Who we are
PICRAT Suite is an educational technology platform that helps teachers reflect on, evaluate and improve how they integrate technology into their teaching. It is built around the PICRAT framework (Kimmons, Graham and West, 2020).
For the purposes of UK GDPR and the Data Protection Act 2018, the data controller is Andy Perryer, an individual operating the platform from the United Kingdom. Where you sign up directly, PICRAT Suite acts as the data controller for your account data. Where your account is created or arranged on behalf of a school, multi-academy trust or other organisation, that organisation acts as the data controller and PICRAT Suite acts as the data processor under their instructions. A separate Data Processing Agreement is available for organisations on request.
If the platform's controller changes in future (for example if it transitions to a corporate owner), this page will be updated and material changes notified through the platform.
PICRAT Suite is not required to appoint a Data Protection Officer under Article 37 of UK GDPR (we do not carry out large-scale processing of special-category data or systematic monitoring as a core activity). Privacy queries are handled by Andy Perryer.
Any questions about this notice or about how your data is handled can be sent to privacy@picrat.com. We aim to respond within five working days.
What we collect and why
We collect personal data only where we have a lawful basis to do so. The two bases we rely on are legitimate interests (operating and improving the platform) and consent (for example, the optional research-use toggle in your Settings). You will never be asked to provide more data than the platform needs to function.
Account data and tool usage data are processed on the basis of legitimate interests in operating the platform to deliver a service you have signed up for. Research-use retention beyond standard periods is processed on the basis of explicit consent, which you can withdraw at any time from Settings. Where a school is the controller, the lawful basis for processing is determined by the school and recorded in the Data Processing Agreement we sign with them.
Account data
| Data | Why |
|---|---|
| Name and email | Account creation, sign-in, magic-link emails, monthly reports. |
| School | Required at signup. Used for aggregated school-level dashboards. Free-text by default; tied to a verified school record once approved. |
| Password (hashed) | Stored only as a bcrypt hash with 12 salt rounds. We never see your password in plain text. |
| Teaching profile | Age groups taught, subjects, confidence ratings and goals you choose to share. Used to personalise tool suggestions. |
| Login records | Timestamps and session metadata. Used for security and to identify dormant accounts. |
Tool usage data
| Data | Why |
|---|---|
| Lesson text and AI responses | Text you submit to Analyse, Review, Generate or Coach is processed by an AI service to produce feedback. The original text and the AI response are stored against your account so you can revisit them. |
| Practice quiz results | Scenario answers, scores, streaks and progress. Used for progress tracking and to power the school dashboard. |
| Coach conversations | The full message history with the Coach tool, so the conversation can resume across sessions. |
| Shared result links | Public links you create to share a result with colleagues. Visible to anyone with the link. |
| Page feedback | Optional thumbs up or down plus any free-text comment you leave at the bottom of a page. |
Analytics and reflection data
| Data | Why |
|---|---|
| Page views | Which pages you visit and when. Used to understand how the platform is used and to fix what isn't working. |
| Interaction events | Button clicks, tool usage timing and similar events. Tied to your account. |
| Confidence snapshots | Self-reported PICRAT confidence and tech comfort, captured periodically. Optional. |
| AI feedback | Thumbs up or down on AI responses. Used to improve prompt quality. |
We do not collect special-category data (race, religion, health, sexuality, biometrics) and we ask you not to submit it through the AI tools. See the section on lesson content below.
How we use AI tools
The Analyse, Review, Generate and Coach tools each send the text you provide to a generative AI service that returns a response. The two AI providers we use are:
- Google (Gemini API). Used by every teacher-facing AI tool. PICRAT Suite uses Google's Gemini API on the paid commercial tier. Under Google's paid-tier terms, customer prompts and responses are not used to train Google's foundation models or improve Google's products, and are retained briefly only for abuse monitoring before deletion.
- Anthropic (Claude API). Used only by the admin teacher-profile generator, on aggregated and non-identifying usage data. Under Anthropic's commercial API Terms, inputs and outputs are not used to train Anthropic's models by default.
