Markable — Privacy Policy
Version: 1.0
Effective date: 8 May 2026
Last reviewed: 8 May 2026
Contact: support@markable.uk
ICO Registration Number: C1917001
This policy explains how Markable handles personal data. It applies to teachers and schools using the Markable AI-assisted annotation and feedback platform. It is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003. It should be read alongside our Terms of Service, Cookie Policy, and (for schools) our Data Processing Agreement.
1. Who we are
Markable is operated by Joanne Renwick (proprietor) as a sole trader. We are registered with the Information Commissioner's Office under registration number C1917001 and can be contacted at support@markable.uk.
ICO registration is required under the Data Protection (Charges and Information) Regulations 2018 and is a separate obligation from the lawful basis requirements under UK GDPR Article 6.
For the avoidance of doubt:
- When a school uses Markable to process scripts produced by its students, the school is the data controller and Markable is a data processor acting on the school's documented instructions under the Data Processing Agreement.
- When Markable processes information about teachers as account holders (registration, billing, support), Markable is a data controller for those purposes.
2. The personal data we process
Teacher account data (Markable as controller):
- Name and work email address
- School name
- Login credentials (passwords are stored as a salted hash)
- Authentication and access logs (IP address, device/browser identifier, timestamps)
- Multi-factor authentication metadata
- Billing information (processed by Stripe; Markable does not store full card details)
- Support correspondence
Student-related data (school as controller, Markable as processor):
- Student reference codes or initials assigned by the teacher
- The text content of student scripts uploaded for annotation
- The teacher's marks, comments, grades, and audit metadata associated with each script
The Service is designed not to require, and the Terms of Service require teachers not to upload, full student names, addresses, dates of birth or other direct identifiers, or any special category data.
3. PII detection at upload
When a script is uploaded, an automated scan runs in our processing environment to detect possible names and other PII patterns. If a likely match is found, the teacher is presented with a warning and must either confirm the detected text is not real PII (e.g., a fictitious character or party name in a scenario) and continue, or remove the script. The PII scan does not transmit script content to any third party.
4. Lawful bases for processing
ICO registration is not a lawful basis. Lawful basis is a separate UK GDPR Article 6 requirement, identified per processing activity below.
Markable as data controller (teacher account processing):
| Processing activity | Lawful basis |
| --- | --- |
| Operating teacher accounts and providing the Service | Contract — Article 6(1)(b) |
| Operational/transactional emails | Contract — Article 6(1)(b) |
| Optional product-update or marketing emails | Consent — Article 6(1)(a), withdrawable |
| Billing and tax record-keeping | Legal obligation — Article 6(1)(c) |
| Security monitoring and fraud prevention | Legitimate interests — Article 6(1)(f) |
| Aggregated, de-identified usage analytics | Legitimate interests — Article 6(1)(f) |
A Legitimate Interests Assessment is documented and available on request. Markable does not rely on legitimate interests for any processing of student data.
School as data controller (student script processing):
When a school uses Markable, the school determines its own lawful basis. Typical bases are:
- Public task (Article 6(1)(e)) — for state-funded schools and colleges;
- Legitimate interests (Article 6(1)(f)) — for independent schools.
Markable as processor follows the controller's documented instructions and does not select the lawful basis for the school.
5. Purposes of processing
We process personal data only:
- To operate Markable and provide the Service;
- To support teacher-led marking and feedback for assessment;
- To produce student feedback reports authored or confirmed by teachers;
- To maintain the audit trail required for assessment integrity;
- To meet our security, billing, tax, and statutory record-keeping obligations;
- To respond to support enquiries and incident reports;
- To improve the platform using aggregated, de-identified usage data only;
- To comply with lawful requests from competent authorities.
Markable will not use student script content to train any AI model under any circumstances.
6. Recipients and sub-processors
Each sub-processor is bound by a written contract containing the obligations required by Article 28 UK GDPR.
| Sub-processor | Function | Region | Personal data processed |
| --- | --- | --- | --- |
| Anthropic, PBC | LLM inference for script analysis | USA | Script text only — no student personal data |
| Supabase | Application database and file storage | EU (AWS Frankfurt) | All platform data |
| Vercel | Application hosting | UK / EU / USA | No persistent personal data |
| Stripe | Payment processing | UK / EU / USA | Teacher billing data |
| Inngest | Background job orchestration | USA | Script identifiers and job status only |
| Microsoft Corporation (mailbox hosting via GoDaddy as reseller) | Business and transactional email | UK (Microsoft 365 UK data residency) | Teacher email and message contents |
| HighLevel Inc. (Go High Level) | CRM and email automation | USA | Teacher email and message contents |
| Browser speech recognition (Google/Apple) | Voice-to-text transcription on marking page | USA | Audio captured via microphone during voice-to-text use only — not stored by Markable |
Voice-to-text feature
The marking page includes an optional voice-to-text feature that allows teachers to dictate comments using their device microphone. This feature uses the Web Speech API built into your browser. Audio captured via this feature is transmitted to and processed by your browser provider — Google if you are using Chrome or Chromium-based browsers, or Apple if you are using Safari. Markable does not receive, store or have access to the audio recording at any point. Only the transcribed text is saved by Markable as part of your assessment record. Teachers who do not wish to use browser-based speech recognition may type their comments directly instead.
