Privacy Notice

Last updated: 10 January 2026

This Privacy Notice explains how Wurksy AI ("Wurksy", "we", "us", or "our") processes personal data when you use the Wurksy AI platform and related services (the "Service").

Wurksy AI is designed for use within educational institutions to support academic integrity, transparency, and controlled use of artificial intelligence in teaching and assessment.

Where Wurksy AI is deployed by a university or college, that institution acts as the Data Controller, and Wurksy AI operates as a Data Processor under a contractual Data Processing Agreement (DPA).

A formal Data Processing Agreement (DPA) governs the processing of personal data between Wurksy AI and each deploying institution.

Data Access and Hosting Model

Wurksy AI is designed using a zero-access architecture. This means Wurksy AI does not independently access, view, or use personal data for its own purposes.

All data processed within the Service is controlled by the deploying institution. Wurksy AI provides infrastructure that enables processing strictly under the institution's instructions.

• Wurksy AI does not sell or monetise personal data
• Wurksy AI does not profile or analyse users for its own purposes
• Wurksy AI staff do not routinely access user content
• Any access for support is strictly authorised, logged, and limited

In many deployments, data is hosted within infrastructure controlled by the institution (for example, Microsoft Azure environments), meaning Wurksy AI does not maintain independent copies of institutional data.

Legal and Regulatory Framework

• UK GDPR and Data Protection Act 2018
• EU GDPR
• FERPA (USA) – where applicable
• Industry-standard security practices aligned with frameworks such as ISO/IEC 27001

Compliance Position

Wurksy AI is designed to support compliance with applicable data protection and education regulations. Formal compliance obligations, including roles and responsibilities, are defined within agreements with each deploying institution.

References to regulatory frameworks reflect alignment in design and operation, and do not imply independent certification unless explicitly stated.

Personal Data Processing

Wurksy AI does not collect or use personal data for its own independent purposes. Personal data is processed only on behalf of the institution to deliver the Service.

Types of data processed

• Identity data (name, institutional email, ID)
• Academic context (modules, assignments)
• AI interaction data (prompts, responses, logs)
• User-uploaded content (lecture materials, documents)
• Technical data (IP address, device, logs)

Wurksy AI does not determine the purpose or means of processing. These are defined by the Data Controller (the institution).

The Service is not intended for special category data (e.g. health or biometric data).

Data Minimisation

Wurksy AI is designed to process only the minimum amount of personal data necessary to deliver the Service and support academic integrity functions.

Purpose of Processing

• Deliver controlled AI learning environments
• Enforce assignment-specific AI rules
• Generate AI usage audit records (AI Index)
• Support academic integrity processes
• Maintain system performance and security

Legal Bases

• Public Task – education and assessment
• Contract – provision of services
• Legitimate Interests – integrity and security
• Consent – where applicable

AI Processing and Third Parties

Wurksy AI integrates with enterprise AI providers such as OpenAI and Microsoft Azure OpenAI.

• Only the minimum necessary data is transmitted
• Enterprise configurations prevent use of data for model training
• Processing occurs within secure, controlled environments

Wurksy AI does not retain or reuse AI inputs or outputs for its own purposes. All processing is carried out strictly on behalf of the institution.

Sub-processors

Wurksy AI uses carefully selected sub-processors to deliver the Service, including cloud infrastructure providers and AI processing services.

• Sub-processors are subject to contractual data protection obligations
• Processing is limited to what is necessary to provide the Service
• Institutions are informed of material changes where required

International Data Transfers

Where data is transferred outside the UK or EEA, appropriate safeguards are applied:

• Standard Contractual Clauses (SCCs)
• UK International Data Transfer Agreements (IDTA)
• Regional hosting where available

Audit and Accountability

Wurksy AI maintains audit logs of system activity to support transparency and institutional oversight.

• AI interactions may be logged for academic integrity review
• Administrative access is monitored and recorded
• Institutions retain oversight of processing activities

Data Subject Rights

• Access and portability
• Correction
• Erasure (where applicable)
• Restriction and objection

Requests should be directed to the institution acting as Data Controller.

Security Measures

• Encryption in transit (TLS)
• Role-based access controls
• Least-privilege access policies
• Audit logging of system activity
• Segregation of institutional data
• Secure cloud infrastructure

FERPA Considerations (US Institutions)

Where Wurksy AI is deployed by US-based institutions, it is intended to operate in a manner consistent with FERPA requirements.

• Processing occurs under institutional control
• Access limited to authorised educational purposes
• No independent use or disclosure of student data

Formal FERPA roles are defined within institutional agreements.

Complaints

• UK: Information Commissioner's Office (ICO)
• EU: Relevant Data Protection Authority
• US: Institutional FERPA contact

Changes to this Notice

This Privacy Notice may be updated periodically. Material changes will be communicated within the Service.

Contact

If you have questions about this Privacy Notice or how your data is handled, please contact your institution's data protection officer or reach us at info@wurksyai.com.