This policy explains how School BudAI ("we", "us", the "Service") handles personal data. It is written for UK schools and reflects our obligations under the UK GDPR and the Data Protection Act 2018. We recommend each school review this policy with its Data Protection Officer (DPO) and reference it from its own privacy notices to pupils, parents and staff.
Controller and processor roles
For personal data your staff enter into the Service about pupils, parents and other staff - incident logs, policies, parent communications, intervention records and lesson observations - your school is the data controller and we act as a data processor on the school's documented instructions.
For the data needed to operate accounts - staff names, email addresses, sign-in records and audit logs of how the Service is used - we act as a controller. A data processing agreement (DPA) governing our processing is available to schools on request.
What we collect
- Account data - your name, email address and role, and your school's name. If you sign in with Google, we receive your name and email from Google's OAuth service; we do not receive your Google password.
- Content you submit - the text and documents you provide so the Service can draft policies, refine incident logs, write parent communications, record interventions and observations, and answer staff questions. This may include personal data about pupils, parents and staff, and may include special category data (for example safeguarding or health information) and data about children.
- Generated output - the drafts and answers the Service produces, together with the versions you save.
- Audit and usage records - for every AI request we record the final prompt sent, the output produced and any tool calls made, plus who made the request and when. We do not store the model's internal "reasoning".
- Technical data - a session cookie to keep you signed in, and standard server logs. Prompt-bearing fields are redacted from our request logs.
How we use it
We use your data to provide and secure the Service, to generate the drafts and answers you ask for, to maintain an evidential audit trail of AI use for your school's accountability, and to respond to data subject requests. We do not sell your data, and we do not use your content to train AI models.
AI processing and sub-processors
To generate responses, the content you submit is sent to a large language model hosted on Amazon Bedrock. Where you ask a question that needs current information, the relevant query is sent to the Tavily web search service. Our sub-processors are:
- Amazon Web Services (Bedrock) - AI model hosting.
- Tavily - web search.
- Google - optional single sign-on.
- DigitalOcean - application and database hosting.
International transfers
Our AI processing is carried out in the United Kingdom (AWS
eu-west-2, London). Some sub-processors (for example optional Google
sign-in) may process limited data outside the UK; where personal data leaves the UK
it is protected by appropriate safeguards, including the UK International Data
Transfer Addendum to the EU Standard Contractual Clauses. Details are set out in
our DPA.
Legal basis
Where your school is the controller, processing is generally carried out under the school's lawful basis for performing its public task and for the purposes of education and safeguarding; special category data is processed under the school's substantial public interest and safeguarding conditions. Where we act as controller for account and audit data, our legal basis is our legitimate interest in operating and securing the Service and our legal obligation to keep accurate records.
Retention
We retain audit records for seven years from the date of each event. Audit records are append-only and cannot be altered or deleted by the Service. Content and the artefacts you create are kept until deleted by your school; deletions are "soft" so that records remain available for subject access and audit purposes before being purged.
The Service is not the canonical record for statutory retention. Your school's management information and safeguarding systems remain the system of record for retention obligations such as the IRMS schedule (for example date of birth plus 25 years for safeguarding records).
Your rights
You have rights to access, rectify, erase, restrict and object to the processing of your personal data, and to data portability. Because your school is the controller for pupil and staff content, requests about that data should normally be made to your school. To support this, headteachers can use the in-app subject access surface to view and export every record we hold about a given user, including soft-deleted records.
Security
Access requires authentication and is scoped to your school. Credentials are encrypted at rest, traffic is encrypted in transit, and the database is hosted on infrastructure we control. Audit records are protected against modification at the database level.
Cookies
We use a single, strictly necessary session cookie to keep you signed in. We do not use advertising or third-party tracking cookies.
Children's data
The Service is used by school staff, not directly by pupils. Content staff enter may include personal data about children; this is processed on your school's instructions and for the school's educational and safeguarding purposes.
Changes to this policy
We may update this policy from time to time. Material changes will be notified to schools, and the "last updated" date above will reflect the current version.
Contact
For privacy questions or to request our data processing agreement, contact us at privacy@schoolbudai.com. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.