Skilly Contract Pack · 28 April 2026

Hit Print and choose “Save as PDF” for an offline copy.

Skilly Contract Pack

For school principals, Boards of Management, Data Protection Officers, and procurement leads.

This pack contains everything a school needs to evaluate Skilly from a legal, data-protection, and contractual standpoint. It is a single consolidated document so you do not need to chase down separate files.

What's in the pack

Section	What it is	Time to read
1 · Privacy Policy	What personal data we hold, why, and what your rights are	~10 min
2 · Terms of Service	The contract under which schools subscribe	~8 min
3 · Cookie Policy	How we use cookies (short answer: minimally, no tracking)	~3 min
4 · Sub-processors	The third parties we engage to deliver the platform	~2 min
5 · Data Processing Agreement (specimen)	The Article 28 GDPR contract each school signs with us	~10 min
6 · DPIA reference	Pointer to our internal vendor Data Protection Impact Assessment	< 1 min

Total reading time: ~35 minutes. All sections are written in plain English; legal points are still legal points but they are signposted clearly so you can dip in.

How to use this pack

If you are a principal or BOM chair: read sections 1 and 2 to understand what the platform does and what you are agreeing to. Sections 3–6 are reference material your DPO will care about.
If you are a Data Protection Officer: read all six sections. Sections 4, 5 and 6 are the ones you will mark up before signing.
If you are in procurement: section 2 (Terms) and the pricing in your Order Form are what you need.

What you will sign

To go live with Skilly, two documents are countersigned:

An Order Form — pupil count, pricing, start date, named admin contact. Not in this pack; we send a tailored version.
A Data Processing Agreement (DPA) — section 5 below, with [CUSTOMER LEGAL NAME] and [CUSTOMER REGISTERED ADDRESS] filled in for your school.

The Privacy Policy, Terms of Service, Cookie Policy and Sub-processors page are published on app.skilly.ie/privacy, /terms, /cookies and /sub-processors respectively. Their authoritative form is the live web version; this consolidated pack is a snapshot for offline review.

Who we are, in one paragraph

Skilly is the trading name of Skillscan Limited, an Irish company (CRO 565995, VAT IE3375591CH) registered at 5 Kinross, Fey Yerra Lane, Leopardstown Road, Foxrock, Dublin 18. We build and run the Skilly platform: a classroom tool that helps secondary schools run reflective SPHE lessons, support pupil wellbeing, and surface safeguarding concerns for the school's coordinator. Our primary supervisory authority is the Data Protection Commission of Ireland; we comply with EU GDPR, UK GDPR, the Irish Data Protection Act 2018, and Children First 2015.

For any question about this pack, please email legal@skillysolutions.com or call +353 87 418 8829.

Section 1

Privacy Policy

What personal data Skilly holds, why, and your rights. The published live version is at app.skilly.ie/privacy.

Privacy Policy

Effective: 22 April 2026 · Version 2.1.0 Supersedes: Privacy Policy dated 1 October 2019

1. Who we are

Skilly is the trading name of Skillscan Limited, an Irish company. We build and run the Skilly platform — a classroom tool that helps secondary schools run reflective SPHE (or equivalent pastoral) lessons, support pupil wellbeing, and surface safeguarding concerns for the school's coordinator to review.

Field
Legal entity	Skillscan Limited
Trading name	Skilly
Company registration (CRO)	565995
VAT registration	IE3375591CH
Registered office	5 Kinross, Fey Yerra Lane, Leopardstown Road, Foxrock, Dublin 18, Ireland
General email	hello@skilly.ie
Data Protection email	legal@skillysolutions.com
Data Protection phone	+353 87 418 8829

This policy covers both our website (skilly.ie) and our platform (the application your school accesses after signing up). It applies in Ireland, across the European Union, and in the United Kingdom. Where EU GDPR and UK GDPR differ on any substantive point, we apply the stricter rule.

