GDPR Compliance

How we protect personal data under UK and EU data protection regulations.

Last updated: 26 January 2026

  • UK GDPR: Compliant with UK Data Protection Act 2018
  • EU GDPR: Compliant with EU General Data Protection Regulation
  • DPA Available: Data Processing Agreement for institutional customers
  • Data Minimisation: We only collect data necessary for the service
  • Right to Erasure: Delete your data at any time upon request
  • Data Portability: Export your data in machine-readable format

Data Controller

HigherEd-AI Ltd is the data controller responsible for your personal data.

  • Registered Address: Belfast, Northern Ireland, United Kingdom
  • Contact Email: tony@hied.ai
  • Data Protection Contact: dpo@hied.ai
  • Founder & Director: Tony McGinn

For organisations using HiEd.ai through an institutional subscription, the institution typically acts as the data controller for student data, with HiEd.ai acting as a data processor under a Data Processing Agreement (DPA).

Legal Basis for Processing

We process personal data under the following lawful bases as defined by Article 6 of the GDPR:

Contract Performance (Article 6(1)(b))

Processing necessary to provide our AI tutoring services:

  • Account creation and authentication
  • Delivering AI tutoring conversations
  • Processing payments for Private Learner accounts
  • Providing conversation transcripts and recordings

Legitimate Interests (Article 6(1)(f))

Processing necessary for our legitimate business interests:

  • Improving our AI tutoring technology
  • Ensuring platform security and preventing fraud
  • Providing customer support
  • Analysing platform usage (anonymised/aggregated)

Legal Obligation (Article 6(1)(c))

Processing required to comply with legal requirements:

  • Responding to lawful requests from authorities
  • Maintaining financial records as required by law
  • Fulfilling data subject access requests

Consent (Article 6(1)(a))

Where required, we obtain explicit consent for:

  • Marketing communications (opt-in only)
  • Optional analytics and cookies

Personal Data We Process

For Institutional Users (Students & Lecturers)

  Data Category            | Purpose                      | Retention
  -------------------------|------------------------------|-------------------------------
  Name, Email              | Account identification       | Duration of account
  Voice recordings         | AI conversation delivery     | As per institutional agreement
  Conversation transcripts | Assessment & learning review | As per institutional agreement
  Class enrolment data     | Access control               | Duration of enrolment

For Private Learner Accounts

  Data Category        | Purpose                     | Retention
  ---------------------|-----------------------------|----------------------------------
  Email address        | Account identification      | Until account deletion
  Voice recordings     | AI tutoring sessions        | 90 days or until deletion request
  Conversation history | Conversation memory feature | Until account deletion
  Payment information  | Processing purchases        | As required by law (6 years)

Your Rights Under GDPR

Under UK and EU data protection law, you have the following rights regarding your personal data:

Right of Access

Request a copy of all personal data we hold about you. We will respond within 30 days.

Right to Rectification

Request correction of inaccurate personal data we hold about you.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Restrict Processing

Request limitation of processing while we verify accuracy or legitimacy.

Right to Data Portability

Receive your data in a structured, machine-readable format (JSON).

Right to Object

Object to processing based on legitimate interests or for direct marketing.

To exercise any of these rights, contact us at dpo@hied.ai. We will respond within 30 days. For institutional users, please contact your institution's data protection officer first.

Sub-Processors

We use the following third-party service providers (sub-processors) to deliver our services. All sub-processors are contractually bound to process data only as instructed and to implement appropriate security measures.

  Sub-Processor                     | Purpose                                   | Location                          | DPA
  ----------------------------------|-------------------------------------------|-----------------------------------|----
  ElevenLabs Inc.                   | AI voice synthesis and conversational AI  | EU (via EU data residency option) |
  Google Cloud Platform (Firebase)  | Authentication, database, file storage    | EU (europe-west1)                 |
  Vercel Inc.                       | Website hosting and serverless functions  | EU region deployment              |
  Stripe Inc.                       | Payment processing (Private Learner accounts) | EU/US with SCCs               |

We notify institutional customers of any changes to our sub-processor list. Individual users can request notification of changes by emailing dpo@hied.ai.

International Data Transfers

We prioritise keeping data within the UK and EU. Where data transfer outside the EEA is necessary, we ensure appropriate safeguards are in place:

  • EU/UK Adequacy Decisions: Transfers to countries with adequacy decisions (e.g., transfers between UK and EU)
  • Standard Contractual Clauses (SCCs): EU-approved contractual terms with sub-processors in non-adequate countries
  • EU Data Residency: Our primary infrastructure uses EU-based servers (ElevenLabs EU residency, Firebase europe-west1)

Copies of relevant Standard Contractual Clauses are available upon request.

Data Security Measures

We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Access Controls: Role-based access with principle of least privilege
  • Authentication: Secure authentication with optional multi-factor authentication
  • Monitoring: Continuous security monitoring and logging
  • Certifications: Infrastructure providers (Google Cloud, Vercel) are SOC 2 Type 2 certified and ISO 27001 compliant
  • Regular Reviews: Periodic security assessments and penetration testing

For more details, see our Security & Privacy page.

Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (ICO for UK) within 72 hours of becoming aware
  • Notify affected data controllers (institutions) without undue delay
  • Notify affected individuals if the breach is likely to result in high risk
  • Document all breaches and remediation actions taken

Our incident response procedures are tested annually and align with the requirements of GDPR Articles 33 and 34.

Data Processing Agreement (DPA)

For educational institutions and organisations, we provide a comprehensive Data Processing Agreement that covers:

  • Subject matter, duration, and nature of processing
  • Types of personal data and categories of data subjects
  • Obligations and rights of the controller
  • Sub-processor engagement terms
  • Security measures and audit rights
  • Data breach notification procedures
  • Data return and deletion upon termination

To request a DPA: Email info@hied.ai with your institution details. We typically process DPA requests within 5 business days.

Supervisory Authority

If you are not satisfied with our response to a data protection concern, you have the right to lodge a complaint with a supervisory authority:

UK: Information Commissioner's Office (ICO)

Website: ico.org.uk

Helpline: 0303 123 1113

Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

EU residents may also contact their local data protection authority.

Contact Us

For any questions about this GDPR compliance information or to exercise your data rights:

We aim to respond to all data protection enquiries within 5 business days, and to complete data subject access requests within 30 days as required by GDPR.

Need a Data Processing Agreement?

We provide comprehensive DPAs for institutional customers. Get in touch to request one.