Privacy Policy

Version 1.4
Effective Date: 01/02/2025
Last Updated: 18/11/2025

Everybody Reads is committed to protecting the privacy, security and rights of teachers, students and schools. This policy explains how we collect, use and safeguard personal data and how we ensure the confidentiality, integrity and availability of our systems and information. It is designed to comply with UK GDPR, EU GDPR, COPPA and CCPA where applicable.

Schools act as Data Controllers for student data. Everybody Reads acts as a Data Processor on their behalf. For teacher accounts, Everybody Reads acts as the Data Controller.

1. Contact Details

Everybody Reads
58 Mill St
Kirkcaldy
Scotland
KY1 1SD

Email: info@everybodyreads.org.uk

2. Data We Collect

We follow strict data minimisation throughout the platform.

Teacher data

  • Name
  • School email address
  • Class or school affiliation
  • Platform activity needed to operate the service

Student data (pseudonymised)

Teachers create student profiles using labels such as initials or display names.

We do not collect:

  • Full names
  • Email addresses
  • Dates of birth
  • Home information
  • Special category data

Data linked to a pseudonymised student ID may include:

  • Reading age or band selected by a teacher
  • Generated story history
  • Comprehension responses and scores
  • Engagement and progress metrics

Platform usage data

  • Device type
  • Interactions within the platform
  • Stories generated and completed
  • Responses to comprehension tasks

This data is used only to deliver and improve our services. We do not use data for advertising or commercial resale.

3. Legal Basis for Processing

We process personal data under the following lawful bases:

  • Consent provided by teachers during account creation
  • Contract, where we provide access to schools under a subscription
  • Legitimate Interests needed to operate and improve the service
  • Legal compliance where required

Schools determine their own lawful basis when providing student data.

4. How We Use Data

We use data only for educational purposes, including:

  • Generating personalised stories and comprehension questions
  • Providing teachers with progress and insight dashboards
  • Operating core platform features
  • Improving accuracy and safety of AI outputs
  • Sending essential service communications to teachers

We do not use any personal data for profiling beyond assigning appropriate reading levels and content.

5. AI Content and Safety Controls

We use controlled, template-based prompts to generate literacy content. The system does not allow free chat or open-ended student input.

Safety layers include:

  • Fixed narrative structures
  • Age-banded vocabulary lists
  • Teacher-selected reading ages and themes
  • Banned word filters before generation
  • OpenAI moderation tools
  • Post-generation checks for reading age, tone and suitability
  • No pupil-to-pupil or pupil-to-AI messaging

The AI is purpose-built for children's reading. It does not have the ability to generate unrestricted content. All outputs follow age-appropriate vocabulary lists, fixed story structures and school-safe themes defined by our literacy guidelines.

Only anonymised data is sent to OpenAI. OpenAI does not train models on our data.

6. Sub Processors

We use a small number of GDPR-compliant sub processors to deliver the service:

  • Vercel for hosting and edge functions
  • Neon (AWS EU region) for database services
  • OpenAI API for story and question generation using anonymised data only
  • SendGrid (Twilio) for teacher onboarding and service emails

We do not sell or rent data and we do not share data with any independent Data Controllers.

7. Data Security

We apply technical and organisational measures to protect data including:

  • Encryption in transit and at rest
  • Role-based access control
  • Audit logging and monitoring
  • Pseudonymisation of all student data
  • Regular internal reviews of permissions and system behaviour
  • Controlled development and release processes
  • Independent sub processor security reviews

Only authorised personnel can access system-level data.

8. Information Security Framework

We maintain an internal security framework focusing on:

Risk management

Ongoing assessment of risks to confidentiality, integrity and availability. Controls are adapted as the platform evolves.

Secure development

Testing, code reviews where applicable, safety evaluation of prompts and moderation pipelines.

Monitoring

Tracking of unusual activity, system errors or potential misuse.

Access controls

Principle of least privilege applied across all systems.

Business continuity

Backups, disaster recovery processes and service resilience planning.

9. Incident Reporting and Response

We have a documented incident response process. If a security issue or content error occurs, the process covers:

  • Immediate containment and removal of affected content
  • Internal investigation and root cause analysis
  • Notification to the school as soon as possible where required
  • Full transparency on findings and corrective steps
  • Support with parent communication if the school requests it
  • Review of filters and processes to prevent recurrence

10. International Transfers

Where data is processed outside the UK or EU, we use Standard Contractual Clauses and other approved safeguards.

11. Data Retention

  • Student data is retained only for the duration of the school subscription
  • Teacher accounts remain active until deletion is requested
  • Upon termination all associated data is deleted or anonymised
  • Schools may request erasure at any time

12. User Rights

Teachers and schools may request:

  • Access
  • Correction
  • Deletion
  • Restriction
  • Data portability
  • Objection

Requests can be submitted to info@everybodyreads.org.uk.

Schools may act on behalf of their students.

13. Third Party Links

Our platform may contain links to external resources. We are not responsible for their privacy practices and encourage users to review their policies.

14. Changes to this Policy

We may update this policy to reflect service improvements or regulatory changes. Significant updates will be communicated to schools or teachers through the platform or by email.

15. Acceptance

By using Everybody Reads, you agree to the practices described in this policy. If you do not agree, you should stop using the service.

16. Policy Review and Continuous Improvement

This Privacy Policy will be reviewed annually or whenever significant changes occur within our operations or IT infrastructure. Updates will be made to ensure the policy remains relevant and effective in addressing evolving security threats.
