FERPA compliant, CASA Tier 2 verified, GDPR compliant, COPPA compliant

Privacy Policy for Graded.Pro
Effective as of 9/5/26


Introduction

Graded.pro is committed to protecting the privacy of its users and the students whose work is processed through our platform. This Privacy Policy explains how personal data is collected, used, shared, and protected when you use our website, mobile applications, and related services (the “Service”).

The Service is operated by EdSystems Ltd, a company registered in England and Wales (company number 16551984), with its registered office at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ (“EdSystems”, “Graded Pro”, “we”, “us”, or “our”).

Graded Pro uses the OpenAI API to provide AI-assisted marking and feedback, whether by integrating with your school’s Learning Management System (LMS) or by allowing students to upload their work directly via our website or mobile applications. Grades and feedback are then returned to the appropriate channel.


Our Role and Yours

Graded Pro is used by individual educators, schools, educational institutions, and independent tutors. The role we play under data protection law depends on what is being processed and on whose behalf.

  1. Account data — Graded Pro is the controller.
    When you create an account with Graded Pro (whether as an individual teacher, an independent tutor, or through a School Account), we act as a data controller for the account information you provide directly — your name, email address, password, account preferences, and billing details. We process this information so that we can provide the Service to you and meet our legal obligations.

  2. Pupil Data in a school context — the school is the controller.
    When teachers upload student work, names, or other information about identifiable students (“Pupil Data”) into Graded Pro in their capacity as employees, contractors, or other agents of a school or educational institution, the school is the data controller for that Pupil Data, and Graded Pro acts as a data processor on the school’s behalf. The school decides what Pupil Data is processed and why; Graded Pro processes Pupil Data only on the school’s documented instructions, as set out in our Data Processing Agreement.

  3. Pupil Data with independent tutors — the tutor is the controller.
    Where you use Graded Pro as an independent tutor, self-employed educator, or otherwise on your own account (rather than on behalf of a school or institution), you are the data controller for the student data you process, and Graded Pro acts as a data processor on your behalf under these Terms and this Privacy Policy. As controller, you remain responsible for your own obligations under applicable data protection law, including (where applicable) registration with the relevant supervisory authority, providing privacy notices to parents and students, identifying an appropriate lawful basis for processing, and obtaining any consents that may be required.

  4. Account types and Pupil Data.
    Schools using a School Account enter into our Data Processing Agreement directly. Individual Teacher Free and Teacher Pro accounts are intended for two distinct uses: (a) where you act on behalf of a school, for exploring the Service and working with anonymised, fictional, or non-pupil materials only — real Pupil Data should be routed through a School Account; and (b) where you are an independent tutor or self-employed educator acting as your own controller, for use with student data on the basis of these Terms and this Privacy Policy. Our Terms and Conditions describe these arrangements in clause 4.


Compliance with Privacy and Security Standards

  1. UK and EU GDPR
    We process personal data in accordance with the UK General Data Protection Regulation, the EU General Data Protection Regulation, the UK Data Protection Act 2018, and other applicable data protection laws.

  2. FERPA (Family Educational Rights and Privacy Act)
    Where the Service is used by US schools, we support those schools in meeting their FERPA obligations in handling student educational records, limiting disclosure of personally identifiable information to authorised individuals and processing data solely for legitimate educational purposes.

  3. COPPA (Children’s Online Privacy Protection Act)
    Where the Service is used with children under 13 in the United States, we support schools and tutors in meeting COPPA requirements. Pupil Data is processed solely for educational purposes on the instructions of the controller (the school or independent tutor), which is responsible for obtaining any parental consent required.

  4. CASA Tier 2 Validation
    Our security and data-handling processes are validated under CASA Tier 2 by TAC Security, providing independent assurance of our controls.


What We Process and Why

  1. Account information (controller: Graded Pro)
    Names, email addresses, passwords, account settings, and billing information.
    Lawful bases under UK and EU GDPR: performance of a contract (Article 6(1)(b)); legitimate interests in operating and securing the Service (Article 6(1)(f)); legal obligation, for example for tax and accounting records (Article 6(1)(c)).

