top of page
White Structure

Privacy and Security

Pilot Generative AI – Easy-Read Terms

Important: This is a simplified summary of our Data Processing Agreement (DPA). It is for convenience only. The full legal DPA always takes precedence.

Introduction – What This Covers

When your organisation (“Controller”) uses Pilot, we sometimes process personal data on your behalf. This agreement sets out how that works under UK GDPR.

Who Does What

  • You (the Controller): You decide what data is collected, why, and how long to keep it. You must have a lawful basis and give the right notices to individuals.

  • Us (Pilot, the Processor): We only process data on your instructions. We don’t use it for our own business purposes, except to run and improve the services.

What Data Might Be Processed

Depending on your use of Pilot’s services, data could include:

  • Basic details: names, contact info, logins.

  • Learner/staff/service-user data: education, employability, safeguarding, or welfare records.

  • Usage data: logs, progress tracking, preferences.

  • Technical info: IP addresses, device/browser details.

  • Communications: support requests, feedback, messages.

The people this relates to may include staff, students, learners, service users, parents, or guardians.

Why We Process Data

We only process data to:
✅ Deliver and configure the services.
✅ Provide secure logins, support, and system reliability.
✅ Improve services using aggregated or anonymised data (not personal).
✅ Meet legal, regulatory, or safeguarding duties.
❌ We never use your data for marketing or profiling.

Our Safeguards

We commit to:

  • Keeping data secure with encryption, access controls, and monitoring.

  • Ensuring staff and subcontractors are bound by confidentiality.

  • Using approved safeguards if data ever leaves the UK/EEA.

  • Assisting you with data subject rights requests (access, deletion, correction, etc.).

Sub-Processors

  • We may use trusted providers (hosting, infrastructure, analytics, etc.).

  • They are bound by strict contracts with the same obligations.

  • We’ll notify you of new Sub-Processors, and you can raise objections.

  • We remain fully responsible for their actions.

Data Breaches

  • If a breach happens, we’ll notify you promptly (within 72 hours where required).

  • We’ll explain what happened, what data was affected, and how we’re fixing it.

  • We’ll fully cooperate with your own regulatory duties (e.g. ICO notifications).

Special Provisions for Schools & Education

  • Staff handling child/learner data receive safeguarding training.

  • Learner data is normally deleted or anonymised within 7 years, unless law or policy requires longer.

  • Our platforms include tools for flagging and reviewing safeguarding concerns.

  • AI outputs are support only – not a substitute for professional judgment.

Ending the Agreement

When services end:

  • We securely delete or return your data (your choice), unless law requires us to keep it.

  • If deletion isn’t possible, we protect it from further use.

Governing Law

This agreement is governed by the laws of England and Wales, with disputes handled by the courts here.

bottom of page