Data Protection – Report Hero

Data protection by design and by default

Report Hero has been designed in line with the UK GDPR data protection principles:

These principles are embedded in how the service operates, both where Report Hero acts as a data controller and where it acts as a data processor.

Acting as data controller

Report Hero acts as a data controller in relation to:

Teacher account data

When a teacher signs up to use Report Hero, we process:

• Name
• Email address
• School name
• Account and subscription information
• Usage data (e.g. number of reports generated)

Payment details are handled securely by a third-party payment provider and are not stored by Report Hero.

Teacher accounts remain active until the user deletes the account or cancels their subscription. Inactive accounts without an active subscription are deleted after 6 months.

Acting as data processor

When teachers or schools use Report Hero to create reports, they may choose to enter pupil and report-related information. In these cases:

• The school or teacher acts as data controller
• Report Hero acts as a data processor

Report Hero processes this data only in accordance with the controller's instructions and in line with the terms of our Data Processing Agreement (DPA).

We support controllers by:

• Providing tools to delete data directly within the app
• Permanently removing data when deleted
• Assisting with account deletion if required by a school
• Supporting data subject rights requests where applicable

Pupil and report data

When using Report Hero, teachers may enter:

• Pupil first names and surnames
• Notes and information used to generate reports
• Draft report text

This data:

• Is stored securely in the UK
• Remains visible only to the teacher
• Is retained until the teacher deletes it
• Is permanently removed from our systems when deleted

Teachers can export report text for use in school systems. Once exported, responsibility for that data transfers to the teacher or school.

AI processing and anonymisation

Report Hero uses AI to assist with drafting report text. Strong safeguards apply:

Automatic anonymisation

Pupil names and identifiable information are removed before any data is sent for AI processing.

UK-based AI processing

All AI processing takes place within the UK. Data does not leave the UK for processing.

No training on user data

User inputs and generated reports are not used to train AI models.

In limited cases, anonymised data may be reviewed internally only where necessary for debugging or quality assurance. Personal data is not used for this purpose.

Storage and security

Report Hero uses UK-hosted infrastructure provided by AWS and Azure.

Security measures include:

• UK-based servers only
• Encryption of data in transit and at rest
• Access controls and monitoring
• Industry-standard security certifications provided by our infrastructure partners

No data is transferred or stored outside the UK.

Data minimisation and safeguarding

Report Hero is designed to minimise personal data use.

• Only data necessary to create reports is processed
• Pupil data is anonymised before AI processing
• Teachers are encouraged to review all outputs before use

As with any generative AI system, outputs may require review to ensure accuracy, appropriateness, and the removal of any unintended bias. Teachers and schools remain responsible for safeguarding and final content decisions.

Data subject rights

Data controllers are responsible for identifying the lawful basis for processing personal data and responding to data subject rights requests.

Report Hero supports controllers by:

• Providing deletion tools within the app
• Permanently removing deleted data
• Acting in accordance with documented controller instructions

Where required, requests can also be directed to:

📧 privacy@report-hero.org