  2. Pupil Data (controller: the school or the independent tutor, depending on context)
    Typically the student’s first name, the work submitted (text, images, or scanned handwriting), the rubric or assignment to which it relates, and the resulting feedback and grade.
    Lawful basis under UK and EU GDPR: determined by the relevant controller. For schools, this is typically public task (Article 6(1)(e)) for state schools and legitimate interests or contract for independent schools. For independent tutors, this is typically performance of a contract (Article 6(1)(b)) with the parent or adult student, or legitimate interests where contract does not apply. Where the work contains special category data, the controller is responsible for identifying the relevant Article 9 condition and for instructing us accordingly.

  3. Cookies and local storage
    We use cookies and local storage to maintain session information, remember user preferences, and improve the Service. See our cookie banner or settings for details.


How Pupil Data Is Handled

Pupil Data submitted to Graded Pro is processed solely to provide marking, feedback, and related educational services to the relevant controller (a school or, where applicable, an independent tutor). Specifically:

  • We do not use Pupil Data to train AI models, and our terms with OpenAI confirm that submitted work is not retained by OpenAI for training.
  • We do not sell, rent, or lease Pupil Data, and we do not share it with third parties for marketing or advertising.
  • The only third parties involved in processing Pupil Data are the sub-processors listed below, each engaged solely to deliver the Service.
  • Pupil Data is processed only on the documented instructions of the controller. For schools, those instructions are set out in our Data Processing Agreement; for independent tutors, those instructions are reflected in your use of the Service under these Terms and this Privacy Policy.

How Information Is Used

Personal data is used to:

  • Provide the Service and support educational activities;
  • Process student work and return marks and feedback to the relevant LMS, account, or channel;
  • Maintain, secure, and improve the Service;
  • Communicate with users about their accounts, billing, or material changes to the Service; and
  • Meet our legal and regulatory obligations.

Sub-processors

We use the following sub-processors to provide the Service. Each is engaged under a written agreement that includes data protection obligations consistent with UK and EU GDPR.

  • OpenAI, L.L.C. (United States) — provides the AI marking models. We send the student’s first name (transmitted over TLS) and the work to be marked. OpenAI does not retain submitted work for training under our API terms.
  • DigitalOcean, LLC (United States; with EU data centre options) — hosting and storage of platform data. Data is encrypted in transit and at rest.
  • Google LLC (United States) — for users who choose to integrate with Google Classroom; processing is limited to the permissions you grant.
  • Stripe LLC — processing of payments for paid accounts. Card details are handled directly by the payment provider; we do not store full card numbers.
  • Mailgun Inc — for account-related emails such as verification, password reset, and service notices.

A current list is maintained on this page. Schools using a School Account will be notified of material changes to this list in accordance with the Data Processing Agreement.


International Transfers

Some of our sub-processors are located outside the United Kingdom and the European Economic Area, in particular in the United States. Where personal data is transferred outside the UK or EEA, we put in place appropriate safeguards as required by UK and EU GDPR. These typically include:

  • The European Commission’s Standard Contractual Clauses for transfers from the EEA;
  • The UK International Data Transfer Addendum (or the UK International Data Transfer Agreement) for transfers from the United Kingdom; and
  • Where applicable, reliance on the EU–US Data Privacy Framework and the UK Extension where the relevant sub-processor is certified.

Schools and tutors may request a copy of the transfer documentation relevant to their use of the Service by contacting our Data Protection Officer.


Data Security

  1. Hosting. Our infrastructure is hosted by DigitalOcean, which provides industry-standard physical and network security controls.

  2. Encryption. Data is encrypted in transit using TLS, including data sent to and received from the OpenAI API. Data at rest in our databases and storage is encrypted using industry-standard methods.

  3. Access control. Personal data is accessed only by authorised personnel for legitimate processing purposes, with access logged and reviewed.

  4. OpenAI data use. Under our terms with OpenAI, submitted student work is not stored by OpenAI for training purposes. Further information is available in OpenAI’s Trust and Safety and Enterprise Privacy documentation.

  5. Breach notification. If a personal data breach occurs that affects Pupil Data, we will notify the relevant controller (the school or, where applicable, the independent tutor) without undue delay, and in any event within the timescales set out in our Data Processing Agreement (for schools) or as required by applicable data protection law, so that the controller can meet its own notification obligations to the relevant supervisory authority and to affected individuals.


Retention and Deletion

  1. Pupil Data. Pupil Data is retained only for as long as the relevant controller (the school or, where applicable, the independent tutor) requires it for the educational purposes for which it was submitted. Teachers and tutors can delete individual submissions at any time; deleted submissions are removed from our active systems and are removed from routine backups within 30 days.

