Login
Try now

Privacy Policy

Privacy and Data Policy

This Privacy and Data Policy outlines how Public Sector Analytics Ltd t/a askKira, a Limited Company registered in England and Wales (Company Number: 14889377) operating in the field of education technology, collects, uses, processes and safeguards data from users of our AI educational chatbot for educators – askKira.com. We are committed to maintaining the privacy and security of your personal information while providing valuable insights to industry leaders to drive informed decision-making within the education sector.

Introduction and Overview

Our Role as Data Processor

askKira operates as a data processor, acting on the instructions of your institution (the data controller) when handling user-submitted content. We process data solely for the purpose of delivering our services as specified in our Data Processing Agreement.

Data Controller

The data controller for your personal information is you or your institution, depending on your subscription type. Public Sector Analytics Limited acts as a data processor, processing data only on the instructions of the data controller.

Consent

As an individual using our AI educational chatbot, you consent to the collection and processing of your data as described in this policy. You can withdraw your consent at any time by discontinuing use of our services. You can also opt-out of marketing from askKira by clicking Unsubscribe at the bottom of any of our emails, declining cookies on our website or by completing this form.

Data Collection and Usage

Types of Data Collected

We collect user information such as name, email address, educational background and professional interests, as well as interactions and queries made with the AI chatbot.

Additionally, we collect specific personal information including name, email address, job title and date of birth. This information is collected for the purpose of generating user accounts and enabling personalisation of our services.

Purpose of Data Collection

Your data is collected when you engage with our chatbot, subscribe to our services, download resources or contact us for support. This engagement allows us to gather the information necessary to provide you with our services and support. As you interact with our services, we automatically collect data regarding your device and usage patterns through cookies and similar technologies. This data enhances our service’s functionality and user experience.

Additionally, we utilise your demographic data for marketing purposes, such as sending email newsletters to keep you updated on our latest products, services and industry insights. Aggregated and anonymised data may be shared with industry leaders to inform educational policies and strategies. 

We may fine-tune or train our AI models with our own proprietary inputs to enhance its utility and relevance to our users. This process is part of our commitment to providing a service that is responsive to the needs of our user base. We do not use user inputted data for fine-tuning or training our AI models.

The chat history feature is powered by a secure database that stores key-value pairs, linking a user ID to their submitted queries and responses. These records are accessible only to the individual user whose unique key matches the stored entry.

No Training or Sharing of User Data

No user-submitted data is used to train any language models, nor is it shared externally or made viewable by any third party, nor is any data passed into a system that would retain it outside the secured infrastructure.

Data Processing and Sharing

Data Processing

Public Sector Analytics Ltd (t/a askKira) enters into Data Processing Agreements (DPA) with all third-party service providers and external consultants who process anonymised data on our behalf. These agreements ensure that data is processed in compliance with UK GDPR, upholding stringent data protection and privacy standards. 

Anonymised data is processed by our business intelligence platform and external consultants, under separate DPAs, to provision the Public Sector Analytics insights offering. This processing is conducted based on clients’ opted-in selection in their order form for anonymised usage and behavioural analytics and is used to generate insight and intelligence reports. The DPA governs how data processors handle the data, including maintaining confidentiality, ensuring data security and adhering to the specified processing purposes. All processors are subject to regular audits to ensure ongoing compliance with these obligations.

Users can request deletion or subject access requests in accordance with GDPR rights, including access, deletion and data portability.

All data entered into the platform either through account set up or user input is processed in real time to generate responses, after which it is only stored for user-facing features (such as saved conversations, account profile data or automatic organisational insights). We apply a privacy-by-design approach, meaning we collect the minimum data required to deliver the service.

Formal Data Processing Agreement

A formal Data Processing Agreement can be issued for signing as part of your contract with us.

Data Sharing

We anonymise user data for analytics to understand service usage and improve educational outcomes. This approach ensures privacy while contributing valuable insights to the educational leaders.

No data from the platform is sold or shared with third-party products or services, either directly or through partnerships. askKira does not sell, share or transfer any user-submitted data to third-party products or services – either directly or through partnerships.

Aggregated and anonymised data may be shared with industry leaders, policymakers and educational institutions to drive informed decision-making within the education sector.

Public Sector Analytics Insights Dashboard

Public Sector Analytics provides an insights dashboard that shares anonymised usage and behavioural insights from across all of an organisation’s askKira userbase. This dashboard informs a school of their users’ behaviours benchmarked and compared to other similar organisations’ userbase. It’s important to note that no personal data is processed for the provision of this insights dashboard. All data used to generate insights has any identifiable traits or markers removed. We also implement a minimum sample size to generate insights to avoid bias and exposure.

Organisational users can opt-in to the Public Sector Analytics insights offering via the order form. This opt-in allows us to process anonymised usage and behavioural analytics data for the purpose of generating insight and intelligence reports, which are only visible to the Organisation themselves.

Our business intelligence platform processes anonymised data to provision the Public Sector Analytics insights offering for organisations. This processing is done in accordance with the opt-in provided in the order form for organisations.

