Privacy Policy
Privacy is of utmost importance at Assessment Bot.
See how we keep your data safe here.
Effective Date: 22/01/2024
This privacy policy applies to the Assessment Bot marking tool created by Assessment Bot ("we" or "us"). We take privacy seriously and handle all personal data in compliance with the GDPR. This policy outlines what information we collect, how we use it, and your rights under the regulation.
Terms and Definitions
Personal Data (PII): Any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Controller: The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Processor: A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.
Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.
Data Subject: Any individual whose personal data is being collected, held, or processed.
GDPR (General Data Protection Regulation): A regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
The service: the marking assistance provided by Assessment Bot, in whole or in part.
Information We Collect
We only collect the minimum amount of personal data needed to provide the add-on's services per Google's limited use policy. The personal data collected is:
Google account information such as your name and email address.
The school you work at.
Data on your usage of the tool which includes data necessary to the functioning of the tool and to allow us to optimise it further. This data includes:
The times you submit work to be marked by Assessment Bot.
The amount of data (but not what the data actually is) consumed with each submission.
Errors that occur during the processing of that data so that we can monitor the performance of Assessment Bot.
Data used to optimise the performance of the Assessment Bot tool which includes:
Mark scheme, question, and student answer data. We do not collect any personally identifying information associated with this content. Any student personally identifying information is processed solely within your Google account and not by us.
Detailed diagnostics and usage data to allow us to:
Identify abuse, errors and other problems with our service.
Refine and improve the service we deliver to you.
Data submitted to third party services for the purpose of marking the work or for communications purposes such as bulk emailing.
Communications data such as emails
Data Retention
We retain the following data for as long as you hold an account with us. The data below is deleted immediately after you close your account.
Your name
Your email address
Your Google Workspace email address if different.
Your school
The amount of AI data you consume (tokens).
We retain the following data for up to 1 year, and most is deleted after 30 days:
Detailed diagnostics and usage data to support allow us to:
Identify abuse, errors and other problems with our service.
Refine and improve the service we deliver to you.
We retain the following data for more than 1 year:
Data we are legally required to hold.
Past communications such as emails for technical support or for customer assistance.
How We Use Information
We use the information collected only to operate and improve the add-on. This includes:
Create and administer your account on the Platform.
Manage the security of the service.
Assess student work.
Communicate with you for purposes other than marketing.
Answer to your assistance requests.
Provide technical support (fixing the bugs You notify us).
Conduct research and improve the service.
Make aggregated statistics about the use of the service.
Who we share your personal data with:
We may share data on a 'need-to-know' basis with the following individuals or organisations:
The authorised members of our teams,
Financial organizations (banks, etc.),
Supervisory authorities such as the British Data Protection Authority (Information Commissioner's Office),
Where appropriate, the competent courts, mediators, accountants, auditors, lawyers, bailiffs, debt collection agencies.
We currently share some or all of your personal data with the following providers:
Google - To host the service, store any data associated with the service, and provide services essential to the running of the service, such as emails. The vast majority of this data is stored either in Google's Data Centres in Belgium or London. A small amount of data may be stored within other GDPR compliant jurisdictions, covered under the UK Adequacy Regulations. You can read how they store this data in detail here.
Other data processors
We use these providers to mark the work and send student's answers, the mark scheme and questions. Ordinarily, no PII is ever shared with these providers, however, if a someone inadvertently included some PII within an answer, question or mark scheme, (e.g. they entered their name or email address in the wrong box on the Google Form) it could be processed by the following providers.
Microsoft Azure - This data is stored exclusively in Microsoft's London data centre.
Microsoft retains Customer Data stored in Online Services in a limited function account for 90 days after the expiration or termination of the customer’s subscription. This is to allow the customer to extract the data. Following this 90-day period, Microsoft will disable the customer’s account and delete the Customer Data and Personal Data stored in Online Services within an additional 90 days, unless there is an authorization under the Data Processing Agreement (DPA) to retain the data.
You can read more here.
OpenAI: The data we send to the OpenAI API may be stored on servers located in various locations, including potentially outside the European Economic Area (EEA), Switzerland, or the UK. OpenAI is committed to ensuring appropriate safeguards for data transfers and storage, in compliance with relevant data protection regulations.
OpenAI retains the data outlined above for up to 30 days, unless a legal requirement mandates otherwise. You can read more here.
Mistral: This is processed in Mistral's data servers in Sweden.
Mistral retains prompts and outputs you send via the service for 30 rolling days to monitor abuse.
Flutterflow: to provide your account portal. All PII is handled and stored by Google (as outlined above), however Flutterflow retains usage data to allow it to monitor and optimise the service it provides to us and to you. You can read more information here.
Lawful Basis to process personal data
In the section below, we detail the lawful basis for collecting and processing your data.
Contractual Necessity
Google Account Information (Name, Email Address): Essential for creating and managing the user's account.
