Privacy Notice

Last updated 5 May 2026 · version 2.1

This Privacy Notice explains how TeachGen AI Ltd ("we", "us", "TeachGen AI") collects, uses and protects personal data in connection with the TeachGen AI website and platform. It is written for everyone who interacts with us - visitors to teachgen.ai, individual subscribers, and staff at the schools and trusts that use our services.

We are committed to handling your personal data lawfully and transparently under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations and (where applicable) the EU General Data Protection Regulation.

1. Who we are

TeachGen AI Ltd is a company registered in England & Wales (company number 14961819) at 11 Crossley Close, Barrow Upon Soar, Loughborough, England, LE12 8QL.

We are registered with the UK Information Commissioner's Office under registration number ZB619200.

You can contact the DPO at [email protected].

2. Controller and processor roles

We act in two different roles depending on the data:

  • As Controller for the personal data we collect on this website (visitors, marketing leads, individual subscribers paying for their own account, and our own staff and contractors). This Privacy Notice describes that processing.
  • As Processor for personal data that schools and multi-academy trusts upload to or generate within the TeachGen AI platform. The school or trust is the Controller and decides what is uploaded; we process that data on their instructions under our Standard Data Processing Addendum.

3. What personal data we collect

3.1 When you visit teachgen.ai

  • IP address, approximate location, browser type, device type, referring URL, pages visited, dates and times.
  • Cookies and similar technologies (see Section 9).
  • Information you submit via forms (name, school, email, role, message).

3.2 When you create an account

  • Name, email address, role, school or institution.
  • Authentication is handled through school SSO for schools and trusts, or through personal Microsoft, personal Google or B2C email sign-in for individual subscribers. We do not store school-user passwords.
  • Billing information (collected and processed by our payment provider, Stripe - we do not store full card numbers).

3.3 When you use the platform

  • Prompts, content, and AI-generated outputs you create.
  • Usage and activity logs (login events, feature usage, error events).
  • Support communications.

We do not knowingly collect special category data (such as health, religion, or biometric data) and the platform is not designed for the routine processing of such data. School Controllers are responsible for ensuring an Article 9 lawful basis before any special category data is entered into the Service.

4. Why we use it, and our legal basis

PurposeLegal basis under UK GDPR
Providing and operating the Services you have signed up forArticle 6(1)(b) - performance of a contract
Processing payments and managing subscriptions Article 6(1)(b) - performance of a contract; Article 6(1)(c) - legal obligation (tax records)
Customer support and account communicationsArticle 6(1)(b) - performance of a contract
Security monitoring, fraud prevention, abuse detection Article 6(1)(f) - legitimate interests in protecting our service and users
Cookieless site analytics and performance measurement Article 6(1)(f) - legitimate interests in understanding and improving our website
Optional Google Analytics cookies on the websiteArticle 6(1)(a) - consent
Marketing communications to existing customers about similar services Article 6(1)(f) - legitimate interests, with opt-out in every communication (PECR soft opt-in)
Marketing communications to new prospectsArticle 6(1)(a) - consent
Compliance with legal obligations (e.g. ICO requests, tax, court orders) Article 6(1)(c) - legal obligation

5. AI processing - your data is not used to train AI models

When you use the platform's AI features, your prompts and content are sent to one of our AI providers - Microsoft Azure OpenAI Service (text and image generation), Amazon Bedrock, or Google Vertex AI - for inference only. We use the enterprise APIs of each provider, which contractually exclude your data from training, fine-tuning or model evaluation.

All AI inference takes place inside our enterprise tenancies in EU regions. We do not send your data to OpenAI's direct API or to any other US-located AI provider.

The full prohibition on AI training is recorded in Clause 1.13 of our Standard Data Processing Addendum.

6. Sub-processors

We engage a limited number of trusted sub-processors to deliver the Services. The current list, with each provider's purpose, region and certifications, is published at teachgen.ai/sub-processors and is contractually referenced from the DPA.

We give school Customers at least 30 days' notice of any addition or replacement of a sub-processor.

7. International data transfers

All AI inference and primary data storage takes place in the United Kingdom or European Union. A small number of operational sub-processors (for transactional email, marketing email, payment processing and product analytics) are located in the United States.

Where personal data is transferred outside the UK/EEA, we rely on the following safeguards (UK GDPR Article 46):

  • An adequacy decision under section 17A of the Data Protection Act 2018, including the UK Extension to the EU-US Data Privacy Framework, where the recipient is certified under it;
  • The UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses for transfers from the United Kingdom; and
  • The EU Standard Contractual Clauses (Module 2: Controller-to-Processor; or Module 3: Processor-to-Processor) for transfers from the EEA.

