Privacy Policy
Last updated: 2026-04-17
1. Introduction
Grade Drive Ltd ("we", "our", or "us") operates the GradeDrive exam marking service. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website and services, and sets out our obligations under the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (GDPR). Please read it carefully.
We act as a Data Controller in respect of account and billing information held about our subscribers, and as a Data Processor in respect of any student data uploaded by users of the service. Our processing of student data is governed by the Data Processing Addendum described in our Terms of Service.
2. Information we collect
We collect information that you provide directly and information that is generated when you use our service:
- Account data (Controller): Name, email address, and password when you register; profile preferences (e.g. language, theme) that you set. Billing and payment information (e.g. card details, billing address) is collected and stored directly by our payment processor, Stripe, on our behalf — we do not store full card details on our own servers.
- Student data (Processor): Student names, PDF content, candidate numbers, and centre numbers uploaded by teachers or institutions. We process this data strictly to provide the marking service on the instructions of the relevant teacher or institution.
- Assessment and submission data: Mark schemes, exam papers, and student submissions you upload; results, scores, and feedback produced by our marking service.
- Usage and technical data: How you use the service (e.g. pages visited, actions taken), usage limits and quotas, and standard log data (IP address, browser type, timestamps).
3. How we use your information
We use the information we collect to:
- Provide, operate, and improve the exam marking service
- Process mark schemes and submissions to generate marks and feedback
- Manage your account and enforce our terms
- Send you service-related communications (e.g. security or policy updates)
- Comply with legal obligations and protect our rights
- Analyse usage in an aggregated, non-personal way to improve the product
No AI training: We do not use uploaded student work, PDFs, or any student data to train our AI models or the underlying Google Cloud APIs. Assessment and submission content is processed solely to deliver marking results to you.
Legal basis for processing: We process account data on the basis of Contractual Necessity (to fulfil our agreement with you). Schools and teachers process student data on the basis of Public Task or Legitimate Interests; our role as Processor is to facilitate that processing under a Data Processing Addendum (DPA) with the relevant Data Controller.
4. Data location & retention
Storage: All data is hosted on secure servers located in the EU/EEA.
Retention: We retain student data for 18 months from the time of upload, or until the user manually deletes the records, whichever is earlier. Account and billing data is retained for as long as your account is active and for such further period as required by law. Users are responsible for adhering to their institution's own data retention policies.
If you use the self-service account deletion flow, we will cancel any active subscription immediately, delete stored assessment files and results associated with your account, and anonymise the account record so it no longer identifies you. We may retain minimal scrubbed billing and usage audit data where required for legal, accounting, fraud-prevention, or security purposes.
5. Security
We implement appropriate technical and organisational measures to protect your data against unauthorised access, loss, or misuse, including high-level encryption standards. Data in transit is encrypted (e.g. TLS); data at rest is stored in secure, access-controlled environments.
6. Sharing and third parties
We may share data with service providers that help us operate the platform (e.g. hosting, analytics, AI processing). Such providers are bound by confidentiality and data-processing obligations. We do not sell your personal data. We may disclose information where required by law or to protect our rights, safety, or property.
Payment processing (Stripe): All payment transactions are processed by Stripe, Inc., our third-party payment processor. When you make a purchase, your billing information (such as card details and billing address) is transmitted directly to and stored by Stripe. We receive only limited billing metadata (e.g. last four card digits, expiry, billing postcode) necessary to manage your subscription. Stripe processes this data in accordance with its own Privacy Policy. Where Stripe processes data of EU/UK residents, it does so under appropriate safeguards including Standard Contractual Clauses.
7. Cookies and similar technologies
We use cookies and similar technologies for essential operation (e.g. authentication and preferences), and optionally for analytics. You can control non-essential cookies via your browser or our cookie preferences where offered.
8. Your rights
Under the UK GDPR and EU GDPR, individuals have the right to:
- Access and receive a copy of your personal data
- Correct or update inaccurate data
- Request erasure of your data
- Object to or restrict certain processing
- Request data portability
- Withdraw consent where processing is consent-based
- Lodge a complaint with a supervisory authority (in the UK, the ICO)
Because we act as a Processor for student data, requests relating to student records should be directed to the relevant school or teacher (the Data Controller). We will assist in fulfilling such requests manually upon verification. For requests relating to your own account data, contact us using the details on our Contact page.
9. International transfers
All data is stored within the EU/EEA. Where any processing involves transfers outside the EU/EEA, we ensure appropriate safeguards (e.g. standard contractual clauses or adequacy decisions) are in place as required by applicable law.
10. Changes to this policy
We may update this Privacy Policy from time to time. We will post the revised version on this page and update the "Last updated" date. Continued use of the service after changes constitutes acceptance of the updated policy. For material changes, we may provide additional notice (e.g. by email or in-product).
11. Contact
For privacy-related questions or requests, contact us at the address or email provided on our Contact page.