Data Protection Policy

Back to Home

1. Purpose and Scope

This Data Protection Policy outlines how AssetryAI complies with data protection laws, including the UK General Data Protection Regulation (UK GDPR), to protect the personal data of our users, students, and stakeholders.

2. Data Protection Principles

We process all personal data in accordance with the following principles:

Lawfulness, Fairness, and Transparency: We process data legally, fairly, and in a transparent manner
Purpose Limitation: We collect data for specified, explicit, and legitimate purposes
Data Minimization: We collect only data that is adequate, relevant, and necessary
Accuracy: We keep personal data accurate and up to date
Storage Limitation: We retain data only as long as necessary
Integrity and Confidentiality: We protect data with appropriate security measures
Accountability: We demonstrate compliance with data protection principles

3. Legal Basis for Processing

We process personal data under the following legal bases:

Contract: To perform our contract with you (providing assessment services)
Legitimate Interests: To improve our services, ensure security, and operate our business
Consent: For marketing communications and optional features
Legal Obligation: To comply with legal and regulatory requirements
Educational Purposes: For processing student data on behalf of educational institutions

4. Data Controller and Processor Roles

4.1 AssetryAI as Data Controller

For educator and institutional account information, AssetryAI acts as the data controller, determining how and why personal data is processed.

4.2 AssetryAI as Data Processor

For student data submitted by educators and institutions, AssetryAI typically acts as a data processor, processing data on behalf of the educational institution (the data controller).

4.3 Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with institutional clients that specify:

The nature and purpose of data processing
Types of personal data processed
Data subject categories
Our obligations and rights as processor
Security measures implemented

5. Categories of Personal Data

5.1 User Data (Educators/Administrators)

Identity data (name, username)
Contact data (email address)
Professional data (institution, role, subject areas)
Account data (password hash, preferences)
Transaction data (credits purchased, usage history)
Technical data (IP address, browser type, device information)

5.2 Student Data

Student identifiers (name, student ID as provided by educator)
Assignment submissions (essays, answers, uploaded files)
Assessment results (grades, scores, feedback)
Performance analytics (submission times, attempt history)
Plagiarism and AI detection results

6. Data Security Measures

6.1 Technical Measures

We implement comprehensive technical security measures:

Encryption: AES-256 encryption at rest, TLS 1.2+ in transit
Access Control: Role-based access control (RBAC), multi-factor authentication (MFA) available
Network Security: Firewall protection, intrusion detection systems
Secure Development: Security code reviews, vulnerability scanning
Database Security: Encrypted PostgreSQL databases, parameterized queries
Backup and Recovery: Encrypted automated backups, disaster recovery plans

6.2 Organizational Measures

We maintain robust organizational safeguards:

Staff Training: Regular data protection and security awareness training
Access Policies: Principle of least privilege, need-to-know access
Confidentiality Agreements: All staff sign confidentiality agreements
Incident Response: Data breach response and notification procedures
Regular Audits: Internal and external security assessments
Vendor Management: Due diligence on third-party processors

7. Data Breach Notification

7.1 Breach Detection and Response

In the event of a data breach, we will:

Assess the breach within 24 hours of detection
Contain and remediate the breach immediately
Document the breach details and response actions
Notify affected parties as required by law

7.2 Notification Requirements

We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach where feasible, and notify affected data subjects without undue delay if the breach poses a high risk to their rights and freedoms.

8. International Data Transfers

8.1 Transfer Safeguards

When transferring personal data internationally, we ensure appropriate safeguards:

Standard Contractual Clauses (SCCs) approved by the EU Commission
Adequacy decisions for transfers to approved countries
Additional security measures for sensitive data

8.2 Data Locations

Primary data storage: United Kingdom (DigitalOcean London datacenter)

AI Processing: May occur in USA (Google Cloud, OpenAI) under appropriate safeguards

9. Data Subject Rights

We facilitate the exercise of the following data subject rights:

9.1 Right of Access

Individuals can request confirmation of whether we process their personal data and access to that data.

9.2 Right to Rectification

Individuals can request correction of inaccurate or incomplete personal data.

9.3 Right to Erasure ("Right to be Forgotten")

Individuals can request deletion of their personal data in certain circumstances.

9.4 Right to Restriction of Processing

Individuals can request limitation of how we process their data.

9.5 Right to Data Portability

Individuals can request their data in a structured, commonly used, machine-readable format.

9.6 Right to Object

Individuals can object to processing based on legitimate interests or for direct marketing.

9.7 Rights Related to Automated Decision-Making

Individuals have the right not to be subject to automated decision-making with legal or significant effects. Our AI grading is always subject to educator review and override.

9.8 How to Exercise Rights

To exercise any of these rights, contact us at:

Email: [email protected] or [email protected]
Contact Form: Submit a Request

We will respond within one month (extendable by two months for complex requests).

10. Data Retention

10.1 Retention Periods

Data Category	Retention Period
Active user accounts	Duration of account + 90 days after closure
Student submissions	As determined by educational institution or 2 years maximum
Transaction records	7 years (tax and accounting requirements)
System logs	90 days (security logs may be retained longer)
Backup data	30 days after deletion from primary systems

10.2 Secure Deletion

When data is deleted, we use secure deletion methods to prevent recovery.

11. Privacy by Design and Default

We incorporate data protection into our development process:

Privacy impact assessments for new features
Minimal data collection by default
Privacy-enhancing technologies
Regular security and privacy reviews

12. Third-Party Processors

12.1 Sub-Processors

We engage the following categories of sub-processors:

Infrastructure: DigitalOcean (cloud hosting)
Payment Processing: Stripe (payment transactions)
AI Services: Google Cloud AI, OpenAI (AI processing)
Communication: Email service providers

12.2 Sub-Processor Requirements

All sub-processors must:

Provide appropriate data protection guarantees
Implement appropriate technical and organizational measures
Process data only on our documented instructions
Maintain confidentiality
Assist with data subject rights requests

13. Special Categories of Data

We generally do not process special categories of personal data (sensitive data such as health information, racial or ethnic origin, etc.). If such data is submitted in student assignments, it is processed only as necessary for the educational assessment purpose.

14. Accountability and Governance

14.1 Data Protection Officer (DPO)

Contact our DPO at: [email protected]

14.2 Documentation

We maintain records of processing activities, including:

Purposes of processing
Categories of data subjects and personal data
Categories of recipients
International transfers
Retention periods
Security measures

14.3 Regular Reviews

This Data Protection Policy is reviewed and updated annually or when significant changes occur.

15. Cookies and Tracking

See our Privacy Policy for detailed information about cookies and tracking technologies we use.

16. Children's Data

When processing data of children (under 18), we ensure:

Parental/guardian consent obtained through educational institutions
Age-appropriate privacy notices
Enhanced security measures
No profiling or automated decision-making affecting children

17. Complaints and Enforcement

17.1 Internal Complaints

If you have concerns about our data protection practices, please contact us first at [email protected].

17.2 Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner's Office (ICO) in the UK:

Website: https://ico.org.uk
Helpline: 0303 123 1113

18. Updates to This Policy

We may update this Data Protection Policy to reflect changes in our practices or legal requirements. Material changes will be communicated to users via email and prominent notices on our platform.

19. Contact Information

For data protection inquiries:

Data Protection Officer: [email protected]
Privacy Team: [email protected]
General Contact: Contact Form

Commitment to Data Protection: AssetryAI is committed to the highest standards of data protection. We continuously monitor and improve our data protection practices to ensure your information is safe and secure.