2. Summary in one paragraph

We hold two groups of personal data: (1) data about pupils and staff using the Skilly platform on behalf of their school, and (2) data about visitors to skilly.ie, people who contact us, and people signing up to hear from us. We don't sell data to anyone, we don't use pupil or staff data for marketing, we don't use anyone's data to train AI models, and we keep the minimum amount for the minimum time. If anything is unclear, email legal@skillysolutions.com.

3. Who decides what happens to your data

Under the GDPR one or more organisations is legally "in charge" of any given piece of personal data — the "data controller" — and may use a service provider to handle it on their behalf — a "data processor". For Skilly the split is:

When you use the Skilly platform (pupils, teachers, coordinators, admins signed into the app): your school is the data controller and Skillscan Limited is the data processor. We handle your data under the school's written instructions, captured in a Data Processing Agreement between us.
When you use skilly.ie, contact us, or subscribe to product updates: Skillscan Limited is the data controller. We decide directly what happens to your data.

This distinction matters mainly for who you contact when you want to exercise a right (see §14). In plain English: platform questions → your school first; website and sales-lead questions → us directly.

4. What data we collect on the Skilly platform

When a school enrols pupils and staff on the platform we hold the following categories. The school (not us) decides which pupils are enrolled, which classes they're in, and what activities they complete.

4.1 Identity and account data

Full name (first and last)
Email address
Role (student, teacher, coordinator, admin)
Class group (e.g. "2A") and year group (e.g. "2nd Year")
Teacher–class assignments
Bcrypt-hashed password (never stored in plain text)
Account creation date and last-login timestamp
The IP address and user agent string of each login (security and audit only — 90-day retention)

4.2 Pupil SPHE activity

Reflective writing submitted by the pupil in response to a curriculum prompt
Mood indicator chosen by the pupil on a 5-point scale
Self-ratings given at the start of a strand ("pre-assessment")
Daily mood check-ins ("pulse") with an optional short sentence
Weekly wellbeing survey responses (six indicator scores plus an optional short note)
Any media attachment a pupil adds to a reflection (image, voice note, short video)
Assessment submissions — Junior Cycle Classroom-Based Assessment files and Senior Cycle Key Assignment artefacts

4.3 Teacher-generated data about pupils

Teacher override of the AI score (1–5)
Teacher note attached to a reflection (visible to the pupil)
Teacher written feedback (visible to the pupil)
Pastoral notes — private staff-only notes about a pupil, not visible to the pupil
Learning profile — differentiated-learning flags set by a teacher (autism, dyslexia, ADHD, custom needs) plus relevant UI preferences

4.4 Safeguarding flags — special category data

The platform automatically surfaces safeguarding flags when the AI detects wording in a pupil's reflection that appears to indicate a welfare concern. Each flag contains:

A verbatim quote from the pupil's reflection (capped at 30 words)
An AI-generated safeguarding observation
A category — for example "Anxiety", "Self-harm", "Abuse", "Bullying", "Low mood", "Peer pressure", "Wellbeing concern"
A severity (high / medium / low)
Severity votes from the AI, the class teacher, and the coordinator — the highest severity wins
Status (open or closed), who acted on it, when, and what action was taken
The escalation level reached (if an unacknowledged high-severity flag automatically chased the principal)

Safeguarding data is special category personal data under Article 9 GDPR because it can reveal information about a pupil's mental or physical health — and where a disclosure is made, may relate to Article 10 matters (criminal offences). We handle this category with stricter access controls, stricter retention, and full audit logging (see §7 for AI, §10 for retention, §11 for security).

