Privacy Policy

Data controller

AILitKit is operated by IN&ED. For data protection enquiries, including any concern about a guide that was generated, blocked, or flagged, contact hello@ailitkit.com. We aim to respond within 5 working days.

What we collect

When you create an account we collect:

• Email address (for sign-in and transactional email).
• Display name (optional).
• School or trust name (optional).
• Country, and where applicable emirate, used to apply the right regional framework set and safeguarding context (for example, UK accounts are flagged as following Keeping Children Safe in Education).
• Teaching preferences: primary key stage and primary subject.
• Onboarding status, communication preferences, and a record of which transactional emails we have sent you.
• If you applied through the early-access route: your role, urgency, scale, timeline, intended subject, commitment answer, GDPR consent confirmation, and an internal application score and tier. Application records are retained whether or not you activate an account so we can prevent duplicate applications and report on the early-access programme.
• If you are part of a school or trust account: your membership role (member, admin, owner, trust admin), the organisation you belong to, and invitation history.
• If you are a paying customer or a founding member: Stripe customer and subscription identifiers, founding-member status, founding pricing forfeiture date, and timestamps for the founding-conversion reminders we have sent.

When you generate a guide we store, on the guide row: your input data (subject, key stage, year group, topic, free-text description), the generated guide itself, your activity selections inside the guide, and any feedback you choose to submit. Uploaded curriculum text is processed for that single generation only and is not retained — only the filename and upload date persist on the guide row.

Separately, the safeguarding classifier writes one row per request to a safety-audit log. Allowed requests retain no input data in this log — only the verdict and decision metadata. Sensitive or blocked requests additionally retain a 250-character snippet of your topic and free-text description, plus a boolean flag if an upload was involved. The snippet exists so a reviewer can confirm the decision against the actual request; uploads themselves are never in the audit log. See the "Safety and audit logs" section below for the full retention story.

How we process your data

Guide generation is powered by Google Gemini, accessed through OpenRouter. OpenRouter operates a zero data retention policy. Your prompts and outputs are not stored, logged, or used for model training by either OpenRouter or the model provider.

Before any guide is generated, your subject, key stage, topic and any free-text description are checked by a layered content-safety classifier so we never produce content that breaches established safeguarding standards. The classifier runs in two layers:

• First pass — Meta Llama Guard 4 (12B), via OpenRouter. A first-pass classifier against the industry-standard MLCommons hazard taxonomy (including child sexual exploitation, indiscriminate weapons, suicide and self-harm, and hate). The request is sent under our account's “Always enforce zero data retention” policy, so it is routed only to providers that contractually do not retain, log or train on the input. If Llama Guard returns "safe", the request is allowed; if it returns "unsafe", the request falls through to the second pass.
• Second pass — Curriculum reviewer (Google Gemini, via OpenRouter). A curriculum-aware second opinion that runs only when Llama Guard flagged the request. It decides whether the flagged topic fits an established curriculum context, for example KS3 PSHE drug awareness, KS4 RSHE consent and contraception, GCSE Biology reproduction, or A-level Psychology mental health. The reviewer is aligned to the UK statutory curriculum and applies the same age-appropriate, awareness-not-instruction framing to comparable content from other curricula. Hard-block categories (child sexual exploitation, indiscriminate weapons) are blocked regardless of the reviewer's opinion.

All AI processing APIs we use operate under zero data retention or processing-only terms. Every OpenRouter call we make — Llama Guard 4 for the first-pass classifier, Google Gemini for the curriculum reviewer, and Google Gemini for guide generation — is sent under our account's “Always enforce zero data retention” data policy. OpenRouter only routes these requests to providers that contractually do not retain, log, or train on the input; if no zero-retention provider is available the request fails closed rather than falling back to a retaining route. Scaleway processes embedding requests in Paris and does not retain the input text. Upstash QStash delivers job payloads and discards them after processing. The only place your input persists in connection with the classifier is our own audit log, and only on flagged decisions: we record the verdict, layer, category, model used and latency for every request, and additionally a 250-character snippet of your topic and free-text description (plus a boolean flag for whether an upload was involved) only when the decision is "sensitive" or "blocked". Allowed decisions are logged with metadata only and retain no input snippet. See "Safety and audit logs" below.

