ICO Children’s Code self-assessment
The 15 standards, and where we stand on each.
The Age Appropriate Design Code is the standard the ICO measures services likely to be accessed by children against. Below is our plain-English position on each of the 15 standards. Last reviewed: May 2026.
For the official text of the Code see ico.org.uk.
Best interests of the child
Every product decision is filtered through a safeguarding-first lens. Under-13s are parent-mediated by default; evidence is moderated before anyone sees it; staff queues are designed to clear quickly so feedback reaches the child while the activity is still fresh. We don’t monetise children’s attention.
Data Protection Impact Assessments
We publish a pre-filled, ICO-aligned sample DPIA for adopting schools at /trust/dpia. We also conduct and maintain our own processor-side DPIA, which schools can request.
Age-appropriate application
Two parallel schemes route by year group: Tiger Stripes (Years 1–3) is parent-led with simple, encouraging activities; Earn Your Stripes (Year 4+) is for older children and may be self-led from age 13. We use the school’s record of the year group rather than self-attested age, which is more reliable for under-13s.
Transparency
Our privacy notice at /trust/privacy is written in plain English for the parent and pupil audience, with separate just-in-time prompts in-app when a new processing context arises (e.g. evidence upload, third-party attestation).
Detrimental use of data
We do not use children’s data in ways that have been shown to be detrimental to their wellbeing: no behavioural advertising, no profiling, no recommendation systems, no public profiles, no engagement-maximising design patterns.
Policies and community standards
We honour the policies we set: posted Privacy notice, sample DPIA, terms of use, sub-processor list. Material changes are notified to schools by email and dated on this site.
Default settings
Default settings are high-privacy. Evidence is visible only to the pupil’s parent, their form tutor and (if flagged) the school’s DSL. School admins see no evidence. There is no public profile, no search, no discovery.
Data minimisation
Pupil names are shown as first name + last initial outside the school’s staff view. EXIF metadata is stripped from every image on processing. We don’t collect pupil addresses, NHS numbers or contact details beyond what the school chooses to import.
Data sharing
We don’t sell or share personal data for anyone else’s marketing. Three named sub-processors handle infrastructure, transactional email and payments only — see /trust/sub-processors. Pupil records and evidence stay in Azure UK South.
Geolocation
We do not collect or use device geolocation. Location data embedded in photo EXIF is stripped before storage.
Parental controls
For under-13s the parent is the primary account holder. They see everything their child does on the platform and control evidence submission. We don’t use covert monitoring or surveillance patterns.
Profiling
We do not profile children. We do not use machine learning to infer characteristics, preferences or future behaviour. Award progression is based on observable, attested events.
Nudge techniques
We use encouragement copy at award moments (a confetti screen when a tier is earned), but we don’t deploy dark patterns, streak anxiety, fear-of-missing-out, or pressure to share. Activity-focused photo guidance is the only nudge against an alternative behaviour, and it’s for safeguarding.
Connected toys and devices
Not applicable — Earn Your Stripes is a web service. We don’t connect to IoT or wearables.
Online tools
Data subject rights are exercisable in-app: parents can delete a submission, close an account, or request a full export of their child’s record. The school remains the data controller and is the first port of call for pupil records.