Privacy practices designed for school procurement review.
Outleap processes personal data to support the post-18 application workflow, managed review, references where enabled, and cohort visibility. Schools remain the data controller; we act as a data processor under clear contractual terms, with GDPR-aligned practices documented in our trust pack.
GDPR alignment
Lawful basis
The school, as data controller, decides and documents the lawful basis for processing in its own DPIA. Schools typically rely on a public task or legitimate interests basis for structured educational support, or contractual necessity where Outleap is engaged as part of the post-18 programme. We support that assessment; we do not make it for the school.
Data minimisation
We collect only what the platform needs to operate: student name, email, school affiliation, evidence-bank entries, statement drafts, and school-supervised feedback. We do not carry out marketing profiling, and we do not share data with third parties beyond what is needed for service delivery.
Purpose limitation
Student data is processed solely for evidence capture, the managed review workflow, references where enabled, staff review and cohort visibility — for the modules your school has activated. It is not used for model training, advertising, or any purpose outside the school's application workflow.
Children's data
Outleap is used by an under-18 cohort, so we design to the ICO's Age Appropriate Design Code: high privacy by default, data minimisation, and the best interests of the child as a primary consideration. There are no nudges that weaken a student's privacy.
Data residency and security
UK/EU data residency
All data is processed and stored in UK/EU-hosted Google Cloud infrastructure. No data is transferred outside the UK/EEA without appropriate safeguards.
Encryption
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via Google Cloud default encryption). Database access is authenticated and role-scoped.
Environment isolation
Staging and production are fully separated — different Firebase and GCP projects, different data stores. Production data is not used in development or testing.
Retention and access
Retention periods
Student data is retained for the duration of the school's licence plus a defined wind-down period. Schools can request deletion at any time. Specific schedules are documented in the trust pack.
Access controls
Role-based access is enforced at both the application and infrastructure levels. Students see only their own data; teachers see only their assigned students; school admins see their school's data. Cross-school access is prevented by design.
Data subject rights
Schools can exercise data subject rights (access, rectification, erasure, portability) through the platform or by contacting us. We respond to requests within statutory timeframes.
AI data handling
No training on pupil data
Student content and AI outputs are not used to train AI models. Processing uses the student's evidence and drafts for feedback and reference preparation only, and data is not retained by the AI provider for training.
School stays in control
AI assistance is supervised and bounded. Your school sets the controls, can require staff review of feedback, and anything the system flags as a concern is always held for a member of staff. AI is a tool in the workflow, not an autonomous decision-maker, and it makes no safeguarding decisions.
The full trust pack
For procurement, the trust pack includes a DPA template, DPIA starter, retention policy and AI-safety policy. To review them with your team, book a trust review.