Security, governance, and compliance. Built for education.

All Acarise platform data is hosted on Amazon Web Services (AWS) infrastructure located within UK and EU regions. Production, staging, and development environments are fully separated to prevent cross-contamination of data. School and student data is stored exclusively in the production environment, which is isolated behind dedicated security groups and access policies.

Infrastructure is provisioned using code-managed templates to ensure consistency and auditability. Backups are encrypted and retained in accordance with our data retention schedule. All data — both in transit and at rest — is encrypted using industry-standard protocols (TLS 1.2+ for transit, AES-256 for storage).

Acarise operates a strict role-based access control (RBAC) model. Platform users — including students, teachers, tutors, and administrators — are assigned permissions appropriate to their role. No user can access data outside their designated scope.

Internally, access to production systems and personal data is restricted to authorised personnel on a need-to-know basis. Administrative actions are logged and subject to periodic review. Staff with data access undergo background checks and complete data protection training before being granted any system privileges.

Schools and multi-academy trusts retain administrative control over their own user accounts and can manage access, reporting, and engagement data through their institutional dashboard.

Acarise uses artificial intelligence to personalise learning, generate practice content, and surface progress insights — but AI operates within clearly defined boundaries set by educators.

Teachers and tutors control what AI features are available to their students. AI-generated content is treated as a learning aid, not as formal academic output. No solely automated decisions with legal or similarly significant effects are made on learners — all meaningful outcomes are reviewed by a human educator.

AI interactions are logged for quality assurance, safeguarding monitoring, and continuous improvement. Automated content filtering is in place to detect harmful or inappropriate material. Users are prohibited from attempting to manipulate, jailbreak, or extract system-level instructions from any Acarise AI tool, in line with our Acceptable Use Policy.

Acarise collects only the personal data necessary to deliver and improve the platform. For students, this includes name, year group, school or tutor organisation, session activity, and progress data generated through platform use. We do not collect unnecessary demographic data, social media profiles, or information unrelated to the educational service.

Technical data such as device type, browser information, and IP address is collected to maintain platform security and performance. All data collection is reviewed against operational need, and we do not retain data beyond the periods set out in our retention schedule.

Acarise processes personal data under several lawful bases as defined by UK GDPR:

Contract — where processing is necessary to deliver the platform and services that a school, trust, or tutor has subscribed to.

Legitimate Interests — for platform improvement, abuse detection, and security monitoring, balanced against the rights of individuals.

Legal Obligation — where we are required to process data to comply with applicable laws and regulations.

Consent — for optional activities such as marketing communications and non-essential analytics, which can be withdrawn at any time.

Vital Interests — in safeguarding and child protection situations where immediate action is required.

For school and institutional accounts, the school or trust typically acts as the controller or joint controller, and Acarise processes data on their behalf under a data processing agreement. For private tutor accounts, Acarise acts as the data controller. We do not sell personal data to third parties under any circumstances.

Under UK GDPR, all individuals whose data we process have the following rights:

Right of Access — request a copy of the personal data we hold about you.

Right to Rectification — ask us to correct any inaccurate or incomplete data.

Right to Erasure — request deletion of your data in certain circumstances.

Right to Restriction — ask us to limit how your data is used while a concern is being resolved.

Right to Data Portability — receive your data in a structured, machine-readable format.

Right to Object — object to processing based on legitimate interests or direct marketing.

Rights related to Automated Decision-Making — you will not be subject to solely automated decisions that produce legal or similarly significant effects.

To exercise any of these rights, contact privacy@acarise.com. We respond to all requests within 30 days. If a request is made through a school or trust, we will coordinate with the institution's data protection contact to ensure it is handled appropriately.

If you are dissatisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.