, school identifier, hashed password and account administration information. Where this relates to the school use of the platform, Halved acts as processor for the school. Where Halved uses school contact details for contract administration, service notices, support, billing, security management or legal compliance, Halved acts as controller and relies on contract necessity, legitimate interests and/or legal obligation, as applicable.
Student accounts: Student accounts are created or authorised by the school. We process student name, school email address, year group, school and subject/assignment allocations. The platform does not capture SEND, accessibility, health or disability flags, and the AI learning profile records observed learning behaviour only and does not record any diagnosis, neurodevelopmental condition or disability label. The school is responsible for identifying the relevant Article 6 lawful basis; Halved processes student data only on the school documented instructions and applies appropriate confidentiality, access control, minimisation and security safeguards.
Platform usage and AI learning support: When students and teachers use the platform, Halved processes assignment work, chat conversation history, AI responses, lesson context, role-based identifiers, session timestamps and AI-generated learning profile summaries. The AI learning profile is inferred from the student’s use of the platform and is used to personalise future learning support sessions, such as by giving shorter explanations or identifying topics that may need reinforcement. Halved does not use identifiable student personal data to train third-party foundation models or for independent product development. Any service-improvement analysis using student-derived data must be carried out only on an anonymised or aggregated basis, unless the school has given documented instructions for the specific processing.
News updates: If you sign up to receive our news updates, we collect your name and email address to send them to you. We rely on consent or another lawful basis permitted by PECR and UK GDPR. You can unsubscribe at any time by using the unsubscribe link in our emails or by emailing dataprivacy@halved.io.
Contact enquiries and support: When you contact us by email, through our website or through a support channel, we collect your name, contact details and the content of your enquiry so that we can respond, administer our services and keep appropriate records. We rely on legitimate interests, contract necessity and/or legal obligation depending on the nature of the enquiry.
Website cookies
For more information about our deployment of and use of cookie information, please see Cookie Policy.
Controller purposes and lawful bases - more detail
The following table gives further detail about Halved controller processing. Student and school staff platform data processed for a school remains subject to the school DPA and the school documented instructions.
| What Halved uses personal data for | Relevant personal data | Role and lawful basis |
|---|---|---|
| Providing and administering school-facing platform access for school staff | Staff names, school email addresses, role, school identifier, account and support information | Processor for school platform data. As controller for customer administration: contract necessity, legitimate interests and legal obligation, as applicable. |
| Responding to enquiries and support requests | Contact details, role, school or organisation, enquiry content and support records | Legitimate interests, contract necessity and/or legal obligation, depending on the nature of the request. |
| News updates and adult marketing communications | Name, email address, organisation, role and communication preferences | Consent or legitimate interests where permitted by UK GDPR and PECR. Students must not receive marketing through the platform. |
| Non-essential cookies, website analytics and similar technologies | Cookie identifiers, browser/device information and website usage information | Consent where required by PECR and UK GDPR. Strictly necessary cookies are used to provide the service. |
| Security, audit logging, fraud prevention and incident response | Account identifiers, session information, audit logs, security events and technical metadata | Legal obligation and legitimate interests in keeping the platform secure and protecting users, schools and Halved. |
| Legal claims, regulatory compliance, accounting, audit and corporate administration | Relevant account, contact, transaction, correspondence and compliance records | Legal obligation and legitimate interests in protecting, managing and evidencing Halved’s business and legal rights. |
| Student-facing platform data processed for a school | Student account data, assignments, chat history and AI learning profiles | Halved acts as processor under the school’s documented instructions. The school identifies the Article 6 lawful basis. |
When Halved relies on legitimate interests as controller, it will assess whether its interests are overridden by the rights and interests of the relevant individual. You may request information about that assessment by contacting Halved.
Special category data
The platform is not designed to capture special category data and does not collect SEND, accessibility, health or disability flags. The AI-generated learning profile records observed learning behaviour only and does not record any diagnosis, neurodevelopmental condition or disability label. Halved does not solicit special category data. Where a student includes sensitive information in a free-text message, that content is handled through the safeguarding pipeline and Halved’s security controls; in that limited context the school, as controller, is responsible for identifying any applicable Article 9 condition and DPA 2018 Schedule 1 condition, and Halved processes such content only on the school documented instructions.