Keyword matching and semantic search use embedding models hosted by Scaleway in Paris, France (EU jurisdiction). Scaleway processes embedding requests without retaining the input text. Embeddings are generated from curriculum content only and do not contain personal data.

Guide generation tasks are scheduled via Upstash QStash (EU-hosted, Frankfurt). Job payloads are delivered and immediately discarded after processing — QStash does not retain message payloads.

Automated decisions and how to appeal

The pre-generation safeguarding classifier is an automated process that can refuse or modify a guide-generation request without human involvement. We treat its decisions as automated decision-making within the scope of UK GDPR and EU GDPR Article 22 and apply the safeguards Article 22 requires:

• This policy explains the existence and logic of the automated classifier, and the consequences of its decisions, in the "How we process your data" section above.
• Most flagged requests are escalated to a curriculum-aware reviewer before the final decision, which provides a meaningful, curriculum-aware check rather than a purely binary block.
• You can request human review of any decision by emailing hello@ailitkit.com with the date, subject, key stage and topic. A human will review the decision, take your point of view into account, and respond within 5 working days. This is how you exercise your right to human intervention, express your point of view, and contest the decision.

A small number of categories are hard-blocked without escalation to the reviewer: content categorised as child sexual exploitation, weapons of mass destruction, or other unlawful material. We rely on Article 22(2)(a) (decision necessary for performance of the contract for a teacher-only AI literacy planning service that is not capable of producing such content) and Article 22(2)(b) (compliance with applicable law, including UK and EU laws criminalising child sexual abuse material and proliferation-related content) for these hard-block categories. The email route above remains available if you believe a hard-block was applied to a request that did not in fact fall within one of these categories.

Teacher review of AI-generated content

Every guide is generated by AI and is clearly labelled as such. AILitKit is a planning aid, not a substitute for professional judgement. You must review every guide before classroom use to confirm activities, framing and language are appropriate for your specific learners and your school's policies. If a guide contains anything you consider inaccurate, biased, age-inappropriate, or unsafe, please report it to hello@ailitkit.com — we use these reports to tune the safeguarding rubric and the system prompt.

Lawful basis

We process your data under Article 6(1)(b) (contract performance) for account management and guide generation, and Article 6(1)(f) (legitimate interests) for service security, abuse prevention, the layered safeguarding classifier described above, and lifecycle communications tied to your subscription or founding-member status. For users in the UAE the equivalent bases are consent (account creation) and legitimate interest (guide generation and safety) under PDPL Article 5.

Payments

Payments are processed by Stripe. We do not store your card details. Stripe's privacy policy applies to payment processing. We retain a record of webhook event identifiers received from Stripe (event ID, event type, timestamp) so we can deduplicate retries and reconcile your subscription state; this log does not contain card data.

Email

All email is sent via Resend. We send three categories of email:

• Transactional email — account activation, password reset, email change confirmations, subscription receipts, renewal reminders, account-deletion confirmations, and organisation invitations sent on behalf of a school or trust admin. We rely on Article 6(1)(b) (contract performance) for these. You cannot opt out of transactional email while you have an active account because they are necessary for the service.
• Lifecycle email — a small number of automated messages tied to the programme you signed up for, for example a single onboarding nudge if you start signup but do not complete it, a welcome to your first generated guide, and (for founding members) two pricing-conversion reminders before access ends and a notification when access ends. We rely on Article 6(1)(f) (legitimate interests) for these.
• Product and service updates — occasional emails about new features, improvements, and educational content relevant to AI literacy in schools. For existing customers and free-account holders we rely on the "soft opt-in" under PECR Regulation 22(3) and Article 6(1)(f) (legitimate interests). For applicants who have not yet activated an account, we rely on the consent given at the point of application. To opt out, email hello@ailitkit.com with "Unsubscribe" in the subject line. We will action your request within 5 working days and the opt-out does not affect transactional or lifecycle email tied to your account.