4.5 Operational data

Audit log of every significant action (who read or changed what, when)
Email log of every transactional email we sent on the school's behalf (recipient, subject line, delivery status — never the body)
Short-lived technical logs (IP, user agent, timestamps) retained for 90 days for security and debugging only

4.6 What we do NOT hold

For clarity:

Date of birth — never collected; age is inferred from year group only
Home address, phone number, geolocation — not collected
Payment card data — handled entirely by our payment sub-processor; card details never reach our servers
Biometric or genetic data — never collected
Religious, political, or trade-union affiliation — never collected; if a pupil voluntarily mentions any of these in reflection text it is handled under the same safeguards as other reflection content
Data about non-enrolled third parties — if a pupil mentions another person by name in a reflection, we apply PII redaction before any AI processing (see §7)

5. What data we collect on the skilly.ie website

When you visit the website, contact us, or sign up for product updates, we hold:

Essential technical data — your IP address, browser type, pages visited, referrer. Used in aggregate for site improvement only.
Contact-form submissions — name, email, the school or organisation you mentioned, your role, and the message you sent us.
Newsletter subscribers — email address, optionally your name and school.
Recruitment applications — your CV, cover letter, and contact details.

We do not run third-party analytics, advertising, or tracking pixels on skilly.ie. See §13 for the complete list of cookies we set.

6. Why we process each category (lawful bases)

Data	Controller	Lawful basis
Pupil platform data — identity, reflections, moods, assessments	The school	Art. 6(1)(e) public task (Education Act 1998 in Ireland; equivalent statutory schooling functions in other jurisdictions)
Pupil safeguarding and wellbeing data (special category)	The school	Art. 9(2)(g) substantial public interest — pursuant to Children First 2015 (Ireland), Keeping Children Safe in Education (UK), or national equivalent — plus Art. 9(2)(i) preventive and social protection where relevant
Staff platform data	The school	Art. 6(1)(b) contract + Art. 6(1)(f) legitimate interest (security, audit)
Website technical logs	Skillscan	Art. 6(1)(f) legitimate interest — operating a functional website
Essential cookies (see §13)	Skillscan	ePrivacy — strictly necessary, no consent required
Contact-form enquiries	Skillscan	Art. 6(1)(f) legitimate interest — replying to your enquiry
Newsletter subscription	Skillscan	Art. 6(1)(a) consent — you opted in
Recruitment applications	Skillscan	Art. 6(1)(b) pre-contract steps + Art. 6(1)(f) legitimate interest

The school (not Skillscan) should document its lawful basis for the platform processing in its own Data Protection Policy, Acceptable Use Policy, or Enrolment Policy. The school is also responsible for obtaining parental consent at enrolment for pupils below the applicable Digital Age of Consent:

Ireland: 16 (Data Protection Act 2018, s.31)
United Kingdom: 13 (UK Data Protection Act 2018, s.9)
Other EU Member States: between 13 and 16, depending on national law

7. How our AI works — and what it sees

Skilly uses AI to perform two distinct jobs on pupil reflection text. Both are disclosed here transparently under Articles 13, 14 and 22 GDPR.

7.1 Reflection scoring

When a pupil submits a reflection, the platform sends it to an AI service (Anthropic's Claude model, operated by Anthropic PBC in the United States) and receives back:

A score from 1 to 5 against a published SPHE rubric
Formative written feedback (typically 75–150 words)

The score is advisory. The class teacher can override it, and the effective score stored against any reflection is always the teacher's override where one is given — never the AI's. No score is "solely automated": there is always a human review step.

7.2 Safeguarding flag detection

A second, separate AI call scans the same reflection for safeguarding concerns (see §4.4). The AI creates the flag record automatically, but the response to a flag is entirely human-driven: a named coordinator reviews it, votes on severity, records action taken, and closes it. Unresolved high-severity flags chase the principal automatically until a human acknowledges.

7.3 What the AI sees (and does not see)

Before any reflection text leaves our servers we apply PII redaction:

The pupil's own name → [STUDENT]
Any other person-name in the text → [PERSON_1], [PERSON_2], …
Email addresses, phone numbers, postal addresses, Eircodes, PPSN, IBAN numbers, credit card numbers and URLs are stripped

The AI receives only the strand/topic, the activity prompt, the pupil's mood label (e.g. "Good"), and the redacted reflection text. It does not receive the pupil's name, email, class, year group, teacher, school name, or any prior scores.

