better-ed

Privacy Policy

Last updated: May 25, 2026
Version: 1.1

1. Introduction

better-ed is a voice-enabled AI assessment platform for K-12 education, operated by Predictive Systems, Inc. (Philippines) and Better Oy (Finland). This Privacy Policy explains how personal data is processed across all of our activities — the assessment Service delivered to schools, our marketing website, and our sales and support contacts.

We comply with applicable data-protection law in every jurisdiction we operate in. Where institutional customers need the specific regulatory detail their procurement teams require — GDPR, EU AI Act, UK GDPR, COPPA, FERPA, state K-12 laws, the Philippine Data Privacy Act, NPC Advisory 2024-04, and DepEd Order No. 003 s. 2026 — we cover it in our Data Processing Agreement and supporting documentation. Contact privacy@better-ed.ai for any of these on request.

2. Who controls your data

Different activities have different controllers. Under data-protection law, the controller decides why and how personal data is processed and is the entity you contact to exercise your rights.

ActivityData controllerOur role
School-deployed assessment Service — pupil voice recordings, transcripts, AI-generated outputs, pupil performance data, teacher and admin accounts created under an institutional contractThe school, municipality, or institutionBetter Oy is processor for EU/EEA institutions; Predictive Systems, Inc. is processor for US and Philippines institutions, and sub-processor to Better Oy for EU operational support
Marketing website, demo requests, sales outreach, support enquiries, business contactsPredictive Systems, Inc.Controller

For school-deployed activitiesthe school determines purposes and lawful basis. We process pupil and teacher data only on the school’s documented instructions. The Data Processing Agreement governs the relationship. Direct rights requests to your school first; we support the school in handling them.

For everything else — marketing site, sales, and support — Predictive Systems, Inc. is the controller, and you can contact us directly.

Throughout this Policy we use tags to show which controller applies:

School-controlledprocessing inside the assessment Service, under the school’s instructions.

PSI-controlled processing on the marketing site and in sales and support channels.

3. Personal data we process

3.1 In the school-deployed assessment Service School-controlled

  • Identity and account data: name, email, school or institution affiliation, role, account credentials.
  • Voice recordings: captured during assessment sessions, classified as personal data. Voice is processed for content analysis (the substance of what the pupil said) and is not used for speaker identification or biometric matching. If a future feature requires voice as biometric data, we will obtain explicit consent in line with applicable law before doing so.
  • Transcripts and assessment outputs: automated transcripts, AI-generated scores and feedback, teacher annotations.
  • Pupil performance data: progress, mastery indicators, attempt logs.
  • Technical telemetry: device type, browser, IP address, session timestamps, error logs — for security, fraud prevention, and service reliability.

3.2 On our marketing site and in our sales and support channels PSI-controlled

  • Cookies and similar technologies on better-ed.ai (subject to consent on the cookie banner; details in our Cookie Policy).
  • Contact forms, demo requests, sales-call notes, support tickets.
  • HubSpot business marketing contacts for B2B outreach to schools and education organisations.

4. Why we process it, and on what lawful basis

For school-deployed activities, the school selects the lawful basis under its applicable data-protection law. We process pupil and teacher data only on the school’s documented instructions.

We do not use identifiable pupil data to improve our AI models or for any product-development purpose of our own. Where the school has instructed us in writing, or after irreversible anonymisation, aggregated and de-identified data may be used to improve assessment accuracy.

For activities where Predictive Systems, Inc. is the controller, our lawful bases are:

ActivityPurposeLawful basis
Marketing site analytics, cookiesImprove and personalise the marketing siteConsent — cookie banner
Run and secure the marketing siteService the site, prevent abuse, debugLegitimate interests
B2B sales outreachContact schools and education organisations about our offeringLegitimate interests
Support, contract administrationRespond to enquiries, manage the customer relationshipContract / legitimate interests
Legal complianceTax, accounting, regulatory obligationsLegal obligation

5. AI transparency, human oversight, and automated decisions

We use AI in the assessment Service. We are transparent about it and we keep humans in control.

  • We inform users when AI is used in an assessment, describe how it works in plain language, and explain its limitations.
  • AI outputs are decision-support, not authoritative grades. Educators retain final authority and may review, override, or adjust any AI-generated result.
  • Where an AI-generated score is used as input to a decision that significantly affects a pupil, the pupil (or their parent/guardian) has the right to obtain human intervention, express a point of view, and contest the decision. The route is the appeal mechanism operated by the school. We support the school by providing decision logs and explanatory information.
  • We treat AI-generated assessment outputs as high-risk under applicable AI risk frameworks and apply the corresponding controls: human-in-the-loop, audit logging, transparency notices, bias monitoring, and the appeal mechanism above.

6. Where your data is stored (residency)

We operate region-isolated infrastructure with separate administration consoles:

  • EU/EEA tenants: Google Cloud Platform, region europe-north1 (Finland). EU pupil and teacher data is not replicated outside the EEA.
  • US, Philippines, and rest of the world: Microsoft Azure, US East. Azure OpenAI inference runs in the same region.

