Privacy Policy
Last updated: April 2026 | Version: 2.2 | Effective Date: Upon Account Creation
At Mark Mate, we are committed to protecting the privacy of educators and students. This policy explains how Marking Solutions Ltd ("we", "us", or "Mark Mate") processes personal data in compliance with the UK GDPR, the Data Protection Act 2018, and the Data (Use and Access) Act 2025.
1. Who We Are
- Data Controller: Marking Solutions Ltd (Company No: 10453100).
- ICO Registration: ZB717528
- Data Protection Contact: james@markmate.co.uk
- Registered Office: Acacia Cottage, Bourton, Gillingham, SP8 5BJ.
2. The Data We Collect
We collect only the data necessary to provide high-quality educational assessment.
A. For Teachers & Administrators (Users)
| Category | Data Collected | Purpose |
|---|---|---|
| Identity | Name, title, email address | Account ID and communication |
| Authentication | Hashed password, 2FA secrets | Secure access |
| Subscription | Stripe ID, payment type, last 4 digits | Billing and tax compliance |
| Integration | Wonde ID (if synced from school MIS) | System interoperability |
B. For Students (Managed by Schools)
| Category | Data Collected | Purpose |
|---|---|---|
| Identity | Name, email (optional) | Identification within the class |
| Educational | Grades, learning objectives, feedback | Progress tracking |
| Identifiers | UPI, Wonde MIS ID | Accurate data sync with school systems |
Special Note on UPI: We treat Unique Pupil Identifiers as high-sensitivity data. They are used solely for MIS synchronisation and are never shared with AI providers.
3. How We Use Your Data (Lawful Basis)
We process your data under the following legal bases:
- Contractual Necessity: Providing the Mark Mate service you subscribed to.
- Legitimate Interests: Platform security, fraud prevention, and service improvement.
- Public Task: Schools using the platform to perform statutory duties.
- Legal Obligation: Financial record-keeping for HMRC/Stripe.
4. Artificial Intelligence & Data Use
4.1 No Automated Decision-Making
Mark Mate does not use AI to make autonomous decisions regarding student grades. All AI features produce drafts that require human teacher review and approval before use.
4.2 Detailed Data Sent to AI Providers
To protect student privacy, we do NOT send student names, emails, UPIs, or school names to AI providers. We only send the following context necessary for the task:
- AutoMark: Uploaded images/documents of student work, learning objective text, rubric descriptions, and year group number.
- Feedback Transformation: The existing feedback text, transformation instructions, and year group number.
- Voice Processing: Transcribed teacher notes and learning objective context.
4.3 OpenAI Non-Training Guarantee
We use OpenAI's API. Under our agreement, your data is NOT used to train OpenAI's models.
4.4 Data Retention (AI)
OpenAI retains API inputs/outputs for up to 30 days solely for the purpose of abuse and safety monitoring (per the OpenAI Data Processing Addendum), after which it is permanently deleted.
4.5 Product Improvement (Internal)
To enhance the pedagogical accuracy and performance of Mark Mate, we may process de-identified or aggregated data derived from the platform. This data is stripped of all Personal Data (names, school identifiers) so it can no longer be associated with an individual. We use this anonymous data to train and refine our proprietary internal feedback algorithms.
5. Third-Party Sub-Processors
| Processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Wonde Ltd | MIS Data Sync | UK | N/A (UK Based) |
| Stripe, Inc. | Payments | USA/UK | UK-US Data Bridge |
| OpenAI, LLC | AI Processing | USA | SCCs + UK Addendum |
| Bento | Transactional Email & Marketing Automation | USA | SCCs + UK Addendum |
| Umami Software, Inc. | Cookieless, anonymous website analytics (no personal data processed) | USA | SCCs + UK Addendum |
6. Data Retention & Deletion
- Active Accounts: Data is kept while the account is active.
- Deleted Accounts: All user and student data is permanently purged within 30 days of account deletion.
- Backups: 7-day rolling backups (automatically overwritten).
- Financial Records: Payment records are retained by our payment processor (Stripe) for 7 years as required by UK tax law. These records are not stored within the Mark Mate application.
7. Cookies & Session Data
We use the following cookies:
| Cookie | Purpose | Duration |
|---|---|---|
markmate_session |
Maintains your logged-in session | 120 minutes of inactivity |
XSRF-TOKEN |
Prevents cross-site request forgery attacks | Session |
remember_web_* |
"Remember me" functionality (if enabled) | Persistent |
We do not use advertising cookies, tracking cookies, or third-party analytics cookies that identify individuals. For privacy-friendly usage statistics we use Umami, which is cookieless and does not collect personal data. For more details, see our Cookie Policy.
8. Your Rights
Under UK GDPR, you have the right to Access, Rectify, Erase, and Port your data.
- To exercise these rights, email support@markmate.co.uk.
- We respond to all requests within 30 days.
- For Students: Please contact your school (the Data Controller) first.
9. Security Measures
- Encryption: All data is encrypted in transit (HTTPS/TLS) and sensitive tokens are encrypted at rest (AES-256).
- Access: Role-based access control (RBAC) ensures teachers only see their assigned students.
- Safeguarding: We utilise automated moderation tools to detect and block content that violates educational safety standards.
10. Children's Data
Mark Mate processes data about children on behalf of schools. Schools are the Data Controller; Mark Mate is the Data Processor. Schools are responsible for ensuring the appropriate legal basis and parental notification for processing student data.
11. Contact
For questions regarding this policy or our data practices:
- Data Protection Lead: james@markmate.co.uk
- Mailing Address: Marking Solutions Ltd, Acacia Cottage, Bourton, Gillingham, SP8 5BJ.