Privacy Policy

Last updated: April 2025

Introduction

At Top Marks AI ("we," "us," or "our"), we take your privacy seriously. This Privacy Policy outlines how we collect, use, disclose, and protect your personal data when you interact with our AI-powered grading and assessment platform (the "Services").

Top Marks AI provides automated grading solutions to schools, educational institutions, and corporations. We act as a data processor for educational institutions that use our Services, processing student and staff data on their behalf. However, in some cases, we may also act as a data controller for certain business operations, as described in this policy.

We are committed to complying with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (GDPR), and the Children's Online Privacy Protection Act (COPPA) where applicable.

Please take the time to read this Privacy Policy carefully, as it explains how we collect, use, and store your personal data. We keep our Privacy Policy under regular review, and you can see the last update date above.

If you have any questions about our Privacy Policy, please contact us through the details set out in the 'Contact Us' section below.

1. What Data Do We Collect About You?

"Personal Data" is data that relates to you and identifies or can be used to identify you – this might be your name, email address, or other digital identifiers relating to you such as cookies, IP addresses or logs.

The types of personal data we collect include:

1.1 Student Data (processed on behalf of schools)

  • Full name
  • Exam or essay responses, including handwritten responses converted into text
  • Assessment results and feedback
  • Email addresses (for notifications)

1.2 Staff Data

  • Full name
  • Email address
  • Institution name
  • Communication records

1.3 Automatically Collected Data

When you access our website or platform, we may collect:

  • Device Information: IP address, browser type, operating system
  • Usage Data: Pages visited, interactions with our Services, time spent on our platform
  • Cookies and tracking technologies: Used to enhance the user experience and gather analytics

We do not collect special category data, such as health information or biometric data, as part of our Services.

We may also aggregate and anonymise your personal data to form statistical or demographic data ('Aggregated Data'). For example, we may aggregate your Usage Data (where you are a Website User) to calculate the percentage of users accessing a specific website or platform feature. Such aggregated and anonymised data is not Personal Data and does not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your Personal Data so that it can directly or indirectly identify you, we treat the combined data as Personal Data which will be used in accordance with this Privacy Policy.

2. How Do We Collect Your Personal Data?

We collect your data in the following ways:

  • Directly from you: When you sign up, communicate with us, or use our Services.
  • From educational institutions: Schools provide student and staff data for assessment purposes.
  • Automatically: Through cookies and other tracking technologies when you interact with our website or platform.

3. How Do We Use Your Personal Data?

We process personal data for the following purposes:

What we use your Personal Data for | What Personal Data we collect | Our lawful basis for processing
To provide automated grading services | Student names, assessment responses | Performance of a contract with educational institutions
To communicate with staff about assessment results and updates | Staff names, email addresses | Legitimate interests (service improvement)
To improve and develop our platform | Usage data, device information | Legitimate interests (business operations)
To ensure security and fraud prevention | IP address, login activity | Legitimate interests (security measures)
To comply with legal obligations | Any necessary personal data | Compliance with legal requirements

We do not use personal data for marketing purposes unless you have explicitly consented.

4. Do We Share Your Personal Data?

We do not sell or rent personal data. However, we may share data in the following circumstances:

  • With Service Providers: Trusted third-party vendors assisting in platform functionality (e.g., cloud hosting providers).
  • For Legal Compliance: When required by law or regulatory authorities.
  • With Educational Institutions: Schools may access student grading and feedback data.

Where we share your Personal Data with third parties, we require them to respect the security of your Personal Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Personal Data for their own purposes and only permit them to process your Personal Data for specified purposes and in accordance with our instructions.

5. Children's Privacy

Some students using our Services may be under the age of 13. To comply with COPPA:

  • Parental Consent: We require educational institutions to obtain parental consent before sharing minors' data with us.
  • Limited Data Collection: We only collect data necessary for educational assessment.
  • Parental Rights: Parents can request access to or deletion of their child's data by contacting their school or us directly.

6. How Do We Protect Your Data?

We have put in place security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. These measures include using bank-grade encryption to protect your data when we store it, and ensuring that it is encrypted whenever we send it across the internet. We also limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to access it.

Where we have given you (or you have chosen) a password, you are responsible for keeping this password confidential. Please do not share your password with anyone.

We also implement Regular Security Audits, where we continuously monitor and assess potential risks.

7. How Long Do We Keep Your Data?

We have a retention policy which sets out how long we keep information for. We only keep your personal information for as long as reasonably necessary to fulfil the purposes set out in this Privacy Notice and to comply with our legal and regulatory obligations.

The exact period will depend on your relationship with us and the type of Personal Data we hold and process, for example:

  • Student assessment data: Retained for grading purposes and deleted based on agreements with educational institutions.
  • Staff contact details: Retained for communication and support unless deletion is requested.
  • Legal Compliance: Some data may be retained for compliance with applicable laws.

If an account is inactive for 24 months, we will notify the account holder before deletion.

8. International Data Transfers

How do we protect your Personal Data when sending it outside the UK and/or Europe?

Countries outside the UK and/or the European Economic Area (which means all the European Union (EU) countries plus Norway, Iceland and Liechtenstein, together "EEA") may have a lower standard of protection for Personal Data than that required by UK and/or EEA data protection laws. The information we collect from you may be transferred to and stored outside the UK and/or EEA (including for example the United States of America) and will also be processed by people operating outside the UK and/or EEA who work for us or one of our suppliers.

If we need to transfer your data to a company based outside the UK and/or EEA (e.g. to provide technology for email, subscription and payment support), we will take steps to make sure your personal data is handled in line with UK and/or European data protection law by implementing appropriate safeguards, such as entering into the UK's International Data Transfer Agreement (for transfers of personal data from the UK) or the approved EU Standard Contractual Clauses (for transfers of personal data from the EEA). If you would like any more detail on the specific mechanism used by us to transfer your Personal Data outside the UK and/or EEA, please get in contact with us through the details set out in the 'Contact us' section below.

A summary of our regular data transfers is set out below:

Country/jurisdiction to where we transfer personal data | Purpose for the transfer | Safeguard used to protect your personal data
UK | Hosting provider; SaaS tools to administer our business | Encryption
European Union | SaaS tools to administer our business (Render, MongoDB on AWS in Ireland, Amplitude) | Encryption
USA | SaaS tools to administer our business (AI providers) | N/A - No personal data transferred

9. Your Rights

Under UK GDPR, EU GDPR, and applicable privacy laws, you may have the following rights:

  • Access: Request copies of your personal data.
  • Correction: Update inaccurate or incomplete data.
  • Deletion: Request data erasure where legally applicable.
  • Restriction: Limit processing under certain conditions.
  • Objection: Object to processing based on legitimate interests.
  • Data Portability: Receive data in a structured format.

To exercise your rights, contact us at info@topmarks.ai.

10. Marketing, Opting Out and Cookies and Tracking Technologies

We may send marketing communications by email, SMS or other communication channels with information relating to other products and services you may be interested in. We will do so where we have appropriate marketing permissions from you. You may check or change your marketing permissions and are free to opt-out at any time.

We will get your express opt-in consent before we share your Personal Data with any other company for the purposes of third-party marketing. You can ask us or third parties to stop sending you marketing messages at any time by contacting us through the details set out in the 'Contact us' section below. Where you opt-out of receiving marketing messages, this will not apply to Personal Data provided to us as a result of a product/service purchase or any other transaction.

There may be circumstances where we can lawfully send marketing messages without your express consent, for example, where you have enquired about or have purchased products and services from us, and it is in our legitimate interests to get in touch with you about similar products and services – this is known as the 'soft opt-in'.

Even if you have opted out of marketing communications, we may still need to send you service communications from time to time either because we are legally required to do so, or to provide you with important updates relating to our services.

We use cookies to enhance user experience. Users can manage cookie preferences through browser settings. For more details, see our Cookie Policy.

11. Updates to This Privacy Policy

We may update this Privacy Policy periodically. Significant changes will be communicated via:

  • Website notices
  • Direct email notifications (if applicable)

12. Contact Us

For any questions about this Privacy Policy or to exercise your rights, please contact us:

  • Email: info@topmarks.ai
  • Address: Harben House, Harben Parade, Finchley Road, London, United Kingdom, NW3 6LH

Thank you for taking the time to review our Privacy Policy.
