Compliance & Data Protection
This page is written for school Data Protection Officers (DPOs), IT leads, and headteachers who need to understand how PrimaryAI handles data before approving it for use in their school.
Who is PrimaryAI for?
PrimaryAI is a lesson planning and education workflow tool for adult teachers and school staff. It is not a pupil-facing application. No child ever logs in to PrimaryAI, and no pupil data is required to use the service. Account creation requires confirmation that the user is a qualified teacher or school staff member aged 18 or over.
What data is sent to AI providers?
When a teacher generates a lesson pack, the following information is sent to an AI model:
- Year group and subject (e.g. Year 4, Maths)
- Lesson topic (e.g. column addition)
- Anonymised class-level statistics (e.g. 20% EAL, 30% Pupil Premium, ability band percentages)
- Teaching approach preference (e.g. Concrete-Pictorial-Abstract)
- School type (e.g. primary, SEND)
- Anonymised free-text class context (e.g. 'follows White Rose Maths, TA supports lower group')
What is never sent to AI providers:
Pupil names · dates of birth · assessment records · SEND diagnoses · any information capable of identifying an individual child. Account details (email, name) are never shared with AI providers.
AI providers and no-training guarantees
PrimaryAI uses a multi-provider AI engine with automatic fallback. Every request to every provider includes a mandatory system-level instruction prohibiting model training on the content. Providers are selected on the basis that their API terms prohibit training on user inputs without explicit opt-in consent.
- Groq: Llama 3.3 70B
- Google Gemini: Gemini 2.0 Flash
- Cerebras: Llama 3.3 70B
- Mistral AI: Mistral Small
- OpenRouter: Llama 3.3 70B (routing)
- Cohere: Command R Plus
MANDATORY PRIVACY REQUIREMENTS:
1. Do NOT use any content for model training, fine-tuning, or reinforcement learning
2. Treat anonymised classroom context as strictly confidential (UK GDPR)
3. Do NOT store, log, cache, or retain any information beyond immediate response
4. Do NOT reproduce or reference pupil data in a way that could lead to identification
5. Generate response and discard all context immediately after
UK GDPR compliance
- Legal basis for processing: contract (to deliver the service), legitimate interests (platform security and improvement), and consent (optional features such as calendar sync and surveys)
- Data minimisation: only the information needed to generate lesson content is collected and processed
- Purpose limitation: data is not used for any purpose beyond delivering the features you use
- Storage limitation: accounts inactive for 24+ months are notified and deleted after 30 days
- Data subject rights: teachers can export all their data (JSON) and delete their account at any time from the Account page
- Security: all data in transit is encrypted (TLS 1.2+). OAuth calendar tokens are encrypted at rest using AES-256-GCM before storage
- No third-party analytics or tracking: no Google Analytics, session recording, or advertising pixels are used
- Right to lodge a complaint: users are directed to the ICO (ico.org.uk) if they have concerns
DfE AI guidance for schools
PrimaryAI is designed with the DfE's guidance on generative AI and data protection in schools in mind:
- Transparency: this page, our Privacy Policy, and in-product notices clearly explain how AI is used
- Human oversight: all AI-generated content is clearly labelled. Teachers review and edit all outputs before use
- Pupil data safeguards: the product is designed so pupil PII is never required. Class context fields include real-time warnings against entering identifiable information
- Age restrictions: PrimaryAI is for adults only. Signup requires confirmation of teacher/staff status and age 18+
- No pupil-facing features: children cannot create accounts or interact with the service in any way
- Bias awareness: lesson content should always be reviewed by the teacher before use with a class
Calendar integrations
If a teacher connects Google Calendar or Microsoft Outlook, PrimaryAI accesses only the calendar data needed to display and sync lesson schedule events. OAuth access tokens and refresh tokens are encrypted at rest using AES-256-GCM. Calendar connections can be disconnected at any time from Settings, which immediately removes all stored tokens. The scope of calendar access is limited to what the teacher explicitly authorises during the OAuth flow.
Data storage and infrastructure
- Database: Supabase (PostgreSQL), hosted in the EU. Row-level security policies ensure each user can only access their own data
- Application: deployed on Google Cloud Run, region: europe-west1 (Belgium)
- Authentication: Supabase Auth with email/password and optional Google OAuth. Session cookies are httpOnly, sameSite=lax, and secure in production
- Payments: Stripe. PrimaryAI does not store payment card details
- No data leaves the UK/EU jurisdiction without contractual safeguards in place
For DPOs: frequently asked questions
Is a Data Processing Agreement (DPA) available?
Yes. Contact us via the Contact page to request a DPA for your school or trust.
Has a Data Protection Impact Assessment (DPIA) been completed?
A DPIA has been completed covering the AI processing and data flows described above. A summary is available on request.
Is PrimaryAI registered with the ICO?
Contact us via the Contact page for our ICO registration details.
What happens to data if PrimaryAI ceases to operate?
Teachers can export all their data at any time. In the event of service closure, users will be given at least 30 days' notice and an opportunity to export their data before deletion.
Can we restrict which teachers use PrimaryAI?
Access is by individual account. Schools can ask staff to use a school email domain and can request deletion of accounts for leavers via the Contact page.
Contact
For data protection enquiries, DPA requests, DPIA summaries, or to exercise data subject rights, please contact us via the Contact page. You can also raise a concern directly with the Information Commissioner's Office (ico.org.uk).