Privacy Policy
Last updated: 23 December 2024
1. Introduction
Thinking Paper ("we", "us", or "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you use our AI-powered writing and learning platform at thinkingpaper.app (the "Service").
We are a UK-based service and comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the EU General Data Protection Regulation (EU GDPR) where applicable.
Data Controller: Kompass Education
Contact: darren@kompass.education
2. Data Sovereignty Commitment
All your data remains within UK and EU infrastructure. We have made a deliberate architectural decision to ensure that no user data transits through or is stored in jurisdictions outside the UK/EU. All data is stored and processed exclusively within UK and EU data centres.
This ensures compliance with UK and EU data protection requirements and provides you with the assurance that your intellectual work remains under appropriate legal protections.
3. Information We Collect
3.1 Account Information
When you create an account, we collect:
- Email address
- Display name (optional)
- Avatar image (optional)
- Authentication credentials (securely hashed)
In a future release, we plan to support sign-in via Microsoft Azure AD or Google Workspace for organisational accounts. If you use these options when available, we will receive your email, name, and organisational identifiers from these providers.
3.2 Content You Create
We store the content you create while using the Service:
- Documents and text content
- Folders and organisational structure
- Uploaded files (PDFs, images)
- Projects and associated materials
- Defence Mode responses and Cognitive Provenance certificates
3.3 AI Interaction Data
When you interact with our AI features, we log:
- Your queries and the AI's responses
- Token usage (for service management)
- Safety classifications (to ensure appropriate use)
- Timestamps and context
Important: Google (our AI provider) does not use your data to train their models. Your content is processed solely to provide you with the Service and is not retained by Google beyond the immediate request.
3.4 Technical Data
We automatically collect:
- IP address
- Browser type and version
- Device information
- Pages visited and features used
- Error logs (for service improvement)
3.5 Student Magic Links (Anonymous Access)
For students accessing the Service via magic links (without creating an account), we collect only:
- A display name (entered by the student)
- Session tokens (temporary)
No email address or other personal data is collected for magic link users. This approach minimises data collection for younger users while still enabling educational functionality.
4. How We Use Your Information
We use your information for the following purposes:
4.1 Service Delivery
- Providing and maintaining the writing platform
- Processing your content with AI for feedback and analysis
- Generating Cognitive Provenance certificates
- Enabling document storage and retrieval
- Facilitating collaboration within organisations
4.2 Safety and Safeguarding
- Monitoring AI interactions for harmful content
- Supporting designated safeguarding leads in educational settings
- Maintaining audit trails for accountability
4.3 Service Improvement
- Analysing usage patterns to improve features
- Debugging errors and technical issues
- Ensuring service reliability and performance
4.4 Communication
- Sending essential service notifications
- Responding to your enquiries
- Providing support
5. Legal Basis for Processing
Under UK GDPR, we process your data on the following legal bases:
- Contract: Processing necessary to provide you with the Service you have requested
- Legitimate Interests: Service improvement, security, fraud prevention, and analytics (where our interests do not override your rights)
- Legal Obligation: Compliance with safeguarding requirements in educational settings, and with tax and accounting obligations
- Consent: For optional features such as marketing communications (where applicable)
6. Data Sharing
We share your data only with trusted service providers who process data on our behalf. All our service providers operate within UK and EU jurisdictions and have signed Data Processing Agreements (DPAs) in compliance with UK GDPR requirements.
We do not sell your personal data to third parties.
6.1 Organisational Sharing
If you use Thinking Paper through a school, university, or business, your organisation's administrators may have access to:
- Your account information
- Usage statistics
- Content you create (subject to your organisation's policies)
- Safety flags and escalations (for designated safeguarding leads)
7. Data Retention
We retain your data for different periods depending on its nature:
- Account and content data: Until you delete your account or request deletion
- AI interaction logs (unflagged): 90 days
- AI interaction logs (flagged for review): 1 year
- Safeguarding records (escalated): 3 years (as required by Department for Education guidance)
- Audit logs: Up to 2 years
- Magic link student sessions: Approximately 120 days after last activity
After these periods, data is automatically deleted through our retention management system.
8. Your Rights
Under UK GDPR, you have the following rights:
- Right of Access: Request a copy of all personal data we hold about you
- Right to Rectification: Correct any inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data (subject to legal retention requirements)
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Restrict Processing: Limit how we use your data in certain circumstances
- Right to Object: Object to processing based on legitimate interests
- Rights related to Automated Decision-Making: Our AI provides recommendations only; no fully automated decisions affecting your rights are made without human oversight
To exercise any of these rights, please contact us at darren@kompass.education. We will respond within one month.
9. Children's Privacy
Thinking Paper may be used by children in educational settings. We take additional care to protect children's data:
- Magic Links: Students can access the Service without providing personal data (no email required)
- Minimal Data Collection: We collect only what is necessary for the educational purpose
- Parental/Guardian Rights: Parents or guardians may contact us to access, correct, or delete their child's data
- School Responsibility: When used in schools, the school acts as the data controller for student data and is responsible for obtaining appropriate consents
For children under 13 (or under 16 in certain EU jurisdictions), we recommend use through organisational accounts where the school manages consent and data protection responsibilities.
10. Security
We implement robust security measures to protect your data:
- Encryption in Transit: All data is transmitted using TLS 1.3 encryption
- Encryption at Rest: All stored data is encrypted using industry-standard methods
- Access Controls: Row-level security ensures users can only access their own data
- Regular Audits: We maintain comprehensive audit logs of all significant actions
- Secure Authentication: Support for single sign-on (SSO) and secure password policies
11. Cookies
We use cookies and similar technologies for:
- Essential Cookies: Required for authentication and core functionality (no consent required)
- Analytics Cookies: To understand how the Service is used (with your consent where required)
You can manage cookie preferences through your browser settings. Disabling essential cookies may affect Service functionality.
12. International Data Transfers
As stated in Section 2, we do not transfer your data outside the UK and EU. All our infrastructure and service providers operate within these jurisdictions, eliminating the need for international transfer mechanisms such as Standard Contractual Clauses.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes by:
- Posting the updated policy on this page with a new "Last updated" date
- Sending an email notification for material changes (where we have your email)
We encourage you to review this policy periodically.
14. Contact Us
If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:
- Email: darren@kompass.education
- Subject: Thinking Paper Privacy Enquiry
If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
