Privacy and Data Residency Policy
Last Updated: January 6, 2026
1. Privacy at a Glance
We believe that educational tools should be safe, transparent, and private by default. Because our platform is used in educational settings, we hold ourselves to a higher standard of data protection.
- Your Content is Yours: We do not claim ownership of the roleplays you publish or the transcripts generated by your students.
- No AI Training: We do not use your data (prompts, transcripts, or audio) to train our Artificial Intelligence models.
- Data Location: Your primary data (transcripts, emails, roleplay details) is stored securely in Sweden (EU).
- Student Safety: We design our services with the “Best Interests of the Child” in mind, complying with the UK Age Appropriate Design Code (AADC).
2. Introduction
This Privacy Policy explains how Zenobits Ltd (“we”, “us”, “our”) collects, uses, and protects personal data when you use our roleplay publishing service (the “Service”).
We are a company incorporated in the United Kingdom.
- Our Role: For teacher/administrator accounts and the content you author, we act as the Data Controller.
- School Use: For student data processed during roleplays assigned by a school or institution, we generally act as a Data Processor on behalf of the institution (the Data Controller).
This policy adheres to the UK General Data Protection Regulation (UK GDPR), the Data (Use and Access) Act 2025, and the EU GDPR.
3. Data We Collect
We collect and process the following categories of personal data:
A. Data Provided by Teachers or Administrators
- Identity Data: Names, usernames.
- Contact Data: Email addresses (used for login, password resets, and service notifications).
- Content Data: The text of the roleplay scenarios, character definitions, and prompts you author.
B. Data Generated During Roleplays (Students & Users)
- Interaction Data: Transcripts of text conversations between the user and the AI character.
- Audio Data: Voice inputs processed by our real-time AI.
  - Note: Audio is processed instantly (“in-memory”) to generate text and audio responses. We do not persistently store raw audio files after the session is complete.
- Performance Data: Scores, feedback, or assessments generated by the system based on the roleplay objectives.
C. Technical Data
- Device Information: IP address, browser type, and operating system.
- Usage Logs: Timestamps of when roleplays are accessed to ensure service stability and security.
4. How We Use Your Data & Lawful Basis
We only process your personal data when we have a legal basis to do so.
| Purpose | Lawful Basis (UK GDPR) |
|---|---|
| To provide the Service (hosting roleplays, generating AI responses, storing transcripts) | Performance of Contract |
| To manage your account (login, authentication, password resets) | Performance of Contract |
| To ensure security (fraud prevention, abuse monitoring, safeguarding) | Legitimate Interests (and “Recognised Legitimate Interests” for safeguarding under DUAA 2025) |
| To improve our Service (analytics, debugging technical issues) | Legitimate Interests |
5. Artificial Intelligence and Automated Processing
Our Service uses the Azure OpenAI Realtime API (provided by Microsoft) to power the interactive roleplay characters. Transparency regarding AI is a core part of our commitment to you.
No Model Training
Microsoft does not use your prompts, completions, or audio data to train their foundation models (e.g., GPT-4o). Your data remains isolated within our cloud environment.
Abuse Monitoring & Retention
To prevent the generation of harmful content (e.g., hate speech, violence), Azure OpenAI retains prompts and completions for 30 days in a secure environment.
- This data is encrypted and accessible only to authorized Microsoft engineers in the event of a flagged abuse incident.
- After 30 days, this data is permanently deleted.
Automated Decision Making
The AI may provide feedback or scoring on a roleplay. Users have the right to request a human review if they believe an AI-generated evaluation significantly impacts their educational progress.
6. Data Residency and International Transfers
We are committed to keeping your data secure. We have architected our system to ensure primary data storage remains within the European Economic Area (EEA), utilizing the “EU Data Boundary.”
Location of Data
| Component | Provider | Region | Status |
|---|---|---|---|
| Primary Database | Microsoft Azure | Sweden Central | Data At Rest (Storage) |
| AI Processing | Microsoft Azure | Sweden Central (Data Zone Standard) | Processing |
| Application Hosting | Render | Frankfurt, Germany | Processing (Compute) |
| Email & Support | Google Workspace | Global | Communication |
International Transfers
While our primary infrastructure is in the EU/EEA, some subprocessors (like Google and Render) are US-headquartered. We ensure these transfers are legal under UK and EU law:
- Render & Google: We rely on the UK-US Data Bridge (the UK Extension to the EU-US Data Privacy Framework). Both Render and Google are certified under this framework, ensuring they provide data protection adequate to UK standards.
- Standard Contractual Clauses (SCCs): Where the Data Bridge does not apply, we rely on standard contractual clauses to guarantee the safety of your data.
7. Children’s Privacy (Age Appropriate Design)
We comply with the UK Age Appropriate Design Code (AADC).
- High Privacy by Default: Student accounts are set to high privacy settings by default.
- Data Minimization: We only collect the data absolutely necessary to run the roleplay. We do not use “nudge” techniques to keep students online longer than necessary.
- Teacher Supervision: Transcripts are visible to the teacher/administrator who assigned the roleplay. Students are clearly informed of this visibility before they begin.
8. Data Retention
- User Accounts: Retained until you delete your account.
- Transcripts: Retained until deleted by the teacher/administrator.
- Abuse Logs (Azure): Retained strictly for 30 days, then deleted.
- Backups: Encrypted backups are retained for 30 days for disaster recovery purposes.
9. Your Rights
Under the UK GDPR and EU GDPR, you have the following rights:
- Right to Access: Request a copy of the data we hold about you.
- Right to Rectification: Correct inaccurate data.
- Right to Erasure (“Right to be Forgotten”): Ask us to delete your data.
- Right to Restrict Processing: Pause how we use your data.
- Right to Data Portability: Get your data in a usable format.
For International Users:
- California Residents (CCPA): We do not “sell” or “share” your personal data as defined by the CCPA. You have the right to know what information we collect and to request deletion.
10. Security
We use industry-standard security measures:
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Access Control: Strict role-based access to our production environment.
- Vendor Vetting: We only use compliant, tier-1 cloud providers (Microsoft Azure, Render, Google).
11. Subprocessors
We use the following third-party service providers to help us provide the Service:
| Subprocessor | Role | Location |
|---|---|---|
| Microsoft Corporation (Azure) | Database, AI Inference, Storage | Sweden (EU) |
| Render Services, Inc. | Application Hosting | Germany (EU) |
| Google LLC (Workspace) | Email & Customer Support | Global (US HQ) |
12. Contact Us
If you have any questions about this policy, or if you wish to exercise your rights, please contact our Privacy Lead:
- Email: info@zenobits.co.uk
You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the UK (www.ico.org.uk).