The short version
This policy covers young people aged 5 to 18 and over. Conversations are not fully private, because safeguarding staff can access them. Stored data is encrypted with a separate key per student. We never train AI on student data. Parents can consent, withdraw consent, and request deletion. KCSIE, UK GDPR, and the Children's Code all apply.
Who we are
Poyntr Ltd is the data controller. Your institution is a joint controller for safeguarding decisions and consent management. Responsibilities are set out in a data processing agreement. We comply with UK GDPR, DPA 2018, the UK Age Appropriate Design Code (Children's Code), and KCSIE.
What we collect
Student identity. Name, date of birth, year group, institution, unique student identifier.
Institutional context. SEN (special educational needs) status, LAC (looked-after child) status, FSM (free school meals) eligibility, EAL (English as an additional language) status. Provided by the institution, not the student. Helps the companion provide sensitive, appropriate support.
Conversations. Text messages between the student and the AI companion.
Detection data. Wellbeing signals and safeguarding flags from 23 youth-specific detectors.
Voice and emotion. Audio is processed in real time for transcription and tone analysis. Raw audio is not stored.
Memory. Encrypted contextual summaries for continuity across conversations. Per-student keys.
Parent/guardian data. Name, contact details, relationship, consent records (date, method, scope).
Staff data. Name, email, job title, safeguarding role, access logs, DBS check confirmation (not the certificate).
Technical data. IP address, browser, device, session timestamps. Strictly necessary cookies only.
How we use it
Companion service. Processing conversations, generating AI responses, maintaining memory for continuity.
Safeguarding. 23 youth-specific detectors analyse conversations for wellbeing concerns and safeguarding risks. Alerts go to designated staff.
Staff visibility. DSLs, deputy DSLs, pastoral staff, and counsellors can access conversations within their scope. Teaching staff cannot.
Consent management. Processing parental consent for under-16s and managing the consent lifecycle.
Analytics. Anonymised, aggregated wellbeing trends for the institution. Never individual content. Aggregation at trust and local authority level where applicable.
Legal compliance. Safeguarding duties under KCSIE, Prevent duty, data retention obligations.
Legal basis
Contract (Article 6(1)(b)) for the service. Legitimate interests (Article 6(1)(f)) for safeguarding detection, with LIA and DPIA completed. Consent (Article 6(1)(a)) for under-16s, self-consent for 16+. Vital interests (Article 6(1)(d)) for crisis situations. Legal obligation (Article 6(1)(c)) for KCSIE and Prevent. Special category data processed under Articles 9(2)(a), 9(2)(c), and 9(2)(g) (DPA 2018 Schedule 1 Part 2 paragraph 18).
Safeguarding visibility
DSL and deputy DSLs. Full access to all student conversations and alerts within their institution.
Pastoral staff. Scoped to students in their assigned groups.
School counsellors. Scoped to referred students only.
Teaching staff. No access to student conversations.
Audit logging. Every staff access is recorded: who accessed, which student, when, and why. Logs are immutable and retained for 7 years.
Student awareness. Students are clearly informed during onboarding and within the interface that conversations may be viewed by safeguarding staff. Children's Code requirement.
Data sharing
All service providers are bound by DPAs. They cover AI conversation processing, voice processing, text embeddings, and cloud infrastructure. No provider retains student data beyond real-time processing. External agency referrals (CAMHS, police, children's services) are the institution's decision, not ours. We do not sell, rent, or trade student data.
Never used to train AI
Student conversations, memories, journal entries, detection results, and voice data are never used to train AI models. Third-party providers are contractually prohibited from training on student data. We improve the platform using only anonymised aggregates. Students can request full export or erasure at any time.
International transfers
Primary storage in European data centres. Some processing (AI, transcription, voice) involves US providers. Protected by UK IDTA or UK Addendum to EU SCCs, DPAs, Transfer Impact Assessments, and contractual prohibitions. Additional Children's Code protections applied to all international transfers of children's data.
Security
AES-256-GCM encryption at rest, with a separate encryption key derived per student via HKDF, so one student's key cannot be used to decrypt another student's data. TLS 1.3 in transit. European data centres. Role-based access control with audit logging. Regular security review.
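To make the per-student key design above concrete, here is an added example (written for this page, not Poyntr's own code) using only the Go standard library. It derives a 256-bit AES key per student with HKDF (RFC 5869, HMAC-SHA-256, implemented inline since older Go releases have no stdlib HKDF) and encrypts a memory record with AES-256-GCM. The salt label, the info layout (institution and student identifiers), the record-type AAD, and the use of a single master key are all assumptions for the example; the page does not say how Poyntr structures its derivation or where the master key is held.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// hkdfExtract: RFC 5869 HKDF-Extract with HMAC-SHA-256, PRK = HMAC(salt, IKM).
func hkdfExtract(salt, ikm []byte) []byte {
	mac := hmac.New(sha256.New, salt)
	mac.Write(ikm)
	return mac.Sum(nil)
}

// hkdfExpand: RFC 5869 HKDF-Expand, T(i) = HMAC(PRK, T(i-1) | info | i).
func hkdfExpand(prk, info []byte, length int) []byte {
	var out, prev []byte
	for counter := byte(1); len(out) < length; counter++ {
		mac := hmac.New(sha256.New, prk)
		mac.Write(prev)
		mac.Write(info)
		mac.Write([]byte{counter})
		prev = mac.Sum(nil)
		out = append(out, prev...)
	}
	return out[:length]
}

// StudentKey derives a 256-bit AES key for one student from the master key.
// Salt label and info layout are assumptions for this example. Each key is a
// distinct one-way function of the master key, so one cannot recover another.
func StudentKey(masterKey []byte, institutionID, studentID string) []byte {
	prk := hkdfExtract([]byte("poyntr-student-dek-v1"), masterKey)
	info := []byte("student|" + institutionID + "|" + studentID)
	return hkdfExpand(prk, info, 32)
}

// Seal encrypts plaintext with AES-256-GCM under key. A fresh random 96-bit
// nonce is prepended; aad is authenticated but not encrypted (record binding).
func Seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open decrypts a record produced by Seal. A wrong key, a changed aad, or
// any modified byte of nonce, ciphertext or tag fails closed.
func Open(key, record, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(record) < gcm.NonceSize() {
		return nil, errors.New("record too short")
	}
	nonce, ct := record[:gcm.NonceSize()], record[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	// Constructed demo: a random master key (its custody, e.g. KMS or HSM,
	// is not something the policy states) and two students at one school.
	master := make([]byte, 32)
	if _, err := rand.Read(master); err != nil {
		panic(err)
	}
	keyA := StudentKey(master, "inst-001", "stu-A")
	keyB := StudentKey(master, "inst-001", "stu-B")
	fmt.Println("key A:", hex.EncodeToString(keyA)[:16]+"...", "key B:", hex.EncodeToString(keyB)[:16]+"...")
	aad := []byte("inst-001|stu-A|memory")
	record, err := Seal(keyA, []byte("summary: prefers morning check-ins"), aad)
	if err != nil {
		panic(err)
	}
	_, err = Open(keyB, record, aad)
	fmt.Println("student B's key on A's record:", err)
	pt, err := Open(keyA, record, aad)
	fmt.Println("student A's key on A's record:", string(pt), err)
}
```

Two design points worth noting. Putting the institution identifier in the HKDF info means the same student ID at two institutions yields unrelated keys, and the AAD ties each ciphertext to one student and record type, so a record copied into another student's storage fails to decrypt rather than silently reading as theirs. What the page does not say, and a DPIA reviewer would ask, is where the master key lives and how per-student keys are rotated or destroyed on erasure.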
Data retention
Active accounts. Retained while the student's account is active.
After last interaction. 3-year default retention, aligned with safeguarding record-keeping practices. Institutions may configure shorter.
Leaving the institution. Account deactivated. Data retained for the configured period from deactivation.
Turning 18. Safeguarding visibility ends for new conversations. Historical data retained per institution's safeguarding obligations.
Erasure on request. Honoured unless there is a legal obligation to retain (e.g. safeguarding records under KCSIE). Partial erasure clearly explained.
Audit logs. 7 years regardless of account status.
Rights of young people
Access, rectification, erasure (subject to safeguarding), restriction, portability, objection, and rights relating to automated decision-making. Detectors flag concerns for human review; they do not make automated decisions about the student. Students 16+ exercise rights themselves. Under 16, parents exercise rights with the student's views taken into account per the Children's Code.
Parental rights
Access to child's data (with student views considered for 16+). Withdraw consent for under-16s (account deactivated). Request erasure (subject to safeguarding). Be informed about data use. Complain to the institution's DPO, to Poyntr, or to the ICO.
Cookies
Strictly necessary session cookie only. No tracking, analytics, or advertising cookies. No separate cookie consent required under PECR 2003.
Changes
Material changes notified to the institution at least 30 days in advance. Clear summary of what changed and why when children's data processing is affected. Institutions responsible for informing students and parents.
Contact
Data protection: [email protected]. Safeguarding: [email protected]. ICO: ico.org.uk, 0303 123 1113.