7.4 Our contract with the AI provider

We use Anthropic PBC (United States) for AI inference. We have in place:

A signed Data Processing Agreement
The zero-retention contractual rider: Anthropic does not retain reflection text or AI outputs beyond the 30-day minimum required for operational abuse-monitoring, after which it is deleted from their systems
Written confirmation that reflection text is not used to train any Anthropic foundation model
EU-U.S. Data Privacy Framework certification plus Standard Contractual Clauses 2021 as a second safeguard

7.5 Your right to human review (Article 22)

Because a teacher override is always available and every flag is reviewed by a named human coordinator before any action is taken, your Article 22 right to human review is built into the product. If you nonetheless wish to make a formal Article 22 request in writing, contact the school first (they are the controller for platform data).

8. Safeguarding — when information is shared with statutory bodies

If a safeguarding flag surfaces a concern that the school escalates under Children First (Ireland), Keeping Children Safe in Education (UK), or equivalent, the school is the party that makes any statutory report to Tusla, the relevant UK authority, or An Garda Síochána. Skillscan's role is to surface the concern to the school's coordinator — who is the Designated Liaison Person (DLP) for their school. The school makes the statutory report.

Where a court, the Data Protection Commission, the ICO, or any other authority with legal power compels Skillscan directly to produce platform data, we will:

Notify the affected school without delay, unless a court order prohibits such notification
Produce only the specific data legally required
Log the event in the audit trail

9. Children's data — our commitments

The platform is used by pupils aged 12 to 18. Many are below the Digital Age of Consent applicable to them. Our commitments specifically in relation to pupils:

We rely on the school, as the data controller, to have obtained consent from each pupil's parent or guardian as part of the school's enrolment process, and to operate under the school's published Acceptable Use Policy and Child Safeguarding Statement.
We do not market to pupils at any age — pupils receive only transactional platform emails (password resets, new assignment notifications, and the like).
We build the product with pupil safety as a design constraint: PII redaction before AI processing, strict tenant isolation, audit logging of every staff-side access to pupil data, and an age-protective rubric that adapts to the pupil's year group and any documented learning profile.

If you are a parent or guardian with a question about your child's data on Skilly, please contact the school first — the school is the controller. If the school cannot answer, we will assist them on request.

10. Sub-processors

We use the following sub-processors to deliver the platform. Every sub-processor is contractually bound to equivalent data-protection obligations. A current, versioned list is published at skilly.ie/sub-processors.

Sub-processor	Purpose	Location	Transfer safeguard
Supabase Inc.	Primary database + file storage	EU (Frankfurt)	Data remains within EEA
Vercel Inc.	Application hosting + edge delivery	Primarily EU region; US fallback for edge caching	EU-U.S. Data Privacy Framework + SCCs 2021
Anthropic PBC	AI inference — reflection scoring + safeguarding detection	United States	EU-U.S. DPF + SCCs 2021 + Zero-Retention Rider
Resend Inc.	Transactional email delivery	Primarily EU; US API endpoint	EU-U.S. DPF + SCCs 2021

Before we add or replace a sub-processor we notify each subscribing school at least 30 days in advance and give them an opportunity to object. If a school reasonably objects on data-protection grounds we will either address the objection or allow the school to terminate the subscription with a pro-rata refund.

11. International transfers

Where pupil, staff, or marketing data is transferred outside the European Economic Area or the United Kingdom, we rely on one or more of:

Adequacy decision — the European Commission has determined the destination country provides adequate protection (not currently relied upon as sole basis for any of our sub-processors)
EU-U.S. Data Privacy Framework — for transfers to our US sub-processors (Anthropic, Resend, Vercel US edge), both of whom are DPF-certified
Standard Contractual Clauses 2021 — as a second-layer safeguard alongside the DPF
Zero-retention contractual rider — specifically for the AI path with Anthropic
Supplementary technical measures — PII redaction before transmission (see §7.3) so what leaves the EEA is minimised

You can request copies of the SCCs with any sub-processor by emailing legal@skillysolutions.com.