7. International data transfers

Where data crosses jurisdictions, we rely on appropriate legal transfer mechanisms (Standard Contractual Clauses, adequacy decisions, or other instruments approved under the applicable data-protection law) and apply supplementary measures including access controls, logging, encryption, and contractual restrictions on government access. The specific transfer architecture for each customer’s region is set out in the Data Processing Agreement and accompanying Transfer Impact Assessment, available on request at privacy@better-ed.ai.

8. Retention

We retain personal data only for as long as needed for the purposes set out in §4. The controller for each activity determines the retention period; the defaults below apply unless the controller has instructed otherwise.

Data categoryControllerDefault retention
Pupil voice recordingsSchoolPer the school’s instruction in the DPA; default deletion 90 days after the end of the academic year.
Pupil transcripts and assessment outputsSchoolPer the school’s instruction; default retention through the duration of the contract plus 30 days.
Teacher and admin account dataSchoolThrough the duration of the contract plus 30 days.
Technical telemetry and security logsShared (school activity logs governed by DPA; PSI infra logs by PSI)12 months.
Marketing contacts in HubSpotPSIUntil consent is withdrawn or 24 months of inactivity, whichever is sooner.
Cookies on the marketing sitePSIPer the Cookie Policy.
Support ticketsPSI24 months from closure.

9. Security

We implement technical and organisational measures appropriate to the risk. These include:

  • Encryption in transit (TLS 1.2 or higher) and at rest (AES-256);
  • Access controls based on least privilege; access to pupil personal data is logged and restricted to authorised personnel with a documented need;
  • Key management via the hyperscaler KMS in the relevant region;
  • Network isolation between EU and US/PH environments;
  • Regular security audits, vulnerability management, and penetration testing;
  • Sub-processor diligence under our DPA. The current list is published at better-ed.ai/sub-processors and institutional customers receive at least 30 days’ advance notice of any change affecting pupil or teacher data;
  • A documented incident response plan including notification of the affected institution(s) without undue delay and in any event within 72 hours of becoming aware of a personal-data breach.

10. Your rights

Depending on your location, you have rights regarding your personal data. The common set includes:

  • Access: request a copy of your personal data.
  • Rectification: correct inaccurate or incomplete data.
  • Erasure: request deletion, subject to legal retention duties.
  • Portability: receive your data in a structured, machine-readable format.
  • Restriction: limit how we process your data.
  • Objection: object to processing based on legitimate interests, including for direct marketing.
  • Withdraw consent at any time where processing is based on consent (without affecting prior lawful processing).
  • Lodge a complaint with your supervisory authority.

How to exercise your rights

  • For school-controlled data(assessment Service): contact your school’s data-protection contact first. We support the school in handling your request under the DPA.
  • For PSI-controlled data (marketing site, sales, support): contact us at privacy@better-ed.ai. We may ask for proof of identity. We respond within one month of receipt where required by applicable law; we will tell you if we need longer for complex requests.

Supervisory authority

You may lodge a complaint with the supervisory authority in your country. Common routes include the Office of the Data Protection Ombudsman in Finland (Tietosuojavaltuutetun toimisto), the Information Commissioner’s Office in the UK, your State Attorney General or the U.S. Department of Education in the United States, and the National Privacy Commission in the Philippines.

11. Children’s privacy

better-ed is designed for K-12 educational use. We follow the child-protection rules that apply in each jurisdiction we operate in, including the GDPR Article 8 child-consent framework in the EU/EEA, COPPA and applicable state laws in the United States, and DepEd Order No. 003 s. 2026 (which requires parental consent for all learners under 18) in the Philippines.

The school remains responsible for obtaining and documenting consent and for age-appropriate supervision in the school-deployed assessment Service.

New York-based school districts can request our Parents’ Bill of Rights for Data Privacy and Security and Supplemental Information by emailing privacy@better-ed.ai.

12. Cookies and tracking

We use cookies and similar technologies on our marketing site (PSI-controlled). See our Cookie Policy. The cookie banner provides a consent mechanism. User session analytics on the marketing site are active only after consent is given and are not used inside the pupil-facing assessment Service.

13. Contact

Data Protection Officer (DPO): Allan C. Tan, privacy@better-ed.ai

Privacy and data-protection enquiries: privacy@better-ed.ai
Legal and contractual matters: legal@better-ed.ai

Better Oy (EU/EEA contracting entity)
Lapinlahdenkatu 16, 00180 Helsinki, Finland

Predictive Systems, Inc. (US, Philippines, Rest of the world)
Unit 3006, One Corporate Centre, Julia Vargas Avenue, Ortigas Center, Pasig City, Metro Manila, Philippines

14. Changes to this Policy

We may update this Privacy Policy. Material changes are notified by updating this page and the “Last updated” date. For institutional customers we provide written notice to the account administrator at least 30 days before material changes take effect.