No sale or advertising use
Halved will not sell student personal data, use student personal data for behavioural advertising, or use student personal data to train third-party foundation models.
Approved applications and AI tools
Halved’s internal approved applications list does not authorise staff or contractors to process student personal data, school-controlled personal data or confidential school materials in general-purpose AI tools, social media tools, Dropbox or other non-platform applications. Those tools must not be used with student data unless separately assessed, approved, covered by appropriate contractual terms and, where required, added to the school DPA and sub-processor register.
Marketing and news updates
Halved will not send marketing or news updates to students through the platform. Adult school contacts and website visitors may receive news updates or service information where permitted by UK GDPR and PECR.
You can opt out of marketing communications at any time by using the unsubscribe link in Halved emails or by contacting dataprivacy@halved.io. This will not affect non-marketing service messages, security notices or communications that Halved is required or permitted to send for contractual, operational or legal reasons.
Halved will not sell personal data or share personal data with third parties for their own marketing purposes.
Processing children’s data
The Halved platform is used by students, including children under the age of 18. Student accounts are created and managed by schools and teachers, not directly by students or parents. Halved processes student personal data only for school educational purposes and on the school’s documented instructions. The following section gives further detail about use of generative AI in an education setting, including child-appropriate safeguards.
Personal data processed in an education setting
This section explains how personal data is processed where Halved is deployed by a school to provide AI-assisted learning support. It is intended to supplement, not replace, the school’s own privacy notice. The school remains the controller for student and school staff platform data and determines the educational purposes and lawful basis for the processing. Halved acts as processor for that school-controlled data under a written data processing agreement, except where Halved separately acts as controller for its own administration, security, legal compliance or business records.
Data subjects who may be affected
The processing may involve students who use the platform, including children aged under 18 and students with SEND or accessibility needs; teachers, tutors, school administrators and designated safeguarding leads who configure or supervise use of the platform; parents or legal guardians where their details or correspondence are provided by the school or included in a support or safeguarding context; and Halved personnel or authorised technical support users whose access is recorded in audit and security logs.
Types of personal data processed
Depending on the school configuration and features enabled, Halved may process identity and account data, such as name, school email address, role, school, year group, class and account credentials; educational data, such as teacher-created assignments, lesson context, assignment criteria, submitted work, quiz or task responses and teacher feedback; chat content, including student prompts, AI responses and conversation history; inferred learning data, including AI-generated learning profile summaries about apparent strengths, areas of difficulty and preferred learning approaches; optional voice audio and AI-generated audio where speech features are enabled; safeguarding alert content, message excerpts and escalation metadata; and technical data such as session times, role-based identifiers, security events, audit logs and diagnostic metadata.
How the generative AI works
Halved is a closed-loop educational support tool. It does not browse the internet, does not return public search results and does not use identifiable student personal data to train third-party foundation models. When a student sends a message to the AI, Halved sends the message text, relevant lesson notes, assignment criteria, the immediate conversation context, a role-based student identifier and a limited summary of the student’s learning profile to Azure OpenAI Service in the UK South region. Halved does not send the student’s name or email address as structured fields to Azure OpenAI. However, if a student types personal information into a chat message, that information will form part of the message text processed by the AI service.
Explanation of the AI output
The AI generates natural-language responses by predicting helpful text from the instructions, lesson materials and conversation context supplied to it. The output is not a human decision, is not guaranteed to be error-free, and should not be treated as an official educational assessment, disciplinary decision or safeguarding determination. The AI-generated learning profile is an inferred summary used to adapt future learning support, for example by providing shorter explanations, checking understanding, or revisiting topics that appear difficult. It is not intended to diagnose, label or determine a student’s SEND, disability or health status, and it is not used to make decisions with legal or similarly significant effects about students. Teachers and schools remain responsible for supervising the learning activity, reviewing outputs where appropriate and making educational, pastoral and safeguarding decisions.
