Who we are
PICRAT Suite is an educational technology platform that helps teachers reflect on, evaluate and improve how they integrate technology into their teaching. It is built around the PICRAT framework (Kimmons, Graham and West, 2020).
For the purposes of UK GDPR and the Data Protection Act 2018, the data controller is Andy Perryer, an individual operating the platform from the United Kingdom. If the platform's controller changes in future (for example if it transitions to a corporate owner), this page will be updated and material changes notified through the platform.
Any questions about this notice or about how your data is handled can be sent to andy.perryer@cognita.com. We aim to respond within five working days.
What we collect and why
We collect personal data only where we have a lawful basis to do so. The two bases we rely on are legitimate interests (operating and improving the platform) and consent (for example, the optional research-use toggle in your Settings). You will never be asked to provide more data than the platform needs to function.
Account data
| Data | Why |
|---|---|
| Name and email | Account creation, sign-in, magic-link emails, monthly reports. |
| School (optional) | Aggregated school-level dashboards. Free-text by default; tied to a verified school record once approved. |
| Password (hashed) | Stored only as a bcrypt hash with 12 salt rounds. We never see your password in plain text. |
| Teaching profile | Age groups taught, subjects, confidence ratings and goals you choose to share. Used to personalise tool suggestions. |
| Login records | Timestamps and session metadata. Used for security and to identify dormant accounts. |
Tool usage data
| Data | Why |
|---|---|
| Lesson text and AI responses | Text you submit to Analyse, Review, Generate or Coach is processed by an AI service to produce feedback. The original text and the AI response are stored against your account so you can revisit them. |
| Practice quiz results | Scenario answers, scores, streaks and progress. Used for progress tracking and to power the school dashboard. |
| Coach conversations | The full message history with the Coach tool, so the conversation can resume across sessions. |
| Shared result links | Public links you create to share a result with colleagues. Visible to anyone with the link. |
| Page feedback | Optional thumbs up or down plus any free-text comment you leave at the bottom of a page. |
Analytics and reflection data
| Data | Why |
|---|---|
| Page views | Which pages you visit and when. Used to understand how the platform is used and to fix what isn't working. |
| Interaction events | Button clicks, tool usage timing and similar events. Tied to your account. |
| Confidence snapshots | Self-reported PICRAT confidence and tech comfort, captured periodically. Optional. |
| AI feedback | Thumbs up or down on AI responses. Used to improve prompt quality. |
We do not collect special-category data (race, religion, health, sexuality, biometrics) and we ask you not to submit it through the AI tools. See the section on lesson content below.
How we use AI tools
The Analyse, Review, Generate and Coach tools each send the text you provide to a generative AI service that returns a response. The two AI providers we use are:
- Google (Gemini API). Used by every teacher-facing AI tool. Google's API Terms state that paid API inputs and outputs are not used to train Google's foundation models.
- Anthropic (Claude API). Used only by the admin teacher-profile generator, on aggregated and non-identifying usage data. Anthropic's API Terms state that API inputs and outputs are not used to train their models by default.
We hold the API keys server-side; they are never exposed to your browser. We do not send your data to either provider for any purpose other than producing the response shown to you in the tool.
Sub-processors
The third parties we use to operate the platform act as sub-processors on our behalf. They process personal data only as needed to deliver their service, and only under contract.
| Provider | Purpose | Region |
|---|---|---|
| Google (Gemini API) | Generative AI for lesson analysis, review, generation and coaching. | EU / global |
| Anthropic (Claude API) | Generative AI for admin-side teacher profile summaries (aggregated data only). | EU / US |
| Heroku (Salesforce) | Application hosting. Production runs in Heroku's EU region (Ireland). | EU (Ireland) |
| Heroku Postgres | Managed PostgreSQL database. Co-located with the application. | EU (Ireland) |
| SMTP email provider | Transactional email (sign-in magic links, monthly reports, notifications). | EU / global |
| GoDaddy | Domain registrar and DNS for picrat.com. | Global |
Where a sub-processor is located outside the UK or EEA, we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or an equivalent transfer mechanism, as required by Articles 46 and 49 of UK GDPR.
Cookies and similar technologies
PICRAT Suite uses one cookie and two browser-storage values, all strictly functional. We do not use marketing, advertising or third-party analytics cookies.
| Item | Type | Purpose | Lifetime |
|---|---|---|---|
| connect.sid | HTTP cookie (httpOnly, Secure, SameSite=Lax) | Keeps you signed in. | 30 days |
| picrat_checkin_cooldown | localStorage | Stops the confidence check-in toast firing too often. | Until cleared |
| picrat_interaction_count | localStorage | Counts interactions to time the check-in toast. | Until cleared |
Under the Privacy and Electronic Communications Regulations (PECR), strictly necessary cookies do not require prior consent. The two localStorage values store data only on your device and are not transmitted to us. You can clear all three at any time using your browser's site-data controls.
