Privacy Policy

This Privacy Policy explains how FutureDL Limited (trading as Waveform) collects, uses, and protects your personal information when you use our AI-powered marking platform. We are committed to protecting the privacy and security of all users, particularly students under the age of 18.

1.1 Who We Are

FutureDL Limited is a UK-registered company (Company Number: 14534210) with our registered office at Windmill Green, 24 Mount Street, Manchester, England, M2 3NX. We provide educational technology services to UK secondary schools, specifically designed for GCSE students.

1.2 Our Commitment

We take data protection seriously and comply fully with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the guidance set out in Keeping Children Safe in Education (KCSIE). All student data is processed and stored exclusively within the United Kingdom.

2.1 Student Data

We collect the following information about students: name, year group, class assignments, submitted work (including written answers and uploaded images), assessment results, feedback received, and usage data (login times, feature usage). This data is necessary to provide our marking and feedback services.

2.2 Teacher and School Staff Data

For teachers and school administrators, we collect: name, email address, school affiliation, subject areas taught, class rosters, marking preferences, and account activity logs. This information enables teachers to create assignments, review student work, and manage their classes effectively.

2.3 School Data

We collect school name, address, type of institution, and administrative contact information. This data is used for account management and service delivery purposes.

2.4 Technical Data

We automatically collect certain technical information including IP addresses, device type, browser type, operating system, and usage analytics. This data helps us maintain and improve our platform's performance and security.

3.1 Primary Purposes

We use your data to provide our core services: processing and marking student assignments, generating personalised feedback, identifying learning patterns, providing teachers with class insights, facilitating communication between teachers and students, and improving our platform's accuracy and functionality.

3.2 AI Processing

Student work is processed using enterprise-grade third-party AI services to power our marking functionality. These services operate under strict data processing agreements and are fully GDPR-compliant. We do not use student data to train general AI models. All processing is conducted solely to provide marking and feedback services to your school.

3.3 Service Improvement

We may use aggregated, anonymised data to improve our platform's performance and develop new features. This aggregated data cannot be used to identify individual students or teachers.

4.1 Contractual Necessity

Processing student and teacher data is necessary to fulfil our contract with your school to provide marking and assessment services.

4.2 Legitimate Interests

We process data based on legitimate interests in: providing effective educational services, ensuring platform security, preventing fraud and abuse, and improving service quality. We balance these interests against individuals' rights and freedoms.

4.3 Legal Obligations

We process data to comply with legal obligations under UK GDPR, Data Protection Act 2018, and education sector regulations including safeguarding requirements under KCSIE.

4.4 Consent

For students under 16, we rely on consent provided by the school (acting in loco parentis) and parental consent where required. Schools must obtain appropriate consents before using our services with students.

5.1 Third-Party Services

We use carefully selected third-party services to operate our platform: AI service providers (for assignment marking under strict data processing agreements), cloud hosting providers (UK-based servers only), form processing services (Typeform, for contact enquiries only), and email delivery services (for system notifications). All third parties are contractually bound to protect your data and use it only for specified purposes.

5.2 No Data Selling

We never sell, rent, or trade personal data to third parties for marketing or any other purposes.

5.3 Legal Requirements

We may disclose personal data if required by law, court order, or governmental authority, or to protect the rights, property, or safety of Waveform, our users, or others.

5.4 School Access

School administrators and teachers can access student data within their own school. Students can only access their own data. We maintain strict access controls to prevent unauthorised access.

6.1 UK Data Residency

All personal data is stored and processed exclusively within the United Kingdom. We do not transfer data outside the UK.

6.2 Server Location

Our servers are located in UK data centres, ensuring full compliance with UK data protection laws and maintaining low latency for UK users.

7.1 Active Accounts

We retain student and teacher data for as long as the school maintains an active account with Waveform. This enables continuous access to historical assignments and progress tracking.

7.2 Account Deletion

When a school account is deleted, all associated personal data is permanently deleted within 30 days. During this 30-day period, data is marked for deletion and inaccessible to users, but retained to allow for account recovery if deletion was accidental.

