1. Introduction
Welcome to SchoolGPT. This Privacy Policy explains how SchoolGPT Limited ("SchoolGPT", "we", "us", "our") collects, uses, and protects personal information. SchoolGPT Limited is a company registered in the United Kingdom - Company Number 15815092.
We are committed to safeguarding the privacy of our users, especially children, and handling personal data transparently and securely in accordance with the UK General Data Protection Regulation (UK GDPR) and other applicable data protection laws.
If you have any questions about this policy or our privacy practices, please contact us at: privacy@schoolgpt.com.
2. What Information We Collect and Why
We collect different types of information depending on how you interact with our services:
Free Service:
- We do not require sign-up for our free service and do not intentionally collect personal data from users of this service.
- We do not store user IP addresses associated with the use of the free service.
- When you use the free service, your inputs are processed by third-party Artificial Intelligence (AI) models solely to generate a response and provide the service. The providers we use for this include:
Waiting List:
- If you sign up for our waiting list, we collect your Name, Email address, Country, and School Name.
- Purpose: To inform you about service availability, updates, and related SchoolGPT news.
- Legal Basis: Your consent, provided when you sign up to the list.
Website/Service Usage Analytics:
- We use Microsoft Clarity and our own internal tracking systems to understand service usage, monitor performance, and improve user experience. Our internal tracking systems collect aggregated and anonymised data about feature usage and technical performance to help us maintain and enhance the service.
- We implement masking for input and output fields viewed within Microsoft Clarity sessions to enhance privacy.
- Legal Basis: Legitimate interests (to monitor and improve our service), potentially consent for any non-essential cookies/tracking (see Section 10).
3. How We Use Your Information
Your information is used for the following purposes:
- To provide, operate, maintain, and improve the SchoolGPT services.
- To manage our waiting list and communicate service updates or relevant information. We will only use waiting list information for direct marketing purposes beyond service updates if we obtain separate, explicit consent.
- To monitor service usage, performance, and stability using analytics tools.
- To respond to inquiries and provide customer support.
- To enforce our Terms of Service and other policies.
- To ensure the security and integrity of our services.
- To comply with legal and regulatory obligations.
4. Who We Share Information With (Third Parties & Sub-processors)
We limit sharing of personal data. Where necessary, we share information with:
- AI Providers: Microsoft (Azure OpenAI), Anthropic, and Groq process inputs to generate outputs for both free and personalised services. These providers act as our sub-processors and are subject to contractual agreements regarding data handling and confidentiality.
- Hosting Providers: We use secure Tier 1 cloud infrastructure providers (AWS, Google Cloud Platform, Microsoft Azure, MongoDB and DigitalOcean) to host our service and data. They act as sub-processors.
- Analytics Providers: Microsoft provides the Clarity analytics service.
- Legal Requirements: We may disclose information if legally required (e.g., by court order) or in good faith belief that disclosure is necessary to protect our rights, protect user safety, investigate fraud, or respond to a government request.
We do not sell personal information to third parties.
5. Data Storage and International Transfers
Some of our sub-processors (AI Providers, Hosting, Analytics) are based outside the UK/EEA, primarily in the United States. When data is transferred to these sub-processors, we ensure appropriate safeguards are in place as required by UK GDPR. This typically involves relying on the UK Addendum to the EU Standard Contractual Clauses (SCCs) or ensuring the provider is certified under an applicable adequacy framework, as part of our contractual agreements with them.
6. Data Security
We take the security of data seriously and implement robust technical and organisational measures designed to protect it against unauthorised access, alteration, disclosure, or destruction. These measures are outlined in our Information Security Policy and include:
- Encryption of sensitive data at rest and in transit.
- Strict access controls based on the principle of least privilege.
- Logical separation of data for different school clients.
- Secure software development practices.
- Regular security reviews and updates.
- Security awareness training for staff.
- Policies for secure remote working and device usage.
7. Data Retention
We retain data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law or contractual obligations:
- Waiting List Data: Retained for a maximum of 12 months after you sign up, or until you ask us to remove you from the list.
- System Logs: Relevant logs containing usage data (excluding direct personal identifiers where possible) are retained on a rolling 12-month basis for security and troubleshooting purposes.
Anonymised or aggregated data, which cannot identify individuals, may be retained for longer periods for statistical analysis and service improvement.
8. Your Data Protection Rights (UK GDPR)
Under UK GDPR, individuals have rights over their personal data. These include:
- Right of Access: To request copies of your personal data.
- Right to Rectification: To request correction of inaccurate data.
- Right to Erasure ('Right to be Forgotten'): To request deletion of your data under certain conditions.
- Right to Restrict Processing: To request limitation of how your data is used under certain conditions.
- Right to Data Portability: To request transfer of your data to another organisation, or to you, under certain conditions.
- Right to Object: To object to processing based on legitimate interests or for direct marketing.
Exercising Your Rights:
- For Waiting List Members: You can exercise your rights directly by contacting us at privacy@schoolgpt.com.
You also have the right to lodge a complaint with the UK's supervisory authority, the Information Commissioner's Office (ICO), if you believe your data protection rights have been infringed. Website: https://www.ico.org.uk
9. Children's Privacy
- Our services are intended for use in educational settings and may be used by children under the age of 18.
- Our Terms of Service require that users under 18 have permission from a parent or legal guardian.
10. Cookies and Tracking Technologies
We use cookies and similar technologies for various purposes:
- Strictly Necessary / Security Cookies: Essential for the basic functioning and security of our website and services. These include cookies for session management and maintaining your logged-in status securely. These cookies cannot be disabled through our preference tools as the service cannot function correctly without them.
- Functionality / Preference Cookies: Used to remember choices you make (such as your language preference) and provide enhanced, more personal features.
- Analytics Cookies: We use cookies associated with Microsoft Clarity and potentially our internal systems to gather aggregated data about how users interact with our services, helping us improve functionality and user experience. Data collected via Clarity is subject to input masking as described earlier.
Managing Cookies:
- When you first visit our website or service, you may be presented with a cookie banner or tool allowing you to manage your preferences for non-essential cookies (like Analytics or Functionality cookies). You can typically adjust these preferences at any time through a link or settings area on our website/service.
- Additionally, most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set, visit www.aboutcookies.org or www.allaboutcookies.org.
Please note that disabling certain cookies, especially strictly necessary ones, may affect the functionality and availability of our services.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. If we make significant changes, we will provide notice through our website, service notifications, or email (if we have your contact information) before the changes take effect, consistent with our Terms of Service update process. We encourage you to review this policy periodically. The "Effective Date" at the top indicates when this policy was last revised.