How long we keep your data
We retain data only as long as it is needed for the purpose for which it was collected. An account is treated as dormant after two years without sign-in.
| Data | Retention | Then |
|---|---|---|
| Active account data | For the life of the account | Deleted on account closure |
| Dormant account (no sign-in for 2 years) | 2 years from last sign-in | Account deleted; analytics anonymised if research consent given, otherwise hard-deleted |
| Lesson text and AI responses (Analyse, Review) | 2 years after the account becomes dormant; 3 years total once orphaned | User reference removed at 2 years; row hard-deleted at 3 years |
| Coach conversations | 1 year after the last message | Hard-deleted |
| Practice quiz data | 2 years after the account becomes dormant | Anonymised |
| Interaction events | 12 months from creation | Hard-deleted |
| Confidence snapshots | 2 years from creation | Anonymised if research consent given, otherwise hard-deleted |
| Shared result links | 1 year from creation, or immediately on account closure | Hard-deleted; the link returns "not found" |
| Magic-link tokens | 24 hours from creation (links expire after 15 minutes) | Hard-deleted |
| Sessions (connect.sid) | 30 days | Pruned automatically |
If you opt in to research use via Settings, anonymised usage data with all identifying information removed may be retained beyond these periods for aggregate educational research. Anonymised data is no longer personal data under GDPR and is therefore not subject to retention limits. You can revoke this consent at any time.
Your rights
Under UK GDPR you have the following rights, all of which are exercisable without charge:
- Access. Use the "Export all my data" button on your Settings page to download a structured JSON file containing everything we hold about you.
- Erasure. Use the "Delete my account" button on Settings. Your account, profile and directly linked data are removed. Lesson text and similar records are anonymised so they no longer link to you.
- Rectification. Update your profile and account details from Settings.
- Withdraw consent. The research-use toggle in Settings can be turned off at any time. Email subscriptions can be cancelled with the unsubscribe link in any monthly report.
- Portability. The JSON export is provided in a structured, machine-readable format.
- Object. If you wish to object to any specific processing, contact us using the address at the top of this notice.
- Complain to a regulator. If you are not satisfied with our response you can complain to the UK Information Commissioner's Office at ico.org.uk.
Security
We protect your data with the following technical and organisational measures:
- Passwords hashed with bcrypt (12 salt rounds); never stored in plain text.
- Session cookies set httpOnly, Secure and SameSite=Lax.
- Sign-in flow regenerates the session ID to prevent session fixation.
- All database queries use parameterised placeholders to prevent SQL injection.
- HTTP security headers via Helmet, including a strict Content Security Policy and HSTS.
- Rate limiting on authentication routes, the AI proxy and write-side API endpoints.
- HTTPS enforced in production with automatic HTTP to HTTPS redirect.
- AI API keys held server-side only; never exposed to the browser.
- Routine application updates and dependency patching.
No system can be made perfectly secure. If you become aware of a security issue, please email andy.perryer@cognita.com with the subject line "security" and we will acknowledge within two working days.
Children's data
PICRAT Suite is built for use by teachers (adults). Pupils do not have accounts and do not access the platform directly. Registration requires an email address and is intended for educators and school staff.
Because teachers may submit lesson plans through the AI tools, we ask all users not to include identifiable pupil information (names, dates of birth, attendance records, SEN diagnoses, or anything that could identify an individual child). Where pupil data is inadvertently submitted, it is processed and retained on the same schedule as other lesson text above and can be deleted on request.
The Information Commissioner's Office's Age Appropriate Design Code (Children's Code) applies to services likely to be accessed by children. PICRAT Suite is not such a service: it is teacher-facing, requires registration, and contains no content directed at children. If pupil-facing features are added in future, this section will be updated and the Code's standards applied.
Changes to this notice
We review this notice at least annually and update it when our processing changes. Material changes are communicated through the platform. The date at the top of the page reflects the most recent revision.
Contact
For data-protection queries, requests or complaints, email andy.perryer@cognita.com. If you are not satisfied with our response, you have the right to complain to the UK Information Commissioner's Office at ico.org.uk.
This notice is written to be readable. It is not a substitute for legal advice. If your school's data-protection officer needs additional documentation (for example a signed Data Processing Agreement or sub-processor list), email the address above and we will respond.