PROVISIONAL TEMPLATE — drafted for review by qualified counsel before reliance. Not legal advice.
This Privacy Policy explains how personal data is handled in connection with the OET-style examination preparation platform (the "Platform") operated from the Republic of Ireland and made available to language academies, training colleges and similar institutions ("Academies") and, through them, to their students and staff. It is written to meet the standard of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR") and the Irish Data Protection Act 2018.
1. Controller and processor — who is responsible for your data
The Platform is a business-to-business, white-label service. Roles under the GDPR are split, and the split is deliberate:
- The Academy is the data controller for the personal data of its students,
teachers and administrators (account data, class rosters, exam responses and scores, and related usage data). The Academy determines the purposes and means of that processing and is your first point of contact for your rights.
- The Platform operator is a data processor acting only on each Academy's
documented instructions under a written contract that satisfies Article 28 GDPR (see the Data Processing Agreement at section 12).
- The Platform operator is itself a controller only for data it determines
the purposes of in its own right — for example, its public marketing website, prospective-customer enquiries, billing relationships with Academies, and the security/audit logging it operates to run the service safely.
Where this Policy describes choices made by your Academy, please direct your request to your Academy; where it describes the operator's own controller activities, contact the operator at the address in section 11.
2. Legal bases for processing (Article 6 GDPR)
Processing is carried out on one or more of the following bases:
- Performance of a contract (Art. 6(1)(b)) — to create accounts, deliver
examinations, grade responses and report results to the Academy.
- Legitimate interests (Art. 6(1)(f)) — to secure the Platform, prevent
abuse, maintain audit trails, and improve reliability; balanced against your rights and freedoms.
- Legal obligation (Art. 6(1)(c)) — to comply with accounting, tax and other
statutory duties.
- Consent (Art. 6(1)(a)) — where specifically requested, e.g. optional
communications; consent may be withdrawn at any time.
For data the Academy controls, the applicable legal basis is determined by the Academy as controller.
3. Special categories of data
The Platform is not designed to process special-category data (Article 9 GDPR), such as health, biometric or sensitive personal data, beyond the examination-performance data inherent to a language-proficiency assessment. Although the subject matter of practice materials may be clinically themed (e.g. medical English), candidate exam responses and scores are treated as performance data, not health data about the candidate. You should not submit real patient information or your own sensitive health information into free-text or spoken responses.
4. Categories of personal data processed
- Account data — name, email address, role, profession/track, and
authentication data (including multi-factor settings for privileged roles).
- Roster data — class and cohort membership provided by the Academy.
- Exam data — written and spoken responses, transcripts, grades, scores,
feedback and provenance status (feedback remains verified:false until a teacher signs it off).
- Usage and telemetry — log data, device/browser metadata, proctoring and
integrity events (e.g. fullscreen exits) generated during timed assessments.
- Billing data — for Academies, the commercial and payment information needed
to administer licences (handled by our payment processor; we do not store full card numbers).
Authoritative examination state (answers and scores) is held server-side; it is not stored in your browser or in cookies.
5. Sub-processors
The operator engages vetted sub-processors to deliver the service. Each is bound by a written contract with data-protection terms consistent with Article 28 GDPR. A current list is maintained and Academies are notified in advance of material changes so they may object.
| Sub-processor | Purpose |
|---|---|
| Anthropic | AI-assisted grading and tutoring of exam responses |
| Simli | Photo-real avatar rendering for speaking and tutoring |
| Vercel | Application hosting and delivery (EU region where applicable) |
| Stripe | Payment and subscription processing (Academy billing) |
| Resend | Transactional email (invitations, notifications) |
Content submitted for grading or tutoring is not used to train third-party models.
6. International transfers
The Platform's baseline is the EU/EEA. Where a sub-processor or an Academy is located outside the EEA, personal data may be transferred to a "third country". Such transfers are made only under an appropriate Article 46 GDPR safeguard:
- Adequacy decisions of the European Commission, where one exists for the
destination country; otherwise
- the European Commission's Standard Contractual Clauses (SCCs), supplemented
by a transfer risk assessment and technical/organisational supplementary measures (e.g. encryption, access controls) where required; and
- for transfers to or from the United Kingdom, the **UK International Data
Transfer Agreement (IDTA)** or the UK Addendum to the SCCs.
The Platform serves a worldwide customer base — including Academies and students in Australia, India, Bangladesh, Pakistan, the Philippines, Korea, Japan, the United States, Mexico and wider Latin America, and Nigeria and across Africa. In those jurisdictions the relevant local data-protection law may also apply (for example, India's Digital Personal Data Protection Act 2023, Brazil's LGPD, and comparable regimes), with the Academy acting as controller for its students' data and responsible for any local registration or notice obligations.
7. Your rights
Subject to the conditions in the GDPR (and equivalent local law), you have the right to: access your personal data; rectification of inaccurate data; erasure ("right to be forgotten"); restriction of processing; portability; and to object to processing based on legitimate interests. Where processing is based on consent, you may withdraw it at any time.
Because your Academy is the controller of student, teacher and roster data, requests relating to that data are routed to your Academy, which the operator supports as processor. For data the operator controls (e.g. marketing or billing enquiries), contact the operator directly. We respond within the statutory timeframe (generally one month).
8. Retention
Personal data is retained only as long as necessary for the purposes above, for the duration of the Academy's licence, and thereafter as required by law (e.g. financial records) or to resolve disputes. On termination, Academy data is deleted or returned in accordance with the Data Processing Agreement, save for backups that age out on a defined cycle.
9. Security
The operator applies appropriate technical and organisational measures, including: encryption in transit and at rest; role-based access control (RBAC) and least-privilege administration; multi-factor authentication for privileged roles; tamper-evident audit logging; lockdown and anti-copy controls on examination surfaces; and segregation of tenant data in a multi-tenant architecture.
10. Personal data breaches
In the event of a personal data breach, the operator will notify the affected Academy without undue delay so the Academy, as controller, can meet its obligations under Articles 33 and 34 GDPR (notification to the supervisory authority within 72 hours where required, and to data subjects where the risk is high). For data the operator controls, the operator will notify the supervisory authority and affected individuals as required.
11. Contact and Data Protection Officer
Privacy enquiries to the operator may be directed to the data protection contact identified on the operator's website. Where a statutory Data Protection Officer is appointed, their contact details will be published there.
12. Data Processing Agreement (DPA)
A Data Processing Agreement satisfying Article 28 GDPR is made available to every Academy and is incorporated into the B2B Terms of Service. It governs the operator's processing on the Academy's instructions, the sub-processor list, security measures, assistance with data-subject requests, breach notification, and deletion/return on termination.
13. Supervisory authority and complaints
The operator's lead supervisory authority is the Irish Data Protection Commission (DPC), 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland — www.dataprotection.ie. You have the right to lodge a complaint with the DPC or with the supervisory authority in your country of residence. For student/roster data you may also complain to, or seek redress from, your Academy as controller.
14. Changes to this Policy
We may update this Policy to reflect changes in law, the service, or our sub-processors. Material changes affecting Academies will be notified in advance. The "Last updated" date and version below indicate the current revision.