Privacy Notice
Last updated 5 May 2026 · version 2.1
This Privacy Notice explains how TeachGen AI Ltd ("we", "us", "TeachGen AI") collects, uses and protects personal data in connection with the TeachGen AI website and platform. It is written for everyone who interacts with us - visitors to teachgen.ai, individual subscribers, and staff at the schools and trusts that use our services.
We are committed to handling your personal data lawfully and transparently under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations and (where applicable) the EU General Data Protection Regulation.
1. Who we are
TeachGen AI Ltd is a company registered in England & Wales (company number 14961819) at 11 Crossley Close, Barrow Upon Soar, Loughborough, England, LE12 8QL.
We are registered with the UK Information Commissioner's Office under registration number ZB619200.
You can contact the DPO at [email protected].
2. Controller and processor roles
We act in two different roles depending on the data:
- As Controller for the personal data we collect on this website (visitors, marketing leads, individual subscribers paying for their own account, and our own staff and contractors). This Privacy Notice describes that processing.
- As Processor for personal data that schools and multi-academy trusts upload to or generate within the TeachGen AI platform. The school or trust is the Controller and decides what is uploaded; we process that data on their instructions under our Standard Data Processing Addendum.
3. What personal data we collect
3.1 When you visit teachgen.ai
- IP address, approximate location, browser type, device type, referring URL, pages visited, dates and times.
- Cookies and similar technologies (see Section 9).
- Information you submit via forms (name, school, email, role, message).
3.2 When you create an account
- Name, email address, role, school or institution.
- Authentication is handled through school SSO for schools and trusts, or through personal Microsoft, personal Google or B2C email sign-in for individual subscribers. We do not store school-user passwords.
- Billing information (collected and processed by our payment provider, Stripe - we do not store full card numbers).
3.3 When you use the platform
- Prompts, content, and AI-generated outputs you create.
- Usage and activity logs (login events, feature usage, error events).
- Support communications.
We do not knowingly collect special category data (such as health, religion, or biometric data) and the platform is not designed for the routine processing of such data. School Controllers are responsible for ensuring an Article 9 lawful basis before any special category data is entered into the Service.
4. Why we use it, and our legal basis
| Purpose | Legal basis under UK GDPR |
|---|---|
| Providing and operating the Services you have signed up for | Article 6(1)(b) - performance of a contract |
| Processing payments and managing subscriptions | Article 6(1)(b) - performance of a contract; Article 6(1)(c) - legal obligation (tax records) |
| Customer support and account communications | Article 6(1)(b) - performance of a contract |
| Security monitoring, fraud prevention, abuse detection | Article 6(1)(f) - legitimate interests in protecting our service and users |
| Cookieless site analytics and performance measurement | Article 6(1)(f) - legitimate interests in understanding and improving our website |
| Optional Google Analytics cookies on the website | Article 6(1)(a) - consent |
| Marketing communications to existing customers about similar services | Article 6(1)(f) - legitimate interests, with opt-out in every communication (PECR soft opt-in) |
| Marketing communications to new prospects | Article 6(1)(a) - consent |
| Compliance with legal obligations (e.g. ICO requests, tax, court orders) | Article 6(1)(c) - legal obligation |
5. AI processing - your data is not used to train AI models
When you use the platform's AI features, your prompts and content are sent to one of our AI providers - Microsoft Azure OpenAI Service (text and image generation), Amazon Bedrock, or Google Vertex AI - for inference only. We use the enterprise APIs of each provider, which contractually exclude your data from training, fine-tuning or model evaluation.
All AI inference takes place inside our enterprise tenancies in EU regions. We do not send your data to OpenAI's direct API or to any other US-located AI provider.
The full prohibition on AI training is recorded in Clause 1.13 of our Standard Data Processing Addendum.
6. Sub-processors
We engage a limited number of trusted sub-processors to deliver the Services. The current list, with each provider's purpose, region and certifications, is published at teachgen.ai/sub-processors and is contractually referenced from the DPA.
We give school Customers at least 30 days' notice of any addition or replacement of a sub-processor.
7. International data transfers
All AI inference and primary data storage takes place in the United Kingdom or European Union. A small number of operational sub-processors (for transactional email, marketing email, payment processing and product analytics) are located in the United States.
Where personal data is transferred outside the UK/EEA, we rely on the following safeguards (UK GDPR Article 46):
- An adequacy decision under section 17A of the Data Protection Act 2018, including the UK Extension to the EU-US Data Privacy Framework, where the recipient is certified under it;
- The UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses for transfers from the United Kingdom; and
- The EU Standard Contractual Clauses (Module 2: Controller-to-Processor; or Module 3: Processor-to-Processor) for transfers from the EEA.
