We collect user / administrator data in order to be able to set up and provide accounts for teachers and students so they can access our services. In the case of students, this is largely basic user information such as name, email address, date of birth and school / class.
User information is stored in such a way that, once accounts are set up, day-to-day access is restricted to the school administrator / independent tutor. We collect this data on a ‘pseudonymised’ basis, which means we only process this information with reference to a numerical ‘object identifier’. That means it can be linked to an individual – but only where connected to a separate identifier. This is held separately and is only accessible by the school administrator within the specific ‘tenancy’ (ie school profile) of that account.
We do process usage / performance data of students so that we can provide statistical feedback to teachers on the engagement and performance of students, and so that we can understand how our services are being used. As explained above, we collect this information on a ‘pseudonymised’ basis so we only see which school profile the pseudonymised individual belongs to.
Data is stored primarily through secure cloud storage systems provided by Microsoft Azure including storage accounts, MySQL databases and Azure Cosmos. Our servers are based in the UK and EU / European Economic Area.
As explained above, we hold data in such a way that it remains under the control of the school / tutor responsible for uploading it to our system, via our ‘tenancy’ arrangements. Furthermore, by holding student performance information in a pseudonymised format we are reducing the risk of information being held or accessed in a way that identifies individual students. We use the market-leading Microsoft Azure cloud storage system which has robust data security arrangements in place. Our terms and conditions with Microsoft contain relevant provisions to govern the processing of data by Microsoft as a data processor, as required by GDPR.
If students are under 18, a responsible adult (ie in most cases the teacher who is the account administrator) is required to agree to our terms of use on behalf of the students, and to ensure that the student(s) comply with these terms. Students are notified of key privacy information and our terms of use via pop-up notices / links at the point of first login. Consistent with the ICO’s Children’s Code, we do not rely on consent as the lawful basis for processing user data in the context of our provision of services, as this is inappropriate in a context where the processing is a condition of the services being provided.
Please see our Privacy Notice for details of what lawful grounds we rely on for processing personal data: https://www.educationai.co.uk/legal/dataprivacy/
We typically retain personal data for 30 days after a school’s agreement with us for the provision of services has ended. However, some data may be retained for longer than this, for example, in order to defend legal claims.
For further details on data protection issues please see our Privacy Notice: https://www.educationai.co.uk/legal/dataprivacy/