7.3 Backup Retention

Deleted data may persist in backup systems for up to an additional 30 days before complete removal. These backups are maintained solely for disaster recovery purposes and are not accessible for regular operations.

7.4 Legal Obligations

In exceptional circumstances, we may retain certain data longer if required by law or necessary for legal proceedings.

8.1 Technical Measures

We employ industry-standard security measures including: encryption of data in transit (TLS 1.3) and at rest (AES-256), secure authentication and access controls, regular security audits and penetration testing, automated threat detection and monitoring, and secure coding practices and regular security updates.

8.2 Organisational Measures

Our security practices include: strict employee access controls based on role requirements, mandatory security training for all staff, confidentiality agreements with all employees and contractors, incident response procedures, and regular backup and disaster recovery protocols.

8.3 Data Breach Procedures

In the unlikely event of a data breach, we will notify affected schools within 72 hours and report to the Information Commissioner's Office (ICO) as required by law. We will provide full details of the breach and steps being taken to mitigate harm.

9.1 Right of Access

You have the right to request a copy of the personal data we hold about you. Students and parents can request their data through their school. Schools can request data through their account administrator.

9.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data. Teachers can update most information directly through their account dashboard.

9.3 Right to Erasure

You can request deletion of personal data in certain circumstances, including when the data is no longer necessary for the purposes it was collected, consent is withdrawn, or there are no overriding legitimate grounds for processing.

9.4 Right to Restrict Processing

You can request restriction of processing in certain circumstances, such as while we verify data accuracy or assess whether legitimate grounds for processing exist.

9.5 Right to Data Portability

You can request transfer of your data to another service provider in a structured, commonly used, machine-readable format where technically feasible.

9.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests.

9.7 Rights Related to Automated Decision-Making

Our AI marking suggestions are always reviewed by teachers before being published to students. You have the right to request human review of any automated decision that significantly affects you.

10.1 Age Requirements

Our services are designed for GCSE students (typically ages 14-16) in UK secondary schools. We do not knowingly collect data from children under 13 without explicit school and parental consent.

10.2 Parental Rights

Parents have the right to: access their child's data, request correction of inaccurate data, request deletion of their child's data, and object to processing of their child's data. These requests should be made through the school in the first instance.

10.3 School Responsibility

Schools are responsible for obtaining appropriate consents from parents before using Waveform with students. We provide schools with template consent forms and information sheets to support this process.

10.4 KCSIE Compliance

We comply with Keeping Children Safe in Education guidance, including appropriate safeguarding measures, staff vetting requirements, and reporting procedures for concerns about child welfare.

11.1 Essential Cookies

We use essential cookies necessary for the platform to function, including session management, authentication, and security. These cookies cannot be disabled as they are required for the service to operate.

11.2 Analytics

We use privacy-focused analytics to understand how users interact with our platform. This helps us improve usability and identify technical issues. Analytics data is aggregated and cannot identify individual users.

11.3 Cookie Management

You can manage cookie preferences through your browser settings. However, disabling essential cookies may prevent certain features from working correctly.

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify schools of any material changes via email and by posting a notice on our platform at least 30 days before changes take effect.

Continued use of Waveform after policy changes take effect constitutes acceptance of the updated policy. If you do not agree with changes, you may discontinue use of the service.

13.1 Data Protection Enquiries

For questions about how we handle your data, to exercise your rights, or to raise concerns, please contact us at: hello@waveform.co.uk

13.2 Data Protection Responsibility

Data protection matters are handled by our company directors, who oversee compliance with UK GDPR and DPA 2018. For urgent data protection concerns, please mark your email as 'URGENT: Data Protection'.

13.3 Postal Address

FutureDL Limited, Windmill Green, 24 Mount Street, Manchester, England, M2 3NX

13.4 Complaints

If you are not satisfied with how we handle your data protection concerns, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): Website: ico.org.uk, Phone: 0303 123 1113, Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF