Introduction

This Privacy Notice explains how Sphinx AI Limited (“we,” “us,” “our”) manages personal data in compliance with the General Data Protection Regulation (GDPR) through the RileyBot Hosted Service (“RileyBot”). This applies to all users, including educational institutions, teachers, students, and parents (“you,” “your”).

ICO registration reference: ZB653369

  1. Information Collection

1.1. Types of Information Collected:

  1. Personal Information: Names, email addresses, year groups, class details, and SEND information of students and teachers.
  2. Usage Data: Records of interactions with RileyBot, such as query logs and conversation history.
  3. Technical Data: Browser types and versions, access times, and information on the devices used to access RileyBot.

2. Information Usage

2.1. Service Provision: Utilise collected data to provide and maintain the functionality of RileyBot, ensuring a personalized and efficient user experience.

2.2. Communication: Employ user data to communicate important service updates, support needs, and educational resources.

2.3. Compliance and Safety: Use data to adhere to legal obligations, enhance user safety, and ensure the secure operation of RileyBot.

3. GDPR Compliance and Consent

3.1. Consent Process:

  1. Under 13: The school will obtain explicit consent from parents/guardians, including details on how consent is recorded, stored, and managed.
  2. Over 13: Directly obtain consent from students in a clear, informed, and voluntary manner.

3.2. Data Controller and Processor Relationship: 

In compliance with GDPR Article 28, the relationship between the school (as the data controller) and Sphinx AI Limited (as the data processor) is governed by the following principles:

a. Subject Matter, Duration, Nature, and Purpose of Processing:

  • Subject Matter: The processing involves personal data provided by the school for the operation of the RileyBot service.
  • Duration: Data processing will continue for the duration of the contract between the school and Sphinx AI Limited.
  • Nature and Purpose: The nature of processing is digital, involving the storage, retrieval, and management of personal data to facilitate educational support through RileyBot.
  • Type of Personal Data and Categories of Data Subjects: Personal data includes student names, email addresses, year groups, class details, and SEND information. Students will be advised not to enter Special Category Data, however this will be processed if they choose to do so. Data subjects are primarily students and educators.

b. Processing on Documented Instructions of the Controller: Sphinx AI Limited will process data solely based on the documented instructions from the school, ensuring compliance with GDPR and safeguarding data subject rights.

c. Duty of Confidence: All personnel involved in data processing are obliged to maintain the confidentiality of the data, adhering to strict non-disclosure agreements and privacy policies.

d. Appropriate Security Measures: As detailed in Section 5 of this policy, comprehensive security measures, including encryption, access controls, and regular audits, are implemented to ensure data protection.

e. Provisions Regarding the Use of Sub-Processors: Sphinx AI Limited will inform the school of any intended changes concerning the addition or replacement of sub-processors, thereby giving the school the opportunity to object to such changes.

f. Data Subjects’ Rights: We are committed to facilitating the exercise of data subjects’ rights under the GDPR, including access, rectification, erasure, and data portability.

g. Assistance to the Controller: Sphinx AI Limited will assist the school in fulfilling their obligations under the GDPR, particularly concerning security, breach notifications, impact assessments, and consultations with supervisory authorities.

h. End-of-Contract Provisions: Upon termination of the contract, Sphinx AI Limited will, at the choice of the school, delete or return all personal data processed, and delete existing copies unless EU or national law requires storage of the data.

i. Audits and Inspections: The school, or an auditor appointed by the school, has the right to conduct audits and inspections. Sphinx AI Limited will cooperate fully with such audits to verify compliance with the GDPR.

j. Data Processing Agreement (DPA): The information above should be read alongside the Data Processing Agreement which forms part of the Service Level Agreement (SLA).

3.3. Sub-Processors and Third Parties:

  1. List and Types: 
  • Microsoft: hosts the RileyBot platform
  • Open AI: facilitates the LLM utilised for providing responses and runs extreme content via its profanity filter
  • Wonde: collects agreed data from the school MIS and syncs this with the RileyBot platform on a daily basis

b. Geographical Considerations and Compliance: To ensure the highest standards of data protection, especially regarding the transfer and processing of data outside the European Union (EU), Sphinx AI Limited adopts the following detailed and sensible approach using :

  • The International Data Transfer Agreement (“IDTA”) which facilitate the lawful transfer of personal data outside the UK; and
  • The EU Standard Contractual Clauses (“EU SCCs”) and the UK International Data Transfer Addendum (“UK Addendum”).
  • Regular Audits and Assessments: We conduct regular audits and assessments of our sub-processors to verify their compliance with GDPR and our data protection standards. This includes reviewing their security measures, data handling practices, and any other relevant compliance certifications.
  • Contractual Obligations: Our contracts with sub-processors include clear terms regarding data protection responsibilities, GDPR compliance, and the requirement to notify us immediately in case of a data breach or non-compliance.
  • Data Protection Impact Assessments (DPIAs): For new sub-processors or significant changes in data processing activities, we conduct DPIAs to evaluate and mitigate any potential risks associated with the processing and transfer of personal data.
  • Transparency with Clients: We maintain transparency with our clients, the schools, regarding our use of sub-processors. This includes providing them with the option to object to new sub-processors and keeping them informed of any changes in our sub-processing arrangements.
  • User Consent and Notification: When required, we obtain consent from users for the transfer of their data to sub-processors outside the EU and notify them about where and how their data is being processed.
  • Continuous Monitoring and Improvement: Our approach to international data transfers and the use of sub-processors is continuously monitored and improved to align with evolving legal requirements, best practices, and technological advancements.

