Privacy Policy

1. Introduction

This Privacy Policy explains how Curious Minds Lab (CML) collects, uses, stores, and protects personal data when users interact with our website, pilot programme, educational platform, and AI-powered lesson tools.

2. Information We Collect

• Names and email addresses of authorised teachers and administrators.
• Organisation details and school information.
• Pilot submissions and enquiry data.
• Teacher-managed student profile records, such as display name or pseudonym, login code, class membership, assignment access, and optional school-side reference.
• Lesson metadata and curriculum selections.
• AI prompts and generated outputs.
• Moderation records and audit logs.
• Educational event telemetry, meaning structured interaction data from learner and teacher sessions.
• Technical usage information.

3. Educational Metadata & AI Data

Authorised teachers and administrators may generate educational content using AI tools. We may store lesson configuration settings, curriculum selections, generated stories, moderation history, and safeguarding review metadata.

CML also captures structured educational event telemetry, including student interaction events such as mission_started, branch_selected, chapter_started, chapter_completed, chapter_restarted, quiz_answer_correct, quiz_answer_incorrect, and mission_completed.

Teacher moderation events may include teacher_approved, teacher_rejected, teacher_edited, teacher_removed, teacher_restored, and teacher_deleted. Telemetry is linked to organisation context, secured by row-level security, and accessible only to authorised users within the relevant organisation or CML governance roles.

4. Safeguarding & Moderation

CML operates safeguarding and moderation workflows. Moderation decisions, safeguarding notes, approval history, and audit logs may be retained to support safe educational use.

Teacher safeguarding override decisions are logged with reason capture in a dedicated moderation memory table.

5. How We Use Data

• Manage pilot participation and teacher onboarding.
• Provide platform functionality and educational content generation.
• Capture educational telemetry to support adaptive learning intelligence.
• Maintain governance controls and safeguarding records.
• Support moderation workflows and audit requirements.
• Improve curriculum alignment and educational quality.
• Support grant applications and educational outcomes reporting.

6. Legal Basis

We process personal data under lawful bases including consent, contractual necessity, legitimate interests, and legal obligations under UK GDPR.

7. Third-Party Providers

CML currently uses providers including OpenAI, Supabase, Vercel, and Resend. AI prompts and outputs may be processed through OpenAI APIs to generate educational content. Student educational telemetry is not sent to OpenAI for mission generation. Supabase provides database, authentication, and row-level security. Vercel provides hosting and deployment infrastructure. Resend provides transactional email for onboarding, invitations, and notifications.

8. Data Hosting

Current infrastructure and hosting services operate within the EU region (eu-west-1). This applies to database storage, authentication records, educational telemetry, and personal data processed by CML.

9. Data Retention

Pilot enquiries may be retained for up to 24 months. Teacher and admin accounts may be retained for the duration of the relationship plus a governance period. Student account records are retained while the school/class relationship is active plus 12 months after inactivity or school departure. Student class membership is retained for the active class period plus 12 months. Student mission progress is retained for the current academic year plus 12 months. Educational event telemetry is retained for 12 months maximum unless aggregated or anonymised earlier. Evidence Pack aggregates may be retained for the academic year plus 2 years unless the school requests earlier deletion. AI generation logs and cost records are retained for 24 months. Security and audit logs are retained for 12 months. Financial/accounting records are retained for 6 years. Safeguarding and moderation records may be retained according to safeguarding severity, legal obligations, and incident requirements.

10. Children's Data

CML has implemented controlled teacher-managed student workflows for pilot and internal testing. Student access is designed around assignment-aware access, teacher-issued login codes, no student email requirement, and pseudonymous student records wherever reasonably possible.

Broader student-account launch remains gated by Vercel DPA completion and Student / Parent Privacy Notice review/distribution. DPIA v0.6 records DPO sign-off, ICO registration confirmation, formal student retention periods, and operational testing of the Data Subject Rights Workflow as complete.

Schools, parents, carers, and students should also refer to the Student / Parent Privacy Notice before wider student access is enabled.

11. Security Measures

• Role-based access controls with RLS enforcement.
• Authenticator Assurance Level 2 (AAL2) MFA for admin roles.
• Two TOTP authenticator apps on the dashboard account.
• Audit logging and moderation workflows.
• Governance reviews and safeguarding controls.
• Secure EU-region hosting infrastructure.
• Daily automated backups through Supabase Pro plan.

12. User Rights

Users may request access, correction, deletion, or restriction of personal data by contacting privacy@cmlab.co.uk.

Student-related requests will follow CML's Data Subject Rights Workflow. Where a request concerns a child, CML may need to verify authority through the relevant school or organisation before disclosing, changing, deleting, or restricting data.

13. Cookies

CML currently uses essential technical and session functionality required for platform operation. No marketing or tracking cookies are used.

14. Future Educational Governance

Current and future student-access functionality operates under teacher-managed educational governance workflows including lesson assignment, moderation review, educational oversight, and restricted safeguarding-controlled access.

Expanded student data processing, organisation-level analytics, and adaptive learning intelligence will be governed by the active DPIA process or a DPIA addendum before broader deployment.