Privacy Notice

MindStorm Coding — Spark AI Learning Platform

1. Data Controller

MindStorm Coding is the data controller for the personal data processed through the Spark platform. For data protection queries, contact us using the details provided by your MindStorm programme coordinator.

2. Lawful Basis for Processing

We process personal data under the following lawful bases:

  • Article 6(1)(b) — Contract: Account data (username, display name, age group) is processed as necessary for the provision of the Spark educational service.
  • Article 6(1)(e) — Public Task / Legitimate Interests: Chat transcripts are processed for the purpose of safeguarding children, which is a statutory duty of organisations working with minors.
  • Article 8 — Conditions for Consent (Children): For users under 13 years of age, verifiable parental consent is obtained prior to account creation via signed paper consent forms.

3. Data Collected

  • Username (chosen by the user, not a real name)
  • Display name (chosen by the user)
  • Age group (under 13 or 13-16)
  • Hashed password (irreversible cryptographic hash)
  • Chat messages (student inputs and AI responses)
  • Session metadata (timestamps, IP addresses for audit)
  • Consent records (reference to paper form, date, type)
  • AI-generated images — prompt text, DALL·E revised prompt, and image URL, stored per session for teacher review (Image Projects and Prompt Practice modes only)
  • Prompt iteration drafts — draft prompt text and Spark feedback saved per iteration in Prompt Practice mode

We do not collect: real names, email addresses, phone numbers, postal addresses, or photographs. The platform actively detects and removes personally identifiable information (PII) if accidentally submitted in chat messages.

Voice input: When students use the microphone feature, audio is processed entirely within the browser using the device's native Web Speech API. No audio data is transmitted to or stored by MindStorm Coding's servers. Only the resulting text transcript is sent via the standard chat pathway.

4. Third-Party Data Processors

We use the following third-party data processors. All are engaged under appropriate data processing agreements:

  • Anthropic (Claude API) — Chat messages (student inputs and Spark responses) are transmitted to Anthropic's API for AI processing. Anthropic is headquartered in the USA; transfers are made under standard contractual clauses. Anthropic does not train models on API traffic by default. See anthropic.com/privacy.
  • OpenAI (DALL·E 3 API) — When a student generates an image in Image Projects or Prompt Practice mode, the image prompt is transmitted to OpenAI's API. OpenAI is headquartered in the USA; transfers are made under standard contractual clauses. The prompt is not linked to the student's name or account on OpenAI's systems. See openai.com/policies/privacy-policy.
  • Supabase / Neon (Database hosting) — Student account data and chat transcripts are stored on a UK/EU-region hosted PostgreSQL database.
  • Vercel (Application hosting) — The platform is hosted on Vercel's edge infrastructure. Vercel processes request metadata (IP addresses, headers) as part of normal hosting operations.

No student data is shared with any other third party. Teacher access to transcripts is limited to authorised MindStorm staff for safeguarding purposes only.

5. Voice Input — Local Processing

The optional microphone feature uses the browser's native Web Speech API. Audio is processed entirely on the student's device; no audio data is transmitted to or retained by MindStorm Coding servers. Only the resulting text transcript enters the standard chat pipeline (covered by section 4 above). Students may review and edit the transcript before sending. This feature requires explicit browser permission and can be declined without any impact on platform functionality.

6. Data Retention

  • Routine chat data: deleted after 12 months where no safeguarding concern exists.
  • AI-generated images and prompt iterations: deleted after 12 months (same schedule as chat data).
  • Safeguarding-flagged data (including any images flagged by content moderation): retained for up to 7 years in accordance with UK education safeguarding records guidance.
  • Audit logs: retained for 3 years.
  • Deactivated accounts with no flags: deleted after 6 months.
  • All automated deletions are logged in the audit trail.

7. Data Subject Rights

Under UK GDPR, data subjects (students and their parents/guardians) have the right to:

  • Access their personal data (Subject Access Request)
  • Rectification of inaccurate data
  • Erasure of personal data (right to be forgotten), subject to Article 17(3)(d) safeguarding exceptions
  • Restriction of processing
  • Data portability
  • Object to processing

Requests can be made via your MindStorm teacher or programme coordinator. We aim to respond within one calendar month.

8. Security Measures

  • All data transmitted over HTTPS (TLS encryption in transit)
  • Database encryption at rest (AES-256)
  • Passwords stored as irreversible bcrypt hashes
  • Session tokens stored as SHA-256 hashes
  • Rate limiting on authentication endpoints
  • Role-based access control (students, teachers, administrators)
  • Comprehensive audit logging of all sensitive actions
  • Content safety filters on all chat inputs and outputs

9. Age Appropriate Design Code

This platform is designed in compliance with the ICO's Age Appropriate Design Code (Children's Code). High privacy settings are applied by default. No profiling, behavioural tracking, or nudge techniques are used. The platform does not use geolocation services.

10. Complaints

If you are unhappy with how your data is handled, you may contact the Information Commissioner's Office (ICO) at ico.org.uk or call 0303 123 1113.

Last updated: May 2026