Third Party Services and Processing

Third-Party Services

We may engage third-party service providers to assist with data analysis and storage, but we ensure that they adhere to strict privacy and security standards. We may receive data about you from various third parties, including analytics providers and data aggregators, which complements the information we collect directly and supports our service improvement efforts.

We utilise third-party providers to facilitate our services. Our agreements with these providers ensure that your interactions with our chatbot are not used to train their models.

Our service providers include:

  • Amazon Web Services (AWS) – Provides secure cloud hosting and infrastructure to ensure the reliability and scalability of our platform.
  • Microsoft Azure – Supports certain AI powered functionalities and secure data storage.
  • OpenAI – Used for certain AI-powered functionalities. OpenAI does not use API data for training models, though it may temporarily log data for abuse prevention.
  • Google – Includes Google Analytics for understanding website traffic and user interactions to improve our services and for certain AI powered functionalities.
  • Hotjar – Provides heatmaps and behavioural analytics to optimise user experience. No personally identifiable information is collected.
  • Stripe – Processes secure online payments. Stripe follows strict financial security protocols and does not share payment details with unauthorised third parties.
  • Mailchimp – Manages our email communications. Subscribers can opt out at any time, and no data is shared beyond its intended use.
  • Wonde – Securely connects with education platforms to enable data access while maintaining strict compliance with GDPR and other data protection laws.
  • Cloudflare – Provides security and performance enhancements, including DDoS protection and traffic optimisation. No personal data is sold or shared.

We ensure that all our service providers comply with relevant data protection regulations, including GDPR and UK data protection laws. Data is only processed for its intended purpose, and we do not sell or share user data with third parties outside of these essential business functions.

Third-party Processing

All third-party processors are bound by contracts that require UK GDPR compliance.

If we change sub-processors, we commit to notifying our clients of the change and the reasons for it within a reasonable period of time, no more than 4 weeks after the change.

Data Security and Hosting

Data Hosting and Protection

Our services are hosted on Amazon Web Services (AWS) servers, with data stored at databases based in London (eu-west-2 region) and within the EEA. We ensure that all our service providers adhere to stringent data security standards regardless of location and operate under appropriate data processing terms that establish clear responsibilities for data protection in accordance with UK GDPR and EU GDPR. These terms establish our service providers as data processors acting under our instructions when handling your data, with appropriate safeguards for data transfers where relevant. Our Data Protection Agreement outlines the measures we take to safeguard personal and anonymised data. We are committed to ensuring that any personal data collected is processed lawfully, fairly and transparently in compliance with UK data protection laws (including UK GDPR). We only process data for specific, legitimate purposes and take steps to minimise the collection of unnecessary personal information. Individuals retain rights over their personal data, including access, correction, erasure and portability. We have implemented strict access control measures, encryption and other security protocols to ensure the protection of this data throughout its lifecycle.

Data Security

We do not share your personal data with third parties without your explicit consent, except as necessary to provide the service or as required by law. To ensure your data is stored securely and inaccessible to unauthorised parties, we have established a robust Information Security Policy that governs all aspects of data handling within Public Sector Analytics Ltd.

This policy includes:

  • Access Control: Only authorised personnel have access to sensitive and anonymised data, with access granted strictly on a case by case and need-to-know basis.
  • Encryption: All sensitive data is encrypted both in transit and at rest to protect against unauthorised access.
  • Monitoring and Auditing: We continuously monitor our systems for vulnerabilities and conduct regular audits to ensure compliance with our security policies.
  • Incident Response: In the event of a security breach, we have a well-defined incident response plan to mitigate damage, notify affected parties and resolve the issue efficiently.
  • Training: All employees and contractors undergo regular security awareness training to ensure they understand their responsibilities in protecting sensitive data.

These industry-standard security measures are designed to safeguard your data and ensure it is handled in compliance with relevant regulations.

Granular Permissions and User Access Management

To safeguard your personal data, we implement rigorous user access management and granular permissions. This approach ensures that only authorised personnel can access specific data types, strictly on a need-to-know basis. Our system’s design follows the principle of least privilege, ensuring that access rights are tailored to each user’s role and responsibilities, thereby minimising potential data exposure.

In the rare event that access to user-submitted content is required, it would only be by an authorised individual who holds an up-to-date DBS check, ensuring compliance with safeguarding requirements.

Data Breach Notification

In the event of a data breach, we are committed to notifying affected users and relevant authorities as soon as possible after becoming aware of the breach, and no later than 72 hours after discovery. We have procedures in place to detect, report and investigate suspected data breaches promptly.

In case of a breach involving our clients’ data, we will:

  • Contain and investigate the breach, assessing the extent of the data affected.
  • Notify the Information Commissioner’s Office (ICO) within 72 hours if the breach poses a significant risk to individuals’ rights and freedoms.
  • Inform affected individuals as required by law.
  • Implement measures to mitigate further risks and provide guidance to those affected on how to protect themselves.
  • Meticulously document all details of the breach for compliance and accountability purposes.

