Privacy Policy

1. Who We Are

Bloom is an AI-powered education platform designed for UK schools. We act as a Data Processor on behalf of the school (the Data Controller) under the UK GDPR and the Data Protection Act 2018.

2. Lawful Basis for Processing

We process personal data under the following lawful bases:

• Legitimate Interests (Article 6(1)(f)): Delivering educational services and improving the platform.
• Contract (Article 6(1)(b)): Fulfilling our data processing agreement with your school.
• Consent (Article 6(1)(a)): AI-powered features for children under 13 require verifiable parental consent per the ICO Children's Code.

3. What Data We Collect

• Account data: Name, email address, year group, school affiliation, role.
• Learning data: Lesson responses, scores, AI conversation transcripts, learning profiles.
• Usage data: Session activity, feature usage, accessibility preferences.
• Technical data: Browser type, IP address (for security logging only), device type.

4. How We Use Your Data

• Delivering personalised learning experiences.
• Generating AI-powered lessons, assessments, and progress reports.
• Providing analytics to teachers and school administrators.
• Maintaining platform security and preventing misuse.

5. AI Processing

Bloom uses AI to generate lesson content, provide real-time assistance, and create progress reports. All AI outputs are clearly labelled and subject to teacher review. Student data sent to AI services is processed in accordance with our Data Processing Agreement and is not used to train AI models.

6. Data Residency

All personal data is stored in EU/UK data centres (Supabase EU region). AI processing via OpenAI is subject to a Data Processing Agreement that ensures GDPR-compliant processing.

7. Data Retention

• Active accounts: Data retained while the school account is active.
• Inactive student accounts: Anonymised after 2 academic years of inactivity.
• Deleted accounts: Personal data removed within 30 days of a verified deletion request.
• Audit logs: Retained for 7 years per DfE record-keeping requirements.
• AI conversation logs: Deleted after 1 academic year.

8. Your Rights (Data Subject Rights)

Under UK GDPR, you have the right to:

• Access your personal data (Article 15) — available via "My Data" in your account.
• Rectification of inaccurate data (Article 16).
• Erasure ("right to be forgotten") (Article 17) — submit a deletion request in your account settings.
• Data portability (Article 20) — export your data in JSON format.
• Object to processing (Article 21).
• Restrict processing (Article 18).

For student data, requests should be made via the school. Schools can also exercise these rights on behalf of their students.

9. Children's Data (ICO Children's Code)

Bloom complies with the ICO Age Appropriate Design Code. For students under 13:

• Verifiable parental consent is required for AI-powered features.
• Privacy settings are set to high by default.
• Data collection is minimised to what is strictly necessary.
• Geolocation and profiling for marketing purposes are disabled.
• AI content is filtered for age appropriateness.

10. Cookies

We use essential cookies required for authentication and platform functionality. Optional analytics cookies are only activated with explicit consent. We do not use marketing or advertising cookies.

11. Data Security

• All data encrypted in transit (TLS 1.3) and at rest (AES-256).
• Role-based access control with principle of least privilege.
• Regular security audits and penetration testing.
• Comprehensive audit logging of all data access.

12. Data Breach Procedures

In the event of a data breach, we will notify the ICO within 72 hours as required by Article 33 of UK GDPR. Affected schools and individuals will be notified without undue delay where the breach poses a high risk to rights and freedoms.

13. Contact

For privacy queries or to exercise your data rights, contact our Data Protection Officer at dpo@bloom.education.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.