GDPR Compliance
Last updated: 13 October 2025
1. Introduction
FutureDL Limited (trading as Waveform) is committed to protecting personal data and complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This document explains how we meet our obligations and how you can exercise your rights.
1.1 Our Commitment
We process personal data lawfully, fairly, and transparently. We collect data only for specified, explicit, and legitimate purposes. We ensure data is adequate, relevant, and limited to what is necessary. We maintain data accuracy and keep records up to date. We store data only for as long as necessary. We implement appropriate security measures to protect data.
1.2 Scope
This document applies to all personal data we process as part of providing Waveform services to UK secondary schools. It covers student data, teacher data, school staff data, and any other personal information we collect or process.
2. Legal Basis for Processing
2.1 Contractual Necessity
We process personal data to fulfil our contract with schools to provide AI-powered marking and assessment services. This includes processing student work, generating feedback, and providing teachers with class insights. Without this processing, we cannot deliver our core services.
2.2 Legitimate Interests
We rely on legitimate interests for certain processing activities where they do not override individual rights and freedoms. Our legitimate interests include: ensuring platform security and preventing fraud, improving service quality and developing new features, providing technical support to users, and maintaining business records for operational purposes. We have conducted legitimate interests assessments to ensure our processing is proportionate and appropriate.
2.3 Legal Obligations
We process data to comply with legal obligations, including: responding to lawful requests from law enforcement or regulatory authorities, complying with court orders or legal processes, meeting our obligations under education sector regulations, and fulfilling safeguarding duties under Keeping Children Safe in Education (KCSIE).
2.4 Consent
For students under 16, we rely on consent provided by schools (acting in loco parentis) and parental consent where required. Schools must obtain appropriate consents before using Waveform with students. We do not rely on consent as our primary legal basis, ensuring that withdrawal of consent does not prevent schools from fulfilling their educational obligations.
3. Your Rights as a Data Subject
3.1 Right of Access (Article 15)
You have the right to obtain confirmation that we are processing your personal data and to access that data. You can request a copy of your personal data and information about how we process it. We will respond to access requests within one month, free of charge for the first request.
3.2 Right to Rectification (Article 16)
You have the right to have inaccurate personal data corrected and incomplete data completed. Teachers can update most information directly through their account dashboard. For other corrections, contact us at hello@waveform.co.uk. We will respond to rectification requests within one month.
3.3 Right to Erasure (Article 17)
You have the right to request deletion of your personal data in certain circumstances: when the data is no longer necessary for the purposes it was collected, when you withdraw consent and there is no other legal basis for processing, when you object to processing and there are no overriding legitimate grounds, when the data has been unlawfully processed, or when deletion is required to comply with a legal obligation. We will respond within one month and delete data within 30 days, subject to any legal obligations to retain certain information.
3.4 Right to Restrict Processing (Article 18)
You have the right to restrict processing in certain circumstances: when you contest the accuracy of the data (restriction applies while we verify accuracy), when processing is unlawful but you prefer restriction to erasure, when we no longer need the data but you need it for legal claims, or when you have objected to processing (restriction applies while we verify whether our legitimate grounds override yours). During restriction, we will only process data with your consent, for legal claims, to protect others' rights, or for important public interests.
3.5 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller. This right applies when: processing is based on consent or contract, and processing is carried out by automated means. We will provide data in JSON or CSV format where technically feasible. This right does not apply to data processed for legitimate interests or legal obligations.
3.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests or for direct marketing purposes. When you object, we will stop processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is necessary for legal claims. We do not use personal data for direct marketing, so this ground does not typically apply.
3.7 Rights Related to Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that produce legal effects or similarly significantly affect you. Our AI marking system generates suggestions, but all decisions are reviewed by teachers before being published to students. You have the right to: obtain human intervention in the decision-making process, express your point of view, and contest the decision. Teachers always maintain final control over marks and feedback.
3.8 How to Exercise Your Rights
To exercise any of these rights, contact us at hello@waveform.co.uk with: your full name and contact details, the right you wish to exercise, sufficient information to identify you and locate your data, and any supporting documentation if required. Students and parents should initially contact their school, which can facilitate requests on their behalf. We will respond within one month, with possible extension to two months for complex requests.
