Assessment creationMarking & feedbackLesson planningAnalytics & insights About Sign in Get in touch

Privacy policy

Last updated 19 June 2026. This policy explains how Rubrical handles personal data.

Who we are

Rubrical is an AI teaching platform built and operated by OpenKit Ltd (company number 13030838), registered in England and Wales at Cambridge Guildhall, Market Square, Cambridge CB2 3QJ, and registered with the ICO (reference ZB035728). Schools use Rubrical to create assessments, draft AI-assisted marking and feedback, plan lessons, analyse class progress and connect selected learning-platform data.

For pupil, class, assessment and learning-platform data, your school or trust is normally the data controller and Rubrical/OpenKit is normally the data processor. We process that data on your school's instructions under the relevant school agreement and data processing terms. For our own business, account, support, website and contact data, OpenKit is the controller.

What we collect

  • Account and staff data - names, work email addresses, roles, school memberships, authentication data and account status.
  • School and class data - schools, departments, classes, courses, rosters, exam boards and class membership.
  • Student identity data - student names, emails or IDs where the school provides them, and learning-platform identifiers used to match submissions correctly.
  • Assessment and rubric data - papers, questions, mark schemes, rubrics, uploaded files, converted text and assessment metadata.
  • Student work and feedback - submissions, scans, extracted answers, evidence spans, AI draft marks, teacher-finalised marks and feedback.
  • Knowledge base and teaching resources - teaching materials, extracted text, chunks, embeddings and metadata used to support marking, feedback and lesson planning.
  • Learning-platform data - where your school connects Google Classroom or Microsoft, the classes, rosters, assignments, selected files, submissions, sync status and provider account identifiers needed for that integration.
  • Analytics and operational data - class analytics, at-risk flags, plain-English analytics queries, audit/cache/rate-limit records, error data, usage and cost metadata, trace IDs and security logs.
  • Website and contact data - information you send through the website contact form, plus normal request metadata processed by website, form, hosting and security providers.

How we use it

We use personal data to provide Rubrical: account access, assessment creation, rubric generation, student-work extraction, AI-drafted marking and feedback, teacher review, lesson planning, class analytics, learning-platform sync and teacher-approved return or write-back.

We also use limited operational data to keep Rubrical secure and reliable, investigate errors, support schools, prevent abuse, understand system costs and meet legal or contractual obligations.

AI and model training

Rubrical uses AI to draft marks, rationales, feedback, rubrics, lesson resources and analytics support from the materials your school chooses to use in the platform. AI outputs are for teacher review. Rubrical does not automatically return marks or feedback to students or write them back to a learning platform without teacher action.

We do not use student work, learning-platform data, or data derived from it to train, fine-tune, benchmark, evaluate or improve any AI or machine-learning model, including Rubrical's own models. We do not sell personal data, use it for advertising, use it for data-broker activity, or use it for credit or eligibility decisions.

By default, marking and rubric generation run on Rubrical's own model, hosted on Modal in a UK or EEA region. Google's Gemini, through Google Vertex AI in a UK or EU region, is a backup provider. Both run in the region we select, so school data stays in the UK or EEA, and neither provider trains its models on school data. We do not route school or learning-platform data through unpaid consumer AI services.

Google Workspace API data

The use of information received from Google Workspace APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We do not retain user data obtained through Google Workspace APIs to develop, improve, or train non-personalized AI and/or ML models.

Microsoft integration data

Where a school authorises Microsoft Graph, Teams or Education API access, we use that data only for the school-approved integration features, such as roster, assignment and submission workflows. We use least-privilege permissions where possible, rely on the school's Microsoft tenant/admin consent process where required, and delete local copies according to the school agreement and disconnect/offboarding process.

Analytics and observability

Rubrical includes product analytics for schools, such as class progress, assessment-objective breakdowns and at-risk indicators. These are part of the school service and can involve teacher, class and student identifiers.

We also keep operational logs and traces to diagnose issues, monitor costs and protect the service. These are access-controlled and minimised where possible. The current v3 marketing website does not use active Google Analytics, PostHog, Sentry or Clarity tracking scripts in the public source path we reviewed; if that changes, this policy will be updated.

Sharing and sub-processors

We do not sell personal data. We use sub-processors and integrations only to provide, secure, support and improve the Rubrical service for schools. These include hosting, database, storage, authentication, document conversion, AI inference, learning-platform APIs, observability, email/contact handling and edge/security providers.

The data protection page in the footer explains the current processing categories, where core data is stored, where data may be sent and which provider details still need confirmation before a signed school DPA.

Where data is held

Core school app data is stored in Rubrical's Supabase project in West Europe (London). This covers the main database, authentication, storage, realtime and vector data layer.

Data can leave that core layer when a feature needs it, for example for AI inference, document conversion or embeddings, learning-platform sync or write-back, observability, support, security, hosting or email/contact handling. AI inference runs in a UK or EEA region on Modal and Google Vertex AI. Because some providers, including Modal and Google, are US-incorporated companies, we treat their processing as a restricted transfer and cover it with the UK International Data Transfer Addendum or IDTA in their data processing agreements, supported by a transfer risk assessment.

Retention and deletion

We keep school data for as long as needed to provide Rubrical to the school, or as instructed in the school's agreement and data processing terms. When an agreement ends, we delete or return school data according to those instructions and our operational deletion processes.

Learning-platform credentials are destroyed locally when a connection is disconnected or offboarded. Some operational records, such as sync logs, security logs, support records and backups, may be retained for limited periods for security, reliability, legal or contractual reasons.

Security

OpenKit holds ISO/IEC 27001, ISO 9001 and Cyber Essentials. We protect data through role-based access, Supabase row-level security and service-role boundaries, encrypted LMS token custody, secure transport, access controls, audit records and data-origin rules that keep LMS and student data out of model-training and evaluation datasets. Read more on our security page.

Children's data

Rubrical is used by school staff, not as an open consumer service for children. Pupil work and student identifiers are processed on behalf of the school for teaching, assessment, feedback and class insight.

Your rights

Individuals have rights under UK GDPR, including access, correction, restriction and erasure. Because the school is normally the controller for pupil and class data, requests about that data are usually handled through the school. School staff can contact us directly about their own Rubrical account or contact data.

Changes

If we change this policy, we will update the date above. For material changes affecting school processing, we will notify schools through the appropriate account, contract or support channel.

Contact

For privacy or data-protection questions, contact our team and ask for the data protection lead, or email contact@openkit.co.uk. OpenKit Ltd is registered with the ICO (reference ZB035728). You also have the right to complain to the Information Commissioner's Office at ico.org.uk.