How we protect your child's data

Last updated: June 2026

Our approach

Mustard Investments is an educational platform used by young people, so protecting the data we hold about your child is central to how we build and operate. This page explains, in plain terms, the safeguards we have in place and how you can exercise your data rights at any time.

Encryption in transit and at rest

  • All traffic between your device and our platform is encrypted using HTTPS/TLS.
  • Account and learning data is stored in Google Cloud Firestore and Firebase Authentication, where it is encrypted at rest using Google Cloud's infrastructure-level encryption.
  • We never transmit or store credentials in plain text.

Access control

  • Database access is restricted by Firebase Security Rules — a signed-in user can only read and write their own records.
  • Administrative access to production systems is limited to authorised personnel and protected by strong authentication.
  • We do not give advertisers or marketing companies access to your child's data.

Data minimisation & retention

  • We collect only what is necessary to provide the educational service — account details and learning progress.
  • We do not track geolocation and we do not profile children for advertising.
  • Personal data is kept only while the account is active. If an account is deleted, the associated personal data is removed within 30 days, except where the law requires us to keep certain records.

UK-GDPR & ICO registration

We process personal data in line with the UK General Data Protection Regulation (UK-GDPR) and the Data Protection Act 2018, and we are registered with the Information Commissioner's Office (ICO). Children aged 13 to 15 can only have an active account once a parent or guardian provides verifiable consent, reflecting the UK age of consent for information society services.

Exercising your data rights

You and your child have the right to access, correct, delete, or port the personal data we hold, and to object to or restrict certain processing. A parent or guardian can also withdraw consent for a child's account at any time, after which we will deactivate the account and delete the associated personal data.

To exercise any of these rights, or to ask a question about how we protect your child's data, contact our Data Protection Officer at dpo@mustardinvestments.com. You can also read the full Privacy Policy.

If you are not satisfied with our response, you have the right to lodge a complaint with the ICO, the UK's supervisory authority for data protection, at ico.org.uk.

For educational purposes only. Not financial advice. Mustard Investments is not authorised or regulated by the Financial Conduct Authority.

Mustard Investments | Learn to Invest for Free