3.4. Audits and Compliance Monitoring:

To ensure ongoing adherence to the General Data Protection Regulation (GDPR) and other relevant data protection laws, Sphinx AI Limited has established comprehensive procedures for regular compliance reviews and updates:

  1. Regular Compliance Reviews: We conduct compliance reviews on a bi-annual basis, or more frequently if significant changes in data protection laws or our operational practices occur. These reviews cover all aspects of our data handling practices, including data collection, storage, processing, and sharing. The reviews are carried out by our internal compliance team, which includes legal experts and data protection officers.
  2. Updating Procedures: Following each review, we update our data protection policies and practices to align with the latest legal requirements and best practices. Updates to our policies are communicated promptly to all relevant stakeholders, including the educational institutions we partner with, through official communication channels like email notifications or updates on our website.
  3. Training and Awareness: Regular training sessions are conducted for our staff to ensure they are up-to-date on the latest data protection laws and understand their roles and responsibilities in maintaining compliance.
  4. External Audits: We engage with independent external auditors to conduct periodic audits of our data protection practices, ensuring an unbiased evaluation of our compliance with GDPR and other privacy regulations. These external audits are conducted annually or in response to significant changes in our data processing activities or data protection laws.
  5. Continuous Monitoring: We utilise advanced monitoring tools to continuously oversee our data processing activities, ensuring they align with our stated policies and GDPR requirements. Our team is prepared to respond promptly to any identified issues, including potential data breaches, ensuring swift resolution and mitigation.
  6. Documentation and Record Keeping: We maintain detailed records of all data processing activities, as required under GDPR. All reviews, updates, training sessions, and external audits are thoroughly documented, creating an audit trail that demonstrates our ongoing commitment to data protection compliance.

3.5. Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority, particularly in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of personal data relating to you infringes on the GDPR. We encourage you to contact us first, and we will do our utmost to resolve your concern.

3.6. ICO Contact Information: Information Commissioner’s Office (ICO) is the UK’s supervisory authority for data protection issues. If you wish to lodge a complaint or seek advice from the ICO, you can do so by contacting them at www.ico.org.uk, or via their helpline at 0303 123 1113.

4. Data Sharing and Disclosure

4.1. Restricted Sharing: we do not sell, share, or rent any personal information with third parties.

4.2. Legal Requirements: Information may be disclosed if required by law or legal processes.

4.3. Service Providers: Data is only shared with service providers under strict confidentiality agreements for service-related purposes.

4.4. Consent-Based Sharing: Beyond the above, information with third parties will only be shared when explicit consent has been provided.

5. Data Security

5.1. Security Measures

  1. Network Security: Utilising Azure’s robust network security, including firewall protection, intrusion detection systems, and network segmentation to safeguard data.
  2. Access Controls: Implementing strict access controls to ensure only authorised personnel have access to sensitive data. This includes role-based access control (RBAC) and the principle of least privilege.
  3. Monitoring and Logging: Continuously monitoring and logging activities on our servers and databases to detect and respond to potential security threats promptly.
  4. Regular Security Patches and Updates: Leveraging Azure’s infrastructure to receive automatic security patches and updates, ensuring the platform is protected against the latest vulnerabilities.

5.2. Data Encryption: in line with our commitment to data protection, we employ rigorous encryption protocols for data both in transit and at rest:

  1. In Transit: All data transmitted to and from RileyBot is encrypted using Transport Layer Security (TLS) protocol, ensuring that any data exchanged over the internet is secure from interception.
  2. At Rest: Data stored on Azure’s servers is encrypted using Advanced Encryption Standard (AES) with 256-bit keys. This encryption level is widely recognized as robust and is used by governments and financial institutions for sensitive data protection.

5.3. Security Audits

  1. Internal Audits: Our internal team of security experts regularly reviews and assesses our security infrastructure and policies. This includes examining our adherence to Azure’s security best practices.
  2. External Compliance Checks: We engage third-party auditors to perform annual compliance checks, ensuring our alignment with industry standards and regulations, such as GDPR.
  3. Vulnerability Assessments: Regular vulnerability scanning and penetration testing are conducted to identify and address potential security weaknesses in our system.
  4. Compliance with Azure’s Standards: As a client of Microsoft Azure, we benefit from their compliance with a broad set of international and industry-specific standards, including ISO/IEC 27001, HIPAA, and GDPR, providing an additional layer of assurance.

6. Data Retention and Deletion

6.1. Retention Period: Core personal data in the form of name, email address, age and class roster are held for the duration of the subscription as they are necessary to provide the RileyBot services. Conversation histories are held for a 30 day period after which they are deleted from the user’s account.

6.2. Deletion: Conversation histories are deleted after 30 days. After which point an anonymised version is held for future usage analysis but is in no way linked to an identifiable individual. All personal data is deleted from all servers if a request to terminate the service is made by a customer, or an individual user removes their consent, in compliance with legal and regulatory requirements.

7. User Rights and Choices

7.1. Access and Correction: Users have the right to access, review, and correct their personal information.

7.2. Data Portability: Users are able to obtain and reuse their data for their own purposes across different services.

7.3. Consent Withdrawal: Users (or parent/guardians where relevant) are able to withdraw their consent for the use of their data at any time.

8. Changes to this Policy

Updates Notification: Schools will be notified of significant changes to this policy, along with individual users and those in a position to give/withdraw consent, ensuring transparency and up-to-date information.

9. Contact Us

9.1. Queries: Please contact us at support@sphinxai.education for any questions or concerns regarding this policy.

This Privacy Notice, aligned with GDPR requirements, is subject to updates and will be periodically reviewed.

Acknowledgement

By using RileyBot, you acknowledge your understanding and acceptance of this Privacy Notice.