Privacy Policy

1. Who We Are

OurClass, available at ourclass.cloud, is a UK education platform operated by Sizorax Ltd (Company No. 16955799).

Where a school, academy, or trust uses OurClass to provide educational services, that organisation will normally act as the Data Controller for pupil and staff data, and Sizorax Ltd will act as a Data Processor on its documented instructions under the UK GDPR and the Data Protection Act 2018.

Sizorax Ltd may also act as a controller for limited direct interactions such as website enquiries, support communications, contract administration, and service security or reliability monitoring.

2. Lawful Basis for Processing

Lawful basis depends on who is controlling the processing activity:

• School-controlled processing: The relevant school, academy, or trust decides the lawful basis for pupil and staff data processed through OurClass.
• Contract (Article 6(1)(b)): Sizorax Ltd may rely on contract where it is necessary to provide services directly to a customer organisation or respond to a request to enter into those services.
• Legitimate Interests (Article 6(1)(f)): Sizorax Ltd may rely on legitimate interests for limited support, security, service integrity, and operational administration activities where those interests are not overridden by data subject rights.
• Consent (Article 6(1)(a)): Where consent is used for a specific activity, such as certain non-essential telemetry choices or school-governed learner AI consent workflows, that consent is recorded and can be managed through the relevant process.

3. What Data We Collect

• Account data: Name, email address, year group, school affiliation, role.
• Learning data: Lesson responses, scores, AI conversation transcripts, learning profiles.
• Usage data: Session activity, feature usage, accessibility preferences.
• Technical data: Browser type, IP address (for security logging only), device type.

4. How We Use Your Data

• Delivering personalised learning experiences.
• Generating AI-powered lessons, assessments, and progress reports.
• Providing analytics to teachers and school administrators.
• Maintaining platform security and preventing misuse.

5. AI Processing

OurClass uses AI to generate lesson content, provide real-time assistance, and create progress reports. Teacher-facing generation features produce drafts for staff review, while learner-facing AI is subject to school controls, moderation, and safeguarding checks. Where school data is sent to AI subprocessors such as OpenAI, Sizorax Ltd applies contractual and technical safeguards appropriate to that use and configures the service so submitted school data is not used by OurClass for advertising or marketing.

6. Hosting, Data Residency, and Subprocessors

OurClass currently uses regional infrastructure including Vercel and Supabase in AWS eu-west-1 for core hosting, application delivery, authentication, and database services. Additional subprocessors may include OpenAI for AI features, Resend for transactional email, Stripe for billing, and Sentry for service monitoring where enabled.

Where personal data is transferred outside the UK or EEA, Sizorax Ltd relies on the relevant contractual and transfer safeguards made available for those services and will provide current details through the Subprocessors and International Transfers notice.

7. Data Retention

• Active accounts: Personal data is retained while the relevant school account remains active and the service is being provided.
• Deletion requests: Verified erasure requests enter a 30-day grace period so they can be cancelled if raised in error.
• Deletion completion: Once the grace period ends, OurClass removes login access, deletes user-scoped AI, learning, and consent records, and anonymises the remaining user record used for operational history.
• Audit and billing records: We retain only the records needed for safeguarding, security, financial reconciliation, and legal compliance, and we minimise personal data within those records wherever practical.

8. Your Rights (Data Subject Rights)

Under UK GDPR, you have the right to:

• Access your personal data (Article 15) - available through OurClass account tools where provided, or via your school on request.
• Rectification of inaccurate data (Article 16).
• Erasure ("right to be forgotten") (Article 17) - submit a deletion request in your account settings.
• Data portability (Article 20) - OurClass provides JSON exports of the core account, learning, AI conversation, and consent data we hold about you.
• Object to processing (Article 21).
• Restrict processing (Article 18).

For student data, requests should be made via the school. Schools can also exercise these rights on behalf of their students.

9. Children's Data (ICO Children's Code)

OurClass is designed to support the ICO Age Appropriate Design Code. Where learner-facing AI is enabled for younger students, schools can require parental consent and apply additional safeguards. OurClass supports:

• Recorded parental-consent status and per-student AI enablement controls.
• Versioned consent wording and privacy-notice records so the school can show what a parent or carer was told at the time of decision.
• Delivery, bounce, and complaint evidence for OurClass-sent consent emails where Resend webhook monitoring is configured.
• Public withdrawal links for granted consents and staff-recorded withdrawal workflows where a parent or carer asks the school to revoke consent.
• Evidence-backed school attestation workflows for cases where a school gathers consent outside OurClass and must record how that evidence is held.
• Privacy settings are set to high by default.
• Data collection is minimised to what is strictly necessary.
• Geolocation and profiling for marketing purposes are disabled.
• Learner-facing AI moderation, policy enforcement, and safeguarding escalation workflows.

10. Cookies and Service Monitoring

We use essential cookies required for authentication and platform functionality. We may also process limited service telemetry, error-monitoring, or security-monitoring data to maintain reliability, investigate faults, and protect the service. Where OurClass offers non-essential analytics or similar optional tooling, that processing should only be enabled through the relevant consent flow described in our Cookies and Telemetry notice.

We do not use marketing or advertising cookies.

11. Data Security

• Data is protected in transit using TLS and encrypted at rest where supported by infrastructure suppliers.
• Role-based access control with principle of least privilege.
• Security review and testing as part of ongoing service governance.
• Comprehensive audit logging of all data access.

12. Data Breach Procedures

If Sizorax Ltd becomes aware of a personal data breach affecting school-controlled data, we will notify the relevant school, academy, or trust without undue delay and support its assessment of any ICO or data-subject notification obligations. Where Sizorax Ltd acts as controller for a processing activity, we will assess and make notifications as required by Article 33 and Article 34 of UK GDPR.

13. Contact

For privacy queries or to exercise your data rights, contact Sizorax Ltd's privacy team at privacy@ourclass.cloud.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.