Privacy Policy for TeachAI
Last updated: 13 July 2026
TeachAI (teachai.io) provides AI-assisted curriculum planning, resource generation, assessment and pupil reporting for schools. Teachers and school leaders are the primary users; pupil records are created and managed by the school. This policy explains what personal data the Service processes, why, where it lives, and the rights you and your school can exercise.
Roles: your school and TeachAI
- Your school is the data controller for all pupil, parent and staff data entered into the platform. TeachAI processes this data only to provide the Service, on the school's instruction.
- TeachAI is the data processor for school data, and the controller for account registration, billing and product analytics.
- A Data Processing Agreement (DPA) is available for school deployments. [confirm: DPA template and signature process]
If you are a pupil or a parent, your school decides what data is entered into TeachAI and why — its own privacy notice is the first place to look for how your data is used.
Personal data we process
| Category | Examples | Source |
|---|---|---|
| Staff accounts | Name, email, role, school, subject and curriculum preferences | Self-registered |
| Pupil records | Name, class/year, date of birth, grades and assessment results, attendance, teacher observations and notes, generated pupil reports | Entered by the school |
| Parent/guardian | Name, email, link to pupil, parent–teacher messages | School-invited |
| Billing | Subscription records; card details are held by Stripe, never by TeachAI | Organisation admin |
| Optional sensitive data | Emergency contact and medical notes on pupil records — only where the school chooses to record them | Entered by the school |
Where data lives and how it is secured
Data is stored on Google Cloud / Firebase: Firestore (primary database), Cloud Storage (file uploads), Firebase Auth (identity) and Realtime Database (live classroom games). The application is hosted on Vercel, and document and slide generation runs on Google Cloud Run (us-central1). All data is encrypted in transit (TLS 1.2+) and at rest (AES-256, Google-managed keys).
- Role-based access control (admin, head teacher, faculty lead, teacher, student, parent), scoped per school organisation through database security rules.
- Every API request is verified server-side with a signed Firebase identity token; administrative actions are audit-logged.
- Parents see only their own linked children; pupils see only their own work.
[confirm: Firestore/Storage data region and the transfer mechanism (SCCs / UK IDTA) relied on for EU/UK customers — Cloud Run runs in the US]
A fuller description of our security controls and role-based access model is on our Trust & Privacy page.
AI processing
Generation features send lesson and assessment content — and, for pupil reports and AI marking, pupil names and performance data — to AI providers via API. TeachAI does not use school data to train AI models. [confirm: zero-data-retention / no-training terms are in place with each AI provider]
Sub-processors
We use the following third parties to provide the Service. Each may only process data to perform its function for TeachAI:
| Sub-processor | Purpose | Data it can touch |
|---|---|---|
| Google Cloud / Firebase | infrastructure — Firestore, Cloud Storage, Auth, Cloud Run | All service data |
| Vercel | application hosting | All service traffic |
| Anthropic | AI generation | Lesson and assessment content; pupil names and performance data for pupil reports and AI marking |
| OpenAI | AI generation, lesson assistant | Lesson and assessment content; pupil names and performance data for pupil reports and AI marking |
| Google Gemini | AI generation | Lesson and assessment content; pupil names and performance data for pupil reports and AI marking |
| Mistral | document OCR | Content of school-uploaded documents |
| DeepSeek | AI generation | Lesson and assessment content; pupil names and performance data for pupil reports and AI marking |
| Stripe | payments | Billing and subscription records — card details are held by Stripe, never by TeachAI |
| MailerSend | transactional email | Recipient names and email addresses |
| Mautic | marketing email | Staff contacts only — no pupil or parent data |
| Amplitude | product analytics | PII-sanitised usage events; email addresses redacted before sending |
| Supabase | curriculum reference content | Curriculum reference material only — no pupil data |
| Supadata | YouTube transcript retrieval | No personal data |
Cookies and analytics
We use cookies and similar local-storage technologies that are strictly necessary to sign you in and keep the Service secure (Firebase Authentication session state). For product analytics we use Amplitude; events are PII-sanitised and email addresses are redacted before they are sent. We do not use advertising cookies or ad networks. [confirm: full cookie/local-storage inventory and consent banner]
Your rights and data retention
- Access, rectification, erasure and portability requests for pupil, parent and staff data held on behalf of a school: contact your school (the controller), or the privacy contact below — requests are fulfilled within 30 days. [confirm: process — no self-serve export exists yet]
- In-app account deletion is available to individual users, with an emailed deletion certificate.
- On contract termination, school data is deleted from primary systems within 30 days and from backups within 90 days. [confirm: automated retention tooling not yet in place]
Children's data
TeachAI is used by primary and early-years settings, so pupil records — including for children under 13 — are held on the platform. This data is processed strictly on the school's instruction as controller; the school is responsible for its lawful basis and for any parental notice or consent required. Pupils do not self-register: under-13 accounts are created only via verified school onboarding, with the school acting as agent for parental consent. TeachAI does not advertise to pupils, does not sell personal data, and does not use school data to train AI models. [confirm: no-training holds across all configured AI providers]
Changes to this policy
We may update this policy from time to time. We will post the new version on this page and update the "Last updated" date above; material changes affecting school data will be notified to organisation admins.
Contact us
Questions, or a data-subject-rights request? Email trust@teachai.io. [confirm: dedicated privacy contact — e.g. privacy@teachai.io]