FeedbackFlow
DPIA support note

Privacy and governance summary

This page summarises the key controls for schools and trusts reviewing Feedback Flow. It is intended to support privacy impact assessment discussions and should be read alongside the Privacy Policy, Data Processing Agreement, and the school's own data protection assessment.

Short position for governance teams

Feedback Flow is designed as a teacher-directed marking and feedback tool. The school remains the controller for pupil work and decides the lawful basis for using the service. Feedback Flow acts as a processor for pupil work and only processes that data to provide transcription, marking support, feedback workflows, and storage configured by the teacher or school.

Pupil consent

For normal classroom marking and feedback, pupil consent is not expected to be the default lawful basis. In many UK school contexts the school will usually consider public task, official authority, legitimate interests, or another lawful basis depending on its legal status and policy position.

  • The product records teacher acceptance of terms, privacy information, and student-data handling acknowledgement during account creation.
  • The teacher confirms they have authority from their school or institution before uploading pupil work.
  • Schools should decide whether any additional pupil or parent notice, permission, or consent is required by their local policy.
  • If a school decides consent is required for a specific use, the school should manage that consent outside Feedback Flow before uploading pupil work.

Sharing personal data

Feedback Flow does not sell pupil or teacher data and does not use advertising or third-party analytics. Personal data is shared only with service providers needed to run the product.

  • Supabase stores application data and files.
  • Cloudflare hosts the application and serverless functions.
  • Google Gemini API receives pupil work and prompts only when AI transcription or marking support is used. Billing-enabled API terms state that prompts, files, and responses are not used to improve Google products or models.
  • Known student names are removed from AI text prompts and replaced with temporary placeholders before API requests are sent; upload display names are generic rather than original filenames.
  • Stripe processes subscription and payment data for teacher or school billing.

Controls already in the web app

  • Teacher sign-up includes a required student-data acknowledgement before account creation.
  • Synced data is user-scoped in Supabase, with Row Level Security used for tenant isolation.
  • The My Data page lets teachers review stored profile, class, pupil, response, feedback, and mark scheme data.
  • Profile/account controls support data export and account deletion requests.
  • The Privacy Policy and DPA list processors, purposes, retention position, international transfer safeguards, and contact details.

Points to confirm with the trust

Lawful basis

Ask whether the trust intends to rely on public task, legitimate interests, contract, consent, or another lawful basis for using Feedback Flow in its setting. Feedback Flow should not force pupil consent as the answer if the trust has a better lawful basis for routine educational assessment.

AI processing boundary

Confirm whether the trust is comfortable with pupil work being sent to Google Gemini API for transcription and feedback support, subject to the safeguards described in the Privacy Policy and DPA. Feedback Flow removes known student names from text prompts and file display names, but names visible inside scanned pages can still be present in the uploaded file content unless the school removes or masks them before upload.

Pupil-facing access

Pupil-facing access is not part of the current active scope. If it is reintroduced later, confirm whether the trust wants pupils to access feedback directly and what assessment data, teacher feedback, and transcriptions should be visible.

Data minimisation

Confirm what staff should avoid uploading, especially unnecessary special category data, safeguarding disclosures, medical information, highly sensitive personal details, or visible pupil names within scanned work.

Related documents

These documents provide the underlying detail for a privacy impact assessment.