AI Education Assessment Tool Privacy Policy

Fri May 02

1. Introduction

OpenKit Ltd (“we,” “our,” or “us”) is committed to protecting the privacy and security of all users of our AI-powered formative assessment tool for education. This Privacy Policy explains how we collect, use, store, protect, and, when necessary, share your information when you use our platform.

We take data protection seriously. Our platform operates in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, as well as relevant educational privacy requirements.

By using our platform, you agree to the collection and use of information in accordance with this policy. If you are using our service through an educational institution, your use may also be governed by that institution’s policies and agreements with us.

2. Information We Collect

2.1 From Teachers and Educational Staff

We collect the following information from teachers and educational staff:

  • Account information (name, email address, school affiliation)
  • Professional role and department information
  • Authentication credentials (securely stored)
  • Platform usage data and interaction patterns
  • Voice recordings when using speech-to-text features for providing feedback
  • Assessment criteria, rubrics, and marking preferences
  • Feedback on AI-generated assessments and modifications made to AI outputs
  • Communication preferences and support requests

2.2 From Students

We collect the following information from students (typically through our integration with school systems and only as directed by the educational institution):

  • Basic identification information processed via Google Classroom or other learning management systems
  • Submitted assessments and coursework
  • Performance data on assessments
  • Learning patterns and academic progress information
  • Special educational needs and disabilities (SEND) indicators where provided by the institution for appropriate differentiation

2.3 From Learning Management Systems

Through integration with Google Classroom and potentially other platforms, we collect:

  • Class and course information
  • Assignment details
  • Enrolment information
  • Submission data
  • Institutional structure information

2.4 Cookies and Similar Technologies

We use cookies and similar technologies to:

  • Maintain your session and authentication status
  • Remember your preferences and settings
  • Collect anonymised usage statistics
  • Provide essential platform functionality

You can manage cookie preferences through your browser settings. Essential cookies necessary for core platform functionality cannot be disabled.

Under UK GDPR, we process your information on the following legal grounds:

  • Performance of a Contract: To provide our services to you or the educational institution you’re affiliated with
  • Legitimate Interests: To improve our services, maintain security, and develop new features
  • Legal Obligation: To comply with applicable laws and regulations
  • Consent: For specific processing activities where required by law

For processing children’s data, we rely on the lawful basis established by the educational institution (typically public task or legitimate interests) and act as a data processor.

4. How We Use Your Information

4.1 Provision of Core Services

We use collected information to:

  • Process and assess student work
  • Generate personalised feedback aligned with curriculum standards
  • Provide analytics on student and class performance
  • Enable teacher review and modification of AI-generated feedback
  • Facilitate integration with learning management systems
  • Support differentiated instruction based on student needs
  • Maintain and improve the technical functioning of our platform

4.2 Service Improvement and AI Model Training

With appropriate safeguards, we use:

  • Anonymised assessment data to improve our AI assessment capabilities
  • Teacher revisions and corrections to enhance model accuracy and alignment with educational standards
  • Usage patterns to optimise platform functionality
  • Anonymised student responses to build more accurate curriculum understanding
  • Voice input recordings (converted to text and then anonymised) to improve speech recognition capabilities

4.3 Research and Development

With explicit consent where required, we may use anonymised data for:

  • Educational research to improve teaching methodologies
  • Development of new features and capabilities
  • Evaluation of effectiveness in reducing teacher workload
  • Understanding common misconceptions in specific curriculum areas
  • Development of educational resources and guidance

5. AI Model Training and Fine-tuning Process

5.1 Use of Teacher Input for Model Improvement

When teachers modify AI-generated assessments, provide feedback, or create rubrics, we may use this information to improve our AI models. This process involves:

  • Comparing original AI output with teacher modifications
  • Identifying patterns in teacher corrections and preferences
  • Using these patterns to fine-tune our AI models
  • Improving curriculum alignment and assessment accuracy

5.2 Anonymisation Before Training

Before any teacher input is used for AI model training:

  • All personal identifiers (names, email addresses, school information) are removed
  • Unique identifiers are replaced with randomly generated tokens
  • Content is processed to remove context that could indirectly identify individuals
  • Data is aggregated across multiple sources to prevent re-identification
  • Statistical methods are applied to ensure k-anonymity (requiring at least k records to share any combination of identifying attributes)

5.3 Technical Safeguards for Model Training

We implement robust technical safeguards:

  • Training data is segregated from operational systems
  • Access to training datasets is strictly limited and audited
  • Differential privacy techniques are applied where appropriate
  • Model inputs and outputs are continuously monitored for potential privacy risks
  • Regular privacy impact assessments are conducted on our training processes

5.4 Opt-Out Rights

Teachers and schools have the right to opt out of contributing to model improvement:

