ClassGrade
GDPR & Data Compliance

Compliance is not a feature. It's the default.

ClassGrade holds client data in-region, uses it for nothing other than the service you contracted for, and provides a DPA from day one. Here's what that means in practice.

Your data is yours

Client data — student records, submissions, assessment results — belongs to the client. ClassGrade processes it on your behalf under a Data Processing Agreement. We never claim ownership. You can export or delete all data at any time.

Zero training use

Student data is never used to train machine learning models — ours or anyone else's. AI models used for grading and content generation are trained exclusively on licensed datasets, not on client content or student submissions.

Data held in-region

For UK and European clients, all client data — including student records and assessment data — is stored within the UK and EU. No personal data is transferred outside the UK/EEA without a lawful transfer mechanism in place.

DPA available from day one

A Data Processing Agreement is available to all clients from the point of contract. You don't need to request it or chase for it — it's a standard part of every ClassGrade agreement.

GDPR-compliant by default

GDPR compliance is not a configuration task or an add-on. ClassGrade is architected to be compliant by default: data minimisation, purpose limitation, and lawful basis for processing are built into every feature, not bolted on after the fact.

Mainstream sub-processors only

We use a small number of mainstream, audited sub-processors — AWS, Google Cloud, and established AI providers with contractual commitments equivalent to or stronger than our own. The full sub-processor list is available on request.

Data subjects and categories

Students

Usernames, assessment results, activity completions, audio recordings (for spoken assessments), and learning path data.

Teachers

Name, email address, class assignments, and platform usage data.

School administrators

Name, email address, configuration preferences, and audit logs.

Parents (where enabled)

Email address used for report delivery. No other personal data collected.

Data subject rights

Data subjects — including students, teachers, and parents — have the right to access, correct, delete, and restrict the processing of their personal data. Requests should be directed to your school or group administrator in the first instance. If you cannot obtain a response, contact privacy@blueberryml.com.

BlueberryML Ltd acts as a data processor. Your school or school group is the data controller. Requests for data deletion, export, or restriction should be handled by the data controller in the first instance.

Data protection contact

For data protection enquiries, sub-processor lists, or DPA requests:

privacy@blueberryml.com

Privacy policy

For the full privacy policy covering how ClassGrade processes personal data:

View Privacy Policy →

Questions about data compliance?

If you're a DPO, procurement team, or legal counsel evaluating ClassGrade — we're happy to answer questions directly.

Get in Touch