Data & Security Policy
Last updated: 3rd March 2026
This page sets out how Taught by Humans handles data on its platform, which third-party services we use, and what security measures we have in place. It is designed to give learners, business customers and procurement teams a clear, honest picture.
Our Privacy Policy for individual users covers how we use personal data. Our Business Terms of Service reference this page for data processing commitments.
1. Our Approach
We follow a proportionate approach to data protection, aligned with the UK GDPR and the Data Protection Act 2018. We are registered with the ICO as a data controller and hold Cyber Essentials certification. We are working towards Cyber Essentials Plus.
We collect the minimum data necessary. We do not sell data. We do not use your content to train AI models.
2. What Data We Hold
Individual users
- Name and email address (required for account creation).
- Learning data: module progress, confidence scores, chatbot conversations.
- Optional profile information you choose to share (e.g. role, learning preferences, neurodiversity information shared voluntarily to improve your experience).
- Device and session data for security and analytics.
Business customers
- Organisation name, contact details, and billing information.
- User accounts and access data for your team.
- Content uploaded by your organisation.
- Usage data (anonymised and aggregated for platform improvement only).
3. Sub-processors
We use the following third-party services to operate the platform. All are bound by appropriate data protection terms, including Standard Contractual Clauses (SCCs) and UK Addendum where data is processed outside the UK or EEA.
Supabase — Database and authentication
- Stores user profiles, authentication, learning data and conversation logs.
- Data location: EU (AWS). No international transfer — covered by UK-EEA adequacy decision.
- Encrypted at rest. Hashed passwords. 2FA available.
Vercel — Platform hosting
- Hosts the platform frontend and backend.
- Data location: EU edge infrastructure (US-owned company). Governed by SCCs and UK Addendum.
- SOC 2 compliant. Data processed is transient. Encryption in transit.
OpenAI API — AI features
- Powers AI personalisation, chatbot responses, and content embeddings.
- Data location: United States. Governed by SCCs and UK Addendum.
- Data sharing is off. No personal data is used for model training.
- OpenAI retains data for a maximum of 30 days (abuse reporting only). Zero-retention is available on request for specific projects.
- All API requests are pseudonymised — no full names, email addresses or sensitive data are sent to OpenAI.
- We use Chat Completions and Embeddings APIs only. We manage all conversation history ourselves.
Brevo — Email
- Sends transactional emails (login links, reminders, updates). Marketing emails require opt-in.
- Data location: EU (Belgium). ISO 27001:2013 certified. No international transfer.
Google Workspace — Internal operations only
- Used for internal admin only. Not used to process learner data.
- Data location: Global (including US). Governed by SCCs and UK Addendum.
We also use Notion (internal documentation), Slack (internal communication) and Sentry (error handling). None of these process learner personal data.
4. Security Measures
Organisational
- Internal data handling policy covering roles, access rules and procedures, reviewed annually.
- Data protection compliance overseen by the CEO. Registered with the ICO as a data controller.
- All new tools and features reviewed for privacy and security before rollout.
- Staff trained on data protection and cybersecurity at onboarding and annually.
Technical
- Personal data encrypted at rest (AES-256 via Supabase) and in transit (TLS 1.2+).
- Role-based access controls. Database access restricted to essential technical staff.
- No data stored on local devices. Production systems hosted in the EU.
- Secure authentication via Supabase Auth.
Monitoring and incident response
- Access logs maintained within Supabase.
- Data incidents reported to the ICO within 72 hours where required.
- CEO notified immediately of any incident and leads the response.
Backups and continuity
- Regular automated backups managed by Supabase with built-in redundancy.
- Business continuity procedures documented and maintained.
5. Certifications
- Cyber Essentials — certified.
- Cyber Essentials Plus — in progress.
- ISO 27001 — held by key sub-processors (Supabase via AWS, OpenAI, Brevo).
We are a small team and do not currently hold ISO 27001 directly. We follow equivalent secure development and data handling practices internally.
6. Data Retention
- Individual accounts: retained while active. Dormant accounts deleted after 12 months of inactivity.
- Business customer data: retained for the contract duration plus any legally required period.
- On business contract termination: 30-day export window, then deletion within 30 days. Written confirmation on request.
- OpenAI: maximum 30-day retention. Zero-retention available on request.
7. International Transfers
Where data is processed outside the UK or EEA (Vercel, OpenAI, Google Workspace), transfers are governed by Standard Contractual Clauses and the UK International Data Transfer Agreement Addendum. We review transfer mechanisms when sub-processor terms change.
8. Business Customer Data Processing
For business customers, tbh acts as a data processor for personal data relating to your users. A Data Processing Agreement (DPA) is available on request. We will notify business customers of material changes to sub-processors with 30 days' written notice.
9. Changes
We update this page when our sub-processors or practices change. Material changes are notified to business customers with 30 days' notice. The date at the top shows when it was last updated.
Questions? Contact us or email [email protected]
