InclusiveXR Ltd ("we", "us") is the data controller for staff accounts and a data processor acting on behalf of your school, MAT or local authority for pupil data. Our ICO registration is held under InclusiveXR Ltd, Bristol, United Kingdom.
1. Data we process
- Staff accounts: name, work email, role, school affiliation, login timestamps.
- Pupil records: anonymised key, year group, SEND needs, EHCP status, parental-consent date. We do not collect pupil names.
- Session telemetry: AR module, duration, completion %, engagement score.
- Pupil voice: transcript, sentiment score, safeguarding flag. Audio is discarded immediately after transcription.
2. Lawful basis
Public task (Article 6(1)(e)) for school-led use; explicit parental consent (Article 9(2)(a)) for SEND-category data; legitimate interest for service security and product improvement.
3. Sub-processors
- Supabase Inc. — database & authentication (EU region).
- Google (Gemini API) and OpenAI (Whisper) — transient processing of transcripts only. No data is used for model training.
- Cloudflare — edge delivery and DDoS protection.
4. Retention
Pupil records: retained for the duration of the school's licence + 12 months, then deleted. EHCP PDFs: retained until manually deleted by the SENCO. Audio recordings: 0 seconds — never persisted.
5. Your rights (UK GDPR)
Subject access, rectification, erasure, restriction, portability, and objection. Email dpo@inclusivexr.co.uk. We respond within 30 days.
6. International transfers
All primary storage is UK/EU. Where AI inference occurs in the US (transient), it is covered by the EU-US Data Privacy Framework and Standard Contractual Clauses.
7. Complaints
You can complain to the UK Information Commissioner's Office at ico.org.uk.