Last updated: [DATE — update before publishing] · Version 1.0
This Privacy Policy explains how eòlas, operated by [REGISTERED ENTITY NAME] ("eòlas", "we", "us", "our"), collects, uses, and protects personal data when you use the eòlas platform at marker.failte.dev and associated subdomains.
We are committed to handling personal data responsibly and in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Who We Are
The data controller for personal data processed through eòlas is:
- Organisation: [REGISTERED ENTITY NAME] (placeholder — add registered company/trading name)
- Registered Address: [ADDRESS] (placeholder)
- ICO Registration Number: [ZXXXXXXx] (placeholder — register with the ICO before launch)
- Contact: hello@failte.dev
2. What Data We Collect
We collect different categories of personal data depending on how you use eòlas:
2.1 Account Registration Data
- First and last name
- Email address (stored encrypted)
- Mobile phone number (stored encrypted; used for multi-factor authentication)
- Password (hashed; not stored in recoverable form)
- Account type (educator, student, or parent/guardian)
- School name and/or school identifier
2.2 Profile Data (collected at profile completion)
- Educator: subjects taught, school affiliation
- Student: age range (broad category only), parental consent confirmation
- Parent/guardian: child's school name
2.3 Academic Submission Data
- Student written submissions (essays, practice paper answers) uploaded for assessment
- AI-generated marks and feedback associated with each submission
- Educator annotations and mark adjustments
2.4 Payment Data
- We collect your email address and billing name for payment records. Card details are processed entirely by Stripe and are never stored by eòlas.
- Transaction records (purchase amount, credit bundle, date) are retained for accounting purposes.
2.5 Technical / Usage Data
- IP address (used for security logging and abuse prevention)
- Browser type and operating system
- Pages visited and actions taken within the platform (for analytics and troubleshooting)
- Device verification status (for multi-factor authentication)
2.6 SSO Identity Data
If you sign in using Google or Microsoft (Entra), we receive your name, email address, and an anonymised identity token from the provider. We do not store your Google or Microsoft password.
3. Why We Collect It
| Purpose |
Data used |
| Providing the eòlas service (account management, project creation, marking) | Account data, submission data, profile data |
| Processing payments and issuing credits | Payment data, account data |
| Multi-factor authentication (SMS verification) | Mobile number, verification codes |
| Email account verification | Email address |
| Security monitoring and fraud prevention | IP address, usage data |
| Improving the platform (aggregated, anonymised analytics) | Usage data (anonymised) |
| Responding to your enquiries | Name, email, message content |
| Complying with legal obligations | As required by applicable law |
4. Legal Basis for Processing
We process personal data on the following legal bases under UK GDPR Article 6:
- Contract performance (Art. 6(1)(b)): Processing necessary to deliver the eòlas service to registered users.
- Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and service improvement analytics.
- Legal obligation (Art. 6(1)(c)): Retaining financial records as required by UK tax law.
- Consent (Art. 6(1)(a)): Marketing communications (where opted in); analytics cookies.
Where we process data relating to children (students under 18), we rely on parental consent as confirmed during the student registration process, in accordance with the Children's Online Privacy considerations under UK GDPR.
5. How We Store and Protect Your Data
- All data is stored on servers located within the EU/EEA.
- Personal identifiable information (name, email, mobile) is encrypted at rest using AES-256-CBC encryption.
- All data transmission uses TLS/HTTPS encryption.
- Access to the database is restricted to authorised personnel only, via authenticated, encrypted connections.
- We maintain regular backups and apply security patches promptly.
6. Third-Party Data Processors
We share personal data with the following trusted processors, each under a Data Processing Agreement:
| Processor | Purpose | Location |
| Google Cloud (Vertex AI / Document AI) | AI-based marking and document processing | US (adequacy/SCC) |
| Stripe | Payment processing | US (adequacy/SCC) |
| ClickSend | SMS multi-factor authentication | AU (adequacy/SCC) |
| Cloudflare | Bot/spam protection (Turnstile CAPTCHA) | US (adequacy/SCC) |
| Microsoft (Entra / Graph API) | SSO authentication and Teams integration (optional) | EU/US |
| Failte.dev (hosting) | Web hosting and infrastructure | EU |
We do not sell personal data to any third party, nor do we share it for advertising purposes.
7. Data Retention
- Account data: Retained for the duration of your active account, plus 2 years after account closure for legitimate business and legal purposes.
- Student submissions and AI feedback: Retained for the duration of the associated project and accessible while the account is active. Deleted upon account deletion or on request.
- Payment records: Retained for 7 years in accordance with UK tax law (HMRC requirements).
- Security logs (IP addresses): Retained for 90 days.
- Cookies: See Section 9.
8. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Ask us to correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten"): Request deletion of your data (subject to legal retention obligations).
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests or for direct marketing.
- Right to restrict processing: Request that we limit how we use your data in certain circumstances.
- Rights related to automated decision-making: We do not make legally significant automated decisions about individuals using eòlas — AI marks are always subject to educator review.
To exercise any of these rights, contact us at hello@failte.dev. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. Cookies
eòlas uses the following categories of cookies:
- Strictly necessary: Session cookies required for authentication and security. Cannot be disabled without breaking the service.
- Functional: Remember your preferences (e.g. dark/light mode). Can be disabled.
- Analytics: Aggregate usage statistics to help us improve the platform. Disabled by default; enabled only with your consent via the cookie banner.
- Marketing: Currently not used. Any future use will require explicit opt-in consent.
You can manage your cookie preferences at any time using the cookie settings panel accessible from the footer of any page.
10. Children's Data
eòlas is designed for use in secondary schools and may be used by students from approximately age 13 upwards. We take particular care with data relating to under-18s:
- Students under 18 may only register with parental or guardian consent, confirmed during the registration flow.
- Student personal data is never used for advertising or marketing purposes.
- Student submissions are only visible to the relevant educator, the student themselves, and any linked parent/guardian account.
- We encourage schools to review this Privacy Policy as part of their data protection assessment before deploying eòlas.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified to registered users by email at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent version.
12. Contact and Complaints
For any privacy-related queries or to exercise your rights:
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO): ico.org.uk/make-a-complaint or call 0303 123 1113.