HENLEY EDUCATION

Last updated: March 4, 2026

1. Who We Are

Henley Education ("we", "us", "our") is an AI-powered educational platform that helps students improve their academic performance through personalized learning and assessment tools.

Data Protection Contact:

Email: Privacy@henleyed.co.uk

2. What Personal Data We Collect

For Students:

Name and username
Email address (optional)
School information and year group
Assessment results and academic performance data
Learning preferences and practice session data
Progress tracking and achievement records

For Parents:

Name and email address
Account login credentials
Relationship to student(s)
Communication preferences

For Teachers:

Name and professional email
School affiliation and department
Class and student data uploaded for analysis
Usage analytics and platform interaction data

3. Legal Basis for Processing

We process your personal data based on:

Consent: You have given clear consent for processing your personal data
Legitimate Interest: Processing is necessary for educational purposes and platform improvement
Legal Obligation: Compliance with educational regulations and data protection laws

4. How We Use Your Data

Provide personalized educational content and assessments
Track student progress and generate performance analytics
Enable communication between students, parents, and teachers
Improve our AI algorithms and educational effectiveness
Send important updates and educational notifications
Ensure platform security and prevent misuse

5. Data Sharing and Third Parties

We may share your data with:

Educational Partners: Schools and authorised teachers
AI Service Provider: Mistral AI — see Section 5a below for full details
Database & Hosting: Supabase Inc. (US company, data stored in AWS eu-west-2, London)
Payment Processing: Stripe Inc. (US company) — payment and subscription data only
Content Delivery Networks: Google Fonts, jsDelivr, Cloudflare — static assets only, no personal data shared
Legal Requirements: When required by law or court order

5a. Artificial Intelligence Systems

When a student submits a written answer for marking, that answer is sent to Mistral AI (operated by Mistral AI SAS, Paris, France) to generate automated marking feedback. This is the only external AI service we use.

What is sent to Mistral AI:

The student's written answer — automatically pre-processed to remove personal identifiers before transmission (see below)
The question text
The mark scheme for that question

What is never sent to Mistral AI:

Student name, username, or email address
School name or school code
Any other personally identifying information

Before a student's answer leaves our systems, it passes through an automated pseudonymisation step that strips email addresses, phone numbers, UK postcodes, and inline name disclosures. The AI service therefore receives subject-matter text only.

Data retention at Mistral AI: Mistral AI does not use API inputs to train its models and retains API request data for a limited period in line with its standard API data policy. See mistral.ai/terms for current details.

AI feedback is for guidance only. All AI-generated marks and feedback are indicative. Teachers retain full oversight and may review or override any AI-generated result.

We never:

Sell your personal data to third parties
Use student data for commercial advertising
Share identified student data outside the EU without adequate safeguards

6. Your Rights Under GDPR

You have the right to:

Access: Request copies of your personal data
Rectification: Correct inaccurate or incomplete data
Erasure: Request deletion of your personal data
Portability: Receive your data in a machine-readable format
Object: Object to processing for direct marketing or legitimate interests
Restrict: Limit how we use your data
Withdraw Consent: Revoke consent at any time

To exercise these rights:

Log into your account settings
Contact us at Privacy@henleyed.co.uk
We will respond within 30 days

7. Data Retention

Student Data: Retained while enrolled + 2 years for educational continuity
Parent Data: Retained while child is enrolled + 1 year
Teacher Data: Retained while employed + 3 years for professional records
Assessment Data: Anonymized after 5 years for research purposes
Account Data: Deleted within 30 days of account closure request

8. Data Security

We protect your data through:

End-to-end encryption for data transmission (HTTPS/TLS)
Encrypted data storage in EU-based servers
Multi-factor authentication for staff accounts
Regular security audits and penetration testing
Staff training on data protection best practices
Access controls and audit logging

9. Children's Privacy (Under 16)

Student accounts can only be created with parental permission. This is enforced at the point of registration — a student cannot sign up without a parent or guardian completing the consent step first. For all student users:

Parental permission is obtained before any data is collected
Parents can review and delete their child's data at any time via the parent portal
Enhanced privacy protections apply to all student accounts regardless of age
No behavioural advertising or profiling
Only data necessary for educational purposes is collected

10. Cookies and Tracking

We use essential cookies for:

User authentication and session management
Platform functionality and user preferences
Security and fraud prevention

You can manage cookie preferences in your browser settings.

11. Data Breach Notification

In case of a data breach:

We will notify authorities within 72 hours
Affected users will be informed if high risk exists
We will provide clear information about the incident
Steps taken to mitigate harm will be communicated

12. Automated Decision-Making (Article 22 UK GDPR)

The platform uses AI (Mistral AI) to generate automated marking feedback on student practice answers. We wish to be transparent about how this works:

What the AI does: Generates indicative marks and written feedback on submitted answers
Effect on students: AI feedback is for personal learning guidance only. It does not determine grades, school performance records, or any formal outcome
Human oversight: Teachers retain full oversight and may review, correct, or override any AI-generated result at any time
No significant legal or similar effect: Because AI feedback is informal and teacher-overridable, it does not constitute automated decision-making with significant effects under Article 22
Your right to human review: You may request that any AI-generated feedback be reviewed by a teacher by contacting your teacher directly or emailing Privacy@henleyed.co.uk

13. International Transfers

Some of our third-party providers are based outside the UK. We ensure appropriate safeguards are in place for all transfers:

Provider	Country	Data Transferred	Transfer Mechanism
Mistral AI SAS	France (EU)	Pseudonymised student answers	UK Adequacy Regulation (EU)
Supabase Inc.	US company; data stored in AWS London (eu-west-2)	All platform data	UK International Data Transfer Agreement (IDTA)
Stripe Inc.	US	Payment data (name, card details, billing address)	UK–US Data Bridge
Google Fonts / jsDelivr / Cloudflare	US	IP address in CDN access logs (static assets only)	UK–US Data Bridge / Standard Contractual Clauses

14. Changes to This Policy

We may update this privacy policy to reflect:

Changes in law or regulation
New features or services
Improved data practices

Users will be notified of significant changes via email and platform notifications.

15. Contact and Complaints

Data Protection Queries:

Email: Privacy@henleyed.co.uk
Response Time: Within 5 working days

Complaints:

If unsatisfied with our response, you can complain to:

Information Commissioner's Office (ICO)
Website: ico.org.uk
Phone: 0303 123 1113

Back to Platform