Data Protection
At Teachmate, we take our responsibilities for protecting personal data seriously. We have constructed our Teachmate service with data protection and security principles at its heart.
This page sets out the key matters that we believe our customers will want to understand. If you are a school and are carrying out a Data Protection Impact Assessment (DPIA) in relation to the use of our service, you will find this information helpful. If you have any further questions, you can contact us via our contact form at https://teachmate.com/contact
The Data Protection Principles
Data Protection law states that when processing personal data, it should be done in line with the data protection principles of: Lawfulness, fairness, and transparency; Purpose limitation; Data minimisation; Accuracy; Storage limitation; Integrity and confidentiality; and Accountability. We have taken care to ensure that these principles are embedded in our product design and service to our customers. Both where we act as a data processor and as data controller we ensure that these principles are followed. We ensure that our products incorporate data protection by design and default.
Acting as Data Controller
We act as a controller of personal data in the following ways:
When you sign up for a subscription to our service we will hold: your first name and last name, email address, country (this is so we can select which curriculum you require, it may not be the same as the country you are located in), your default curriculum choices, and password. If you upgrade to a pro account, we use Stripe to manage our subscription payments. The Stripe terms of service are here. Individual subscriptions remain until the user deletes the account themselves (this can be done by the user in the ‘My Account’ tab) or requests for it to be deleted. Inactive accounts will be deleted after 6 years of inactivity.
If you purchase as a school, we act as controller in relation to our main point of contact (the admin user) and also collect the school’s name and address. We also act as data controller for the information entered by the admin user about staff (name and email address) to create individual teacher licences. This is so we can send each user information about our news, features and developments. School data is deleted 28 days after expiration of the contract unless there are active discussions about renewing the licence. Again, we use Stripe to process subscription payments.
If you sign up for one of our free demo webinars, we use Eventbrite to manage the booking process. The Eventbrite terms of service are here.
Once you are using our platform, if you use our feedback tool, information contained within the output (the information generated by the AI tool) and the feedback that you type into the feedback box, we may use this information to improve our AI tools. We do not keep a copy of the input that is used to generate the output that you give feedback on. Similarly, if you contact us with suggestions, we will hold any personal data within your suggestion to develop our services.
If you agree to share information with us to promote our services, or act as an ambassador, we will hold your personal data as a controller. In those cases, we will ask for your consent to share your name, your comments, your school, and a photo before sharing on our social media channels and website.
Our Privacy Notice sets out more detailed information about our use of personal data as Controller.
Acting as Data Processor
We encourage our users to ensure that they also follow data protection principles when using our products and services. There is no requirement to enter any identifiable personal data into any of our AI tools, and it is the user’s choice and responsibility to ensure that they follow their school’s data protection requirements. For example, the use of personal data should always be minimised, so do not enter pupil information unless you need to. You can use nicknames or pseudonyms instead of real names when creating your inputs if necessary.
However, we acknowledge that it is possible for users to choose to enter personal data into some of our AI tools.
Entering any personal data into our tools always remains the choice of the user, and we act as processor only in relation to this information. When using these tools, users will see a reminder that they should avoid or minimise the use of personal data where possible. The warning states “Please remember that users are responsible for adherence to data protection and GDPR guidelines. Consider whether it is necessary to enter any personally identifiable information (personal data) into this tool. If you choose to do so, the terms of our Data Processing Agreement will apply. Please also ensure that you follow your own organisation’s policies and procedures.”
Users can see their inputs and the content they create for 28 days in the My Content area. During this time, the content is held on our servers (stored in the UK). It is automatically removed after 28 days. Users can delete content any time before then if desired, using the delete button. This ensures that users remain in full control of what they create and how long it is stored. Users are also able to download any content for that time period, which may be helpful in the event of receiving a Data Subject Access Request (DSAR) or other Rights Request. Only Users can see the content in the My Content area. We do not access or disclose the content within the My Content area to anyone, unless required to by law or the user requests that we do so.
Data Controllers are responsible for identifying an appropriate lawful basis for processing personal data. We are committed to complying with controller instructions, including supporting controllers with upholding their own responsibilities under Data Protection laws, and supporting them to ensure that they comply with Data Subject Rights Requests. Where we process personal data as a processor, we do so in accordance with our Data Processing Agreement. This agreement is linked to in our Terms and Conditions of Service.
How we train our AI models
We train our models using Azure Open AI tools. We keep this up to date as new versions are released. We then augment that Open AI model with additional relevant information which is specific to education. Our staff continually review new publications and information and where relevant, we will add them to our model, using expert staff in the education sector in each nation to ensure accuracy and quality. Information and debate around the use of Open AI models is readily available, and users should be aware of the risks and limitations of AI during this time of rapid development in the technology. Users may wish to read the ICO guidance on AI. We also think this information from the Department for Education about the development of a sector store for AI data may be of interest- this is how our system already works.
Use of Data to train models
User’s input data is not stored or used by anyone, neither Teachmate nor OpenAI. The output data is retained by us for 28 days only so that the user can access their generation history. Teachmate super admins can access this output data on request of the user for technical troubleshooting. We do not view or use any user inputs or outputs to train our AI models. The only time we potentially use this information is if the user uses the feedback tool within the relevant tool. We store user feedback on our internal data base for 28 days. We may use the output and the feedback provided by the user to improve our models. Again, we do not use any personal data or any user inputs/outputs to train models. This is why we think our service is a better choice for school users than some other products, which may use input and output data to further train models. Users can also email in with product suggestions, but we do not use any personal data from this contact to create or improve our tools.
Storage of personal data
We use Amazon AWS and Azure for data storage and API processing. They meet very high data security standards (SOC 2 and ISO 27001/ISO 27002). All our servers and API processing takes place on UK hosted servers, so no data is sent/stored outside of the UK, unless users themselves access our service outside of the UK. Personal data is encrypted in transit with TLS and at rest through RDS AES-256. More detailed information is contained in our responses to the Vendor Security Information Questionnaire.
Intellectual Property
The intellectual property of both inputs and outputs always remains the property of the user.
Safeguarding, Harmful Content, Bias and Discrimination
No generative AI product can guarantee zero bias or hallucinations, but we strongly scaffold our prompts and use our own RAG datasets to ensure accuracy in our results. We educate teachers to evaluate generative AI content before using it, and we provide tools to refine answers if something should be changed. All of our tools have feedback buttons, through which users may alert us to any tools that may give outputs we need to work on. More complex tools use several rounds of generative AI processing which gives a level of self-checking, in so far as we are able. Users are always responsible for checking their inputs and outputs to ensure that pupils are safeguarded and risk in relation to harmful content, bias or discrimination is removed.
Data controllers are responsible for ensuring that their use of AI is transparent and fair to data subjects.
JCQ guidance on AI use and assessments
We do not currently offer any AI tools that are specifically designed to assist teachers with assessing work that is assessed for examination purposes. Teachers are responsible for ensuring that both pupil work and their assessment of it is carried out in line with JCQ requirements.