
Data Processing Agreement

Our commitment to GDPR compliance and responsible data processing

Effective Date: 4th June 2025

Implementation: This agreement takes effect immediately upon publication on 4th June 2025 and applies to all data processing activities.

This Agreement is effective from 4th June 2025 and forms part of the Terms and Conditions between the Customer and Mind Bloom Learning (trading as AI Lesson Planner).

1. Parties

This Data Processing Agreement (the "Agreement") is between:

  • Mind Bloom Learning, a sole trader operating in the United Kingdom, trading as AI Lesson Planner (the "Processor" or "Company"); and
  • The individual or entity subscribing to or using the AI Lesson Planner platform (the "Controller" or "Customer").

2. Definitions

The following terms are defined as in the UK GDPR:

Personal Data, Controller, Processor, Data Subject, Processing, Data Protection Officer, Personal Data Breach

Other definitions:

  • Data Protection Legislation: The UK GDPR, the Data Protection Act 2018, and any future applicable data privacy laws in the United Kingdom.
  • Sub-processor: Any third party engaged by the Processor to process Personal Data on its behalf.
  • Data Loss Event: Any event resulting in unauthorised access to, destruction of, or disclosure of Personal Data.
  • Platform: The AI Lesson Planner tool and associated services provided via mindbloomlearning.com.

3. Roles

The parties acknowledge that:

  • The Customer acts as the Data Controller when they submit Personal Data into the AI Lesson Planner platform.
  • Mind Bloom Learning acts as the Data Processor of that data.

4. Processing Instructions

The Processor shall only process Personal Data in accordance with:

  • The documented instructions of the Controller
  • The purposes listed in the Schedule of Processing
  • Applicable UK law (if required by law to act without instruction, the Processor will inform the Customer unless prohibited)

5. Customer Warranties

The Customer warrants that:

  • They have a lawful basis to input and process all Personal Data via the Platform.
  • All such data was collected in compliance with applicable Data Protection Legislation.
  • They will indemnify the Processor against claims arising from a failure to comply with this clause.

6. Security Measures

The Processor shall implement appropriate technical and organisational measures to protect Personal Data including:

  • Data encryption in transit and at rest
  • Access controls and password protection
  • Regular assessment of platform security
  • Prompt response to Personal Data Breaches

Processor personnel are subject to confidentiality obligations and trained in data handling.

7. Sub-processing

The Controller authorises the use of sub-processors listed in Annex B. The Processor shall:

  • Enter into written agreements with all sub-processors imposing data protection obligations
  • Inform the Customer of any changes to sub-processor use
  • Remain liable for actions of any sub-processor

8. Data Transfers

Personal Data may be processed outside the UK or EEA. The Processor ensures:

  • Adequate safeguards are in place (e.g. standard contractual clauses)
  • Sub-processors are compliant with UK GDPR transfer requirements
  • Data Subjects maintain enforceable rights and remedies

9. Retention and Deletion

  • Data is stored securely in the platform while the Customer account is active.
  • All Personal Data is deleted upon account cancellation or after 24 months of inactivity, unless required by law to retain.
  • At the Customer's written request, the Processor will delete all Personal Data unless legally required to retain a copy.

10. Data Subject Rights

The Processor will assist the Controller in responding to any:

  • Data Subject Access Requests
  • Requests for rectification, restriction, objection, erasure, or data portability
  • Communications from the Information Commissioner's Office (ICO)

11. Data Breaches

If the Processor becomes aware of a Data Loss Event, it shall:

  • Notify the Customer without undue delay
  • Provide updates and full details as they become available
  • Assist the Controller in mitigating risk and notifying the ICO or Data Subjects (as required)

12. Audit and Records

  • The Processor will maintain records of processing activities (as required by Article 30 UK GDPR)
  • The Customer may audit the Processor's compliance with this Agreement once every 24 months
  • Any audits must provide reasonable notice and minimise business disruption

13. Data Protection Impact Assessments (DPIAs)

Where required, the Processor will assist the Customer in completing DPIAs and consulting with the ICO regarding high-risk processing.

14. Liability and Indemnity

  • Each party shall indemnify the other against any direct loss caused by its breach of this Agreement.
  • The Processor's total liability shall not exceed the subscription fees paid by the Customer in the 12 months prior to the claim.
  • Nothing limits liability for fraud, negligence causing death or injury, or statutory liability that cannot be excluded.

15. Governing Law

This Agreement is governed by the laws of England and Wales. Disputes shall be resolved by the courts of England and Wales.

Schedule A: Processing Details

Description | Details
Subject matter | Personal Data input by Customer into AI Lesson Planner tools.
Nature and purpose | To generate lesson plans or outputs for the Customer's educational use.
Duration | Until the Customer deletes their account or 24 months after inactivity.
Type of Personal Data | May include names, lesson context, performance data, SEN details. Determined by the Customer.
Categories of Data Subject | Students, teachers, school staff, parents/guardians. Determined by the Customer.
Return or deletion of data | Data is stored in NeonDB. It is automatically deleted after account closure or inactivity. The Customer may delete it manually at any time.

Annex B: Authorised Sub-processors

Sub-processor | Purpose | Location | Link
Neon | Database infrastructure | USA/EU | neon.tech
Vercel | Hosting and frontend | USA/EU | vercel.com
OpenAI | AI model inference | USA | openai.com
Stripe | Payment processing | USA/EU | stripe.com

The Processor ensures that all sub-processors provide an adequate level of data protection in line with UK GDPR requirements.

Emergency Contact

For urgent legal, safety, or data protection concerns relating to this agreement, contact: support@mindbloomlearning.com

For data processing queries: support@mindbloomlearning.com