Where special category data is included in uploaded documents, processing is carried out:
On behalf of the user (as Data Processor)
Under Article 9(2)(g) – Substantial public interest
Or other lawful bases determined by the Data Controller (the school or governing body)
The responsibility for determining lawful basis remains with the user as Data Controller.
5. AI Processing
SchoolGov AI uses artificial intelligence systems to:
Analyse uploaded documents
Generate summaries
Identify governance risks
Provide advisory responses
Suggest governance challenge questions
AI processing is provided by OpenAI, L.L.C. (San Francisco, USA) via their API. Content submitted to the AI (including document text, chat messages, and form fields) is sent to OpenAI’s servers for processing. Under OpenAI’s API Data Usage Policy:
API inputs and outputs are not used to train OpenAI’s models
Data is retained by OpenAI for up to 30 days for abuse monitoring, then deleted
Processing is covered by OpenAI’s Data Processing Addendum (DPA) incorporating Standard Contractual Clauses
We do not:
Sell uploaded data
Publish uploaded data
Intentionally use uploaded data to train public AI models
AI-generated outputs are advisory only and do not constitute legal advice.
6. Automated Decision-Making
SchoolGov AI uses artificial intelligence to generate governance advice, document summaries, and suggested questions. Under Article 22 of UK GDPR, we confirm that:
No decisions with legal or similarly significant effects are made solely by automated processing
All AI outputs are advisory and require human review before any action is taken
No automated profiling is carried out that produces legal effects on users or data subjects
Users retain full discretion over governance decisions
AI-generated content should always be reviewed by a qualified individual before being relied upon.
7. Data Security
We implement appropriate technical and organisational measures, including:
SSL/TLS encryption in transit
Secure server infrastructure
Role-based access controls
Encrypted password storage
Audit logging
Restricted internal access to production systems
Access to uploaded documents is limited to authorised systems and, where necessary, authorised personnel.
No system can guarantee absolute security; however, we maintain industry-standard safeguards.
8. Data Retention
8.1 Account Data
Retained while the account remains active and for a limited period thereafter for legal and security purposes.
8.2 Uploaded Documents
Retained:
Until deleted by the user
Or until account closure
Or as required for legal compliance
Users may request deletion of uploaded documents or full account deletion.
We reserve the right to retain minimal audit logs for security and compliance purposes.
9. Cookies
SchoolGov AI uses cookies to operate the platform. Cookies are small text files stored on your device.
9.1 Essential Cookies
These are strictly necessary for the platform to function and cannot be disabled:
Session cookies – Maintain your logged-in state and security tokens
govai_cookie_consent – Records your cookie preferences (expires after 1 year)
CSRF/nonce tokens – Protect against cross-site request forgery
9.2 Analytics Cookies
If you consent, we may use analytics cookies to understand how the platform is used:
Page views and navigation patterns
Feature usage frequency
Error tracking and performance monitoring
Analytics data is aggregated and does not identify individual users.
9.3 Managing Cookies
When you first visit SchoolGov AI, a cookie consent banner allows you to:
Accept All – Enables essential and analytics cookies
Essential Only – Enables only strictly necessary cookies
You can also manage cookies through your browser settings. Note that disabling essential cookies may prevent the platform from functioning correctly.
10. Data Sharing
We share data with the following categories of third-party providers, each subject to contractual data protection obligations:
10.1 Named Sub-Processors
OpenAI, L.L.C. (USA) – AI infrastructure provider. Processes document text, chat messages, and form content to generate AI responses. Covered by DPA with Standard Contractual Clauses. API data is not used for model training.
Square (Block, Inc.) (USA) – Payment processor. Processes payment card details, billing name, and email for subscription payments. SchoolGov AI does not store card numbers; these are handled entirely by Square’s PCI DSS-compliant systems. Covered by Square’s DPA.
Hostinger International Ltd (EU/Lithuania) – Web hosting and infrastructure. Hosts the platform, database, and uploaded files.
10.2 Other Categories
IT security and monitoring providers
Email delivery services (for transactional and notification emails)
Legal or regulatory authorities (where legally required)
We do not sell personal data.
11. International Transfers
Some of our sub-processors are based outside the UK. The following safeguards apply:
OpenAI (USA) – Standard Contractual Clauses (SCCs) via OpenAI’s Data Processing Addendum
Square / Block, Inc. (USA) – Standard Contractual Clauses via Square’s DPA
Hostinger (EU) – UK adequacy decision for EEA transfers
Where data is transferred outside the UK, we rely on:
UK adequacy decisions
UK-approved International Data Transfer Agreements (IDTAs)
Standard Contractual Clauses (SCCs)
We regularly review our sub-processors and transfer mechanisms to ensure ongoing compliance.
12. User Responsibilities (Important)
Users of SchoolGov AI agree that they:
Have lawful authority to upload documents
Have identified a valid lawful basis for processing
Will not upload data unlawfully
Will not use the platform for unlawful surveillance or profiling
The governing body or school remains responsible as Data Controller for compliance with UK GDPR in relation to uploaded data.
13. Data Subject Rights
Individuals have the right to:
Access personal data
Rectify inaccurate data
Request erasure
Restrict processing
Object to processing
Data portability
Lodge a complaint with the Information Commissioner’s Office (ICO)
Seek judicial remedy if you believe your rights have been infringed
We aim to respond to all data subject requests within 30 calendar days. Where SchoolGov AI acts as Data Processor, requests may be referred to the relevant Data Controller.
14. Children’s Data
SchoolGov AI is intended for use by adults acting in professional governance roles.
We do not knowingly collect data directly from children. Any child-related data uploaded is processed solely on behalf of the user acting as Data Controller.
15. Liability Limitation
SchoolGov AI provides AI-generated governance support. Outputs are:
Advisory in nature
Not a substitute for legal advice
Not a substitute for statutory guidance
Not a replacement for professional judgment
Users remain responsible for governance decisions.
16. Updates to This Policy
We may update this Privacy Policy periodically. The latest version will always be available at: