Privacy Policy
Last updated: January 18, 2026
As teachers ourselves, we understand that the privacy of your data—and especially your students' data—is paramount. We built FeedbackFlow.AI (MarkMate) to save you time, not to harvest your information.
This policy outlines exactly what we collect, why we need it, and how we keep it under lock and key.
Our Core Promise to You
We do not sell your data. Ever. FeedbackFlow.AI is funded entirely by the credits you purchase to use our tools. We have zero interest in selling, trading, or sharing your personal information or your students' work with advertisers or third-party marketers. Your data is yours, full stop.
Data Controller & Processor Roles
FeedbackFlow.AI (Daniel) is the Data Controller for account, billing, and platform usage data.
For student work uploaded by schools, schools act as the Data Controller and FeedbackFlow.AI acts as the Data Processor on their behalf. Our Data Processing Agreement is available at this link.
What We Collect (and What We Don't)
We strictly limit data collection to what is absolutely necessary for the tools to function:
Teacher Account Information
- Email address (required) - to manage your account and credits
- Password (securely hashed, never stored in plain text)
- Name - first name and surname for your profile
- Optional details - phone, job role, subject, school, country, timezone, teaching experience, curriculum (to help tailor suggestions)
Student Data (Minimal)
We only store:
- Student names you input (so you know whose work is whose)
- Uploaded essays (PDF files of handwritten work)
- Transcribed text (AI-generated from handwriting)
- Grades and feedback you create or generate
- Teacher notes about students (target grades, working grades, notes)
What We Do NOT Collect
- Student dates of birth, addresses, or photos
- Demographic data beyond what's in essays
- Browsing history or tracking data
- Third-party analytics data (no Google Analytics, Facebook Pixel, or similar)
Legal Basis for Processing
Under GDPR, we process your data based on the following legal grounds:
For Teacher Data
Contract: Processing your account information is necessary to provide you with our service. Without your email and profile, we couldn't manage your account or deliver the tools you've signed up for.
For Student Data
Legitimate Interest: Teachers have a legitimate interest in efficiently marking and providing feedback on student work. Our service provides substantial educational benefit while minimizing data collection to only what's necessary for marking and transcription.
Important: By using this service, you confirm that you have the authority to upload student work and that you've obtained necessary consents from your school/institution. For students under 16 (in most EU countries), please ensure parental consent has been obtained where required by your institution's data protection policy.
Where Your Data Lives & How It's Secured
We take security seriously, using industry-standard infrastructure to keep your data safe.
Hosted in the EU: All data is stored on secure servers located in European Union data centers via Supabase (PostgreSQL database and file storage).
Security Measures
- Encrypted in transit: All data transmission uses HTTPS (TLS 1.2+)
- Encrypted at rest: Database and file storage are encrypted
- Access control: Row Level Security ensures teachers only see their own data
- Authentication: JWT tokens with 1-hour expiry and refresh token rotation
- Rate limiting: Protection against brute force attacks (30 login attempts per 5 minutes per IP)
- Local storage: Data is also cached in your browser's IndexedDB for offline access (encrypted by your browser)
Third-Party Data Sharing
To make FeedbackFlow.AI work, we share specific data with exactly these secure partners:
Google Gemini API (AI Processing)
What we share: Student essay PDFs, transcribed text, and marking prompts
Why: To provide AI-powered transcription and essay marking (core service functionality)
Google's policy: Google does not use data sent via their API to train their models
Location: Google Cloud (may involve international data transfer outside EU)
Important: When you upload essays, they are sent to Google's Gemini API for AI processing. While we use secure transmission and Google has committed to not using API data for model training, the data temporarily leaves our EU servers. We use Standard Contractual Clauses to ensure GDPR compliance for these transfers.
Stripe (Payment Processing)
What we share: Email (optional), purchase amount, user ID
Why: To process credit purchases securely
Security: Stripe is PCI-compliant. We never see or store your credit card details
GDPR: Stripe has Standard Contractual Clauses and is GDPR-compliant
Supabase (Infrastructure)
What we share: All application data (hosted infrastructure)
Location: EU data centers
GDPR: EU-hosted with Data Processing Agreement
Cloudflare (Hosting)
What we share: HTTP requests and function execution logs
Why: To host the application and run serverless functions
GDPR: Cloudflare has Standard Contractual Clauses
No Analytics Tracking: We do not use Google Analytics, Facebook Pixel, or any third-party analytics. The only tracking we perform is internal usage monitoring (token consumption for billing purposes).
Your Rights
It's your data. Under GDPR, you have comprehensive rights to control your personal information:
Right to Access
You can view all your data at any time via your Settings page and export everything with one click.
Right to Rectification
Update your profile, student information, and essays anytime through the app interface.
Right to Erasure ("Right to be Forgotten")
Delete your account and all associated data permanently via the Settings page. Once deleted:
- Your profile and settings are removed
- All student data (names, grades, notes) is deleted
- All uploaded essays and transcriptions are erased
- All classes, folders, and mark schemes are removed
- Deleted items are kept in archive for 30 days, then permanently purged
Note: Data previously sent to Google Gemini for AI processing cannot be automatically deleted through our system. If you need to request deletion from Google, please contact us for assistance.
Right to Data Portability
Export all your data in JSON format via the Settings page. The export includes: profile, students, classes, essays, marking data, and all associated information.
Right to Restrict Processing
Contact us to temporarily restrict processing while we investigate any concerns you have.
Right to Object
You can object to processing based on legitimate interest. We will cease processing unless we have compelling legitimate grounds.
How to Exercise Your Rights
Most rights can be exercised directly via your Settings page. For other requests or assistance, email daniel@feedbackflow.ai. We respond within 30 days as required by GDPR.
Data Retention
We only keep your data as long as necessary:
- Active accounts: Data retained while your account is active and in use
- Deleted items: Retained in archive for 30 days, then permanently deleted
- Inactive accounts: Automatically deleted after 2 years of no login activity (we'll email you before deletion)
- Usage logs: Retained for 1 year for billing and support purposes
- Payment records: Retained for 7 years (legal requirement for tax/accounting)
Cookies & Local Storage
We use minimal cookies, all strictly necessary for the service to function:
Strictly Necessary Cookies
- Authentication cookies (Supabase Auth) - to keep you logged in
- Session management - to maintain your session state
- Local storage (IndexedDB) - to cache data for offline functionality
No Tracking: We do not use analytics cookies, marketing cookies, advertising cookies, or share data with ad networks.
Read our full Cookie Policy.
You can disable cookies through your browser settings, but this may affect functionality (e.g., you won't stay logged in).
International Data Transfers
Your data is primarily stored in EU data centers. However, some data is processed by Google Gemini (US-based company) for AI functionality.
We protect international transfers using:
- Standard Contractual Clauses (SCCs) - EU-approved contract terms
- Data Processing Agreements with all processors
- Encryption in transit and at rest
- Access controls limiting who can access data
Children's Data
This service is designed for teachers to mark student work. Students may include minors (under 16 in most EU countries).
By using this service, you confirm:
- You are a teacher/educator with authority to process student work
- You have obtained necessary consents from your school/institution
- For students under 16, parental consent has been obtained where required
If you are unsure about consent requirements for processing student data, please consult your school's data protection officer or administration before using this service.
Data Breach Notification
We have security measures in place to prevent data breaches. However, if a breach occurs affecting your data:
- We will notify the relevant supervisory authority within 72 hours
- We will notify you without undue delay if there's a high risk to your rights and freedoms
- We will document all breaches internally and take steps to prevent recurrence
Changes to This Policy
We may update this policy from time to time to reflect changes in our practices or for legal reasons.
- We will notify you of significant changes via email
- The "Last Updated" date at the top will always reflect the most recent version
- Continued use of the service after changes constitutes acceptance
- We recommend reviewing this policy periodically
Your Right to Complain
If you're unhappy with how we handle your data:
- Contact us first: daniel@feedbackflow.ai - We'll do our best to resolve your concerns
- Lodge a complaint: You have the right to lodge a complaint with your data protection supervisory authority:
  - UK: Information Commissioner's Office (ICO) - ico.org.uk
  - EU: Your national data protection authority - Find your authority
Contact Us
Questions about this policy? Want to exercise your rights? Need help with data deletion?
Data Controller: FeedbackFlow.AI (Daniel)
Contact: daniel@feedbackflow.ai
Response time: Within 30 days (usually much faster)