GDPR Compliance

Last updated: December 2025

Our Commitment

TeacherStation is committed to GDPR compliance and respecting your data protection rights. We have designed our service according to privacy-by-design principles and implement robust data protection measures.

Lawful Basis for Processing

We process personal data under the following lawful bases:

Processing Activity             | Lawful Basis
Account creation and management | Contract performance
Report generation               | Contract performance
Payment processing              | Contract performance
Service notifications           | Legitimate interests
Analytics and improvement       | Legitimate interests
Marketing communications        | Consent

Your Rights Under GDPR

As a data subject, you have the following rights:

Right of Access (Article 15)

You can request a copy of all personal data we hold about you.

Right to Rectification (Article 16)

You can request correction of inaccurate personal data.

Right to Erasure (Article 17)

You can request deletion of your personal data ("right to be forgotten").

Right to Restrict Processing (Article 18)

You can request we limit how we use your data in certain circumstances.

Right to Data Portability (Article 20)

You can request your data in a structured, machine-readable format.

Right to Object (Article 21)

You can object to processing based on legitimate interests or for direct marketing.

Rights Related to Automated Decision Making (Article 22)

You have rights regarding automated decision-making and profiling.

How to Exercise Your Rights

To exercise any of your rights, you can:

  • Email us at Support@TeacherStation.co.uk
  • Use the data export and deletion features in your account settings
  • Contact our Data Protection Officer directly

We will respond to your request within 30 days. In complex cases, we may extend this by an additional 60 days with notice.

Data Processing for Schools

When processing student data:

  • Controller: The school or teacher is the data controller for student information
  • Processor: TeacherStation acts as a data processor on your behalf
  • Sub-processors: We use Anthropic (AI processing), Supabase (database), and Stripe (payments)
  • DPA: Enterprise customers can request a Data Processing Agreement

International Data Transfers

Some of our service providers are based outside the UK/EEA. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the ICO/European Commission
  • Adequacy decisions where applicable
  • Supplementary measures as required

Data Protection Measures

We implement technical and organisational measures including:

Technical Measures

  • ✓ Encryption at rest and in transit
  • ✓ Access controls and authentication
  • ✓ Regular security testing
  • ✓ Secure development practices

Organisational Measures

  • ✓ Staff training on data protection
  • ✓ Data minimisation principles
  • ✓ Incident response procedures
  • ✓ Regular policy reviews

Data Retention

Data Type           | Retention Period
Account information | Duration of account + 30 days
Student data        | Duration of account + 30 days
Generated reports   | Duration of account + 30 days
Payment records     | 7 years (legal requirement)
Analytics data      | 12 months (anonymised)

Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority (ICO) within 72 hours where required. If the breach is likely to result in high risk to individuals, we will also notify affected users without undue delay.

Supervisory Authority

You have the right to lodge a complaint with a supervisory authority. In the UK:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

Contact Our DPO

For data protection queries, please contact our Data Protection Officer: