Skip to content
Mark My Tests
Privacy notice

How we handle your data.

Last updated: 21 April 2026. This notice covers the Mark My Tests web application (the “Service”). For school-level Data Processing Agreements, contact your organisation's data protection lead.

Who we are

The Service is operated by Mark My Tests (“we” / “us”). The data controller for your personal data is your organisation when you use a school account; we act as processor where a contract exists, and as controller for account and billing metadata required to operate the Service.

Data we process

  • Account: name, email, organisation linkage, role (for signed-in users).
  • Session content: uploaded test papers, mark schemes, pupil names or identifiers, scanned scripts, and derived marks and comments.
  • Technical: IP address, rate-limit counters, device/browser metadata, audit logs for security.
  • Billing: Stripe customer id, payment status, credit ledger entries.

Purposes and lawful bases

We process data to provide marking, review, export, billing, support, and security (performance of contract; legitimate interests in securing the Service and improving reliability). Where we rely on consent (e.g. optional marketing), you may withdraw it without affecting processing required for the core Service.

Retention

  • Scripts and uploaded artefacts: deleted within 7 days after processing completes, unless you or your school configure a longer retention through an agreed workflow.
  • Abandoned guest drafts: uploaded files are removed after 24 hours of inactivity if marking or extraction is not started.
  • Guest results: paid guest results stay available for 7 days after completion unless saved into an account.
  • Billing and ledger: kept for statutory accounting periods.

Subprocessors (non-exhaustive)

We use vetted providers including:

  • Google Cloud / Vertex AI— AI inference. Configured so customer content is not used to train public foundation models (per Google's enterprise terms).
  • Supabase / PostgreSQL — application database and auth.
  • Stripe — payments.
  • Trigger.dev or equivalent workers — background jobs.
  • Email provider (e.g. Resend) — transactional email.
  • Sentry — error monitoring (with redaction).

International transfers

Where data leaves the UK/EEA, we rely on appropriate safeguards (e.g. UK IDTA / EU SCCs) as required by law. Vertex and storage regions are selected to minimise transfer where configurable.

Your rights

Subject to exemptions, you may request access, rectification, erasure, restriction, portability, and may object to certain processing. Contact your school DPO for pupil data; contact your organisation admin or support path for account data. You may complain to the ICO (UK).

Further reading