Privacy Policy

Version 1.4
Effective Date: 01/02/2025
Last Updated: 18/11/2025

​

Spark Education AI is committed to protecting the privacy, security and rights of teachers, students and schools. This policy explains how we collect, use and safeguard personal data and how we ensure the confidentiality, integrity and availability of our systems and information. It is designed to comply with UK GDPR, EU GDPR, COPPA and CCPA where applicable.

Schools act as Data Controllers for student data. Spark Education AI acts as a Data Processor on their behalf. For teacher accounts Spark acts as the Data Controller.

 

1. Contact Details

Spark Education AI
58 Mill St
Kirkcaldy
Scotland
KY1 1SD
Email: marc@sparkeducation.ai

 

2. Data We Collect

We follow strict data minimisation throughout the platform.

Teacher data

• Name

• School email address

• Class or school affiliation

• Platform activity needed to operate the service

Student data (pseudonymised)

Teachers create student profiles using labels such as initials or display names. 

We do not collect:
 

• full names

• email addresses

• dates of birth

• home information

• special category data

Data linked to a pseudonymised student ID may include:

• reading age or band selected by a teacher

• generated story history

• comprehension responses and scores

• engagement and progress metrics

Platform usage data

• device type

• interactions within the platform

• stories generated and completed

• responses to comprehension tasks

This data is used only to deliver and improve Spark services. We do not use data for advertising or commercial resale.

 

3. Legal Basis for Processing

Spark processes personal data under the following lawful bases:

• Consent provided by teachers during account creation

• Contract, where Spark provides access to schools under a subscription

• Legitimate Interests needed to operate and improve the service

• Legal compliance where required

Schools determine their own lawful basis when providing student data.

 

4. How We Use Data

Spark uses data only for educational purposes, including:

• generating personalised stories and comprehension questions

• providing teachers with progress and insight dashboards

• operating core platform features

• improving accuracy and safety of AI outputs

• sending essential service communications to teachers

We do not use any personal data for profiling beyond assigning appropriate reading levels and content.

 

5. AI Content and Safety Controls

Spark uses controlled, template based prompts to generate literacy content. The system does not allow free chat or open ended student input.

Safety layers include:

• fixed narrative structures

• age banded vocabulary lists

• teacher selected reading ages and themes

• banned word filters before generation

• OpenAI moderation tools

• post generation checks for reading age, tone and suitability

• no pupil to pupil or pupil to AI messaging

The AI is purpose-built for children’s reading. It does not have the ability to generate unrestricted content. All outputs follow age-appropriate vocabulary lists, fixed story structures and school-safe themes defined by our literacy guidelines.

Only anonymised data is sent to OpenAI. OpenAI does not train models on Spark data.

 

6. Sub Processors

Spark uses a small number of GDPR compliant sub processors to deliver the service:

• Bubble.io (AWS EU region) for hosting and database services

• OpenAI API for story and question generation using anonymised data only

• SendGrid (Twilio) for teacher onboarding and service emails

We do not sell or rent data and we do not share data with any independent Data Controllers.

 

7. Data Security

Spark applies technical and organisational measures to protect data including:

• encryption in transit and at rest through AWS EU
• role based access control
• audit logging and monitoring
• pseudonymisation of all student data

regular internal reviews of permissions and system behaviour

controlled development and release processes

independent sub processor security reviews

Only authorised Spark personnel can access system level data.

 

8. Information Security Framework

Spark maintains an internal security framework focusing on:

Risk management

Ongoing assessment of risks to confidentiality, integrity and availability. Controls are adapted as the platform evolves.

Secure development

Testing, code reviews where applicable, safety evaluation of prompts and moderation pipelines.

Monitoring

Tracking of unusual activity, system errors or potential misuse.

Access controls

Principle of least privilege applied across all systems.

Business continuity

Backups, disaster recovery processes and service resilience planning through AWS EU hosting.

 

9. Incident Reporting and Response

Spark has a documented incident response process. If a security issue or content error occurs:

1. Immediate containment and removal of affected content
    

2. Internal investigation and root cause analysis
    

3. Notification to the school as soon as possible where required
    

4. Full transparency on findings and corrective steps
    

5. Support with parent communication if the school requests it
    

6. Review of filters and processes to prevent recurrence
    

 

10. International Transfers

Where data is processed outside the UK or EU, Spark uses Standard Contractual Clauses and other approved safeguards.

 

11. Data Retention

• Student data is retained only for the duration of the school subscription

• Teacher accounts remain active until deletion is requested

• Upon termination all associated data is deleted or anonymised

• Schools may request erasure at any time

 

12. User Rights

Teachers and schools may request:

• access

• correction

• deletion

• restriction

• data portability

• objection

Requests can be submitted to marc@sparkeducation.ai.

Schools may act on behalf of their students.

 

13. Third Party Links

Spark may contain links to external resources. We are not responsible for their privacy practices and encourage users to review their policies.

 

14. Changes to this Policy

We may update this policy to reflect service improvements or regulatory changes. Significant updates will be communicated to schools or teachers through the platform or by email.

 

15. Acceptance

By using Spark Education AI, you agree to the practices described in this policy. If you do not agree, you should stop using the service.

 

16. Policy Review and Continuous Improvement

This Privacy Policy will be reviewed annually or whenever significant changes occur within Pickatale's operations or IT infrastructure. Updates will be made to ensure the policy remains relevant and effective in addressing evolving security threats.