Privacy Policy
Last updated: 21 February 2026
1. Who we are
Scottish AI Lessons is an AI-powered educational platform designed to help Scottish students prepare for SQA qualifications. We are the data controller for the personal data described in this policy.
If you have any questions about how we handle your data, please contact us at privacy@scottishailessons.com.
2. What data we collect
We collect the following categories of personal data:
Account data
- Full name
- Email address
- Password (stored as a cryptographic hash — we never see your actual password)
Educational data
- Lesson responses and answers you provide during teaching sessions
- Mastery and progress scores generated by our AI tutor
- Practice question responses and exam attempt data
- Revision notes and drawings you create
- Spaced repetition schedules for your study plan
Accessibility data
- Accommodations or additional support needs you tell us about during onboarding. This is special category data under UK GDPR and we only process it with your explicit consent (see section 3).
Payment data
- Payments are processed by Stripe. We store your Stripe customer ID and subscription status but we do not store your card number or bank details.
Technical data
- Authentication session cookies
- Error logs (collected via Sentry only with your analytics consent)
AI interaction data
- Conversations you have with our AI tutors during lesson sessions
3. How we use your data
Under UK GDPR we must have a lawful basis for every way we use your personal data. Here is how each purpose maps to a legal basis:
| Purpose | Lawful basis |
|---|---|
| Account creation & authentication | Performance of contract (Art. 6(1)(b)) |
| Delivering AI-powered lessons and tracking progress | Legitimate interest (Art. 6(1)(f)) — delivering the educational service you signed up for |
| AI-powered assessment, feedback & mastery scoring | Legitimate interest (Art. 6(1)(f)) |
| Payment processing via Stripe | Performance of contract (Art. 6(1)(b)) |
| Processing accessibility / accommodation needs | Explicit consent (Art. 9(2)(a)) |
| Non-essential cookies (functional & analytics) | Consent (PECR Regulation 6) |
| Error tracking & service reliability | Legitimate interest (Art. 6(1)(f)) |
4. Who we share your data with
We share your data with the following third-party service providers (processors) who help us run the platform:
| Provider | Purpose | Data shared |
|---|---|---|
| Appwrite Cloud | Database, authentication & file storage | Account data, educational data, files |
| Anthropic | AI-powered tutoring (Claude models) | Lesson prompts & conversation context |
| OpenAI | AI-powered tutoring (GPT models) | Lesson prompts & conversation context |
| LangChain / LangGraph | AI orchestration & conversation state | Conversation state & agent execution data |
| Stripe | Payment processing | Name, email, payment details |
| Sentry | Error tracking (only with analytics consent) | Error traces, browser metadata |
We do not sell your personal data to anyone.
5. International transfers
Some of our service providers are based in the United States. When your data is transferred outside the UK we ensure appropriate safeguards are in place, including:
- The UK-US Data Bridge (where applicable)
- Standard Contractual Clauses (UK Addendum) with each US-based provider
- Processor-specific data processing agreements
6. How long we keep your data
| Data category | Retention period |
|---|---|
| Account & profile | Duration of your account + 30 days after deletion |
| Educational data (lessons, mastery, evidence) | Duration of your account |
| Payment records | 7 years (legal requirement) |
| Error logs (Sentry) | 90 days |
| AI conversation history | 1 year |
| Inactive accounts | Notified after 2 years of inactivity, deleted 30 days later |
7. Your rights
Under UK GDPR you have the following rights:
- Right of access — request a copy of all the data we hold about you
- Right to rectification — ask us to correct inaccurate data
- Right to erasure — ask us to delete your account and data
- Right to restrict processing — ask us to limit how we use your data
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interest
- Rights related to automated decision-making — our AI generates mastery scores and lesson recommendations. You can request human review of any significant AI decision.
To exercise any of these rights, email us at privacy@scottishailessons.com. We will respond within 30 days.
8. Children's privacy
Scottish AI Lessons is designed for students aged 13 and over. If you are under 13 you may not create an account.
If you are aged 13 to 17, we encourage you to review this policy with a parent or guardian. We apply the highest privacy settings by default for all users and do not profile students for marketing purposes.
Parents and guardians may contact us at privacy@scottishailessons.com to exercise data rights on behalf of their child.
9. Cookies
We use a small number of cookies to keep you logged in and (with your consent) to improve our service. For full details on which cookies we use and how to manage them, see our Cookie Policy.
10. Changes to this policy
We may update this policy from time to time. For material changes we will notify you by email. For minor changes we will update the “Last updated” date at the top of this page. We encourage you to review this policy periodically.
11. Complaints
If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
We would appreciate the chance to address your concerns before you contact the ICO, so please reach out to us first at privacy@scottishailessons.com.