Privacy Policy

WriteTrack Ltd ("we", "us", "our") is committed to protecting the privacy and security of your personal data. This Privacy Policy explains how we collect, use, share, and protect information about you when you use our AI-powered writing assessment platform for UK primary schools.

This policy applies to teachers, school administrators, pupils, and parents who interact with our service. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all relevant UK data protection laws.

We take extra care when handling children's data, applying enhanced safeguards in accordance with the Information Commissioner's Office (ICO) Age Appropriate Design Code.

WriteTrack Ltd is the data controller for the personal information we process, unless otherwise stated.

If you have any questions about this Privacy Policy or how we handle your data, please contact us using the details above.

We collect and process the following categories of personal data:

Teacher and School Administrator Accounts

• Full name and email address
• School name, address, and contact details (for school accounts)
• Password (stored securely as a hashed value)
• Account type and role (individual teacher, school admin, school teacher)
• Subscription and billing information
• Usage data (login times, features used)

Pupil Data

• First name and last name
• Year group (Years 1-6)
• Username (for pupil login to view their feedback)
• Class and cohort assignments
• No sensitive personal data such as home address, date of birth, or contact details is collected

Children's Written Work

• Handwritten work images (JPG, PNG, HEIC formats)
• Typed text submissions
• AI-generated transcriptions of handwritten work (OCR)
• AI-generated feedback aligned to the UK National Curriculum
• Writing task metadata (genre, audience, purpose, term)
• Submission dates and processing status

Handwriting Samples (Biometric Data)

• Sample handwriting images for improving OCR accuracy
• AI-extracted handwriting characteristics (letter formation, spacing, joins)
• Quality scores and processing metadata
• This constitutes biometric data under UK GDPR and is processed with appropriate safeguards and parental consent

Usage and Technical Data

• IP address and browser type
• Device information and operating system
• Page views and navigation patterns
• Error logs and diagnostic data
• Session data (cookies for authentication)

Payment Information

• Billing details are processed by Stripe (our payment provider)
• We store only: subscription type, status, and payment dates
• We do NOT store credit card numbers or full payment details

We use your personal data for the following purposes:

Providing Our Service

• Processing handwritten work using AI-powered OCR (Google Gemini)
• Generating curriculum-aligned feedback for pupils, parents, and teachers
• Improving handwriting recognition accuracy through per-pupil profiles
• Creating handwriting practice guides and editing exercises
• Generating whole-class feedback summaries
• Exporting feedback as PDF and Word documents

Account Management

• Creating and managing user accounts
• Authenticating users and maintaining session security
• Managing classes, cohorts, and pupil assignments
• Providing customer support

Billing and Subscriptions

• Processing subscription payments
• Managing free trials and renewals
• Enforcing account limits (pupils, teachers, classes)
• Sending payment receipts and invoices

Communication

• Sending transactional emails (welcome, payment confirmations, trial endings)
• Sending account-related notifications
• Responding to support requests
• Notifying about price changes (30 days advance notice)

Service Improvement

• Analysing usage patterns to improve features
• Monitoring service performance and uptime
• Identifying and fixing bugs
• Aggregate analytics (anonymized data with no personally identifiable information)

Legal Compliance

• Complying with legal obligations (tax, accounting, data protection)
• Protecting against fraud and abuse
• Enforcing our Terms of Service
• Responding to legal requests (court orders, regulatory enquiries)

Under UK GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases:

Consent

• Processing children's data: We obtain consent from schools/teachers acting in loco parentis
• Handwriting samples (biometric data): Explicit consent required
• Marketing communications: Opt-in consent required

Contract Performance

• Providing the WriteTrack service as agreed in our Terms of Service
• Processing payments and managing subscriptions
• Delivering AI-generated feedback

Legal Obligation

• Retaining financial records for 7 years (HMRC requirement)
• Complying with data protection laws
• Responding to lawful requests from authorities

Legitimate Interests

• Fraud prevention and security
• Service improvement and analytics (using anonymized data)
• Error logging and debugging

We conduct a Legitimate Interests Assessment (LIA) to ensure our interests do not override your rights and freedoms. Children's data is never processed solely on the basis of legitimate interests.

WriteTrack serves UK primary schools and processes data of children aged 5-11 (Years 1-6). We take extra care to protect children's privacy and comply with the ICO's Age Appropriate Design Code.

Enhanced Safeguards for Children

• Data minimization: We collect only essential information (first name, last name, year group)
• No sensitive data: We do NOT collect home addresses, dates of birth, or contact details
• No behavioral tracking: We do not track children's behavior or create profiles for marketing
• No social features: Pupils cannot interact with each other through our platform
• Parental transparency: Parents can request copies of their child's data at any time
• Secure access: Pupils access feedback via username/password provided by teachers

Consent and Parental Rights

• Schools/teachers act in loco parentis when using WriteTrack
• Schools are responsible for obtaining parental consent where required
• Parents have the right to request deletion of their child's data
• Parents can contact us directly with concerns: privacy@writetrack.co.uk

Biometric Data (Handwriting Samples)

• Handwriting patterns are considered biometric data under UK GDPR
• Explicit consent is required before collecting handwriting samples
• Samples are used solely to improve OCR accuracy for that specific pupil
• Samples are NOT shared with third parties or used for any other purpose
• Parents can request deletion at any time

We share your data only with trusted third-party service providers who help us deliver our service. All providers are carefully selected and comply with UK GDPR.

