FAQs - data compliance

At Marking.ai, protecting the privacy and security of our users is one of our highest priorities. We’re fully committed to meeting the requirements of the UK and EU General Data Protection Regulation (GDPR) as well as other global protection acts, maintaining transparent, responsible data practices.

This page answers the most common questions we receive about how we handle personal data, where it’s stored, and the safeguards we have in place to keep it secure. For schools, teachers, and partners, our goal is simple — to ensure that your data, and your students’ data, is protected at every step.

  • What is Marking.ai’s role under GDPR?
    Marking.ai acts primarily as a Data Processor under the GDPR and UK Data Protection Act 2018. This means we process personal data on behalf of schools, teachers, or educational institutions (the Data Controllers) who decide what data is collected and for what purpose.
  • What personal data does Marking.ai process?

    We process only the data required to provide our marking and feedback services. This typically includes:

    • Teacher account information (name, email).

    • Student submissions and assessment content.

    • Marking and feedback outputs generated by our system.

    • Student name.

    We do not sell, share, or use this data for advertising or unrelated profiling.

  • What is Marking.ai’s lawful basis for processing personal data?

    Our lawful basis depends on context:

    • For teacher accounts, contractual necessity (to deliver our service).

    • For student data, legitimate interest or public task, as determined by the school.

    Each school or institution remains the Data Controller responsible for ensuring a lawful basis.


  • Where is data stored?
    All data is securely stored within the European Union or United Kingdom, depending on the hosting region selected. We use Supabase (PostgreSQL) for our backend and ensure all data is encrypted at rest and in transit (AES-256, TLS 1.2+).
  • How does Marking.ai keep data secure?

    We apply multiple layers of security, including:

    • Role-based access control and least-privilege permissions.

    • Encrypted connections (HTTPS / TLS 1.2+).

    • Regular access reviews and activity logging.

    • Data minimisation and retention policies.

    • Secure deletion procedures when accounts are closed.


  • Who has access to our data?
    Only authorised Marking.ai team members with a legitimate operational need have access (e.g. support or engineering staff). All staff are bound by confidentiality agreements and trained in GDPR principles.
  • Does Marking.ai use any sub-processors?
    Yes, we use carefully selected sub-processors who meet GDPR requirements (e.g. Supabase for infrastructure, OpenAI or Google for AI processing). We maintain a public Sub-processor Register that lists each vendor and their region.
  • How long is data retained?
    We retain personal data only as long as necessary to provide our services or as required by law. Schools or teachers can request deletion of data at any time, and full account deletion permanently removes associated records.
  • How can a teacher or institution delete their data?
    You can request data deletion via your account settings or by contacting our Data Protection Officer (DPO) at connect@marking.ai. Upon verification, we delete all personal data and backups within 30 days.
  • How can users exercise their GDPR rights?
    Data subjects (e.g. teachers or students) have the right to access, rectify, erase, restrict, or port their personal data. Requests should be sent to connect@marking.ai and will be processed in coordination with the Data Controller (your school).
  • How does Marking.ai handle data breaches?
    We have a documented Incident Response Plan. If a breach occurs, we notify affected Data Controllers without undue delay and within 72 hours, following GDPR Article 33.
  • Is Marking.ai GDPR certified?
    There is no official GDPR certification. However, Marking.ai follows the UK GDPR and EU GDPR frameworks and maintains documentation to demonstrate compliance. We are also pursuing Cyber Essentials Plus certification as part of our security roadmap.
  • Does Marking.ai sign Data Processing Agreements (DPAs)?
    Yes. Every institutional client receives a DPA outlining our roles, responsibilities, and security commitments. You can request a copy via connect@marking.ai.
  • Who is Marking.ai’s Data Protection Officer (DPO)?
    Our DPO oversees all aspects of data protection and compliance.
    📧 connect@marking.ai

Still have any questions?

Can’t find the answer you’re looking for? Please contact our team.