This page is a summary of the Data Protection Impact Assessment that Revision Genie maintains for its core processing activities. The full internal DPIA is held by our Data Protection Officer and is reviewed at least annually and whenever a significant new processing activity is introduced.
The purpose of a DPIA is to identify and reduce risks to people's rights and freedoms that come from how we process their personal data. We treat children's data with particular care, in line with the ICO's Age Appropriate Design Code.
1.1 Provide an AI-powered educational platform that helps students learn and revise.
1.2 Track learning progress so students, teachers and (where applicable) schools can see how a student is getting on.
1.3 Operate safety and safeguarding systems, including flagging conversations that suggest a user may be at risk.
1.4 Process payments and manage subscriptions.
1.5 Improve the service over time using aggregated and anonymised analytics.
2.1 Account data: name, email, age (year of birth), school affiliation, OAuth provider (if any), hashed password (if any).
2.2 Learning data: study activity, quiz responses, exam attempts and marks, skill ratings, mistakes, memory notes.
2.3 Communication data: AI chat (not retained by default), support tickets, in-app feedback.
2.4 Technical data: IP address, device/browser metadata, basic usage events.
2.5 Payment data: Stripe customer and payment references.
Personal data is processed by:
Microsoft Azure OpenAI (AI inference and embeddings) - UK / EU regions, no training on customer data.
Azure Speech Services (text-to-speech for language lessons).
MongoDB Atlas (primary database).
Vercel and Vercel Blob (hosting and file storage).
Upstash Redis (cache and rate limiting).
Stripe (payments).
Google and Microsoft (optional sign-in only).
Resend (transactional email).
Each processor is bound by a data processing agreement and assessed for UK GDPR-equivalent protections.
4.1 Risk: AI responses could contain inappropriate or harmful content.
Mitigation: Azure OpenAI content filters plus our own safeguarding checks; clear AI identity disclosure; per-message feedback and reporting; human review for flagged messages.
4.2 Risk: AI could be used to write coursework verbatim, undermining academic integrity.
Mitigation: System prompts orient tutors towards teaching and explaining rather than producing finished work; schools can monitor student activity where authorised.
4.3 Risk: Cross-session memory could store sensitive personal data (e.g. mental health, classmates' names).
Mitigation: AI is instructed to save only stable, learning-relevant facts; users can view, edit and wipe all memory notes at any time.
4.4 Risk: User-uploaded documents in My Genies could contain third-party copyrighted material or personal data of third parties.
Mitigation: Acceptable Use Policy prohibits uploading content the user is not entitled to upload; storage and retention are limited; users can delete files at any time.
4.5 Risk: Safeguarding-flagged conversations contain sensitive disclosures.
Mitigation: Access is restricted to trained staff; retention is time-limited; disclosure to schools or authorities follows safeguarding policy.
5.1 Encryption in transit (TLS) and at rest by all processors.
5.2 Role-based access controls on production systems.
5.3 Privacy-protective defaults for users under 18.
5.4 Minimisation: we only collect and pass through data needed for the immediate purpose.
5.5 Regular reviews of access logs and security configuration.
6.1 Age-appropriate defaults and reduced data collection for users under 18.
6.2 No behavioural profiling or personalised advertising.
6.3 School-managed accounts allow teachers and school admins to provide supervision where authorised.
7.1 Access, rectification, erasure, restriction, objection and portability are all supported - see our Privacy Policy.
7.2 Right to lodge a complaint with the Information Commissioner's Office (ico.org.uk).
For questions about this DPIA summary, our processing activities, or to exercise your data protection rights, please contact our Data Protection Officer, Joel Martin, at joel@revisiongenie.com.