Data Protection
GDPR & Data Protection
Classfolio is designed to help schools use digital learning and artificial intelligence safely, transparently and responsibly.
Classfolio gives teachers powerful tools for creating lessons, assessments, assignments and learning resources while keeping schools in control of their data.
Data Controller
Who controls the data?
Under UK GDPR, there is an important distinction between the school as Data Controller and Classfolio as Data Processor.
Schools remain the Data Controller
Your school decides how Classfolio is used, which classes and students are created, and how teaching content is organised.
Classfolio acts as Data Processor
Classfolio processes data only to deliver the educational service your school has configured. We act on your instructions.
Schools own their educational data
All lessons, assessments, student work, and resources created in Classfolio belong to your school. You can request exports or deletion at any time.
Data Processing
How Classfolio uses data
Classfolio processes personal data solely to deliver educational functionality. Below is a clear breakdown of what is processed and for whom.
Teacher Data
- Account information
- Authentication details
- Created lessons
- Created assessments
- Created assignments
- Uploaded resources
Student Data
- Display names
- Class membership
- Assessment results
- Assignment submissions
- Lesson participation
- Progress and analytics
School Data
- Classes
- Resources
- Teaching content
- Performance information
Purpose of processing
Data is used solely to deliver educational functionality, including:
Classfolio does not sell school, teacher or student data.
AI & Privacy
AI and student data
Classfolio does not use school, teacher or student data to train AI models.
AI helps teachers to
- Create lessons
- Create assessments
- Create assignments
- Generate resources
- Generate quizzes
- Generate revision materials
- Support feedback creation
Teachers remain in control
- AI suggestions are reviewed by teachers before use
- Teachers can edit AI-generated content
- Teachers remain responsible for educational decisions
- AI assists teachers but does not replace teacher judgement
- AI should not be used as the sole basis for high-stakes educational decisions
Classfolio is designed to keep teachers in control. AI helps create content faster, but teachers decide what students see.
Student Privacy
How student privacy works in Classfolio
Classfolio is built around a layered access model. Students can only see their own work. Teachers can only access students they teach. Administrative access is restricted by role.
Classfolio supports a pseudonymous identity model. Display names — such as “Smith, J” or a school-managed alias — help minimise unnecessary personal data exposure while still allowing teachers to identify students appropriately within their school environment.
Classfolio does not claim to anonymise students. Display names are linked to authenticated identities.
Microsoft and Google sign-in
All users sign in using Microsoft or Google accounts. Classfolio does not manage user passwords — authentication is delegated entirely to Microsoft or Google identity providers.
Role-based permissions
Students only access their own information. Teachers access only the students they teach. Separate administrative roles exist for school-level management.
Data access boundaries
Firestore security rules enforce that students cannot read other students' data, results, or submissions — regardless of class membership.
Important Commitments
What Classfolio does not do
Many schools are understandably concerned about AI products that record classrooms or use student data without consent. Here is what Classfolio explicitly does not do.
Sell student data
Student data is never sold to any third party for any purpose.
Use student data for advertising
Classfolio contains no advertising. Student data is not used for ad targeting.
Train AI models on school data
School, teacher and student data is not used to train or fine-tune AI models.
Share school data with unrelated third parties
Data is only shared with subprocessors required to deliver the service.
Replace teacher professional judgement
All AI-generated content is a suggestion. Teachers review, edit and approve before students see it.
Make autonomous educational decisions
Classfolio does not automatically assign grades, stream students, or make consequential decisions about pupils.
Continuously record classrooms
Classfolio does not capture audio, video or screen recordings of lessons.
Continuously record student conversations
There is no continuous monitoring or recording of student activity beyond their session responses.
Security
Security controls
Classfolio continually reviews and improves security controls. Below is an overview of the measures in place.
Secure Authentication
- Google sign-in
- Microsoft sign-in
- Firebase Authentication
- School identity providers
Encryption
- Data encrypted in transit
- Secure HTTPS / TLS connections
- Firebase Storage encryption
- Secure API communication
Access Control
- Teacher permissions
- Student permissions
- Administrative permissions
- Firestore security rules
Infrastructure
- Secure cloud hosting
- Firebase / Google Cloud
- Monitoring and maintenance
- Ongoing security review
Data Management
Retention, export and deletion
Data is retained only for as long as required to provide the service and meet legal obligations. Schools and organisations using Classfolio should define their own retention schedule aligned with their data protection policy.
Where recycle-bin functionality exists within the platform, deleted content may be recoverable for a limited period before permanent removal.
Request a data export
Schools can request an export of their data — including classes, student records, lessons, and assessments.
Request data deletion
Schools can request deletion of their data. Contact privacy@classfolio.co.uk to submit a deletion request.
Access your data
Schools have access to their educational data through the platform. Additional access requests can be submitted to Classfolio.
Subprocessors
Our subprocessors
Classfolio only shares data with service providers where necessary to deliver platform functionality.
| Provider | Purpose |
|---|---|
| Firebase / Google Cloud | Hosting, database, storage and authentication services. Core platform infrastructure. |
| Google Gemini | AI-assisted lesson, assessment and resource generation. Used only when a teacher activates an AI feature. |
| Google Authentication | Google sign-in for teachers, students, and administrators via Google OAuth. Schools using Google Workspace benefit from school-managed identity. |
| Microsoft Authentication | Microsoft sign-in for teachers, students, and administrators via Microsoft OAuth. Schools using Microsoft 365 benefit from school-managed identity. |
Legal Documents
Supporting documents
Privacy Policy
Full details on how Classfolio collects, uses and protects personal data.
Cookie Notice
Information about the cookies and similar technologies used by Classfolio.
Terms of Service
The terms governing use of the Classfolio platform by teachers, students and schools.
Data Processing Agreement
A DPA is available on request for schools and trusts that require a signed agreement.
Related compliance pages
Security & Infrastructure
Authentication, access controls, encryption, infrastructure overview
Read moreSafeguarding
What Classfolio does and doesn't do in a safeguarding context
Read moreData Processing Agreement
DPA summary, commitments, and how to request a signed agreement
Read moreProcurement FAQ
Common questions from Headteachers, SBMs, DPOs and IT Managers
Read moreGet in touch
Data Protection Enquiries
If you have questions about how Classfolio handles data, want to submit a data subject access request, or need to discuss a Data Processing Agreement for your school or trust, please get in touch.
For privacy questions about your school's use of Classfolio, also contact the administrator for your Classfolio workspace.