
How CurricuLLM handles and protects your data.
CurricuLLM follows strict rules to protect teacher and student privacy. For UK schools we align with the UK GDPR, the Data Protection Act 2018, and the Department for Education's guidance on generative AI in education (including the Generative AI Product Safety Expectations). The same technical and organisational controls are applied everywhere we operate.
Accounts are created using school logins (Google or Microsoft). Only names, emails, and school details are stored. Technical data like IP addresses and usage patterns are collected via cookies and analytics, with non-essential cookies blocked until consent is given on the UK site.
Anything typed into CurricuLLM is not used to train AI models. Your conversations remain private and are not used to improve external AI systems.
Studio allows users to upload, create, edit, and export teaching and learning materials. If you select that Studio content is suitable for students or ok to share with other teachers, that content may be visible to other users inside CurricuLLM where sharing is enabled.
We encourage users not to include personal information in shared content, especially pupil names or identifying details. Shared content may be reviewed for safety, quality, and compliance through human review and automated checks.
If you later turn sharing off, we will stop new sharing within a reasonable time. However, copies may remain where other users have already accessed or exported the content, or where stored in backups, logs, or required for legal or safety reasons.
CurricuLLM primarily stores and processes information within Australia and New Zealand.
For paid customers, hosting is transferred from Australia to the United Kingdom.
However, for the purposes of providing AI inference services, limited information may be processed in the United States. This processing is limited to real time inference tasks only and is not used to train AI models.
When transferring information internationally, we ensure appropriate safeguards and contractual protections are in place, and maintain compliance with the UK GDPR and the Data Protection Act 2018.
We share data only with essential service providers for secure hosting, authentication, and service delivery. Key subprocessors include:
All providers operate with safeguards including encryption, contractual data protections, and (for international transfers) the UK IDTA / UK Addendum. No personal information is disclosed for marketing or profiling purposes.
Teachers, pupils, and schools can exercise UK GDPR rights (access, rectification, erasure, restriction, objection, portability) by contacting hello@curricullm.com. Data is retained only as long as necessary for service provision or legal compliance. Upon account deletion, data is deleted or anonymised within a reasonable timeframe.
If you believe your privacy has been breached or mishandled, contact hello@curricullm.com. We will acknowledge receipt within 5 business days, investigate, and respond with an outcome within 30 days. If you are not satisfied with our response, you may escalate the matter to the Information Commissioner's Office (ICO) at ico.org.uk.
For full details, see our Privacy Policy.