Mark Scheme, Question, and Student Answer Data: Central to the core functionality of the assessment tool.
Data Submitted to Third-Party Services (for Marking or Communication Purposes): Necessary for the primary purpose of the service.
Legitimate Interests
The School You Work At: Relevant for tailoring the service to the educational context.
Data on Usage of the Tool (Submission Times, Data Consumption, Error Logs): For optimizing and maintaining the functionality of the tool.
Detailed Diagnostics and Usage Data: To improve the service, identify abuse and errors.
Communications Data (e.g., Emails): For customer support and service improvement (excluding aspects that fall under Legal Obligation).
Data Retained for Up to 1 Year (Diagnostics, Usage Data): For service optimization and troubleshooting.
Legal Obligation
Data Retained for More Than 1 Year (Legally Required Data, Past Communications): Data that must be kept for legal reasons.
Communications Data (e.g., Emails): Records of transactions and other legally necessary communications.
Consent
Google Analytics Data (IP Address, Location, Browser Type, etc.)
User Rights
You have certain rights under the GDPR in relation to your personal data, including:
The right to access your personal data
The right to have your data deleted
The right to have your data corrected or restricted from processing
The right to object to processing
The right to data portability Contact us via email below to make a request related to your rights.
Data Security
We take reasonable measures to secure and protect the information we collect. This includes following all relevant Cyber Security best practises and ensuring that all data stored with us, or with our third party processors is stored according to GDPR requirements, or equivalent adequacy provisions. However, no data transmission over the internet is 100% secure so we cannot guarantee security.
International Data Transfers
As part of our operations, personal data collected through the service may be processed on servers located outside of the country where you reside. This includes servers maintained by Google, our primary data hosting provider. We recognize that data protection laws can vary significantly among countries. However, regardless of where your information is processed, we are committed to applying the same level of protection as described in this Privacy Policy.
Legal Frameworks for Data Transfers
Adequacy Decisions
The European Commission, as well as authorities in the UK and Switzerland, have identified certain countries outside of the European Economic Area (EEA) that provide adequate protection for personal data. This means data can be transferred from the EU, EEA countries, the UK, and Switzerland to these countries without additional data protection measures. Google relies on these adequacy decisions for data transfers, ensuring compliance with these recognized standards.
EU-U.S. and Swiss-U.S. Data Privacy Frameworks:
Google complies with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF), including the UK Extension to the EU-U.S. DPF, as established by the US Department of Commerce. These frameworks govern the collection, use, and retention of personal information transferred from the EEA, Switzerland, and the UK to the United States. Google LLC, along with its wholly-owned US subsidiaries, adheres to the principles of these frameworks, as stated in their DPF certification. This includes adherence to the Onward Transfer Principle, ensuring responsible handling of data shared with third parties.
Cookies & Tracking
Cookies and tracking technologies are not used by the service.
The Assessment Bot website makes use of Google Analytics, which includes the following cookies and tracking technologies:
User Data
Types: IP address, location (derived from IP address), browser type, operating system, device information (like model and screen size).
Purpose: This information helps in understanding the demographics of your website visitors and their device preferences, enabling better website optimization and targeted content.
Traffic Data
Types: Referral URLs, search terms used to find the site, pages visited, duration of visit, and interactions on each page.
Purpose: To analyse how users arrive at your site and how they interact with it, which helps in improving website content, navigation, and overall user experience.
Session Data
Types: Session duration, user engagement with website content.
Purpose: To understand user engagement and identify areas where users spend most of their time, which can guide content development and layout decisions.
Behavioural Data
Types: User clicks, scroll behaviour, any interactions with website elements (like forms, buttons, or links).
Purpose: To gain insights into user behaviour on the website, allowing for optimization of user experience and conversion rates.
Cookies and Identifiers
Types: Google Analytics uses cookies to identify unique users, track user sessions, and store information about user interactions.
Purpose: Cookies enable tracking of individual user behaviour and session information to provide comprehensive analytics data.
Anonymized Data
Types: Google Analytics can anonymize IP addresses and other identifiable data.
Purpose: To provide privacy-focused tracking options that reduce the granularity of location data and other identifiers.
Age Limitation
This service is intended for use exclusively by educators and professionals in the field of education. As such, we do not knowingly collect, use, or disclose personal data from individuals under the age of 18. If you are under 18, please do not use our Assessment Bot marking tool or provide any personal information to us.
If we learn that we have collected personal information from a minor under 18 without verification of parental consent, we will take steps to remove that information from our servers as quickly as possible. If you believe that a minor under the age of 18 has provided personal information to us, please contact us at support@assessmentbot.com.
Changes to the Privacy Policy
We may modify this privacy policy from time to time to reflect changes in our practices. If we make any material changes, we will notify you via email and provide you an opportunity to review the revised policy.
Contact Us
Please contact us at support@assessmentbot.com with any questions about our privacy practices or this policy.