ExAIm Limited Privacy Policy & GDPR Compliance
Effective Date: 1st March 2025
Last Updated: 1st March 2025
1. Introduction
ExAIm Limited (“ExAIm,” “we,” “us,” or “our”) is registered in England and Wales (ICO Registration Number ZB842876) and operates internationally, including Dubai, UAE, holding a valid Technology License in Dubai. ExAIm is committed to safeguarding the privacy and security of our business-to-business (B2B) clients, educational institutions (“Institutions”), and their administrators, teachers, and students (“End Users”).
This Privacy Policy details how ExAIm collects, processes, shares, transfers, and retains personal data, outlining user rights under the UK General Data Protection Regulation (UK GDPR) and UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (“UAE PDPL”).
2. Scope of Policy
ExAIm serves as a Data Processor on behalf of educational Institutions, who act as Data Controllers. This policy applies to all data handled by ExAIm through our platform and related services across jurisdictions in which we operate.
3. Information We Collect
Institutional Data:
- Institution name, address, and registration number
- Administrator’s name, email, and telephone number
- Billing and payment details
End User Data:
- Name, date of birth, and class assignment
- Assessment responses, grades, and analytical insights
4. Purpose and Legal Basis of Data Processing
ExAIm processes personal data exclusively for:
Purpose of Processing | Legal Basis (UK GDPR and UAE PDPL)
Automated grading & personalised feedback | Performance of contract (with Institution)
Educational performance analytics | Performance of contract
Technical support & troubleshooting | Performance of contract
Enhancing platform functionality & developing new features | Legitimate interests
Compliance with data protection & regulatory obligations | Legal obligation
5. AI-driven Assessment Transparency
ExAIm employs Artificial Intelligence (AI) to automate assessment grading, including the grading of open-ended responses. AI analyses End User responses solely to generate grades, personalised feedback, and insights. Human oversight is always available: teachers can review, verify, and modify AI-generated outcomes. No academic outcome is determined solely by an automated assessment without institutional review.
6. Special Categories & Children’s Data
ExAIm does not collect or process special categories of personal data (e.g., special educational needs or health information).
Children’s Data:
ExAIm services involve processing data of students under 18 years of age. Institutions (Data Controllers) confirm responsibility for obtaining lawful consent or ensuring alternative lawful bases (such as educational obligations or parental authorisation), complying with UK GDPR Article 8 and UAE PDPL.
7. Data Sharing & International Transfers
ExAIm does not sell or rent personal data. Data sharing occurs solely:
- With subprocessors compliant with GDPR and UAE PDPL for essential services (hosting, analytics, support)
- Upon explicit direction by Institutions (e.g., reporting to parents or authorities)
- To comply with legal obligations or official regulatory requests
Explicit Subprocessors:
- Google Cloud Platform (GCP): ExAIm maintains a formal Data Processing Agreement (DPA) with Google Cloud that incorporates appropriate safeguards, including Standard Contractual Clauses (SCCs), for compliance with UK GDPR and UAE PDPL. The complete Data Processing Addendum can be found here.
International Data Transfers:
ExAIm stores personal data on Google Cloud Platform, with data primarily hosted in the UK and/or EU. If data transfers occur outside these regions, we rely on SCCs and other appropriate safeguards.
Subprocessor Updates:
Institutions will receive email notifications at least 30 days in advance of any changes to subprocessors. An updated subprocessor list can be requested at any time.
8. Data Retention Policy
Data is retained only as long as necessary for:
- Contractual obligations with Institutions
- Compliance with legal obligations or dispute resolution
After contract termination, personal data is securely deleted or returned within 60 days, per GDPR and UAE PDPL requirements.
9. Data Security & Breach Notification
ExAIm implements technical and organisational measures to protect personal data, including but not limited to:
Encryption:
- Data encrypted at rest using AES-256; Google Cloud Platform (GCP) applies this encryption by default.
- Data encrypted in transit using Transport Layer Security (TLS).
Access Controls and Authentication:
- Role-based access controls (RBAC) ensure that each user holds only the privileges required for their role.
- Secure login mechanisms, including mandatory multi-factor authentication (MFA) for administrative accounts.
Infrastructure Security:
- All data storage and processing infrastructure is hosted exclusively on GCP, which maintains:
  - SOC 2 Type II attestation
  - ISO 27001 certification
  - Compliance with UK GDPR requirements and UAE PDPL data protection standards
  - Regular independent audits and third-party certifications
System Monitoring & Breach Response:
- Continuous security monitoring and logging to detect unusual activity.
- Incident response procedures for identifying and addressing potential security breaches. ExAIm notifies affected Institutions without undue delay after becoming aware of a personal data breach, and in any event within 72 hours, so that Institutions (as Data Controllers) can meet their own obligation under UK GDPR Article 33 to notify the supervisory authority within 72 hours, and their corresponding obligations under UAE PDPL.
10. Responsibilities of Institutions (Data Controllers)
Institutions agree to:
- Ensure lawful collection, processing, and sharing of personal data, including lawful consent for children’s data.
- Inform End Users, parents, or guardians of processing practices.
- Comply fully with applicable local and international data protection laws.
11. User Rights under GDPR & UAE PDPL
Users have specific rights regarding their personal data. These rights include the ability to:
- Access their personal data.
- Correct inaccurate or incomplete personal data.
- Request deletion of personal data when no longer necessary or processed unlawfully.
- Restrict, or object to, specific types of data processing.
- Request portability of their personal data in a structured, machine-readable format.
Exercising Your Rights: End Users should direct their requests to the relevant Institution (Data Controller). ExAIm, as a Data Processor, will assist Institutions promptly, transparently, and in accordance with applicable data protection laws.
Right to Lodge Complaints: Users have the right to lodge a complaint with the relevant data protection supervisory authority if they believe their rights have been infringed:
- For UK Users: Information Commissioner’s Office (ICO), https://ico.org.uk
- For UAE Users: the relevant data protection authority under UAE Federal Decree-Law No. 45 of 2021 (UAE PDPL), typically the UAE Data Office or the local Emirate data protection authority. More information can be found via https://u.ae/en
12. Jurisdiction and Governing Law
- For UK-based or international Institutions, this Privacy Policy is governed exclusively by the laws of England and Wales, with disputes subject to English courts.
- For UAE-based Institutions, this Privacy Policy is governed exclusively by the laws of Dubai and the UAE, with disputes subject exclusively to Dubai Courts.
13. Dedicated Privacy Contact
For privacy-related inquiries, complaints, or to exercise your data protection rights under the UK GDPR or UAE PDPL, please contact our designated Data Protection Officer (DPO):
Data Protection Officer (DPO)
ExAIm Limited
2 Crossways Business Centre,
Bicester Road, Kingswood,
Aylesbury, HP18 0RA,
United Kingdom
Email: privacy@exaim.ai
Note: Our DPO is based in the United Kingdom and manages privacy compliance and inquiries for all jurisdictions, including the UK and UAE.
14. Policy Updates
We regularly review and update this policy. Institutions will be notified via email at least 30 days in advance of significant changes.
By using ExAIm services, Institutions acknowledge and accept this Privacy Policy and our commitment to robust privacy and data protection standards across jurisdictions.