4. Data Protection Principles
4.1 Lawfulness, Fairness, and Transparency
We process data lawfully based on appropriate legal grounds as outlined in section 2. We process data fairly, ensuring we do not use it in ways that are unduly detrimental to data subjects. We are transparent about our processing activities through our Privacy Policy and this compliance document.
4.2 Purpose Limitation
We collect personal data for specified, explicit, and legitimate purposes: providing AI-powered marking services, generating personalised student feedback, enabling class performance analysis, facilitating communication between teachers and students, ensuring platform security, and improving service quality. We do not process data for purposes incompatible with these original purposes without obtaining consent or establishing a new legal basis.
4.3 Data Minimisation
We collect only data that is adequate, relevant, and limited to what is necessary for our purposes. We regularly review data collection practices to ensure we are not collecting excessive data. We do not require unnecessary personal information from users.
4.4 Accuracy
We take reasonable steps to ensure personal data is accurate and kept up to date. Teachers can update information directly through the platform. We provide mechanisms for data subjects to request corrections. We verify data accuracy through validation processes where appropriate.
4.5 Storage Limitation
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected.
Active accounts: data retained while the school maintains an active account.
Account deletion: data deleted within 30 days of account closure.
Backup retention: deleted data may persist in backups for up to an additional 30 days.
Legal requirements: certain data may be retained longer if required by law.
4.6 Integrity and Confidentiality
We implement appropriate technical and organisational measures to ensure data security, including: encryption of data in transit (TLS 1.3) and at rest (AES-256), secure authentication and access controls, regular security audits and penetration testing, automated threat detection and monitoring, employee security training and confidentiality agreements, and incident response procedures.
4.7 Accountability
We demonstrate compliance with data protection principles through: maintaining records of processing activities, conducting data protection impact assessments, implementing privacy by design and by default, training staff on data protection obligations, and documenting our data protection policies and procedures.
5. International Data Transfers
5.1 UK Data Residency
All personal data is stored and processed exclusively within the United Kingdom. We do not transfer personal data outside the UK. Our servers are located in UK data centres, ensuring full compliance with UK data protection laws.
5.2 Third-Party Processors
Any third-party services we use for processing personal data also maintain UK data residency. Our contracts with third-party processors include: requirements to process data only in the UK, data protection obligations equivalent to those in UK GDPR, security measures to protect data, and notification requirements for data breaches.
5.3 No Cross-Border Transfers
We have specifically designed our infrastructure to avoid international data transfers, eliminating the need for transfer mechanisms such as adequacy decisions, standard contractual clauses, or binding corporate rules. This provides maximum protection for UK data subjects and ensures compliance with UK data protection laws.
6. Data Breach Procedures
6.1 Breach Detection
We have implemented systems and procedures to detect potential data breaches, including: automated security monitoring and alerting, regular security audits and assessments, employee training on identifying security incidents, and incident reporting channels for staff and users.
6.2 Breach Response
Upon detecting a data breach, we will: immediately contain the breach to prevent further data loss, assess the severity and potential impact of the breach, document all aspects of the breach and our response, and implement measures to prevent similar breaches in future.
6.3 Notification to ICO
We will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of a breach that poses a risk to individuals' rights and freedoms. Our notification will include: description of the nature of the breach, categories and approximate number of data subjects affected, likely consequences of the breach, and measures taken or proposed to address the breach.
6.4 Notification to Data Subjects
When a breach poses a high risk to individuals' rights and freedoms, we will notify affected data subjects without undue delay. Our notification will include: description of the nature of the breach, contact point for further information, likely consequences of the breach, and measures taken or recommended to mitigate adverse effects. We will communicate directly with schools, which should inform affected students and parents as appropriate.
6.5 Breach Records
We maintain records of all data breaches, including: facts relating to the breach, its effects, and remedial action taken. These records enable us to demonstrate compliance with our notification obligations and to identify patterns that may require changes to our security measures.
7. Children's Data Protection
7.1 Age-Appropriate Processing
We recognise that children's data requires special protection. Our services are designed for GCSE students (typically ages 14-16) in UK secondary schools. We process children's data with particular care, ensuring: processing is necessary and proportionate, security measures are robust and appropriate, information about processing is clear and age-appropriate, and children's rights can be effectively exercised.
7.2 Consent Requirements
For students under 16, processing based on consent requires authorisation from the holder of parental responsibility. Schools obtain appropriate consents before using Waveform with students. We provide schools with template consent forms and information sheets. Parents can withdraw consent at any time by contacting the school.