We hold the API keys server-side; they are never exposed to your browser. We do not send your data to either provider for any purpose other than producing the response shown to you in the tool.
Sub-processors
The third parties we use to operate the platform act as sub-processors on our behalf. They process personal data only as needed to deliver their service, and only under contract.
| Provider | Purpose | Region |
|---|---|---|
| Google (Gemini API, paid tier) | Generative AI for lesson analysis, review, generation and coaching. | Globally routed by Google. Google is certified under the UK extension to the EU-US Data Privacy Framework. |
| Anthropic (Claude API) | Generative AI for admin-side teacher profile summaries (aggregated data only). | United States. Covered by Anthropic's Standard Contractual Clauses and the UK IDTA. |
| Heroku (Salesforce) | Application hosting. Production runs in Heroku's EU region (Ireland). | EU (Ireland). Salesforce is bound by approved Binding Corporate Rules for any intra-group transfers. |
| Heroku Postgres | Managed PostgreSQL database. Co-located with the application. | EU (Ireland) |
| SMTP email provider | Transactional email (sign-in magic links, monthly reports, notifications). | EU / global |
| GoDaddy | Domain registrar and DNS for picrat.com. | Global |
Where a sub-processor is located outside the UK or EEA, we rely on the following transfer mechanisms, as required by Articles 46 and 49 of UK GDPR:
- Google (Gemini API). Transfers are covered by Google's certification under the UK extension to the EU-US Data Privacy Framework, supported by the UK International Data Transfer Addendum to the EU Standard Contractual Clauses.
- Anthropic (Claude API). Transfers are covered by Anthropic's signed Standard Contractual Clauses and the UK International Data Transfer Addendum.
- Heroku (Salesforce). Production data is hosted in the EU (Ireland). Salesforce is bound by Binding Corporate Rules approved for intra-group transfers.
- Other providers. Where any other sub-processor is located outside the UK or EEA, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses or an equivalent approved transfer mechanism.
Cookies and similar technologies
PICRAT Suite uses one cookie and two browser-storage values, all strictly functional. We do not use marketing, advertising or third-party analytics cookies.
| Item | Type | Purpose | Lifetime |
|---|---|---|---|
| connect.sid | HTTP cookie (httpOnly, Secure, SameSite=Lax) | Keeps you signed in. | 30 days |
| picrat_checkin_cooldown | localStorage | Stops the confidence check-in toast firing too often. | Until cleared |
| picrat_interaction_count | localStorage | Counts interactions to time the check-in toast. | Until cleared |
Under the Privacy and Electronic Communications Regulations (PECR), strictly necessary cookies do not require prior consent. The two localStorage values store data only on your device and are not transmitted to us. You can clear all three at any time using your browser's site-data controls.
How long we keep your data
We retain data only as long as it is needed for the purpose for which it was collected. An account is treated as dormant after two years without sign-in.
| Data | Retention | Then |
|---|---|---|
| Active account data | For the life of the account | Deleted on account closure |
| Dormant account (no sign-in for 2 years) | 2 years from last sign-in | Account deleted; analytics anonymised if research consent given, otherwise hard-deleted |
| Lesson text and AI responses (Analyse, Review) | 2 years after the account becomes dormant; 3 years total once orphaned | User reference removed at 2 years; row hard-deleted at 3 years |
| Coach conversations | 1 year after the last message | Hard-deleted |
| Practice quiz data | 2 years after the account becomes dormant | Anonymised |
| Interaction events | 12 months from creation | Hard-deleted |
| Confidence snapshots | 2 years from creation | Anonymised if research consent given, otherwise hard-deleted |
| Shared result links | 1 year from creation, or immediately on account closure | Hard-deleted; the link returns "not found" |
| Magic-link tokens | 24 hours from creation (links expire after 15 minutes) | Hard-deleted |
| Sessions (connect.sid) | 30 days | Pruned automatically |
If you opt in to research use via Settings, anonymised usage data with all identifying information removed may be retained beyond these periods for aggregate educational research. Anonymised data is no longer personal data under GDPR and is therefore not subject to retention limits. You can revoke this consent at any time.
