10.1 Privacy and Data Protection

CurricuLLM follows strict rules to protect teacher and student privacy. For UK schools we align with the UK GDPR, the Data Protection Act 2018, and the Department for Education's guidance on generative AI in education (including the Generative AI Product Safety Expectations). The same technical and organisational controls are applied everywhere we operate.

Minimal data collected

Accounts are created using school logins (Google or Microsoft). Only names, emails, and school details are stored. Technical data like IP addresses and usage patterns are collected via cookies and analytics, with non-essential cookies blocked until consent is given on the UK site.

No prompt training

Anything typed into CurricuLLM is not used to train AI models. Your conversations remain private and are not used to improve external AI systems.

Studio content and sharing

Studio allows users to upload, create, edit, and export teaching and learning materials. If you select that Studio content is suitable for students or ok to share with other teachers, that content may be visible to other users inside CurricuLLM where sharing is enabled.

We encourage users not to include personal information in shared content, especially pupil names or identifying details. Shared content may be reviewed for safety, quality, and compliance through human review and automated checks.

If you later turn sharing off, we will stop new sharing within a reasonable time. However, copies may remain where other users have already accessed or exported the content, or where stored in backups, logs, or required for legal or safety reasons.

International data transfers

For UK schools, personal information is stored and processed in cloud regions located in the United Kingdom. Limited information may be transferred to the United States for AI inference services. International transfers from the United Kingdom are protected by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supplemented by the technical and contractual safeguards described below.

AI inference processing in the United States is limited to real-time inference tasks only and is not used to train AI models.

Third party providers and subprocessors

We share data only with essential service providers for secure hosting, authentication, and service delivery. Key subprocessors include:

• Microsoft Azure - Cloud infrastructure, hosting, compute services, and AI inference
• Google Cloud - Cloud infrastructure, compute services, and AI inference
• OpenAI - AI inference processing for platform features
• Anthropic - AI inference processing for platform features
• Amazon Web Services - Cloud infrastructure, hosting, and storage services
• Neo4j - Graph database services
• Supabase - Database and backend services
• Auth0 - Authentication and identity management
• Mailgun - Email delivery services

All providers operate with safeguards including encryption, contractual data protections, and (for international transfers) the UK IDTA / UK Addendum. No personal information is disclosed for marketing or profiling purposes.

Control and data rights

Teachers, pupils, and schools can exercise UK GDPR rights (access, rectification, erasure, restriction, objection, portability) by contacting hello@curricullm.com. Data is retained only as long as necessary for service provision or legal compliance. Upon account deletion, data is deleted or anonymised within a reasonable timeframe.

Complaints and resolution

If you believe your privacy has been breached or mishandled, contact hello@curricullm.com. We will acknowledge receipt within 5 business days, investigate, and respond with an outcome within 30 days. If you are not satisfied with our response, you may escalate the matter to the Information Commissioner's Office (ICO) at ico.org.uk.

For full details, see our Privacy Policy.