We will give schools at least 30 days' written notice before adding or replacing a sub-processor that processes student personal data.
7. International transfers
Where personal data is transferred outside the United Kingdom, Markable relies on:
- UK adequacy decisions where one applies;
- The UK International Data Transfer Agreement (IDTA);
- The European Commission Standard Contractual Clauses with the UK Addendum;
- The UK extension of the EU–US Data Privacy Framework where the recipient is certified.
A Transfer Risk Assessment is maintained and available to schools' DPOs on request. Text content sent to Anthropic does not contain student names, dates of birth, addresses, or school names. Anthropic does not use API-submitted data to train its models.
8. Retention
| Data category | Retention period |
| --- | --- |
| Student script text and associated marks | Until deleted by the teacher, or 12 months after the teacher's last login, whichever is sooner |
| Teacher account data | Duration of Subscription + reasonable post-Subscription period |
| Audit trail | 7 years |
| Authentication and security logs | 12 months |
| Support correspondence | 3 years |
| Billing records | 7 years (HMRC) |
| Backups | Rolling 30-day window |
Teachers can delete individual scripts and entire class datasets at any time.
9. Security
Markable applies appropriate technical and organisational measures including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256);
- Multi-factor authentication, available and strongly encouraged for all teacher accounts;
- Row-level security in the application database;
- Role-based, least-privilege access for staff;
- Logging of authentication and administrative actions;
- A documented patching cadence and dependency management programme;
- Backup with point-in-time recovery;
- Vendor security review for all sub-processors;
- Documented incident response, including the 72-hour breach notification requirement under UK GDPR Article 33 and 24-hour notification to schools as Controllers.
10. Your rights
Under UK GDPR you have the rights to be informed; of access; to rectification; to erasure; to restrict processing; to data portability; to object; and rights related to automated decision-making (see section 11).
For data where the school is the controller (student-related data):
- The data subject (or parent/guardian) sends the request to the school.
- The school decides whether to comply and instructs Markable as processor.
- Markable assists the school within 5 working days.
For data where Markable is the controller (teacher account data):
Email support@markable.uk. We will acknowledge within 5 working days and respond substantively within 30 calendar days.
You also have the right to complain to the Information Commissioner's Office (ico.org.uk; 0303 123 1113).
11. Use of artificial intelligence and automated processing
This section provides the transparency disclosure required by UK GDPR Articles 13(2)(f), 14(2)(g), and 22.
What the AI does: Markable uses a large language model (currently Anthropic Claude) to analyse uploaded script text and produce:
- Paragraph-level annotations highlighting strengths and areas for development;
- Identification of mark-scheme content present or absent in a response;
- Suggested improvement priorities, which the teacher reviews.
What the AI does not do: Markable does not produce or suggest marks, mark bands, or grades. All marks, bands, comments, and grades are determined and entered by the teacher.
Logic in plain English: A large language model is given the script text and the relevant mark scheme context. It generates annotations by predicting plausible commentary given that input. It is not a calculation. The same input may not always produce identical output.
Significance and consequences: AI annotations are not the determinative factor in any mark, comment, or grade. The teacher takes full responsibility. Markable does not engage in solely automated decision-making within the meaning of UK GDPR Article 22(1).
Limitations to be aware of:
- Large language models can produce confident-sounding output that is wrong;
- The same input can produce different output on different runs;
- Performance can vary across writing styles.
In-product transparency: A first-time-use disclosure is shown to teachers before their first upload, with a tick-box acknowledgement. A persistent indicator is shown on screens where AI is operating.
12. Children's data
Children do not hold accounts on Markable. Where data we process concerns children, we apply the principles of the ICO Age Appropriate Design Code: data minimisation, no profiling for advertising, no nudge techniques, default to most protective settings, and age-appropriate transparency through the Student/Parent Privacy Notice template provided to schools.
13. How to raise a concern
Email support@markable.uk with the subject line "Compliance Concern". We will acknowledge within 5 working days and respond substantively within 20 working days.
Marking disputes are not handled by Markable; they are a matter for the school's normal assessment appeals procedure.
If you remain dissatisfied, escalation routes include the ICO (data protection), Ofqual (qualification regulation), the relevant Local Authority Designated Officer (safeguarding), and the relevant awarding organisation.
14. Cookies
Markable uses only strictly necessary cookies for authentication, session management, and security, and a privacy-preserving analytics product configured not to set tracking cookies. We do not use third-party advertising cookies. See our Cookie Policy for detail.
15. Changes to this policy
Material changes will be notified to teachers (and via the school's account contact, to the school) by email at least 14 days before they take effect. Continued use after a change takes effect constitutes acceptance.
16. Contact
Markable (sole trader, proprietor: Joanne Renwick)
support@markable.uk