  2. End of relationship. On termination of a School Account or closure of an Individual Account, all Pupil Data associated with that account is deleted from our active systems within 30 days, and from backups within 90 days, unless the controller requests return or continued retention as permitted by the Data Processing Agreement (for schools) or by applicable law.

  3. Account information. Account information is retained for as long as the account is active and for a reasonable period afterwards to meet legal, accounting, and dispute-resolution requirements.


Sharing of Information

  1. Sub-processors. We share personal data with the sub-processors listed above, solely as required to provide the Service.

  2. OpenAI API. For marking, we transmit the student’s first name (over TLS) and the work to be marked to the OpenAI API. We do not transmit other identifiers such as last names, email addresses, or profile pictures.

  3. Legal requirements. We may disclose personal data where required to do so by law, court order, or other legal process, or to protect the rights, property, or safety of EdSystems, its users, or others.

  4. No selling of data. We do not sell, rent, or lease personal data to any third party, and we do not use Pupil Data for marketing or advertising.


Interaction with Google Classroom

Graded.pro offers optional integration with Google Classroom to streamline the assignment and marking process. When you connect Graded.pro to Google Classroom, we request the minimum necessary permissions to access relevant course information, assignment details, and submission statuses. This data is used solely to facilitate marking and to provide marks and feedback back to teachers and students. We do not sell or share this information with any third party (beyond the OpenAI API for automated marking, as described in this policy), and we adhere to Google’s User Data Policy and applicable privacy regulations. You may revoke Graded.pro’s access to Google Classroom at any time by adjusting the permissions in your Google account settings.


Your Rights

Depending on your jurisdiction and your role (account holder, student, or parent), you may have rights in relation to personal data, including:

  • Access: the right to request a copy of personal data held about you.
  • Rectification: the right to request corrections to inaccurate or incomplete information.
  • Erasure: the right to request deletion of personal data in certain circumstances.
  • Restriction of processing: the right to request limits on how data is used in certain circumstances.
  • Objection: the right to object to certain types of processing, including processing based on legitimate interests.
  • Data portability: the right to receive personal data in a structured, commonly used format and to transmit it to another controller.
  • Complaint: the right to lodge a complaint with a data protection supervisory authority. In the United Kingdom this is the Information Commissioner’s Office (ICO); in the European Union it is the supervisory authority of your country of residence.

To exercise any of these rights in relation to account information, please contact our Data Protection Officer using the details below. To exercise rights in relation to Pupil Data, please contact the relevant controller in the first instance — this is your school in a school context, or your tutor where you have engaged an independent tutor — as the controller is responsible for the data; we will support the controller in responding.


If You Are a Parent, Student, or Data Protection Officer

If you are a parent, a student, or a school’s Data Protection Officer and you have questions about how Graded Pro processes Pupil Data, please contact the relevant controller in the first instance: your school where the Service is being used by a school, or your independent tutor where the Service is being used by a tutor. The controller is best placed to explain the educational purpose and lawful basis for the processing. We will support the controller in answering any questions, including subject access requests. You may also contact our Data Protection Officer directly at the address below for technical or platform-specific questions.


Children’s Privacy

Graded Pro is designed for use within an educational context. Where the Service is used with children under the age of 13 (or the equivalent age of digital consent in your jurisdiction), it is the responsibility of the controller — the school in a school context, or the independent tutor where a tutor is using the Service — to ensure that any necessary parental consents are in place and that processing is consistent with applicable laws including COPPA (in the United States) and the UK and EU GDPR.

We do not knowingly collect personal data directly from children outside an authorised educational context. If you believe a child has provided personal data to us outside an authorised setting, please contact our Data Protection Officer and we will take appropriate steps to delete it.


Data Protection Officer (DPO)

If you have any questions about how we collect, use, or protect personal data — including requests to exercise your data protection rights — please contact our Data Protection Officer:

Data Protection Officer
EdSystems Ltd (trading as Graded.Pro)
71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
Email: [email protected]

The DPO is your first point of contact for any data-protection concerns, including data-subject access requests, breach notifications, and questions about this policy.


Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be posted on this page, and where reasonably practicable we will notify account holders by email. The “Effective as of” date at the top of this policy indicates when it was last updated. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.


This Privacy Policy is effective as of 9/5/26 and supersedes all previous versions.