Risk Assessment Strategy

Public Sector Analytics Ltd employs a comprehensive Risk Assessment Strategy to identify, evaluate and mitigate potential risks to data security and privacy. This strategy includes:

  • Regular Risk Assessments: We conduct periodic risk assessments to identify new and existing threats, vulnerabilities and risks to data security.
  • Mitigation Plans: For each identified risk, we develop and implement mitigation strategies, including technical, administrative and physical safeguards.
  • Ongoing Review: We regularly review and update our risk assessment processes to align with changes in the data landscape, regulatory requirements and emerging security threats.
  • Compliance Monitoring: Our risk assessment strategy is closely aligned with UK GDPR, ensuring that we meet our legal obligations in protecting personal data. Any significant changes or findings from assessments are shared with senior management and incorporated into our security strategy.

Cookies and Tracking

We use cookies and similar technologies to enhance your user experience, gather usage data for analytical purposes and for marketing initiatives. By using our AI educational chatbot, you consent to analytics tracking via Google, Hotjar and X to help us understand user behaviour, improve our services and provide personalised content and advertisements. You can manage your cookie preferences through your browser settings.

Data Retention

Data Retention Policies

We do not keep personal data for longer than necessary. Our data retention practices are designed to ensure that we only retain your personal information for as long as it is required to fulfil the purposes for which it was collected or to comply with legal and regulatory requirements.

Data is retained only for as long as required to support the features in use. For example, chat history is stored solely to enable users to review their past interactions. If a user has an active account, they can expect their chat history to always be available, unless they or their organisation choose for it to be deleted.

To ensure compliance with data protection regulations and best practices, we adhere to the following principles:

  • Data Inventory: We maintain a comprehensive inventory of the personal data we hold and the specific purposes for which it is required. This allows us to ensure that we only collect and retain data that is necessary for our operations.
  • Justified Retention Periods: We carefully consider and justify the length of time we keep personal data. Our retention periods are based on legal requirements, business needs and the rights and expectations of our users.
  • Retention Policy: We have established a policy with standard retention periods for different categories of data, which aligns with our documentation obligations. This policy is regularly reviewed and updated to reflect any changes in legal requirements or business practices.
  • Regular Reviews: We conduct periodic reviews of the personal data we hold. During these reviews, we assess whether the data is still necessary for the purposes for which it was collected. Data that is no longer needed is either erased or anonymised in accordance with our retention policy.
  • Right to Erasure: We have implemented appropriate processes to comply with individuals’ requests for erasure under ‘the right to be forgotten’. These processes ensure that we can respond to such requests promptly and effectively, erasing personal data from our systems when required.
  • Data for Specific Purposes: We clearly identify any personal data that we need to keep for public interest archiving, scientific or historical research or statistical purposes. This data is subject to additional safeguards and may be retained for longer periods as permitted by data protection regulations.
  • Anonymisation: Where possible, we anonymise data that we wish to retain for analytical purposes, ensuring that it can no longer be associated with individual users.

Our commitment to these data retention principles helps us maintain the trust of our users while ensuring that we have the necessary information to provide our services effectively.

Retention During and After Contract

Your data will be stored securely for the duration of our contract. Once you leave our service, your data will be retained in our database only for as long as necessary before being securely deleted. However, please note that some data may be present in system-wide cold storage backups, which we maintain as part of our data backup and restoration practices.

User Rights and Legal Information

Rights of Users

Access and Correction You have the right to access and correct your personal information held by us.

Erasure You can request the deletion of your data, and we will comply within a reasonable timeframe. Users can delete their own chat history via the interface. If administrators require content to be deleted at an organisational level, we can action this on request. This deletion is permanent.

Data Deletion Options

We can support automatic data deletion after a set period of time to align with your organisation’s records management policy. Please inform us of your specific requirements.

Data Subject Access Request Process

To request access to your personal data, you can contact our Data Protection Officer at [email protected]. We aim to respond to all legitimate requests within a reasonable timeframe. You may be required to provide identification to help us verify your identity. There is no fee for making a request unless the request is clearly unfounded, repetitive or excessive.

Intellectual Property Rights

There is no transfer of intellectual property when content is submitted to askKira. The interaction is best understood as akin to a teacher reading a piece of work—in this case, the review is done by a model rather than a person. askKira processes user-submitted content purely to generate a response in the moment. No IP rights are reused or transferred to us. The original author or organisation retains full rights over any content submitted to the platform, including pupils who retain IP rights over their own work in compliance with DfE guidance.

Legal Disclosures

While interactions with the chatbot are anonymised, please be aware that Public Sector Analytics Ltd, our parent company, may be required to disclose information in cases where there is a legal safeguarding duty to report, such as instances involving danger to oneself or to others.

General Information

Changes to Policy

We reserve the right to modify this policy at any time. Changes will be posted on our website, and continued use of our services will indicate your acceptance of these changes.

Contact Us

If you have any questions or concerns about this policy or the data we hold, please contact our Data Protection Officer at [email protected].

By using our Services, you agree to the terms of this Privacy and Data Policy. Your privacy and the security of your data are of utmost importance to us.

Last updated: 14 April 2025

Copyright © 2023 – 2025 Public Sector Analytics Limited. Company No 14889377. All rights reserved. Policies.

Linkedin Facebook X-twitter Instagram Tiktok Youtube