12. How long we keep data

We retain data in line with the school's documented retention policy (for platform data) or the below defaults (for website and marketing data) — whichever is applicable.

Category	Retention
Pupil reflection text	While the pupil is enrolled + until the end of the academic year in which they leave the school, after which the text is nulled. A structural row (date, strand, score — no content) is retained so the school can continue anonymised statistics in its Self-Evaluation cycle.
Pupil mood / pulse / wellbeing survey data	While enrolled + 12 months after leaving, then deleted
Pupil assessment submissions (CBA / Key Assignment files)	7 years after the certifying examination, in line with State Examinations Commission records retention
Safeguarding flag records	Until the subject reaches age 25, in line with Tusla Children First retention guidance. Longer than other pupil data so late disclosures can be contextualised.
Staff data	While employed and active on the platform + 2 years after departure
Login IP / user agent technical logs	90 days from the login event
Email delivery log (recipients, subject, status — never body)	2 years
Audit log entries	7 years, for GDPR accountability + DPC / ICO inspection readiness
All school data on subscription end	30-day export grace window → purged within 90 days
Website technical logs	90 days
Contact-form submissions	2 years from last correspondence
Newsletter subscribers	Until you unsubscribe + 30 days
Recruitment applications	12 months from application, unless you consent to longer

A school can instruct us in writing to delete a specific platform category earlier; we will comply unless there is a legal obligation preventing us.

13. Cookies

We set only the cookies strictly necessary to run the site and the platform:

skilly-session — authenticated session cookie, only set after you log in. HttpOnly, Secure, SameSite=Strict.
skilly-consent — remembers your response to the cookie banner.
skilly-csrf — cross-site request forgery token used on form submissions.

Under the ePrivacy Regulations 2011 none of these require consent because they are strictly necessary to deliver the service you requested. We currently run no analytics, advertising, or behavioural-tracking cookies on skilly.ie. If we introduce any in future we will display a consent banner and update this policy.

14. How we keep your data safe

We apply appropriate technical and organisational measures, including:

HTTPS-only transport with HSTS preload
Bcrypt password hashing (cost factor 12)
HMAC-SHA256 signed session cookies with role-aware expiry (admin 8 hours; coordinator 24 hours; staff and pupils 3 days)
Multi-layer PII redaction before any AI call
Zero-retention contractual rider with the AI provider
Row-level tenant isolation at the database, API and application layers
Brute-force login protection with account lockout
Rate limiting on AI and authentication endpoints
Full audit logging of significant actions
Content Security Policy, HSTS, and related security headers
SameSite=Strict session cookies as CSRF defence
Dependency vulnerability scanning on every release
Annual external penetration testing
A documented incident-response plan including 72-hour DPC / ICO breach notification

A full description of our technical and organisational measures is provided in Annex 2 of the Data Processing Agreement we sign with each school. We also maintain a Data Protection Impact Assessment (DPIA) covering the platform's processing as a whole — schools' DPOs can request a copy by emailing legal@skillysolutions.com.

14.1 If a breach happens

If a personal data breach affecting platform data occurs we will:

Notify the affected school within 24 hours of becoming aware
Provide the school with the information it needs to meet its own 72-hour duty under Article 33 GDPR / UK GDPR to the Data Protection Commission or the Information Commissioner's Office
Support the school with any Article 34 communication to affected data subjects
Log the event in our internal breach register and external audit trail

15. Your data protection rights

Under the GDPR you have the following rights, exercisable at any time without charge:

