1. Introduction

Welcome to SchoolGPT. This Privacy Policy explains how SchoolGPT Limited ("SchoolGPT", "we", "us", "our") collects, uses, and protects personal information. SchoolGPT Limited is a company registered in the United Kingdom - Company Number 15815092.

We are committed to safeguarding the privacy of our users, especially children, and handling personal data transparently and securely in accordance with the UK General Data Protection Regulation (UK GDPR) and other applicable data protection laws.

If you have any questions about this policy or our privacy practices, please contact us at: privacy@schoolgpt.com.

2. What Information We Collect and Why

We collect different types of information depending on how you interact with our services:

Free Service:

• We do not require sign-up for our free service and do not intentionally collect personal data from users of this service.
• We do not store user IP addresses associated with the use of the free service.
• When you use the free service, your inputs are processed by third-party Artificial Intelligence (AI) models solely to generate a response and provide the service. The providers we use for this include:
  • Microsoft Azure OpenAI Service: Their data privacy terms can be found here: https://learn.microsoft.com/en-us/legal/cognitive-services/openai/data-privacy?tabs=azure-portal
  • OpenAI: Retain data for up to 30 days for trust and safety purposes but is not used for training their models. https://platform.openai.com/docs/guides/your-data
  • Anthropic: Retain data for up to 30 days for trust and safety purposes but is not used for training their models. See: https://trust.anthropic.com/faq
  • Groq: Their privacy policy can be found here: https://groq.com/privacy-policy/

Waiting List:

• If you sign up for our waiting list, we collect your Name, Email address, Country, and School Name.
• Purpose: To inform you about service availability, updates, and related SchoolGPT news.
• Legal Basis: Your consent, provided when you sign up to the list.

Personalised AI Service (for Schools):

• When providing our Personalised AI service to schools, SchoolGPT acts as a Data Processor, and the school is the Data Controller. Our processing activities are governed by a Data Processing Agreement (DPA) between SchoolGPT and the school.
• We process data provided by the school, which may include: Student Name, School Year, Country, Language. We also process data generated through the use of the service to adapt based on ability.
• User-generated content (inputs/outputs) within the service.
• Purpose: To provide the contracted educational AI services to the school and personalise the learning experience.
• Legal Basis: Processing is necessary for the performance of a contract with the school, and for the legitimate interests pursued by the school (providing educational tools), based on the school's own legal basis for processing student data (e.g., public task, consent obtained by the school).

Website/Service Usage Analytics:

• We use Microsoft Clarity and our own internal tracking systems to understand service usage, monitor performance, and improve user experience. Our internal tracking systems collect aggregated and anonymised data about feature usage and technical performance to help us maintain and enhance the service.
• We implement masking for input and output fields viewed within Microsoft Clarity sessions to enhance privacy.
• Legal Basis: Legitimate interests (to monitor and improve our service), potentially consent for any non-essential cookies/tracking (see Section 10).

3. How We Use Your Information

Your information is used for the following purposes:

• To provide, operate, maintain, and improve the SchoolGPT services.
• To personalise the Personalised AI service for students, as directed by the school.
• To manage our waiting list and communicate service updates or relevant information. We will only use waiting list information for direct marketing purposes beyond service updates if we obtain separate, explicit consent.
• To monitor service usage, performance, and stability using analytics tools.
• To respond to inquiries and provide customer support.
• To enforce our Terms of Service and other policies.
• To ensure the security and integrity of our services.
• To comply with legal and regulatory obligations.

4. Who We Share Information With (Third Parties & Sub-processors)

We limit sharing of personal data. Where necessary, we share information with:

• AI Providers: Microsoft (Azure OpenAI), Anthropic, Groq process inputs to generate outputs for both free and personalised services. These providers act as our sub-processors and are subject to contractual agreements regarding data handling and confidentiality.
• Hosting Providers: We use secure Tier 1 cloud infrastructure providers (e.g., AWS, Google Cloud Platform, Microsoft Azure as mentioned in internal policies) to host our service and data. They act as sub-processors.
• Analytics Providers: Microsoft provides the Clarity analytics service.
• Schools (Data Controllers): For the Personalised AI service, information related to student usage and progress may be shared with authorised personnel at their school as an integral part of the service provided under contract.
• Legal Requirements: We may disclose information if legally required (e.g., by court order) or in good faith belief that disclosure is necessary to protect our rights, protect user safety, investigate fraud, or respond to a government request.
• Business Transfers: In the event of a merger, acquisition, or asset sale, user information may be transferred as part of the transaction, subject to confidentiality agreements.