Each sub-processor's transfer mechanism is identified on the sub-processors page.

8. How long we keep your data

For school subscriptions, retention follows the schedule in our DPA. For individual accounts and website visitors, the same windows apply by analogy:

Data categoryActive retentionPost-termination
Account and authentication recordsTerm of subscriptionDeleted within 60 days of termination
Content created on the platform (prompts, outputs)Term of subscriptionAvailable for export for 30 days; deleted within 60 days
Usage and audit logs12 months from eventDeleted within 60 days of termination
BackupsMaximum 35 days rollingOverwritten in normal cycle after termination
Billing and tax recordsTerm of subscription Retained for 6 years (UK statutory requirement) under restricted access
Marketing contact recordsUntil consent withdrawn or 3 years of inactivityDeleted on withdrawal

9. Cookies and similar technologies

We keep website tracking deliberately limited. We use a necessary first-party cookie and matching browser storage entry to remember whether you accepted optional analytics cookies. Cloudflare Web Analytics is used for cookieless website analytics and performance measurement; Cloudflare states that this service does not use cookies, localStorage or fingerprinting to collect usage metrics.

Google Analytics 4 is optional. We only load Google Analytics after you accept optional cookies. If you reject optional cookies, we do not load Google Analytics and we clear Google Analytics cookies that we can access from your browser.

NameProviderPurposeWhen setDuration
cookie-consentsTeachGen AIStores your optional analytics cookie choice.When you accept or reject optional cookies.365 days
cookie-consents in localStorageTeachGen AI Stores the same optional analytics preference, including version and timestamp, so the site can apply your choice. When you accept or reject optional cookies.Until you clear browser storage or update your choice.
_gaGoogle AnalyticsDistinguishes visitors for optional website analytics.Only after you accept optional cookies.Usually up to 2 years.
_ga_VMEPTQ2WH6Google AnalyticsPersists GA4 measurement state for this website.Only after you accept optional cookies.Usually up to 2 years.

You can change your choice at any time using the Cookie settings link in the footer.

10. Children's data

The TeachGen AI platform is sold to schools and used by their staff. The Services are not directed at, or designed for direct use by, children. Where personal data of, or relating to, children is processed by school Customers, we apply the standards of the UK Information Commissioner's Age Appropriate Design Code (Children's Code) to the design and operation of the Services and provide reasonable assistance to school Controllers in meeting their own Children's Code obligations.

11. Your rights

Under UK GDPR you have the following rights, exercisable by emailing [email protected]:

  • Right of access (Art 15) - to obtain a copy of your personal data.
  • Right to rectification (Art 16) - to correct inaccurate or incomplete data.
  • Right to erasure (Art 17) - to have your data deleted in defined circumstances.
  • Right to restriction (Art 18) - to restrict processing in defined circumstances.
  • Right to data portability (Art 20) - to receive your data in a structured, machine-readable format (we use JSON or CSV).
  • Right to object (Art 21) - including the absolute right to object to direct marketing.
  • Rights related to automated decision-making and profiling (Art 22) - we do not use the Services to make solely automated decisions producing legal or similarly significant effects on you.
  • Right to withdraw consent (Art 7) - where processing relies on your consent, you can withdraw it at any time.

For school deployments, requests are typically routed via the school's Data Protection Officer; we will assist them under our DPA.

12. How we keep your data secure

We use encryption in transit (TLS 1.2 or higher) and at rest (AES-256), restricted role-based access, security monitoring, and regular review of our technical and organisational measures. Detailed security measures are set out in Appendix C of our DPA.

13. EU AI Act

We operate the platform in line with the obligations applicable to us under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). We will provide reasonable assistance to school Controllers carrying out fundamental rights impact assessments where required.

14. Complaints

If you have a concern about how we handle your personal data, please contact our DPO at [email protected] in the first instance - we aim to respond within five business days.

You also have the right to lodge a complaint with the UK Information Commissioner's Office (ico.org.uk/make-a-complaint) or, where applicable, the data protection authority of your EU member state.

15. Changes to this notice

We may update this Privacy Notice from time to time. The "Last updated" date and version at the top of this page reflect the current version. Material changes will be notified to school Customers under our DPA, and to individual subscribers by email or in-platform notice.

16. Related documents