Each sub-processor's transfer mechanism is identified on the sub-processors page.
8. How long we keep your data
For school subscriptions, retention follows the schedule in our DPA. For individual accounts and website visitors, the same windows apply by analogy:
| Data category | Active retention | Post-termination |
|---|---|---|
| Account and authentication records | Term of subscription | Deleted within 60 days of termination |
| Content created on the platform (prompts, outputs) | Term of subscription | Available for export for 30 days; deleted within 60 days |
| Usage and audit logs | 12 months from event | Deleted within 60 days of termination |
| Backups | Maximum 35 days rolling | Overwritten in normal cycle after termination |
| Billing and tax records | Term of subscription | Retained for 6 years (UK statutory requirement) under restricted access |
| Marketing contact records | Until consent withdrawn or 3 years of inactivity | Deleted on withdrawal |
9. Cookies and similar technologies
We keep website tracking deliberately limited. We use a necessary first-party cookie and matching browser storage entry to remember whether you accepted optional analytics cookies. Cloudflare Web Analytics is used for cookieless website analytics and performance measurement; Cloudflare states that this service does not use cookies, localStorage or fingerprinting to collect usage metrics.
Google Analytics 4 is optional. We only load Google Analytics after you accept optional cookies. If you reject optional cookies, we do not load Google Analytics and we clear Google Analytics cookies that we can access from your browser.
| Name | Provider | Purpose | When set | Duration |
|---|---|---|---|---|
| cookie-consents | TeachGen AI | Stores your optional analytics cookie choice. | When you accept or reject optional cookies. | 365 days |
| cookie-consents in localStorage | TeachGen AI | Stores the same optional analytics preference, including version and timestamp, so the site can apply your choice. | When you accept or reject optional cookies. | Until you clear browser storage or update your choice. |
| _ga | Google Analytics | Distinguishes visitors for optional website analytics. | Only after you accept optional cookies. | Usually up to 2 years. |
| _ga_VMEPTQ2WH6 | Google Analytics | Persists GA4 measurement state for this website. | Only after you accept optional cookies. | Usually up to 2 years. |
You can change your choice at any time using the Cookie settings link in the footer.
10. Children's data
The TeachGen AI platform is sold to schools and used by their staff. The Services are not directed at, or designed for direct use by, children. Where personal data of, or relating to, children is processed by school Customers, we apply the standards of the UK Information Commissioner's Age Appropriate Design Code (Children's Code) to the design and operation of the Services and provide reasonable assistance to school Controllers in meeting their own Children's Code obligations.
11. Your rights
Under UK GDPR you have the following rights, exercisable by emailing [email protected]:
- Right of access (Art 15) - to obtain a copy of your personal data.
- Right to rectification (Art 16) - to correct inaccurate or incomplete data.
- Right to erasure (Art 17) - to have your data deleted in defined circumstances.
- Right to restriction (Art 18) - to restrict processing in defined circumstances.
- Right to data portability (Art 20) - to receive your data in a structured, machine-readable format (we use JSON or CSV).
- Right to object (Art 21) - including the absolute right to object to direct marketing.
- Rights related to automated decision-making and profiling (Art 22) - we do not use the Services to make solely automated decisions producing legal or similarly significant effects on you.
- Right to withdraw consent (Art 7) - where processing relies on your consent, you can withdraw it at any time.
For school deployments, requests are typically routed via the school's Data Protection Officer; we will assist them under our DPA.
12. How we keep your data secure
We use encryption in transit (TLS 1.2 or higher) and at rest (AES-256), restricted role-based access, security monitoring, and regular review of our technical and organisational measures. Detailed security measures are set out in Appendix C of our DPA.
13. EU AI Act
We operate the platform in line with the obligations applicable to us under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). We will provide reasonable assistance to school Controllers carrying out fundamental rights impact assessments where required.
14. Complaints
If you have a concern about how we handle your personal data, please contact our DPO at [email protected] in the first instance - we aim to respond within five business days.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk/make-a-complaint) or, where applicable, the data protection authority of your EU member state.
15. Changes to this notice
We may update this Privacy Notice from time to time. The "Last updated" date and version at the top of this page reflect the current version. Material changes will be notified to school Customers under our DPA, and to individual subscribers by email or in-platform notice.
16. Related documents
- Data protection overview - what we commit to, with documents and quick facts.
- Sub-processors - current list with change log.
- Standard Data Processing Addendum (DPA) - Article 28 contract for school Customers.
- Standard Service Agreement (SA) - master commercial contract for school Customers.
- Terms & Conditions - for individual subscribers.
Need the procurement view?
Our data-protection page answers the questions schools, trusts and DPOs ask before approving TeachGen AI.
See our full data-protection page