GDPR & Privacy Policy

Effective: January 2026

School Compliance Fact Sheet

Download our official 1-page compliance overview to provide to your school's IT department.

Download .docx

Institutional Compliance Pack

Download our full suite of procurement-ready compliance documents for your institution.

Data Processing Agreement (DPA) DPIA Template Subprocessor List Data Flow Diagram

Class Architect (“we”, “our”, “us”) is committed to protecting your privacy and ensuring the security of your personal data. This policy explains how we collect, use, store, and protect your information in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who We Are

Class Architect is operated by Phased Cortex Ltd, a company registered in England and Wales. If you have any questions about this policy, contact us at privacy@classarchitect.com.

2. What Data We Collect

We collect only the minimum data necessary to provide our service:

Account Information: when you sign in via Google, Microsoft, or email, we store your name, email address, and profile picture URL provided by the OAuth provider.
Uploaded Content: specification PDFs, documents, and submission files you upload are temporarily processed and stored for the duration of your session. These files are permanently deleted after processing.
Usage Data: anonymous analytics about feature usage to help us improve the platform.

3. How We Use Artificial Intelligence

To provide high-quality feedback and grading, we use generative AI technology. We believe in being open about how this works:

Purpose: We use AI to provide automated assessments and educational feedback on student submissions.
Our Enterprise AI Provider: We utilise Google's enterprise-grade Vertex API (Gemini Flash 2.5) as our technology partner. We do not use standard consumer-facing AI tools.
Data Processing Addendum (DPA): We have a formal DPA agreement in place with Google. This provides extra embedded protections and legally binds our AI processing to strict enterprise security standards and UK/EU privacy laws.
No Model Training: We explicitly configure our systems to ensure that none of your data is ever used to train or improve Google’s base AI models. Your work remains your own.

4. Data Protection & Minimization

We follow the principle of "Data Minimization" to keep your personal information safe:

Redaction Gateway: Before any student submission is sent to our AI processor, our system automatically scrubs the content to remove Personally Identifiable Information (PII), such as full names, specific student IDs, and contact details.
Data Residency: All data is processed in Google Cloud’s London region (europe-west2), with UK/EU data protection safeguards.
Transient Processing: We do not store student submissions on our AI provider’s servers. Data is processed in a stateless manner and is removed from the AI environment immediately upon the completion of the grading task.
Storage: Specification files and student submissions are processed, made available for download, and permanently deleted from our servers within 24 hours.

5. Third-Party Processors

Clerk — authentication and user management (US-based, SOC 2 compliant)
Stripe — payment processing (PCI DSS Level 1 compliant)
Google Cloud (Vertex AI) — enterprise AI model inference for content generation (europe-west2)

All third-party processors are contractually obligated to comply with UK GDPR standards.

6. Your Rights

You remain in control of your data. Under the UK GDPR, you have the right to:

Request Access: See the data we hold about you.
Request Deletion: Exercise your "Right to be Forgotten" and have your records purged from our systems.
Human Oversight: We maintain a "human-in-the-loop" policy. While AI assists in grading, you have the right to request a human review of any assessment provided by our system.
Rectify or Restrict: Correct inaccurate data or object to processing.

To exercise any of these rights, email privacy@classarchitect.com. We will respond within 30 days.

7. Security & Encryption

We implement strict technical and organisational measures to protect your data:

Encryption in Transit: All data transmitted between your browser, our servers, and Google Vertex AI is secured using robust TLS 1.2+ (HTTPS) protocols. This prevents any interception of data while it is moving across the internet.
Encryption at Rest: While data is temporarily held by our cloud providers or during active AI inference, it is protected by hardware-level AES-256 encryption.
Zero Retention Architecture: We process, generate, and delete. We do not maintain a historical database of student submissions.

Our infrastructure is hosted on SOC 2-compliant cloud providers subject to regular security audits.

8. Updates

We may update this policy from time to time. Significant changes will be communicated via email. The latest version is always available at this URL.

9. Frequently Asked Questions (IT & Compliance)

Question: "Are you sending our students' names and details to the cloud?"

Our Answer: Actually, we aren't. Our local Redaction Gateway uses pattern matching to actively strip emails, phone numbers, and typical student IDs before the data ever leaves our server. Plus, we force educators to manually check a legal waiver confirming they have anonymised the document before the 'Submit' button even activates.

Question: "Is Google going to use our students' coursework to train their AI?"

Our Answer: No. We do not use consumer AI (like ChatGPT or standard Gemini). We use Google Cloud Vertex AI under a formal Enterprise Data Processing Addendum (DPA). A DPA is a legally binding contract that guarantees your data is processed safely, kept entirely within the EU/UK, and never used by Google to train or improve their AI models.

Question: "What happens if your database gets hacked?"

Our Answer: We have a Zero Retention Architecture. We process the work, generate the feedback, and permanently delete the files from active memory within 24 hours. We literally don't have a database of historical student work to be hacked.

Question: "GDPR Article 22 says AI cannot make final decisions on a student's legal or educational status without a human. How do you handle this?"

Our Answer: We strictly enforce a 'Human-in-the-loop' policy. Our user interface explicitly warns educators that the AI provides recommendations only, and a human assessor must review and finalize the grade before it is considered valid.

Class Architect • GDPR compliant by design