Third-party sub-processors used to provide the platform and generative AI
Halved uses the sub-processors listed in the section “Who do we share personal data with?”. For generative AI and related platform delivery, these include Microsoft Azure for hosting, storage, security, logging and infrastructure; MongoDB Atlas for structured platform data; Azure OpenAI Service for AI learning support responses; Azure Speech Service where optional speech-to-text or text-to-speech is enabled; Azure Communication Services for transactional and safeguarding escalation emails; Azure Container Instances/Gotenberg for document conversion of teacher-uploaded lesson materials; Azure AI Content Safety and Azure Logic Apps for the safeguarding pipeline; Cloud202 Ltd for authorised technical development, support and maintenance. Cloudflare provides DNS, CDN and security for the Halved website (halved.io) only and does not process student or school personal data through the platform. Planned or conditional providers must not process live student data until assessed, contractually covered and activated in accordance with the school DPA and sub-processor notification arrangements.
Lawful basis
Where Halved processes student and school staff platform data for a school, Halved acts as processor and relies on the school’s documented instructions rather than identifying its own Article 6 lawful basis for that school-controlled processing. The school is responsible for identifying and communicating its lawful basis. In many UK state school deployments, the relevant lawful basis is likely to be public task under Article 6(1)(e) UK GDPR, although schools must make their own assessment. Independent schools or other education providers may in some cases rely on legitimate interests, contract necessity, legal obligation or another lawful basis depending on the circumstances.
The platform does not capture SEND, accessibility, health or disability flags. Where safeguarding information or other sensitive information is processed, for example where a student includes such information in a free-text message, the school is responsible for identifying an Article 9 condition and any required Data Protection Act 2018 Schedule 1 condition, such as substantial public interest conditions relevant to safeguarding.
Where Halved acts as controller for its own business, security, support, legal or compliance purposes, the lawful bases are set out in the controller purposes and lawful bases section above.
Children’s Code (Age-Appropriate Design Code) safeguards
Halved will apply the following child-privacy safeguards where the platform is used by children, including where those safeguards are adopted as good practice to support the school’s own compliance with the ICO Children’s Code (Age-Appropriate Design Code). In particular, Halved will place students’ best interests at the centre of design and operation; support the school with DPIA information and data flow documentation; provide concise, prominent and age-appropriate privacy information, including point-of-use explanations for AI personalisation/profiling and prompts to ask a teacher or trusted adult if a student is unsure; use high-privacy defaults; collect and use only the personal data needed for the educational purpose; avoid using student data for advertising, sale of data, behavioural profiling, unrelated analytics or independent model training; restrict profiling to explainable learning-support personalisation; avoid nudge techniques that encourage students to weaken privacy settings or share unnecessary personal data; not collect geolocation, biometric data, payment data or device identifiers beyond what is needed for a standard browser session; limit sharing to approved sub-processors; apply role-based access controls, encryption, audit logging and retention limits; and provide routes for students, parents and schools to raise concerns or exercise data protection rights through the school.
School configuration and supervision
Schools should decide which classes, subjects, students and features are appropriate for the deployment, including whether optional voice features are enabled. The safeguarding pipeline is a standard, always-active part of the platform, and each school must provide at least one designated safeguarding lead and a monitored email address to receive safeguarding alerts. Schools should tell students not to include unnecessary personal information in chat messages and should ensure teachers understand that AI outputs are support materials requiring professional oversight, not a substitute for teacher judgement or safeguarding procedures.
Who do we share personal data with?
We share personal data with the following categories of third parties:
- Technology providers and sub-processors: We use the technology providers listed below to operate, host, support and secure the platform. Where student data is processed for a school, these providers act as sub-processors and must be covered by written data processing terms. Planned or conditional providers must not process live student data until they are activated under the school DPA (and the school has been notified where required).
| Provider | Purpose | Location | Data involved |
|---|---|---|---|
| Microsoft Azure | Primary hosting, storage, security services, audit logging and infrastructure services | UK South / United Kingdom regions, as configured | Platform data required to host, secure and operate the service |
| MongoDB Atlas | Student accounts, lessons, assignments and structured platform data | Azure UK South | Structured platform data as configured for the school tenant |
| Azure OpenAI Service | AI learning support responses and language model inference | UK South | Chat messages, lesson context, role-based identifier and learning profile summary. Student names and email addresses are not sent as structured fields. |
| Azure Speech Service | Optional speech-to-text and text-to-speech voice features | UK South | Student voice audio and AI-generated text where the school enables voice features |
| Azure Communication Services | Transactional emails and safeguarding escalation emails | United Kingdom | Usernames, email addresses, account setup/password reset links and safeguarding alert content |
| Azure Container Instances (Gotenberg) | Document conversion for teacher-uploaded lesson materials | UK South | Teacher-uploaded lesson material content |
| Azure AI Content Safety | Automated content safety moderation | UK South | Chat message text and safety metadata |
| Azure Logic Apps | Safeguarding workflow orchestration if enabled | UK South | Safeguarding flag metadata and escalation email content |
| **Cloud202 Ltd **(‘Cloud202’) | Technical platform development, support and infrastructure maintenance where access to personal data is required | United Kingdom | Potential access to platform data for support and maintenance under Halved instructions and Article 28/sub-processor terms. No independent use, download, reuse or retention of student data; access must be named, MFA-protected, least privilege and reviewed. |
| Cloudflare (website only) | DNS, CDN and security for the Halved marketing website (halved.io) | Active for the website; not in front of the platform | IP addresses, headers and security metadata of website visitors. Does not process student or school personal data. |
Cloud202 access to personal data is permitted only under appropriate Article 28/sub-processor terms, documented access controls, MFA, least privilege and removal of temporary contractor access when no longer required.
Cloudflare fronts the Halved marketing website (halved.io) only and does not sit in front of the student-facing platform (my.halved.io). It therefore processes no student or school personal data and is not a platform sub-processor. This was confirmed in June 2026 by inspecting response headers, which showed Cloudflare serving halved.io but not my.halved.io.
Regulators and authorities: We may share personal data where required by law or where necessary for safeguarding, security, prevention or detection of crime, legal claims, or to protect rights, property or safety. Where Halved is processor, such disclosures will be made in accordance with the DPA, documented instructions or applicable law, and we will inform the school unless legally prohibited.
Halved only allows service providers and sub-processors to handle personal data where Halved is satisfied that they take appropriate measures to protect it and where appropriate contractual obligations are in place. Where Halved acts as processor, sub-processors must be authorised under the school DPA or notified to the school in accordance with that DPA.
Halved may also share relevant personal data with professional advisers, insurers, auditors, banks, law enforcement agencies, courts, public authorities and regulators where necessary for legal, regulatory, accounting, audit, insurance, safeguarding, security or dispute-resolution purposes.
If Halved undergoes a merger, acquisition, asset sale, investment, restructuring or insolvency process, relevant personal data may be shared with the other parties and professional advisers involved. Halved will limit the information shared where possible and will require appropriate confidentiality protections.
Where do we store your data?
Data residency and international transfers: Production data is hosted in UK regions as described in the Data Flow and Data Handling Summary. Halved will not intentionally host student personal data outside the UK. If any restricted transfer arises, including support access from outside the UK, Halved will ensure appropriate safeguards under Chapter V UK GDPR are in place and will notify the school where required by the DPA.
International transfers - more detail
The current position is that production student personal data is hosted in UK regions. If Halved needs to transfer personal data outside the UK in the future, including support access from outside the UK, Halved will do so only where an adequacy regulation, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or another lawful transfer mechanism applies.
Halved will not permit access to UK school or student personal data by any non-UK affiliate or operation unless the school has been notified where required and appropriate UK GDPR transfer safeguards and processor or sub-processor arrangements are in place.
How long do we keep your data?
Retention: Student and school staff platform data is retained in accordance with the school contract, the school documented instructions and the Halved Data Retention Policy. Unless a longer period is required by law or the school documented instructions, school-controlled personal data will be deleted or returned within 90 days after termination of the school contract. Safeguarding records must be retained only for the period agreed with the school and aligned with the school safeguarding retention schedule.
