Data Processing Agreement
Our commitment to GDPR compliance and responsible data processing
Effective Date: 4th June 2025
Implementation: This agreement takes effect immediately upon publication on 4th June 2025 and applies to all data processing activities.
This Agreement is effective from 4th June 2025 and forms part of the Terms and Conditions between the Customer and Mind Bloom Learning (trading as AI Lesson Planner).
1. Parties
This Data Processing Agreement (the "Agreement") is between:
- Mind Bloom Learning, a sole trader operating in the United Kingdom, trading as AI Lesson Planner (the "Processor" or "Company"); and
- The individual or entity subscribing to or using the AI Lesson Planner platform (the "Controller" or "Customer").
2. Definitions
The following terms are defined as in the UK GDPR:
Personal Data, Controller, Processor, Data Subject, Processing, Data Protection Officer, Personal Data Breach
Other definitions:
- Data Protection Legislation: The UK GDPR, the Data Protection Act 2018, and any future applicable data privacy laws in the United Kingdom.
- Sub-processor: Any third party engaged by the Processor to process Personal Data on its behalf.
- Data Loss Event: Any event resulting in unauthorised access to, destruction of, or disclosure of Personal Data.
- Platform: The AI Lesson Planner tool and associated services provided via mindbloomlearning.com.
3. Roles
The parties acknowledge that:
- The Customer acts as the Data Controller when they submit Personal Data into the AI Lesson Planner platform.
- Mind Bloom Learning acts as the Data Processor of that data.
4. Processing Instructions
The Processor shall only process Personal Data in accordance with:
- The documented instructions of the Controller
- The purposes listed in the Schedule of Processing
- Applicable UK law (if required by law to act without instruction, the Processor will inform the Customer unless prohibited)
5. Customer Warranties
The Customer warrants that:
- They have a lawful basis to input and process all Personal Data via the Platform.
- All such data was collected in compliance with applicable Data Protection Legislation.
- They will indemnify the Processor against claims arising from a failure to comply with this clause.
6. Security Measures
The Processor shall implement appropriate technical and organisational measures to protect Personal Data including:
- Data encryption in transit and at rest
- Access controls and password protection
- Regular assessment of platform security
- Prompt response to Personal Data Breaches
Processor personnel are subject to confidentiality obligations and trained in data handling.
7. Sub-processing
The Controller authorises the use of sub-processors listed in Annex B. The Processor shall:
- Enter into written agreements with all sub-processors imposing data protection obligations
- Inform the Customer of any changes to sub-processor use
- Remain liable for actions of any sub-processor
8. Data Transfers
Personal Data may be processed outside the UK or EEA. The Processor ensures:
- Adequate safeguards are in place (e.g. standard contractual clauses)
- Sub-processors are compliant with UK GDPR transfer requirements
- Data Subjects maintain enforceable rights and remedies
9. Retention and Deletion
- Data is stored securely in the platform while the Customer account is active.
- All Personal Data is deleted upon account cancellation or after 24 months of inactivity, unless required by law to retain.
- At the Customer's written request, the Processor will delete all Personal Data unless legally required to retain a copy.
10. Data Subject Rights
The Processor will assist the Controller in responding to any:
- Data Subject Access Requests
- Requests for rectification, restriction, objection, erasure, or data portability
- Communications from the Information Commissioner's Office (ICO)
11. Data Breaches
If the Processor becomes aware of a Data Loss Event, it shall:
- Notify the Customer without undue delay
- Provide updates and full details as they become available
- Assist the Controller in mitigating risk and notifying the ICO or Data Subjects (as required)
12. Audit and Records
- The Processor will maintain records of processing activities (as required by Article 30 UK GDPR)
- The Customer may audit the Processor's compliance with this Agreement once every 24 months
- Any audits must provide reasonable notice and minimise business disruption
13. Data Protection Impact Assessments (DPIAs)
Where required, the Processor will assist the Customer in completing DPIAs and consulting with the ICO regarding high-risk processing.
14. Liability and Indemnity
- Each party shall indemnify the other against any direct loss caused by its breach of this Agreement.
- The Processor's total liability shall not exceed the subscription fees paid by the Customer in the 12 months prior to the claim.
- Nothing limits liability for fraud, negligence causing death or injury, or statutory liability that cannot be excluded.
15. Governing Law
This Agreement is governed by the laws of England and Wales. Disputes shall be resolved by the courts of England and Wales.
Schedule A: Processing Details
Description | Details |
---|---|
Subject matter | Personal Data input by Customer into AI Lesson Planner tools. |
Nature and purpose | To generate lesson plans or outputs for the Customer's educational use. |
Duration | Until the Customer deletes their account or 24 months after inactivity. |
Type of Personal Data | May include names, lesson context, performance data, SEN details. Determined by the Customer. |
Categories of Data Subject | Students, teachers, school staff, parents/guardians. Determined by the Customer. |
Return or deletion of data | Data is stored in NeonDB. It is automatically deleted after account closure or inactivity. The Customer may delete it manually at any time. |
Annex B: Authorised Sub-processors
Sub-processor | Purpose | Location | Link |
---|---|---|---|
Neon | Database infrastructure | USA/EU | neon.tech |
Vercel | Hosting and frontend | USA/EU | vercel.com |
OpenAI | AI model inference | USA | openai.com |
Stripe | Payment processing | USA/EU | stripe.com |
The Processor ensures that all sub-processors provide an adequate level of data protection in line with UK GDPR requirements.
Emergency Contact
For urgent legal, safety, or data protection concerns relating to this agreement, contact: support@mindbloomlearning.com
For data processing queries: support@mindbloomlearning.com