We do not sell your email address, do not share it for third-party marketing, and do not run advertising trackers. Your email is shared with Resend solely for delivery of the messages described above.

File uploads

Uploaded files are processed to extract curriculum text, then the original file is automatically deleted from our servers once your guide is generated. The extracted text is also cleared after generation. Only the filename and upload date are retained for your records.

As a safety net, an hourly background check removes any uploaded file that, for any reason, was not deleted by the per-generation cleanup. No upload remains on our servers for longer than one hour after processing.

Do not upload documents containing personal data, student names, staff names, school addresses, or any information that could identify individuals. AILitKit only needs curriculum content: schemes of work, lesson plans, and topic descriptions.

Data you should not share

AILitKit is designed to process curriculum content only. Do not enter or upload: student names or details, staff personal information, safeguarding records, SEN/EHCP documents, pastoral notes, or any document containing identifiable personal data. If you accidentally upload a document containing personal data, contact hello@ailitkit.com immediately for deletion.

School and trust accounts

If you join AILitKit through a school or trust account, your school's administrators (and, where applicable, your trust's administrators) can:

• See your name, email, role and active/invited status on their member roster.
• Manage your seat, including removing you from the organisation.
• See a list of guides generated by accounts in their organisation showing the scope, subject, key stage, date, and the teacher's name — metadata only. They cannot read the contents of your guides.
• See safeguarding decisions flagged as "sensitive" or "blocked" for accounts in their organisation, so the safeguarding lead can step in if a colleague is repeatedly hitting the gate. Each row includes the teacher's name, the verdict, the category, and a short snippet of the topic or description — the same 250-character snippet retained in the audit log, displayed in the admin view truncated at 120 characters; this is a render-time view of the audit log row, not a separate stored copy of your input. They cannot see decisions that were allowed.

If you are an organisation administrator, the same rules apply to you in reverse: you are accountable, under your school's own data protection policies, for accessing colleague metadata only as needed to administer the account.

Safety and audit logs

We keep a small set of internal logs that exist for safety, security and billing reconciliation rather than analytics:

• Safeguarding decisions. Every classifier run records the verdict (allow/sensitive/blocked), which layer reached the verdict, the category, the model used, and the latency. For decisions flagged "sensitive" or "blocked" we additionally retain a 250-character snippet of your topic and free-text description, plus a boolean flag if an upload was involved, so a reviewer can confirm the decision against the actual request. Allowed decisions retain no input snippet — by design, allowed requests are not reviewed by humans, so the verdict and metadata are sufficient. Uploaded curriculum text is never written to this log at any verdict. The log is retained for as long as the underlying account exists. School and trust admins see only sensitive and blocked entries for their organisation, never allowed entries.
• Stripe webhook idempotency log. A record of Stripe event identifiers and types we have received, used to prevent duplicate processing on Stripe retries. No card data is held here.
• Administrative alerts. Where an automated job fails (for example, a webhook signature mismatch or a stuck cleanup), we record an alert for our operations team. These records are retained until resolved and may be retained for a further 90 days for trend analysis.
• Background processing. Cleanup, founding-member reminders and onboarding nudges run as scheduled jobs on Vercel Cron and Upstash QStash. These jobs touch the data described above and do not introduce new categories of processing.

Hosting and data storage

Your account data and generated guides are stored in Supabase (database and authentication, EU region). Uploaded files are automatically deleted after guide generation and are not retained. The application is hosted on Vercel. Both services process data in accordance with GDPR and Standard Contractual Clauses for any transfers outside the EEA.

Cookies and analytics

We use essential cookies for authentication. We do not currently run any third-party analytics, advertising trackers, or marketing pixels. If we add analytics in future, we will update this page first and only use a privacy-focused, anonymous tool.

Third-party services summary

Data retention

Account data is retained while your account is active. Generated guides are retained until you delete them or your account. Deleted guides sit in your Recently Deleted view for a 30-day undo window, then are permanently purged by an automated cleanup job. Uploaded files are automatically deleted after guide generation, with an hourly safety check that removes any file the per-generation cleanup missed.

