Legal
Privacy policy
Last updated: 4 June 2026
Contents
Privacy policy
Beta — provisional. gradIQual is in early beta. This policy reflects current UK data-protection law (UK GDPR as amended by the Data (Use and Access) Act 2025) and how the product works today; we are finalising the formal wording with our legal advisers before general release, and will update the effective date above when it changes.
Last updated: 4 June 2026 · Effective: 4 June 2026
1. Who we are
gradIQual (“we”, “us”) provides an AI-assisted formative feedback service for teachers. This policy explains how we handle personal data when you use gradIQual and this website.
- Controller / processor roles. For teacher account data, we act as a data controller. For student personal data processed when a teacher marks work, the school is the data controller and gradIQual acts as a data processor on the school’s instructions, under a data processing agreement.
- Contact: security@gradiqual.com.
- Data protection contact. We are not required to appoint a statutory Data Protection Officer. For any data protection question, contact our data protection lead at security@gradiqual.com.
2. Who this policy covers
- Teachers who sign up for and use gradIQual.
- Students whose work is marked through gradIQual (data processed on behalf of their school).
- Website visitors and people who contact us through this site.
3. What we collect
| Category | Examples | Source |
|---|---|---|
| Account data | Name, school email, school identity, authentication tokens | You / Google sign-in |
| Google Classroom & Drive data | Classes, rosters, assignments, student submissions, feedback documents | Google, with your authorisation |
| Student identifiers | Student name, email/Google identity | Google Classroom roster |
| Marking content | Student work submitted for marking, and the feedback generated | Teacher-initiated marking |
| Optional learning profiles | Teacher notes, progress notes, recurring strengths/areas (only if the feature is enabled) | Teacher / automated, when opted in |
| Assistant interactions | Scrubbed, redacted records of in-app assistant conversations | In-app assistant use |
| Billing data | Subscription status and payment details handled by Stripe | You / Stripe |
| Website & contact data | Information you submit through forms; limited technical data needed to run the site | You / your browser |
We do not intentionally collect special category data. Teachers are warned not to record sensitive information (such as clinical SEND details) in free-text notes.
4. How and why we use it, and our lawful basis
| Purpose | Lawful basis (UK GDPR Art. 6) |
|---|---|
| Provide marking and feedback to teachers | Contract (with the teacher); processing on behalf of the school (school’s basis) |
| Process student work to generate feedback | Performed for the school as controller, on its lawful basis |
| Maintain optional learning profiles (if enabled) | Legitimate interests (educational improvement) — subject to a balancing test |
| Operate accounts, authentication, and security | Contract; legitimate interests (securing the service) |
| Take payment for Pro and assessment-paper purchases | Contract |
| Respond to enquiries you send us | Legitimate interests (responding to you) |
| Prevent abuse of the website’s contact/chat features | Legitimate interests (protecting the service) — see our Cookie policy |
Where processing relies on legitimate interests, we balance those interests against your rights; this is especially important where children’s data is involved. The school’s own privacy notice to students and parents must cover the processing carried out on its behalf.
5. Retention
| Data | Retention |
|---|---|
| Assistant conversation logs | Scrubbed records automatically deleted after 30 days |
| Account data | For the life of the account, then deleted within 30 days of account closure |
| Student data processed for a school | For the duration of the school’s use of the service, then deleted per the data processing agreement |
| Optional learning profiles | For the duration of enrolment, or per the school’s instructions |
| Billing records | At least 6 years, to meet UK tax and accounting requirements (HMRC) |
Deletion is triggered on account closure, class archival, and contract termination. A complete retention schedule forms part of the data processing agreement we enter into with schools.
6. Who we share data with
We do not sell personal data. We share it only with the providers needed to run the service:
- Google Cloud Platform — hosting, storage, and Workspace/Classroom integration.
- AI model providers — Google (Gemini) and Anthropic (Claude) — to generate feedback from submitted work. We do not permit our AI providers to use your or your students’ content to train their models.
- Stripe — to take and manage payments.
- Cloudflare — abuse-prevention on the website’s contact/chat features.
Our current sub-processors and their roles are listed on our security and data protection page and in the data processing agreement we enter into with schools.
7. International transfers
Some providers process data outside the UK. Where personal data is transferred to providers in the United States, we rely on the UK Extension to the EU-US Data Privacy Framework (the “UK-US Data Bridge”) for providers certified under it, and otherwise on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with a transfer risk assessment. The specific safeguards for AI model processing are set out in our Data processing summary.
8. Your rights
Under UK GDPR you have rights to access, rectification, erasure, restriction, objection, and portability, and rights relating to automated decision-making. Feedback is not produced by solely automated decision-making within the meaning of Article 22 UK GDPR: a teacher meaningfully reviews and approves — and can amend or reject — all feedback before it is provided to a student.
When you make a request, we may ask for information we reasonably need to find your data or confirm your identity, and the time to respond may be paused until you provide it. We carry out a reasonable and proportionate search for the data covered by a request.
- Students and parents should exercise these rights through their school, which is the data controller for student data. The school will route requests to us where we hold relevant data.
- Teachers and website users can contact us directly at security@gradiqual.com.
The data-subject-rights workflow — including subject access requests covering any stored learning-profile data — is documented and operational before the optional learning-profile feature is enabled with real student data.
9. How we protect data
We apply layered safeguards including input and output safety checks, data minimisation, encryption in transit (TLS) and at rest, authenticated and ownership-scoped access, and audit logging. See our security and data protection page for detail.
10. Children’s data
gradIQual is used by teachers to process work by students aged 11–18. We have regard to the ICO’s Age Appropriate Design Code (Children’s Code) as it applies to our service, and additional student-data features are opt-in. Students do not hold gradIQual accounts; the school acts as controller for student data and provides the transparency notice to students and parents.
11. Changes to this policy
We will update this policy as the service develops and will note the effective date above. We will post changes here and, for material changes, notify account holders by email.
12. Contact and complaints
You can complain to us directly about how we handle your personal data — contact security@gradiqual.com and we will acknowledge and respond. If you remain dissatisfied, you also have the right to complain to the UK’s Information Commissioner’s Office (ICO) at ico.org.uk.