  • The opt-out setting is available in the “Privacy Settings” section of your account
  • Opting out will prevent your data from being used in future training datasets
  • Opting out will not affect the quality or availability of the core service
  • You can change your opt-out preference at any time, with immediate effect for future data

6. Data Processing, Storage, and Security

6.1 Data Security Measures

We implement and maintain appropriate technical and organisational measures:

  • Compliance with ISO 27001 information security standards
  • End-to-end encryption for data in transit using TLS 1.3
  • Encryption for data at rest using AES-256
  • Regular security audits and penetration testing
  • Strict access controls based on the principle of least privilege
  • Multi-factor authentication for administrative access
  • Continuous security monitoring and threat detection
  • Regular security training for all staff with data access
  • Secure development practices and code reviews
  • Redundant systems and disaster recovery planning
  • Physical security for all premises containing data processing equipment

6.2 Data Anonymisation Techniques

Our anonymisation process includes:

  • Removal of direct identifiers (names, email addresses, IDs)
  • Pseudonymisation using secure one-way hashing
  • Generalisation of attributes that could lead to identification
  • Data aggregation across multiple users
  • Application of statistical noise to prevent inference attacks
  • Separation of identifying information from content data
  • Regular reviews of anonymisation effectiveness

6.3 Data Storage Location

All personal data is stored on secure servers located in the United Kingdom or European Economic Area. We ensure that any data transfers outside these regions comply with UK GDPR requirements for international data transfers, including appropriate safeguards such as Standard Contractual Clauses.

6.4 Data Minimisation

We apply data minimisation principles:

  • We collect only information necessary for specified purposes
  • We process the minimum amount of data needed for each function
  • We implement automated data deletion when the purpose is fulfilled
  • We regularly review data holdings to identify unnecessary retention

7. Automated Decision-Making

Our platform employs AI technology to assist in assessment and feedback generation, which may constitute automated decision-making under UK GDPR. Important safeguards include:

  • All automated assessments are subject to teacher review and modification
  • No high-stakes or final assessments are made solely by automated means
  • The logic involved in automated processing is explained to users
  • Teachers can override any automated assessment or feedback
  • Regular auditing of AI outputs for potential bias or inaccuracy

8. Data Sharing and Third Parties

8.1 Our Approach to Data Sharing

We share personal information only when necessary for providing our services, complying with legal obligations, or with your explicit consent. We do not sell your personal information under any circumstances.

8.2 Categories of Third Parties

We may share data with the following categories of recipients:

| Category | Purpose | Examples | Data Shared | Safeguards |
|---|---|---|---|---|
| Cloud Infrastructure | Platform hosting and database management | AWS, Google Cloud, Azure | Encrypted application data and databases | ISO 27001 certified providers, DPAs, encryption |
| Learning Management Systems | Integration with school platforms | Google Classroom | Assignment data, student submissions | Minimal necessary access, secure APIs |
| Analytics Services | Service performance monitoring | Application Insights | Anonymised usage statistics | Data minimisation, no PII, EU/UK hosting |
| Communication Services | Service notifications | SendGrid | Email addresses, names | Data processing agreement, minimal data transfer |
| Security Services | Threat detection and monitoring | Cloudflare | IP addresses, access logs | Security-focused processing, DPA with confidentiality |

We may disclose personal information if required to do so by law or in response to valid requests by UK public authorities, such as law enforcement or educational regulators.

8.4 Data Processing Agreements

All third parties that process personal data on our behalf are required to sign comprehensive Data Processing Agreements that:

  • Prohibit using the data for their own purposes
  • Require appropriate security measures
  • Restrict further subprocessing without our approval
  • Ensure compliance with UK data protection laws
  • Provide for regular compliance audits

8.5 International Transfers

Where any processing involves transfers of data outside the UK or EEA, we implement additional safeguards:

  • Standard Contractual Clauses approved by the UK Government
  • Supplementary technical measures where necessary
  • Transfer impact assessments for all third countries
  • Regular monitoring of international transfer mechanisms

9. UK Regulatory Compliance

9.1 UK GDPR and Data Protection Act 2018

We comply with the UK General Data Protection Regulation and the Data Protection Act 2018, including:

  • Processing personal data lawfully, fairly, and transparently
  • Collecting data only for specified, explicit, and legitimate purposes
  • Ensuring data is adequate, relevant, and limited to what is necessary
  • Maintaining accurate and up-to-date data
  • Keeping data in a form that permits identification for no longer than necessary
  • Processing data securely with appropriate technical and organisational measures
  • Demonstrating accountability for compliance

9.2 Department for Education Guidelines

We align our practices with Department for Education (DfE) recommendations for educational technology providers, including:

  • Data Protection Toolkit for Schools
  • Cloud software services: guidance for schools
  • Safeguarding requirements for educational settings