We do not sell personal information to third parties.

5. Data Storage and International Transfers

Personal data processed for the Personalised AI service is stored within infrastructure located geographically close to the client school (e.g., data for UK and EU schools is stored within the EU/UK).

Some of our sub-processors (AI Providers, Hosting, Analytics) are based outside the UK/EEA, primarily in the United States. When personal data is transferred to these sub-processors, we ensure appropriate safeguards are in place as required by UK GDPR. This typically involves relying on the UK Addendum to the EU Standard Contractual Clauses (SCCs) or ensuring the provider is certified under an applicable adequacy framework, as part of our contractual agreements with them.

6. Data Security

We take the security of personal data seriously and implement robust technical and organisational measures designed to protect it against unauthorised access, alteration, disclosure, or destruction. These measures are outlined in our Information Security Policy and include:

• Encryption of sensitive data at rest and in transit.
• Strict access controls based on the principle of least privilege.
• Logical separation of data for different school clients.
• Secure software development practices.
• Regular security reviews and updates.
• Security awareness training for staff.
• Policies for secure remote working and device usage.

7. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law or contractual obligations:

• Waiting List Data: Retained for a maximum of 12 months after you sign up, or until you ask us to remove you from the list.
• Personalised AI Data: Retained for the duration that the student account is active under the school's subscription. We act upon the school's instructions (as Data Controller) regarding deletion requests. Data is typically deleted promptly upon request from the school or contract termination.
• System Logs: Relevant logs containing usage data (excluding direct personal identifiers where possible) are retained on a rolling 12-month basis for security and troubleshooting purposes.

Anonymised or aggregated data, which cannot identify individuals, may be retained for longer periods for statistical analysis and service improvement.

8. Your Data Protection Rights (UK GDPR)

Under UK GDPR, individuals have rights over their personal data. These include:

• Right of Access: To request copies of your personal data.
• Right to Rectification: To request correction of inaccurate data.
• Right to Erasure ('Right to be Forgotten'): To request deletion of your data under certain conditions.
• Right to Restrict Processing: To request limitation of how your data is used under certain conditions.
• Right to Data Portability: To request transfer of your data to another organisation, or to you, under certain conditions.
• Right to Object: To object to processing based on legitimate interests or for direct marketing.

Exercising Your Rights:

• For Personalised AI Users (Students/Parents): As SchoolGPT acts as a Data Processor for the school, please direct any requests to exercise your data protection rights (including requests for rectification) to your school administration (the Data Controller). The school is responsible for verifying and correcting the primary record of student data (e.g., in their Management Information System). We will fully support the school in responding to your request and implementing necessary changes to the data processed within SchoolGPT, in accordance with our DPA.
• For Waiting List Members: You can exercise your rights directly by contacting us at privacy@schoolgpt.com.

You also have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO), if you believe your data protection rights have been infringed. Website: https://www.ico.org.uk

9. Children's Privacy

• Our services are intended for use in educational settings and may be used by children under the age of 18.
• For the Personalised AI service, the school (as Data Controller) is responsible for ensuring they have the appropriate legal basis, including obtaining any necessary parental consent under applicable laws, before providing student data to us or allowing students to use the service.
• Our Terms of Service require that users under 18 have permission from a parent or legal guardian.
• We treat children's data with the highest level of care and apply strict security measures as outlined in our Information Security Policy. We do not knowingly collect personal data from children outside the scope of providing our contracted services to schools.

10. Cookies and Tracking Technologies

We use cookies and similar technologies for various purposes:

• Strictly Necessary / Security Cookies: Essential for the basic functioning and security of our website and services. These include cookies for session management and maintaining your logged-in status securely. These cookies cannot be disabled through our preference tools as the service cannot function correctly without them.
• Functionality / Preference Cookies: Used to remember choices you make (such as your language preference) and provide enhanced, more personal features.
• Analytics Cookies: We use cookies associated with Microsoft Clarity and potentially our internal systems to gather aggregated data about how users interact with our services, helping us improve functionality and user experience. Data collected via Clarity is subject to input masking as described earlier.

Managing Cookies:

• When you first visit our website or service, you may be presented with a cookie banner or tool allowing you to manage your preferences for non-essential cookies (like Analytics or Functionality cookies). You can typically adjust these preferences at any time through a link or settings area on our website/service.
• Additionally, most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set, visit www.aboutcookies.org or www.allaboutcookies.org.

Please note that disabling certain cookies, especially strictly necessary ones, may affect the functionality and availability of our services.