7.3 Transparency for Children
We ensure that information about data processing is communicated in clear, plain language appropriate for children. Our Privacy Policy uses straightforward language to explain data practices. Schools should supplement our information with age-appropriate explanations for their students.
7.4 Safeguarding
We comply with Keeping Children Safe in Education (KCSIE) guidance. Our safeguarding measures include: appropriate staff vetting and training, clear procedures for reporting concerns about child welfare, secure handling of sensitive information about children, and cooperation with schools and authorities on safeguarding matters.
8. Data Protection Responsibility
8.1 Accountability
Data protection matters at FutureDL Limited are overseen by our company directors, who are responsible for ensuring compliance with UK GDPR and DPA 2018. Our directors maintain oversight of: data protection policies and procedures, staff training on data protection, responses to data subject requests, data protection impact assessments, and relationships with supervisory authorities.
8.2 Contact for Data Protection Matters
For data protection enquiries, questions, or concerns, contact us at: hello@waveform.co.uk. Mark urgent data protection matters as 'URGENT: Data Protection' in the subject line. We aim to respond to data protection enquiries within 48 hours and formal data subject requests within the legally required timeframes.
8.3 Staff Training
All staff receive training on data protection principles and their responsibilities under UK GDPR. Training covers: understanding of data protection principles, recognising and reporting data breaches, responding to data subject requests, secure handling of personal data, and privacy by design principles.
9. Records of Processing Activities
9.1 Documentation
We maintain records of our processing activities as required by Article 30 of UK GDPR. Our records include: name and contact details of the controller (FutureDL Limited), purposes of processing, categories of data subjects and personal data, categories of recipients of personal data, details of transfers (we do not transfer data outside the UK), retention periods, and descriptions of technical and organisational security measures.
9.2 Categories of Data Processed
We process the following categories of personal data: student data (name, year group, class membership, submitted work, assessment results, feedback, usage data), teacher data (name, email address, school affiliation, subject areas, class rosters, marking preferences, account activity), school data (school name, address, type, administrative contacts), and technical data (IP addresses, device information, browser type, usage analytics).
9.3 Recipients of Data
We may share personal data with: third-party AI service providers (under strict data processing agreements), cloud hosting providers (UK-based only), form processing services (for contact enquiries only), law enforcement or regulatory authorities (when legally required), and schools and teachers (within appropriate access permissions).
10. Privacy by Design and Default
10.1 Privacy by Design
We implement privacy by design principles throughout our service development: data protection is considered at every stage of system design, privacy-enhancing technologies are integrated into our platform, access controls are built into the system architecture, data minimisation is implemented at the collection stage, and security measures are embedded in our technical infrastructure.
10.2 Privacy by Default
We implement privacy by default settings to ensure: only necessary data is processed for specific purposes, minimal data is accessible to each user based on their role, data is stored only for as long as necessary for processing, and data is not made accessible to unlimited numbers of individuals without user intervention.
10.3 Data Protection Impact Assessments
We conduct data protection impact assessments (DPIAs) for processing activities that are likely to result in high risk to individuals' rights and freedoms. Our DPIAs consider: the nature, scope, context, and purposes of processing, risks to individuals' rights and freedoms, and measures to address risks and demonstrate compliance. We consult with relevant stakeholders and update DPIAs when processing activities change significantly.
12. Updates to This Document
We review this GDPR compliance document regularly to ensure it remains accurate and up to date. We will notify users of any material changes via email and by posting a notice on our platform at least 30 days before changes take effect.
The current version was last updated on 13 October 2025. Previous versions are available upon request.
13. Contact Information
13.1 Data Protection Enquiries
For questions about data protection, to exercise your rights, or to raise concerns: Email: hello@waveform.co.uk. Mark urgent matters as 'URGENT: Data Protection'. We respond to data protection enquiries within 48 hours and formal requests within one month.
13.2 Company Information
FutureDL Limited, Trading as Waveform, Company Number: 14534210, Registered in England and Wales, Registered Office: Windmill Green, 24 Mount Street, Manchester, England, M2 3NX
13.3 Further Information
For more information about our data practices, please see: Privacy Policy at /privacy, Terms of Service at /terms. For general enquiries about Waveform, contact us at hello@waveform.co.uk or visit /contact.