Privacy Policy

Last updated: 2026-04-29

1. Introduction

EdHub AI Limited ("EdHub AI", "we", "us", or "our") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, store, and share information when you use our education management platform and related services (the "Service").

We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

2. Data Controller

EdHub AI Limited acts as a data processor on behalf of schools (our customers), who are the data controllers. For data we collect directly from website visitors, EdHub AI Limited is the data controller.

3. Information We Collect

3.1 School Platform Data (Processor Role)

When schools use our platform, they may input data about students, staff, and parents. This data is controlled by the school. We process it on the school's behalf, and it may include:

  • Student names, dates of birth, and educational records
  • Staff names, contact details, and employment information
  • Parent/guardian names and contact information
  • Attendance records and academic grades
  • Medical information (allergies, conditions) as provided by schools
  • Behavioural records and safeguarding notes

3.2 Website Visitor Data (Controller Role)

  • Name and email address (when submitting contact or demo forms)
  • School name and role (from demo requests)
  • IP address and browser information (automatically collected)
  • Cookie data and analytics information

3.3 Account Data

  • Email address and password (hashed with bcrypt)
  • User role and permissions
  • Login activity and session information
  • Notification preferences

4. How We Use Your Data

We use personal data for the following purposes:

  • Service delivery: Providing and maintaining the education platform
  • Authentication: Verifying user identity and managing access
  • Communication: Sending notifications, announcements, and support responses
  • Analytics: Understanding usage patterns to improve the Service
  • Security: Detecting and preventing unauthorised access
  • Legal compliance: Meeting regulatory obligations

5. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract: Processing necessary to perform our agreement with schools
  • Legitimate interest: Service improvement, security, and fraud prevention
  • Consent: Marketing communications and non-essential cookies
  • Legal obligation: Compliance with education and data protection laws

6. Data Sharing

We do not sell personal data. We may share data with:

  • Sub-processors (current as of 2026-04-29):
    • Google Cloud Platform (Cloud Run, europe-west3) — application hosting; data processed in Frankfurt, EU
    • Neon — managed PostgreSQL database (sandbox and production); EU region
    • Cloudflare — CDN, DDoS protection, and object storage (R2); standard Cloudflare DPA applies
    • Sentry — error tracking and performance monitoring; may capture anonymised stack trace data
    • Resend — transactional email delivery (password reset, notifications)
    • Stripe — payment processing for fee collection (FeeFlow module); Stripe DPA applies
    • Google Workspace / Google Identity — SSO identity provider for schools using Google single sign-on
    • Microsoft Identity Platform — SSO identity provider for schools using Microsoft single sign-on
  • Schools: Data belongs to schools and is accessible by authorised school staff
  • Legal authorities: When required by law or to protect rights and safety

All sub-processors are bound by data processing agreements and maintain appropriate security standards. We do not use Vercel or Amazon Web Services (AWS) for any production processing.

7. Data Security

We implement appropriate technical and organisational measures including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Password hashing with bcrypt
  • JWT-based authentication with token rotation
  • Role-based access control (RBAC)
  • Multi-tenant data isolation (school-level and campus-level)
  • Input sanitisation and XSS prevention
  • Rate limiting on all API endpoints
  • Security headers (Helmet.js)
  • Regular security audits
  • Automated database backups with 30-day retention

8. Data Retention

We retain personal data for as long as necessary to provide the Service and comply with legal obligations:

  • Active accounts: Data retained while the school subscription is active
  • Demo accounts: Automatically deleted 30 days after trial expiry
  • Contact forms: Retained for up to 2 years
  • Backups: Retained for 30 days then permanently deleted
  • Audit logs: Retained for 7 years per regulatory requirements

9. Your Rights

Under UK GDPR, you have the following rights:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data ("right to be forgotten")
  • Restriction: Request restriction of processing
  • Portability: Request your data in a machine-readable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw consent: Withdraw consent at any time

For school platform data, please contact your school directly as they are the data controller. For website visitor data, contact us at [email protected].

10. Cookies

We use cookies and similar technologies for:

  • Essential cookies: Authentication tokens, session management (always active)
  • Analytics cookies: Google Analytics (with consent)
  • Marketing cookies: Facebook Pixel (with consent)
  • Experience cookies: Hotjar session replay (with consent)

You can manage cookie preferences using our cookie consent banner or through your browser settings.

11. Children's Privacy

Our platform processes data about children as part of school management. This data is controlled by schools who have appropriate legal bases (such as public task or legitimate interest in education). We do not knowingly collect personal data directly from children under 13 without parental/school consent.

11a. FERPA Notice (United States Schools)

For schools located in the United States, EdHub AI complies with the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g. EdHub AI acts as a school official with a legitimate educational interest, processing student education records solely on behalf of the school under their direction.

  • Access & Amendment: Parents and eligible students may request access to or amendment of education records by contacting their school directly.
  • Disclosure: EdHub AI does not disclose education records without written consent, except as permitted by FERPA (school officials, health/safety emergencies, or judicial orders).
  • De-identified data: Aggregated, de-identified data may be used for product improvement provided no individual student can be identified.
  • Complaints: You may file a complaint with the U.S. Department of Education's Student Privacy Policy Office at studentprivacy.ed.gov.

FERPA inquiries: [email protected] — Subject: "FERPA Request"

12. International Transfers

Data may be transferred to countries outside the UK for hosting and processing. We ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) where required.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify users of material changes via email or through the platform. Continued use of the Service after changes constitutes acceptance.

14. Contact Us

EdHub AI Limited
Email: [email protected]
Website: https://edhubai.com

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.