WhereWeLearn.com Terms and Conditions of Use
WhereWeLearn.com Privacy Policy
WhereWeLearn.com Privacy Policy
Effective date: 31st March 2021 Last updated: 28 March 2026
WhereWeLearn.com (“we", “us", “our") is a Company Limited by Guarantee registered in Ireland. We are the data controller for personal data collected through the WhereWeLearn platform (wherewelearn.com). This privacy notice explains what data we collect, why we collect it, the legal basis for doing so, how long we keep it, who we share it with, and your rights under the General Data Protection Regulation (GDPR).
Table of Contents
1. Who we are
Data controller: WhereWeLearn.com
Address:
Privacy contact: privacy@wherewelearn.com
Supervisory authority: Data Protection Commission (DPC), Ireland — www.dataprotection.ie
2. What personal data we collect and why
| Data | Why we collect it | Legal basis |
|---|
| Name, email address, hashed password, user role, organisation reference | Creating and managing your account; providing access to the platform | Contract (Art. 6(1)(b)) |
| Learning activity records — lessons accessed, quiz attempts, scores, completion dates, badges | Tracking your progress and providing the core LMS service | Contract (Art. 6(1)(b)) |
| Discussion post content, post timestamp | Enabling discussion and collaborative learning within courses | Contract (Art. 6(1)(b)) |
| Date of birth (optional, at registration) | Age-appropriate content presentation; verifying compliance with minimum age requirement | Contract (Art. 6(1)(b)) |
| IP address, browser type and version, operating system, pages viewed, timestamps | Security monitoring: detecting brute-force login attempts, identifying suspicious activity, and supporting incident investigation | Legitimate interests (Art. 6(1)(f)) — see Section 3 |
| Email address and one-time token | Sending password reset emails you request | Contract (Art. 6(1)(b)) |
We do not use your personal data for advertising, behavioural profiling, or marketing. We do not sell personal data.
3. Legal bases for processing
We rely on two legal bases under GDPR Article 6:
Contract — Article 6(1)(b)
Most processing is necessary to provide the WhereWeLearn service to you. Without it, we cannot create your account, record your learning progress, or provide the features you registered for.
Legitimate interests — Article 6(1)(f)
We process your IP address, browser data, and request timestamps for security monitoring purposes. Our legitimate interest is protecting the platform and user accounts from brute-force attacks, credential abuse, and unauthorised access. We apply proportionality by retaining raw security logs for 90 days only (see Section 8) and not using them for any purpose other than security. We also rely on legitimate interests for maintaining platform backups, which protects your learning records from loss.
We do not rely on consent as a legal basis for any processing. We do not use tracking cookies or analytics that would require consent under the ePrivacy Directive.
4. Cookies
We use only strictly necessary cookies to operate the platform:
- Authentication cookies — set when you log in, these identify your session and keep you signed in. They contain your user ID and a random security token. These cookies are marked Secure, HttpOnly, and SameSite=Strict.
We do not use analytics cookies, advertising cookies, or any other non-essential cookies. No consent is required for strictly necessary cookies.
If you use the “Sign in with Facebook" option, Facebook may set cookies on your browser as part of the login flow. These are governed by Facebook’s Privacy Policy.
5. Signing in with Google or Facebook
You can choose to sign in using your Google or Facebook account. If you do:
- We receive your email address and, where provided, your name and profile picture from the identity provider.
- We use this information to create or access your WhereWeLearn account. We do not receive your password.
- OAuth access tokens are not stored beyond the current session.
- We request only the minimum information needed (email address and basic profile).
For information about how Google and Facebook handle your data, see their respective privacy policies: Google Privacy Policy and Meta Privacy Policy.
When adding video materials from YouTube to a lesson, our service interacts with the YouTube API to retrieve video duration. Our use of YouTube API Services is governed by Google’s Privacy Policy.
