Company No. 16832757

Registered Office: The Screening House, Cwm Cynon Business Park, Mountain Ash, CF45 4ER, United Kingdom

Website: BrightBoardAI.com

Last Updated: 25th November 2025

1. Introduction

This Privacy Policy explains how BrightBoard AI Ltd (“we”, “us”, “our”) collects, uses, stores and protects personal data when you access or use BrightBoardAI.com and our associated services. We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR). By using the Service, you agree to this Policy.

2. Data Controller

BrightBoard AI Ltd is the Data Controller responsible for determining how personal data is processed. If you have questions about this Policy, you may contact us using the details in section 16.

3. Personal Data We Collect

We may collect and process the following categories of personal data:

(a) Account information: name, email address, login credentials, profile details, exam board, locale.

(b) Usage data: pages visited, features used, interactions, logs, preferences, activity timestamps.

(c) Communication data: messages, enquiries, support requests.

(d) Payment data: billing information, transaction records (processed by third-party payment processors; we do not store full card details).

(e) Technical data: IP address, device type, browser type, operating system, cookies, identifiers, security logs.

(f) AI input data: prompts, questions, uploaded content and any data you submit for processing by our AI systems.

(g) AI output data: the responses or content generated by the system based on your input.

(h) Child data: limited account information for users aged 13–17, collected only with parental or guardian consent.

4. Special Category Data

We do not intentionally collect special category data (such as health data, religious beliefs or biometric identifiers). Users must not submit such data. If special category data is submitted, we will delete it where possible.

5. How We Use Personal Data

We process personal data for the following purposes:

(a) providing and improving the Service;

(b) account registration, authentication and security;

(c) generating AI output based on user input;

(d) responding to enquiries, support requests and feedback;

(e) monitoring usage patterns to improve functionality and safety;

(f) preventing fraud, misuse and security incidents;

(g) complying with legal obligations;

(h) sending service notifications and updates;

(i) managing payments and subscriptions (if applicable).

6. Legal Bases for Processing

We rely on the following legal bases under UK GDPR:

(a) Consent: for cookies, marketing communications and parental consent for Minor users.

(b) Contract: where processing is necessary to provide the Service you have requested.

(c) Legitimate interests: such as improving the Service, security monitoring and preventing misuse, where these interests do not override your rights.

(d) Legal obligation: where processing is required to comply with UK law.

7. Children’s Data (Ages 13–17)

We do not knowingly collect data from children under 13. If we discover such data has been collected, we will delete it.

Users aged 13–17 may use the Service only with parental or guardian consent. Parents or guardians accept responsibility for the Minor’s use of the Service and for the processing of data associated with their account.

8. AI Input and AI Output

Data submitted by users, including text, prompts and uploaded content, may be processed by AI systems to generate output. We do not claim ownership of user-submitted content.

We may use anonymised or aggregated AI input data to improve system accuracy, performance and safety.

We do not use personal data to train external third-party AI models.

9. Sharing Your Data with Third Parties

We may share personal data with the following types of third parties:

(a) Hosting providers and cloud infrastructure services;

(b) Payment processors such as Stripe or PayPal;

(c) Analytics providers for website performance monitoring;

(d) Security service providers to prevent fraud or misuse;

(e) Professional advisers such as lawyers or auditors;

(f) Regulators or authorities where required by law.

We do not sell personal data to third parties.

10. International Data Transfers

Personal data may be transferred outside the UK if required by our hosting or service providers.

Where transfers occur, we ensure appropriate safeguards such as:

(a) adequacy regulations;

(b) UK-approved International Data Transfer Agreements;

(c) Standard Contractual Clauses.

We take all reasonable steps to ensure personal data remains protected.

11. Data Security

We implement appropriate technical and organisational measures to safeguard personal data, including encryption, access controls, secure hosting and regular monitoring.

However, no method of transmission or storage is completely secure, and we cannot guarantee absolute security.

12. Data Retention

We retain personal data only for as long as necessary to provide the Service, meet legal obligations or resolve disputes. Retention periods vary depending on data type but generally include:

(a) Account data: retained while the Account is active and for a reasonable period after closure.

(b) AI input and output: retained for operational and safety purposes unless deleted by the user.

(c) Logs and technical data: retained for security and diagnostic purposes for a limited duration.

You may request deletion of your data as described in section 13.

13. Your Rights Under UK GDPR

You have the following rights:

(a) Right to access your personal data;

(b) Right to rectification of incorrect or incomplete data;

(c) Right to erasure of your data (“right to be forgotten”) in certain circumstances;

(d) Right to restrict processing;

(e) Right to data portability;

(f) Right to object to certain types of processing;

(g) Right not to be subject to purely automated decisions with significant effects;

(h) Right to withdraw consent at any time (where consent is the legal basis).

To exercise these rights, contact us using the details in section 16.

14. Cookies and Tracking Technologies

We use cookies and similar technologies to enable website functionality, enhance performance and analyse usage.

Essential cookies are required for the Service to operate.

Non-essential cookies require user consent in accordance with PECR.

For details, see our Cookie Policy.

15. Marketing Communications

We may send you emails about updates or important notices related to your account.

We only send marketing communications where we have your consent.

You may opt out of marketing at any time.

16. Contact Information

For privacy-related enquiries or to exercise your rights, contact us at:

Email: help@brightboardai.com

Postal Address: BrightBoard AI Ltd, The Screening House, Cwm Cynon Business Park, Mountain Ash, CF45 4ER, United Kingdom

Website: BrightBoardAI.com

17. Complaints to the ICO

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe your data rights have been violated.

ICO Website: ico.org.uk

Helpline: 0303 123 1113

18. Changes to This Privacy Policy

We may update this Policy from time to time. Updates will be posted on the Website. Continued use of the Service following changes indicates acceptance of the updated Policy.