Privacy Policy

CurricuLLM is an AI powered SaaS platform for educational staff and students. The platform is generally designed to be suitable for students aged 10 and above as a guideline. Schools are responsible for determining the appropriate age for student use based on their own policies and context. For UK schools we align with the UK GDPR, the Data Protection Act 2018, and the Department for Education's guidance on generative AI in education, including the Generative AI Product Safety Expectations.

We collect

Account Information
Names and emails via Google or Microsoft authentication, and school affiliations.

User Provided Information
Users may enter content into the platform, including in Studio. Users might inadvertently enter personal details. We discourage including sensitive information.

Technical Data
IP addresses, device types, browsers, and usage patterns, via cookies and analytics.

Third Party Information
Limited information from Google or Microsoft for authentication purposes only. Or information from systems that users choose to connect.

We collect personal information directly from you when you create an account using Google or Single Sign On authentication, when you enter content into the platform, and when you contact us. We also collect information automatically through cookies and analytics tools when you use the Service. Where schools connect external systems (LISS, LTI), we may receive information from those systems on behalf of the school. Personal information is held in secure cloud infrastructure provided by our subprocessors, protected by the measures described in Section 6.

If you do not provide the personal information we request, we may not be able to create or maintain your account, provide the Service, or respond to your enquiries. For example, if you do not authenticate via Google or SSO, we cannot create your account. Providing content within the platform is voluntary, and choosing not to do so will not affect your ability to access other features of the Service.

We use personal information to

• Provide, operate, and enhance our services.
• Communicate service updates.
• Maintain platform safety and compliance.
• Conduct anonymised research and user surveys for product improvement.

CurricuLLM does not use prompts or user content to train AI models.

Studio allows users to upload, create, edit, and export teaching and learning materials, including audio and video outputs.

If a user selects that Studio content is suitable for students, or ok to share with other teachers, then that content may be visible to other users inside CurricuLLM where sharing is enabled.

We encourage users not to include personal information in shared content, especially student names or identifying details.

We may review shared content for safety, quality, and compliance. This may involve human review and automated checks.

If you later change your selection to turn sharing off, we will stop new sharing within a reasonable time. Copies may still remain where other users have already accessed or exported the content, or where it is stored in backups, logs, or required for legal or safety reasons.

When you use AI-powered features of the Service, the content you provide in your prompts and any attached context (such as curriculum selections or uploaded materials) is sent to our AI inference providers for processing. Only the information necessary to generate a response is transmitted.

AI processing is performed in real time. Your prompts and content are not used to train, fine-tune, or improve any AI model. Our contracts with AI inference providers prohibit the use of user data for model training. Prompt data is not retained by our AI providers beyond the duration of the inference request, except where a provider's standard processing requires short-term transient storage, after which it is deleted.

We apply the following safeguards to AI data processing:

• All data transmitted to AI providers is encrypted in transit.
• AI inference providers are contractually bound not to use, store, or train on user data.
• Content filters are applied to both inputs and outputs to reduce the risk of harmful or inappropriate content.
• Schools may configure filter strictness levels through their admin settings.
• AI outputs are intended as drafts for educator review, not as final materials for direct student use without teacher oversight.

Users have the following controls over AI functionality:

• You choose what content to include in your prompts. You control whether to attach curriculum context or upload materials.
• Use of AI features is voluntary.
• Schools can configure content filter levels and manage which features are available to staff and students.
• You may request deletion of your data at any time in accordance with Section 11.

Our AI inference providers are listed in Section 16 (Subprocessors), along with their locations and the specific models currently in use.

Data is retained only as long as necessary for service provision or legal compliance. Upon account deletion requests, data is deleted or anonymised within a reasonable timeframe.

All data is stored securely, protected by encryption, restricted access, regular security audits, and industry standard practices.

For UK schools, personal information is stored and processed in cloud regions located in the United Kingdom. Limited information may be transferred to the United States for the purposes of AI inference. International transfers from the United Kingdom are protected by the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, together with the contractual safeguards described in Section 9.

AI inference processing in the United States is limited to real-time inference tasks only and is not used to train AI models.

When transferring information internationally, we ensure appropriate safeguards and contractual protections are in place, and maintain compliance with the UK GDPR and the Data Protection Act 2018.

We share data only with essential service providers for secure hosting, authentication, and service delivery.

Some AI inference processing may occur with approved providers in the United States, with safeguards including encryption, contractual data protections, and regional privacy controls.

We may disclose personal information to the following categories of recipients: cloud hosting and infrastructure providers, authentication providers, AI inference providers, email delivery providers, and database service providers. These recipients are listed in Section 15 (Subprocessors). We do not sell personal information or disclose it to recipients for marketing or profiling purposes.

We use cookies for authentication, preference management, and analytics. Users may manage preferences via their browser settings.

Region detection. When you first visit our marketing website, we make a single client-side request to a third-party IP geolocation service (currently ipapi.co) to detect the country your IP address resolves to. We use this only to route you to the correct regional version of the site (for example, sending United Kingdom visitors to /uk/) and to remember that choice in a first-party cookie (cl_region) and in your browser's local storage. The country result is not stored on our servers, and you can change your region at any time using the country selector in the site header.

Consent for non-essential cookies (UK visitors). On the UK version of our site (/uk/*), we comply with UK GDPR and the Privacy and Electronic Communications Regulations (PECR). Strictly necessary cookies (region preference, security, basic site functionality) are always on because the site cannot work without them. All other cookies and trackers — including Google Analytics, Amplitude product analytics and session replay, ad-campaign attribution (ad_attribution), and our SEO optimisation script — are blocked by default. We will not load them until you have given explicit consent via the cookie banner shown on your first UK visit. Your choice is stored in a first-party cookie (cl_consent) and you can change it at any time using the "Cookie preferences" link in the site footer.

Users may request access, correction, or deletion of their data, by emailing hello@curricullm.com.

We provide schools with a parental notification template. We minimise student data collection, utilise content filters, and do not engage in direct student marketing.

Significant policy changes will be communicated via email and prominently on our platform. Users are encouraged to regularly review policy updates.

Questions or privacy requests, hello@curricullm.com

If you believe your privacy has been breached or mishandled, you may contact us at hello@curricullm.com.

We will

• Acknowledge receipt of your complaint within 5 business days.
• Investigate and respond with an outcome within 30 days.
• If further time is required, we will let you know and explain why.

If you are not satisfied with our response, you may escalate the matter to the UK Information Commissioner's Office (ICO) at ico.org.uk.

We use the following subprocessors to provide our services. These subprocessors may process personal information on our behalf in accordance with our contractual agreements and privacy requirements.

UK pupil and school data is stored and processed in subprocessor regions located in the United Kingdom. Any subprocessor location listed below outside the United Kingdom (such as the United States for AI inference) constitutes a restricted international transfer under UK GDPR. These transfers are covered by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supplemented by the technical and organisational measures described in Section 7.

The following AI models are currently used within the platform. This list may change as models are updated, added, or retired.