6. Data processors and third parties
We use the following data processors who act on our instructions and are bound by data processing agreements:
| Processor | Role | Location |
|---|
| Web Hosting Ireland | Hosting the platform, database, backups, and email | Republic of Ireland |
| Meta Platforms Ireland Ltd (Facebook) | Optional sign-in via Facebook only | Ireland / EU (US parent) |
| Google Ireland Ltd | Optional sign-in via Google; YouTube API for video duration | Ireland / EU (US parent) |
We do not share your personal data with partner organisations, analytics providers, or any other third parties except as described above or as required by law.
If you choose to affiliate with an organisation (association) on the platform, your account membership within that organisation is visible to the organisation’s administrator. You can remove your association at any time via your account settings.
This site contains links to external websites. We are not responsible for the privacy practices of those sites, and this policy does not apply to them.
7. Transfers outside the EEA
Your data is hosted by Web Hosting Ireland in the Republic of Ireland and does not leave the EEA as part of normal platform operations.
If you choose to sign in with Google or Facebook, your authentication request passes through their services. Google LLC and Meta Platforms Inc. are US-based companies. Both operate under EU Standard Contractual Clauses (SCCs) as the transfer mechanism for EEA personal data. For details, see the Google Privacy Policy and Meta Privacy Policy.
8. How long we keep your data
| Data | Retention period |
|---|
| Account data (active users) | For the duration of your active use of the platform. After 24 months of inactivity, your account is reviewed for deletion. |
| Learning activity records, quiz results | For the duration of your active enrolment, plus 36 months after your last activity on the associated course. |
| Discussion posts | For the duration of the course plus 12 months, or earlier on an erasure request. |
| Security logs (IP address, browser data) | 90 days from the date of the log entry. |
| Password reset tokens | 1 hour from issue, or on first use. |
| Platform backups | 30-day rolling window. |
9. Children
Children under the age of 15 may not create their own account on WhereWeLearn. A child under 15 may access the platform through a parent or guardian’s account, where the parent or guardian can monitor and manage the child’s activity.
If we become aware that an account has been created by or for a child under 15 without parental involvement, we will delete that account and all associated information promptly.
10. Security
We protect your data using a combination of technical and organisational controls including:
- Passwords stored using bcrypt hashing — we cannot read your password
- All connections encrypted via HTTPS (TLS)
- Authentication cookies with Secure, HttpOnly, and SameSite=Strict flags
- Rate limiting and account lockout to protect against brute-force attacks
- Multi-factor authentication on administrative server access
- Automated daily backups with a 30-day retention window
No system can guarantee absolute security. If you believe your account has been compromised, please contact us immediately at request@wherewelearn.com.
11. Your rights
Under GDPR, you have the following rights in relation to your personal data:
| Right | What it means |
|---|
| Access (Art. 15) | You can request a copy of the personal data we hold about you. |
| Rectification (Art. 16) | You can ask us to correct inaccurate or incomplete data. |
| Erasure (Art. 17) | You can ask us to delete your personal data. You can also delete your account directly from your account settings. |
| Restriction (Art. 18) | You can ask us to pause processing of your data in certain circumstances, for example while we investigate a rectification request. |
| Portability (Art. 20) | You can request a copy of the data you provided to us in a structured, machine-readable format. |
| Objection (Art. 21) | You can object to processing based on our legitimate interests. We will stop unless we have compelling grounds that override your interests. |
To exercise any of these rights, contact us at privacy@wherewelearn.com. We will respond within 30 days. We may need to verify your identity before acting on your request.
Right to complain: If you are not satisfied with how we handle your data or your rights request, you have the right to lodge a complaint with the Data Protection Commission (DPC), Ireland’s supervisory authority:
- Website: www.dataprotection.ie
- Address: 21 Fitzwilliam Square South, Dublin 2, D02 RD28
- Phone: +353 (0)761 104 800
12. Changes to this policy
We may update this privacy notice from time to time. If we make a material change that affects your rights or the way we process your data, we will notify you by email to your registered address before the change takes effect. The effective date at the top of this page shows when the policy was last updated.
13. Contact us
For any questions about this privacy notice or how we handle your personal data, please contact: