Data Protection & Privacy

Built for UK school compliance — the documents your DPO will ask for

The Business School is registered in Finland (TBS Education Ltd Oy) and complies with UK GDPR, EU GDPR and the UK Data Protection Act 2018. The four documents below are the full compliance pack your school's data protection officer typically needs before approving a new classroom tool.

Why this page exists

UK schools rightly require a data-protection review before adopting any new classroom tool. These documents cover every question a Data Protection Officer (DPO) typically asks — privacy policy, processing agreement, internal handling procedures and a one-page summary for quick approval.

Download the compliance pack

All four documents are kept in sync. For most schools the one-page summary is enough for initial approval; the privacy policy and DPA are what a DPO will sign.

1-page summary

Data Protection Summary (2026)

A concise one-page overview — what we collect, where it's stored, how long, and who to contact. Written for busy data protection officers.

PDF · ~5.6 KB

Privacy policy

Privacy Policy (2026)

Our full privacy policy — what data is collected, lawful basis for processing, data subject rights, retention periods and international transfers.

PDF · ~7 KB

Processor agreement

Data Processing Agreement (DPA) 2026

Article-28 compliant Data Processing Agreement for schools. Ready to sign — covers controller/processor roles, security measures, sub-processors and breach notification.

PDF · ~7.1 KB

Internal policies

Internal Data Policies (2026)

Our internal data handling policies — access controls, staff training, incident response, data minimisation principles and security review cadence.

PDF · ~6.5 KB

How we handle data — the short version

Students: no accounts are created. Students join a session by typing a PIN and choosing a nickname. No personal data is tied to a student.

Teachers: only an email address is stored (to enable saved sessions and support). Teachers can request full deletion at any time.

Hosting: Netlify (EU region) for the frontend and serverless functions; Neon Postgres (EU region) for persistent session data; Anthropic Claude API for the post-session AI reports. All processors are listed in the DPA.

Retention: free-tier sessions are ephemeral. Paid-tier saved sessions are retained for as long as the teacher wants — the teacher controls deletion.

International transfers: data is kept inside the EU/EEA wherever possible. Where transfers outside the EU occur (e.g. AI inference), they are covered by Standard Contractual Clauses under UK / EU GDPR.

Contact for data protection enquiries

Controller: TBS Education Ltd Oy (Finland) · Business ID 3614159-3

UK ICO Registration: ZC133810 (verify on the public ICO register)

Email: sakari.laajoki@gmail.com

For subject access requests, erasure requests, or DPA-related questions, please use the email above. We aim to respond within 72 hours.