Safety and audit logs (safeguarding decisions, Stripe event ledger, administrative alerts) are retained for as long as is necessary for safety, security, and billing reconciliation, and in any case no longer than the underlying account.

If you delete your account, your authentication record and personal data are removed immediately. Reports, uploads, organisation memberships, and safeguarding-decision audit entries tied to your account are removed by database cascade at the same time, and any soft-deleted guides still in the 30-day undo window are purged by the next cleanup run. The Stripe webhook idempotency log records event identifiers we received from Stripe and is not tied to a user account; it is retained as a system log for billing reconciliation and contains no card data.

International transfers

Your data may be processed outside the UK/EEA by our service providers (Vercel, OpenRouter, Stripe, Resend, Supabase). These transfers are protected by Standard Contractual Clauses or equivalent safeguards. Our OpenRouter account is configured with the “Always enforce zero data retention” data policy: every request — guide generation, Llama Guard 4 first-pass classifier, and Gemini curriculum reviewer — is routed only to providers that contractually do not retain, log or train on the input. Embedding processing is EU-hosted (Scaleway, Paris) and task scheduling is EU-hosted (Upstash QStash, Frankfurt).

For users in the United Kingdom and Ireland

The UK General Data Protection Regulation (UK GDPR) applies to your use of AILitKit. You have the rights set out in UK GDPR Articles 15–22, including access, rectification, erasure, restriction, portability, objection, and the right not to be subject to a decision based solely on automated processing. The pre-generation safeguarding classifier is automated; see "Automated decisions and how to appeal" above for how to exercise your Article 22 rights. The Information Commissioner's Office (ICO) is the supervisory authority. You may lodge a complaint at ico.org.uk.

For users in the European Union

The EU General Data Protection Regulation (EU GDPR) applies to your use of AILitKit. You have the rights set out in EU GDPR Articles 15–22, including access, rectification, erasure, restriction, portability, objection, and the right not to be subject to a decision based solely on automated processing (Article 22). Your national Data Protection Authority is the relevant supervisory authority, and you may lodge a complaint with them directly.

EU AI Act: AILitKit is classified as a limited-risk AI system. We provide transparency about AI-generated content in every guide and disclose the use of automated content-safety classifiers above.

For users in the United States

FERPA: AILitKit does not collect, store, or process student education records. Teachers use the platform for professional planning only. No student data is required or accepted. AILitKit is compliant with FERPA by design.

COPPA: AILitKit is designed for adult teachers. Students do not create accounts or interact with the platform. We do not knowingly collect information from children under 13.

CCPA (California): California residents have the right to know what personal information is collected, request deletion, and opt out of sale. We do not sell personal information. You can export or delete your data from account settings.

To exercise your rights or file a complaint, contact your state Attorney General.

For users in the United Arab Emirates

UAE Federal Decree-Law No. 45/2021 (Personal Data Protection Law) applies to your use of AILitKit. We process your data on the basis of consent (account creation) and legitimate interest (guide generation and safety) under PDPL Article 5. Cross-border transfers are conducted with contractual safeguards under PDPL Article 22.

The UAE Data Office is the supervisory authority. AILitKit supports schools in meeting MoE AI literacy mandates effective from the 2025–26 academic year.

Children's data

AILitKit is designed for use by teachers (adults). Students should not create accounts or interact with the platform directly. We do not knowingly collect data from children. This position supports compliance with COPPA (US), the ICO Age Appropriate Design Code (UK), and similar child protection regulations worldwide.

Your rights

Under applicable data protection law, you have the right to access, correct, export, or delete your data, and to seek human intervention on automated decisions taken by the safeguarding classifier. You can export your data from your account settings, or contact hello@ailitkit.com for any data request. We aim to respond within 5 working days.

Changes to this policy

We may update this policy from time to time. Material changes will be notified via email or an in-app notice. The "Last updated" date at the top of this page records the most recent revision.