AI Processing: Google Gemini

• Purpose: Optical Character Recognition (OCR) and writing analysis
• Data shared: Handwritten work images, typed text
• Server location: EU/UK regions only
• Data retention: Processing only (NOT stored by Google)
• No AI training: Pupil work is NOT used to train Google's AI models
• Data Processing Agreement: In place

Payment Processing: Stripe

• Purpose: Subscription billing and payment processing
• Data shared: Email, billing details, payment information
• Server location: EU region
• Privacy Policy: stripe.com/privacy
• PCI-DSS compliant: Stripe handles all card data securely

Hosting: Supabase

• Purpose: Database hosting and file storage
• Data shared: All platform data (accounts, submissions, feedback)
• Server location: EU region (no transfers outside EU/UK)
• Security: ISO 27001 certified, SOC 2 compliant
• Data Processing Agreement: In place

Transactional Emails: Resend

• Purpose: Sending account and subscription emails
• Data shared: Email addresses, names
• Retention: Email logs retained for 90 days

We Do NOT:

• Sell or rent your data to third parties
• Share children's data for marketing purposes
• Use pupil work for advertising or commercial purposes
• Allow AI providers to train on pupil data

WriteTrack is committed to keeping your data within the UK and EU. We do NOT transfer your personal data outside the European Economic Area (EEA) or UK.

• All databases are hosted in EU regions (via Supabase)
• AI processing occurs on Google's EU/UK servers only
• Payment processing by Stripe uses EU infrastructure
• No data is sent to the United States or other non-adequate countries

If this changes in the future, we will notify you and ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).

We retain your personal data only for as long as necessary to provide our service and comply with legal obligations. For detailed retention periods, see our Data Retention Policy.

Active Accounts

• Teacher and pupil data: Duration of subscription
• Submissions and feedback: Duration of subscription
• Handwriting samples: Duration of subscription (or until deleted by request)

Deleted Accounts

• All personal data deleted within 30 days of account closure
• Anonymized analytics retained indefinitely (no personal identifiers)

Financial Records

• Invoices and payment records: 7 years (HMRC legal requirement)
• VAT records: 6 years

Backups

• Database backups retained for 30 days
• Deleted data overwritten within 30 days

You have important rights under UK GDPR to control your personal data:

Right to Access (Article 15)

You can request a copy of the personal data we hold about you (Subject Access Request). We will provide this within 30 days, free of charge.

Right to Rectification (Article 16)

You can ask us to correct inaccurate or incomplete data. You can update your account details directly in Settings.

Right to Erasure / "Right to be Forgotten" (Article 17)

You can request deletion of your personal data. We provide an account deletion feature in Settings that permanently deletes all your data within 30 days. Note: Financial records must be retained for 7 years for tax purposes.

Right to Data Portability (Article 20)

You can request a copy of your data in a machine-readable format (JSON, CSV). Contact us to request data export.

Right to Object (Article 21)

You can object to processing based on legitimate interests. Contact us to exercise this right.

Right to Restrict Processing (Article 18)

You can request we stop processing your data while we verify accuracy or assess your objection.

Rights Related to Automated Decision-Making (Article 22)

Our AI-generated feedback is NOT used for automated decision-making or grading. Teachers review all AI outputs and make professional judgments. No automated decisions are made that legally or significantly affect pupils.

Right to Withdraw Consent

Where we process data based on consent (e.g., handwriting samples), you can withdraw consent at any time. This does not affect processing that occurred before withdrawal.

Right to Complain

You have the right to complain to the Information Commissioner's Office (ICO) if you believe we have mishandled your data:

To exercise any of your data protection rights:

Account Deletion

• Log in to WriteTrack → Settings → Danger Zone → "Delete Account"
• You'll receive a confirmation email with a secure link
• All data deleted within 30 days

Subject Access Request or Other Rights

• Email us at: privacy@writetrack.co.uk
• Include: Your name, email, and the right you wish to exercise
• We will respond within 30 days
• We may ask for ID verification to prevent unauthorized access

Parents Requesting Deletion of Child Data

• Contact your child's school/teacher first
• Or email us directly: privacy@writetrack.co.uk
• Provide: Child's name, year group, school name

We will respond to all requests within 30 days. If we need more time, we'll let you know why and keep you updated.

We implement industry-standard technical and organizational measures to protect your data:

Technical Measures

• Encryption in transit (HTTPS/TLS 1.3)
• Encryption at rest (database and file storage)
• Secure password hashing (bcrypt)
• Row-level security (RLS) policies on all database tables
• Multi-factor authentication available for accounts
• Regular security audits and penetration testing
• Automatic security updates and patches

Organizational Measures

• Access controls: Only authorized personnel can access data
• Data Processing Agreements with all third-party providers
• Regular staff training on data protection
• Incident response plan for data breaches
• Audit logs for data access and changes

Data Breach Notification

If we discover a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO within 72 hours, as required by UK GDPR Article 33-34.

We use cookies to provide essential functionality. For full details, see our Cookie Policy.

Essential Cookies (Always Active)

• Session authentication (Supabase Auth)
• CSRF protection
• Load balancing

Analytics Cookies (Optional)

• Anonymized usage analytics
• Error tracking
• No personally identifiable information collected

We do NOT use marketing cookies or third-party tracking pixels. We do NOT track children across websites or apps.

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service features.

• Minor changes: We will update the "Last updated" date at the top of this page
• Significant changes: We will notify you by email or prominent notice on our platform at least 30 days before changes take effect
• Continued use: By continuing to use WriteTrack after changes are published, you accept the updated policy

We encourage you to review this policy periodically to stay informed about how we protect your data.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

We aim to respond to all enquiries within 5 business days. For Subject Access Requests and other data protection rights, we will respond within 30 days as required by UK GDPR.