GDPR Compliance
How EngagedLab complies with the General Data Protection Regulation and protects the rights of data subjects in the European Economic Area and United Kingdom.
Last updated: January 15, 2026
GDPR at a Glance
1. Legal Bases for Processing
We process personal data under the following GDPR legal bases. Each processing activity maps to at least one lawful basis:
Contract Performance (Art. 6(1)(b))
Account creation, providing the platform service, processing subscriptions, delivering generated lab content
Legitimate Interest (Art. 6(1)(f))
Learning analytics, platform security, fraud prevention, improving AI model quality (using aggregated data)
Legal Obligation (Art. 6(1)(c))
Tax records, responding to legal requests, regulatory compliance
Consent (Art. 6(1)(a))
Marketing emails (opt-in), optional analytics cookies, research participation
2. Your Rights Under GDPR
If you are located in the EEA or the UK, you have the following rights regarding your personal data:
Right of Access (Art. 15)
You can request a complete copy of all personal data we process about you. We provide this in a structured, machine-readable format within 30 days.
Right to Rectification (Art. 16)
You can request correction of inaccurate personal data. Most profile data can be edited directly in your account settings.
Right to Erasure (Art. 17)
You can request deletion of your personal data ("right to be forgotten"). We comply unless we have a legal obligation to retain specific records.
Right to Restrict Processing (Art. 18)
You can request that we limit processing of your data while a dispute is resolved or while we verify whether our legitimate interests override your rights.
Right to Data Portability (Art. 20)
You can export your data (account info, generated labs, learning analytics) in JSON/CSV format via your profile settings or by contacting us.
Right to Object (Art. 21)
You can object to processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7(3))
Where processing is based on consent, you can withdraw it at any time. Withdrawal does not affect the lawfulness of prior processing.
Right to Lodge a Complaint (Art. 77)
You can file a complaint with your local data protection supervisory authority if you believe your rights have been violated.
How to exercise your rights: Email privacy@engagedlab.co.uk with your request. We verify your identity and respond within 30 days. Complex requests may be extended by an additional 60 days with notice.
3. Controller vs. Processor Responsibilities
When EngagedLab is the Controller
Individual educator accounts (free and paid):
- • We determine the purposes and means of processing
- • We respond directly to data subject requests
- • We are responsible for lawful processing
- • We conduct Data Protection Impact Assessments
When EngagedLab is the Processor
Institutional deployments (Department & Enterprise plans):
- • The Institution is the Controller
- • We process data per the Institution’s documented instructions
- • We assist the Institution in fulfilling DSAR obligations
- • A Data Processing Agreement (DPA) governs the relationship
4. Sub-Processors
We engage the following sub-processors. All are bound by GDPR-compliant Data Processing Agreements:
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Google Cloud Platform (Vertex AI) | AI content generation and infrastructure | EU (Belgium/Netherlands) | Source text content (no PII sent to AI models) |
| Stripe | Payment processing | US (EU SCCs) | Email, payment method, billing address |
| Resend | Transactional email delivery | US (EU SCCs) | Email address, name |
| Cloud Infrastructure Provider | Application hosting, database, backups | EU (Primary), UK (Secondary) | All platform data (encrypted) |
| Pino / Logging Provider | Application error monitoring | EU | Error logs (anonymised user IDs) |
Institutional controllers are notified 30 days before any new sub-processor is engaged, with the right to object.
5. International Data Transfers
Our primary infrastructure runs in EEA data centres. When data is transferred to countries without an EU adequacy decision, we rely on:
- Standard Contractual Clauses (SCCs) — Latest version adopted by EU Commission Decision 2021/914
- UK International Data Transfer Agreement (IDTA) — For UK-to-third-country transfers
- Transfer Impact Assessments (TIAs) — Conducted for each sub-processor in non-adequate jurisdictions
- Supplementary measures — Encryption, pseudonymisation, and access controls as recommended post-Schrems II
For institutions requiring strict data residency, we offer EU-only and UK-only hosting configurations where all data, including backups, remains within the specified jurisdiction.
6. Data Protection Impact Assessments
In accordance with Article 35 of the GDPR, we conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to data subjects. DPIAs have been completed for:
- Bayesian Knowledge Tracing — mastery probability modelling from student interactions
- AI-generated content pipeline — processing source materials through language models
- Learning fingerprints — aggregated learner behaviour patterns
- Misconception detection — identifying common errors in student responses
- Cross-institutional analytics — aggregated, de-identified performance benchmarks
DPIA summaries are available to institutional partners upon request under NDA.
7. Data Breach Procedures
In compliance with Articles 33 and 34 of the GDPR, our breach response process is:
Incident detection of containment
Automated monitoring triggers alerts. Security team assesses scope and implements containment.
Internal assessment
Determine nature, scope, categories of data affected, and likely consequences for data subjects.
Controller & supervisory authority notification
Notify the ICO (or relevant DPA) within 72 hours if the breach poses a risk to individuals. Notify institutional controllers immediately.
Data subject notification
If the breach is likely to result in a high risk to individuals, affected data subjects are notified without undue delay.
Remediation & lessons learned
Document the breach, implement corrective measures, update security protocols, and publish an incident post-mortem.
8. Data Retention Schedule
We retain personal data only as long as necessary for the purposes outlined in our Privacy Policy:
| Data Category | Retention | Deletion Method |
|---|---|---|
| Account profile data | Account lifetime + 90 days | Hard delete from database |
| Learning analytics | Account lifetime (anonymised on deletion) | PII stripped, data anonymised |
| Payment records | 7 years (UK Companies Act) | Automated expiry |
| Server access logs | 90 days | Automated rotation & purge |
| Encrypted backups | 30 days (rolling) | Automated overwrite |
9. Privacy by Design & Default (Art. 25)
We embed data protection into our engineering practices:
- Data minimisation: We collect only what is necessary. AI models receive source text without PII.
- Pseudonymisation: Internal analytics use hashed user IDs. Learning fingerprints do not contain direct identifiers.
- Default privacy settings: Marketing communications are opt-in. Analytics dashboards show only the requesting user’s data by default.
- Security reviews: All features involving personal data undergo security and privacy review before deployment.
- Automated testing: CI/CD pipelines include checks for PII leakage in logs and API responses.
10. Data Processing Agreement
For institutional deployments, we execute a GDPR-compliant Data Processing Agreement (DPA) under Article 28 that includes:
- • Subject matter, duration, nature, and purpose of processing
- • Types of personal data and categories of data subjects
- • Controller’s obligations and rights
- • Sub-processor management and notification procedures
- • International transfer mechanisms (SCCs/IDTA)
- • Audit rights and cooperation obligations
- • Data return and deletion procedures upon termination
- • Breach notification commitments
To request a copy of our DPA template, contact legal@engagedlab.co.uk.
11. Contact & Supervisory Authority
Data Protection Officer
Email: dpo@engagedlab.co.uk
Official website: EdTechLab.co.uk
Post: EdTechLab LTD, Level 3, 1 Finsbury Avenue, London EC2M 2PP, United Kingdom
Supervisory Authority
UK Information Commissioner’s Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Web: ico.org.uk