Skip to content
Mark My Tests

Privacy notice

Last updated: 21 April 2026. This notice covers the Mark My Tests web application (the “Service”). For school-level Data Processing Agreements, contact your organisation’s TestLens / data protection lead.

Who we are

The Service is operated as part of the TestLens v2 platform rebuild (“we” / “us”). The data controller for your personal data is your organisation when you use a school account; we act as processor where a contract exists, and as controller for account and billing metadata required to operate the Service.

Data we process

  • Account: name, email, organisation linkage, role (for signed-in users).
  • Session content: uploaded test papers, mark schemes, pupil names or identifiers, scanned scripts, and derived marks and comments.
  • Technical: IP address, rate-limit counters, device/browser metadata, audit logs for security.
  • Billing: Stripe customer id, payment status, credit ledger entries.

Purposes and lawful bases

We process data to provide marking, review, export, billing, support, and security (performance of contract; legitimate interests in securing the Service and improving reliability). Where we rely on consent (e.g. optional marketing), you may withdraw it without affecting processing required for the core Service.

Retention

  • Scripts and uploaded artefacts: deleted within 7 days after processing completes, unless you or your school configure a longer retention through an agreed workflow.
  • Session and wizard state: subject to session expiry (see product constants, typically 30 days) and your save/export actions.
  • Billing and ledger: kept for statutory accounting periods.

Subprocessors (non-exhaustive)

We use vetted providers including:

  • Google Cloud / Vertex AI — AI inference. Configured so customer content is not used to train public foundation models (per Google’s enterprise terms).
  • Supabase / PostgreSQL — application database and auth.
  • Stripe — payments.
  • Trigger.dev or equivalent workers — background jobs.
  • Email provider (e.g. Resend) — transactional email.
  • Sentry — error monitoring (with redaction).

International transfers

Where data leaves the UK/EEA, we rely on appropriate safeguards (e.g. UK IDTA / EU SCCs) as required by law. Vertex and storage regions are selected to minimise transfer where configurable.

Your rights

Subject to exemptions, you may request access, rectification, erasure, restriction, portability, and may object to certain processing. Contact your school DPO for pupil data; contact your organisation admin or support path for account data. You may complain to the ICO (UK).

Further reading

Security · Terms · FAQ.