1. Who we are
DEEP Education (“we”, “us”, “our”) is the data controller for personal data processed through the AI Literacy Audit Tool at ailiteracyaudit.com. We are a trading name of DEEP Professional Ltd, registered in England and Wales (company number 16052380).
2. What data we collect
We collect and process the following categories of personal data:
2.1 Account information
- Email address (used as your login identifier)
- Name (optional)
- Password (stored only as a one-way cryptographic hash — we never store or see your actual password)
- School name, region, and country
- Your role within the school (e.g. principal, headteacher, head of department, consultant)
2.2 Documents you upload
- School policy documents (PDF, DOCX, XLSX) and webpage URLs submitted for audit analysis
- By default, we do not retain your documents or their extracted text. Files are processed in memory during analysis and released immediately afterwards. No copies are written to disk.
- If your school opts in to data retention, extracted text is stored in our database for up to 2 years to enable follow-up audits and progress tracking. You can withdraw this consent and delete stored text at any time from your settings page.
2.3 Audit results
- Dimension scores (1–5 across 9 education dimensions)
- Evidence citations, gap analysis, strengths, and recommendations
- Action plans and implementation guidance
- Report synthesis summaries
2.4 Payment information
- Payment details (card numbers, billing address) are processed directly by Stripe and are never stored on our servers. We receive only a customer reference ID and subscription status from Stripe.
2.5 Technical data
- IP address (used for rate limiting and security; not stored long-term)
- A single authentication cookie (HTTP-only, secure, strictly necessary for login)
3. How we use your data
We process your data for the following purposes and legal bases:
| Purpose | Legal basis (UK GDPR) |
|---|---|
| Providing the audit service (document analysis, scoring, reports) | Performance of contract (Art. 6(1)(b)) |
| Account authentication and security | Performance of contract (Art. 6(1)(b)) |
| Processing payments via Stripe | Performance of contract (Art. 6(1)(b)) |
| Sending password reset emails | Performance of contract (Art. 6(1)(b)) |
| Retaining document text for progress tracking (when opted in) | Consent (Art. 6(1)(a)) |
| Maintaining audit logs for security and compliance | Legitimate interest (Art. 6(1)(f)) |
4. AI processing
Your uploaded documents are analysed by Google Gemini (Google’s large language model) to generate audit scores and recommendations. During this process:
- Document text and your school’s region are sent to the Gemini API
- No personal data about individual users (names, emails, passwords) is sent to Gemini
- Google processes this data as a sub-processor under their Cloud Data Processing Addendum
- We use Gemini’s API mode (not the consumer product) — your data is not used to train Google’s models
5. Who we share data with
We share data only with the following third-party sub-processors, each under appropriate data processing agreements:
| Sub-processor | Data shared | Purpose | Location |
|---|---|---|---|
| Google (Gemini API) | Document text, school region | AI-powered audit analysis | EU/US |
| Stripe | Customer ID, payment metadata | Payment processing | US (with EU data residency) |
| Resend | Email address | Password reset and notification emails | US |
| Hetzner | All stored data (encrypted at rest) | Database and application hosting | Germany (EU) |
We do not sell your data. We do not use any third-party analytics, advertising, or tracking services. Our anonymous analytics (see section 9) are fully self-hosted — no data leaves our servers.
6. International transfers
Our database is hosted on servers in Germany (EU). Where data is transferred to sub-processors outside the UK/EU (Google, Stripe, Resend in the US), we rely on Standard Contractual Clauses and the UK International Data Transfer Agreement as appropriate.
7. Data retention
- Uploaded documents: Processed in memory and released immediately. Not retained unless you opt in to data retention.
- Document text (opted-in): Retained for up to 2 years from the audit date, then automatically deleted. You can delete stored text at any time.
- Audit results: Retained for the lifetime of your account.
- Account data: Retained until you delete your account.
- Password reset tokens: Expire and are deleted after 1 hour.
- Audit logs: Retained for up to 7 years for compliance purposes.
- Temporary processing data: Automatically deleted after 1 hour.
8. Your rights
Under UK GDPR and the Data Protection Act 2018, you have the following rights:
- Right of access (Art. 15): Request a copy of all data we hold about you. Use the “Download My Data” button in your account settings.
- Right to rectification (Art. 16): Update your account information at any time, or contact us to correct any inaccuracies.
- Right to erasure (Art. 17): Delete your account and all associated data from your account settings. Deletion is immediate and irreversible.
- Right to data portability (Art. 20): Download your data in a structured, machine-readable JSON format from your account settings.
- Right to restrict processing (Art. 18): Contact us to restrict how we process your data.
- Right to withdraw consent: Where processing is based on consent (e.g. document text retention), withdraw consent at any time from your settings page with no impact on past processing.
- Right to object (Art. 21): Object to processing based on legitimate interest by contacting us.
To exercise any of these rights, use the self-service tools in your account settings or send us a message.
9. Cookies & analytics
We use a single, strictly necessary authentication cookie to keep you signed in. This cookie:
- Is HTTP-only (not accessible to JavaScript)
- Is sent only over HTTPS in production
- Contains only an encrypted session token — no personal data
- Expires after 30 days of inactivity
We do not use advertising cookies, or any third-party tracking cookies. Because our cookie is strictly necessary for the service to function, consent is not required under UK PECR regulations, though we inform you of its use via our cookie banner.
9.1 Anonymous analytics
We use Umami, a self-hosted, open-source analytics tool, to collect anonymous pageview data. Umami:
- Does not use cookies
- Does not collect or store any personal data (no IP addresses, no fingerprints)
- Runs entirely on our own servers in Germany (EU) — no data is sent to third parties
- Complies with GDPR, PECR, and ePrivacy regulations without requiring consent
This data helps us understand which pages are visited and how users navigate the site, so we can improve the service. It cannot be used to identify individual users.
10. Children’s data
The AI Literacy Audit Tool is designed for use by school staff (teachers, leaders, and administrators), not by children. We do not knowingly collect personal data from anyone under 18. If uploaded school documents contain references to individual students, these are processed transiently during AI analysis and are not extracted, stored, or indexed by our system.
11. Security
We protect your data with the following measures:
- All connections encrypted with TLS (HTTPS enforced)
- Passwords hashed with bcrypt (12 salt rounds)
- Database hosted in a private network on EU servers
- Rate limiting on authentication endpoints
- Prompt injection detection on uploaded documents
- HTTP-only secure session cookies
- Stripe webhook signature verification
12. Changes to this policy
We may update this privacy policy from time to time. Material changes will be communicated via email to registered users. The “last updated” date at the top of this page indicates the most recent revision.
13. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection.
14. Contact
DEEP Education (trading name of DEEP Professional Ltd, company number 16052380)
For data protection enquiries, general questions, or to exercise any of your rights, please use our contact form or email us directly at education@deepprofessional.com.