Your rights
Under UK GDPR you have the following rights, all of which are exercisable without charge:
- Information. This notice is the principal way we provide you with information about how we process your personal data. You can request further detail at any time using the contact address at the top.
- Access. Use the "Export all my data" button on your Settings page to download a structured JSON file containing everything we hold about you.
- Rectification. Update your profile and account details from Settings.
- Erasure. Use the "Delete my account" button on Settings. Your account, profile and directly linked data are removed. Lesson text and similar records are anonymised so they no longer link to you.
- Restriction of processing. You can ask us to keep your data but stop active processing of it (for example while you contest the accuracy of your data or object to processing). Email the address above and we will mark your records as restricted.
- Portability. The JSON export is provided in a structured, machine-readable format.
- Object. If you wish to object to any specific processing, contact us using the address at the top of this notice.
- Withdraw consent. The research-use toggle in Settings can be turned off at any time. Email subscriptions can be cancelled with the unsubscribe link in any monthly report.
- Not be subject to automated decision-making. PICRAT Suite does not make automated decisions that produce legal or similarly significant effects about you. The AI tools provide feedback, suggestions and reflective questions; they do not assign grades, performance ratings, capability judgements or any other binding outcome about you or your teaching.
- Complain to a regulator. If you are not satisfied with our response you can complain to the UK Information Commissioner's Office at ico.org.uk.
Security
We protect your data with the following technical and organisational measures:
- Passwords hashed with bcrypt (12 salt rounds); never stored in plain text.
- Session cookies set httpOnly, Secure and SameSite=Lax.
- Sign-in flow regenerates the session ID to prevent session fixation.
- All database queries use parameterised placeholders to prevent SQL injection.
- HTTP security headers via Helmet, including a strict Content Security Policy and HSTS.
- Rate limiting on authentication routes, the AI proxy and write-side API endpoints.
- HTTPS enforced in production with automatic HTTP to HTTPS redirect.
- AI API keys held server-side only; never exposed to the browser.
- Routine application updates and dependency patching.
No system can be made perfectly secure. If you become aware of a security issue, please email privacy@picrat.com with the subject line "security" and we will acknowledge within two working days.
Personal data breaches
If we become aware of a personal data breach that affects your data, we will notify the relevant data controllers (your school, where applicable) without undue delay and in any case within 72 hours of becoming aware of it, in line with Article 33 of UK GDPR. Notification will include the nature of the breach, the categories and approximate numbers of data subjects affected, the likely consequences, and the measures taken or proposed to address it. Where the breach is likely to result in a high risk to your rights and freedoms, we will notify you directly under Article 34.
Children's data
PICRAT Suite is built for use by teachers (adults). Pupils do not have accounts and do not access the platform directly. Registration requires an email address and is intended for educators and school staff.
Because teachers may submit lesson plans through the AI tools, we ask all users not to include identifiable pupil information (names, dates of birth, attendance records, SEN diagnoses, or anything that could identify an individual child). Where pupil data is inadvertently submitted, it is processed and retained on the same schedule as other lesson text above and can be deleted on request.
The Information Commissioner's Office's Age Appropriate Design Code (Children's Code) applies to services likely to be accessed by children. PICRAT Suite is not such a service: it is teacher-facing, requires registration, and contains no content directed at children. If pupil-facing features are added in future, this section will be updated and the Code's standards applied.
Changes to this notice
We review this notice at least annually and update it when our processing changes. Material changes are communicated through the platform. The date at the top of the page reflects the most recent revision.
Contact
For data-protection queries, requests or complaints, email privacy@picrat.com. If your school's data protection officer needs a signed Data Processing Agreement, an updated sub-processor list, or any further documentation to complete a Data Protection Impact Assessment, please email the same address. If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk.
This notice is written to be readable. It is not a substitute for legal advice. If your school's data-protection officer needs additional documentation (for example a signed Data Processing Agreement or sub-processor list), email the address above and we will respond.