Anonymisation: Halved may retain information indefinitely only where it has been anonymised so that individuals are no longer identifiable, taking account of the risk of singling out, linkability, and inference. Pseudonymised data remains personal data and is not treated as anonymised. Halved must not attempt to reidentify anonymised information.
AI profiling and automated decision-making: Halved creates an AI-generated learning profile from a student’s interactions with the platform to personalise learning support. This is profiling/inferred data for data protection purposes, as explained in the section “Personal data processed in an education setting”. It is not used to make decisions with legal or similarly significant effects about a student and does not replace teacher judgement. Teachers and schools remain responsible for educational decisions.
Keeping personal data secure
Halved uses appropriate technical and organisational measures designed to prevent personal data from being accidentally lost, used, accessed, altered or disclosed unlawfully. These include encryption in transit, encryption at rest, role-based access controls, secrets management, audit logging and controlled administrator access, as described in Halved’s Security Policy.
Access to personal data is limited to people and providers with a genuine need to access it for the purposes described in this notice and, where relevant, under the school DPA. Halved also maintains procedures to deal with suspected personal data breaches.
Administrative and contractor access to production systems is restricted to authorised personnel with a need to know and must use named accounts, MFA, least privilege, password-manager storage, access logging/review and timely removal of temporary contractor access.
Where Halved acts as processor for a school, Halved will notify the school without undue delay after becoming aware of a personal data breach affecting school-controlled personal data. Where Halved acts as controller, Halved will notify affected individuals and/or the ICO where legally required.
What are your rights under data protection law?
Where Halved acts as controller, you may have the rights listed below. Where Halved acts as processor for a school, requests about student or school staff platform data should be made to the school, and Halved will assist the school in responding.
-
Request access to your personal data (subject access request): to receive a copy of the data we hold and to check we are processing it lawfully.
-
Request correction: to have incomplete or inaccurate data corrected.
-
Request erasure: to ask us to delete your personal data where there is no good reason to continue processing it. Note that we may not always be able to comply for specific legal reasons, which we will explain if applicable.
-
Object to processing: where we rely on legitimate interest, or where we process your data for direct marketing.
-
Request restriction of processing: to ask us to suspend processing in certain circumstances.
-
Request data portability: to receive your data in a structured, machine-readable format where applicable.
-
Withdraw consent: where we rely on consent. This will not affect the lawfulness of any processing before withdrawal.
You also have the right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects, where applicable. Halved does not use the platform to make such decisions about students.
You also have the right to lodge a complaint. For more information, please see the section ‘How to complain’ below.
Please be aware that these rights are not absolute and will not be available in all circumstances.
To exercise a right where Halved is controller, please email dataprivacy@halved.io and provide enough information to identify yourself, the right you want to exercise and the personal data to which your request relates. Halved may request additional information if reasonably needed to verify your identity.
Halved will respond to valid rights requests without undue delay and normally within one month, subject to any extension permitted by UK GDPR for complex requests. Where Halved is processor for a school, Halved will assist the school in responding to validated requests.
How to complain
You have the right to make a complaint to us if you are unhappy about how we handle your personal data. You can contact us at dataprivacy@halved.io. We will acknowledge your complaint within 30 days of receiving it and, without undue delay, will take appropriate steps to investigate, keep you informed and tell you the outcome. Full details of how we handle data protection complaints are set out in our Data Protection Complaints Process, available on our website.
You also have the right to complain to the Information Commissioner’s Office, the UK supervisory authority for data protection. The ICO can be contacted through https://www.ico.org.uk or by telephone on 0303 123 1113.
Do we review this policy?
We review this privacy notice at least once a year, and sooner when our practices change or when required by law. The next scheduled review is June 2027. We will notify schools of material changes affecting school-controlled personal data in accordance with the school DPA. When Halved makes significant changes, it will take appropriate steps to inform schools and, where relevant, website users, for example by notifying school contacts or publishing a notice on the Halved website.
Do you need extra help?
If you would like this notice in another format, such as large print, audio, accessible HTML or another language, please contact dataprivacy@halved.io.