9.3 Age-Appropriate Design Code

We comply with the UK’s Age Appropriate Design Code (Children’s Code), including:

  • Providing high privacy settings by default for child users
  • Collecting minimal data from children
  • Restricting data sharing and profiling
  • Employing clear, age-appropriate language in communications
  • Conducting Data Protection Impact Assessments for processing involving children’s data

9.4 Specific Educational Requirements

We adhere to additional education-specific requirements:

  • Keeping Children Safe in Education statutory guidance
  • Information sharing advice for safeguarding practitioners
  • Protection of Freedoms Act 2012 (where biometric data is concerned)
  • Education-specific provisions of the Data Protection Act 2018

10. Your Rights and Choices

Under UK data protection law, you have the following rights:

10.1 Access and Information

You have the right to:

  • Be informed about how we use your personal data
  • Access your personal data
  • Receive a copy of your personal data in a structured, commonly used, machine-readable format

10.2 Control and Rectification

You have the right to:

  • Have inaccurate personal data rectified
  • Request the deletion of your personal data in certain circumstances
  • Restrict or object to certain processing of your data
  • Withdraw consent where processing is based on consent

10.3 AI Model Training Opt-Out

As detailed in section 5.4, you can opt out of having your anonymised data used for AI model training at any time through your account’s Privacy Settings.

10.4 How to Exercise Your Rights

To exercise any of these rights:

  • Log in to your account and use the relevant settings where available
  • Contact our Data Protection Officer at dpo@openkit.co.uk
  • Write to us at: Data Protection Officer, OpenKit Ltd, Portland House, Durham DH1 1TW, United Kingdom

We will respond to your request within one calendar month. If we cannot fully address your request, we will explain why.

10.5 Complaints

If you are not satisfied with our response to your data rights request, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Contact details are provided in Section 13.

11. Data Retention

11.1 Retention Periods

We retain personal information only as long as necessary:

| Data Category | Retention Period | Rationale |
|---|---|---|
| Account Information | Duration of active account plus 6 months | Allow for account recovery and continuity |
| Teacher Input and Modifications | 24 months from creation | Curriculum cycle and improvement purposes |
| Student Assessment Data | Current academic year plus 12 months | Year-over-year progress comparison |
| Voice Recordings | 30 days or until processed into text | Limited time needed for processing |
| Usage Analytics | 24 months in identifiable form | Platform improvement cycle |
| Security Logs | 12 months | Security monitoring and incident investigation |

11.2 Post-Termination Retention

Following account termination:

  • Personal information is deleted or anonymised within 6 months
  • Content you created may be retained in anonymised form
  • Backup archives are purged according to our rotation schedule (maximum 90 days)

11.3 Anonymised Data

Data that has been effectively anonymised may be retained for longer periods for research and improvement purposes, as it no longer constitutes personal data under UK GDPR.

11.4 Exceptions

Retention periods may be extended where necessary for:

  • Compliance with legal obligations
  • Resolving disputes or enforcing agreements
  • Protecting against fraudulent or illegal activity
  • Addressing technical issues affecting data integrity

12. Children’s Privacy

12.1 Our Approach to Children’s Data

Our service is designed for use in educational settings, including with students under 18. We take additional precautions with children’s data:

  • We only process children’s data as instructed by their educational institution
  • We apply the UK Age Appropriate Design Code to all aspects of our service
  • We collect only the minimum necessary data to provide the educational service
  • We never use children’s data for marketing, advertising, or profiling
  • We implement child-specific data protection by design and default

12.2 Responsibility of Educational Institutions

Schools and educational institutions using our service:

  • Maintain their responsibility as data controllers for student information
  • Are responsible for obtaining appropriate consent or establishing other lawful bases for processing
  • Should provide appropriate privacy information to parents/guardians and students
  • Control access and permissions to student data within their organisation

12.3 Special Safeguards

For children’s data, we implement special safeguards:

  • Enhanced security controls and monitoring
  • Strict data minimisation principles
  • Limited retention periods
  • Restricted staff access
  • Regular compliance reviews specific to children’s data protection
  • Special handling for SEND indicators and other sensitive information

13. Changes to This Privacy Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. If we make significant changes, we will:

  • Post a prominent notice on our platform
  • Send an email notification to administrators
  • Provide in-app notifications at least 30 days before changes take effect
  • Keep previous versions available for review

The latest version of this policy will always be available at www.openkit.co.uk/infopages/ai-edtech-privacy-policy.

14. Contact Information

If you have questions or concerns about this Privacy Policy or our data practices:

Data Protection Officer
OpenKit Ltd
Email: contact@openkit.co.uk
Address: Portland House, Durham DH1 1TW, United Kingdom
Telephone: +44 20 3355 1358

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: www.ico.org.uk

15. Effective Date

This Privacy Policy is effective as of 2 May, 2025.

Last updated: 2 May, 2025