Right	What it means
Access (Art. 15)	Get a copy of the personal data we hold about you
Rectification (Art. 16)	Correct inaccurate data
Erasure (Art. 17)	Have your data deleted ("right to be forgotten") — subject to legal retention obligations
Restriction (Art. 18)	Pause our processing while a dispute is resolved
Portability (Art. 20)	Receive your data in a machine-readable format
Objection (Art. 21)	Object to processing based on legitimate interest, including marketing
Not to be subject to solely-automated decisions (Art. 22)	Request human review of any automated decision affecting you
Withdraw consent	Where processing is based on consent, you can withdraw it at any time

15.1 How to exercise your rights

Platform data (pupils, parents, staff of a subscribing school) — please contact your school first. They are the controller. The platform has built-in tools to support them:

You can download a copy of your own data at any time from the Account page of the platform (built-in SAR export, Article 15).
You can request erasure through the same page.
Your school's admin can trigger a full export or erasure on your behalf.

Website, marketing, and sales-lead data — email us at legal@skillysolutions.com. We will:

Acknowledge within 5 working days
Respond in substance within the statutory 30 calendar days; if the request is complex we may extend by up to 60 further days and will tell you so
Not charge a fee unless the request is manifestly unfounded or excessive

16. How to complain

We would rather hear from you first, but you always retain the right to complain to a supervisory authority.

Ireland / EU — the Data Protection Commission: www.dataprotection.ie · +353 (0)761 104 800 · info@dataprotection.ie · 6 Pembroke Row, Dublin 2, D02 X963, Ireland
United Kingdom — the Information Commissioner's Office: ico.org.uk · +44 303 123 1113

The DPC is our lead supervisory authority under the GDPR one-stop-shop mechanism for EU-wide processing.

17. Representatives

European Union — because Skillscan Limited is established in Ireland (an EU Member State) we are not required to appoint a separate Article 27 representative for EU data subjects. Our Irish registered office serves that function.
United Kingdom — for Article 27 UK GDPR purposes, our UK Data Representative is:

Imagine Education Ltd Crossmead, Denver Road, Exeter, Devon, EX3 0BS, United Kingdom

UK residents can contact the UK representative or Skillscan directly — both routes reach the same data-protection function.

18. Changes to this policy

When we make a material change (adding a sub-processor, changing retention, adding a product feature with privacy implications) we will:

Publish the updated policy at skilly.ie/privacy
Post a dated changelog at the bottom
For platform users: notify the school's admin by email
For marketing contacts: notify you by email only if the change is material to you

Non-material changes (typographical fixes, re-ordering sections) are published with a bumped version number but without notification.

19. Contact

Data protection questions, or to exercise your rights:

📧 legal@skillysolutions.com 📞 +353 87 418 8829 📮 Data Protection · Skillscan Limited · 5 Kinross, Fey Yerra Lane, Leopardstown Road, Foxrock, Dublin 18, Ireland

Platform support:

📧 skillycare@skillysolutions.com

Version history

Version	Date	Summary
2.1.0	22 April 2026	Full rewrite of the 1 October 2019 policy. Single-flow structure. Adds AI processing declaration, named sub-processors (Supabase, Vercel, Anthropic, Resend), Children First framing, Tusla-aligned safeguarding retention (to age 25), and EU + UK GDPR coverage.
1.0.0	1 October 2019	Original policy — superseded.

Section 2

Terms of Service

The contract under which schools subscribe to the Skilly platform. The published live version is at app.skilly.ie/terms.

Terms of Service

Effective: 22 April 2026 · Version 2.0.0 Supersedes: Skilly Standard Terms of Service dated 1 October 2019

These Terms govern your use of the Skilly platform. They are the contract between Skillscan Limited, an Irish company trading as Skilly ("Skilly", "we", "us"), and the school, education centre, or other organisation subscribing to the platform ("Customer", "you").

By signing an Order Form, ticking an acceptance box on sign-up, or otherwise accessing the platform, you agree to these Terms. If you are accepting on behalf of an organisation, you confirm you have authority to bind it.

These Terms are written in plain English. The legal points are still legal points — but we have aimed to keep them readable so a school principal, a Board of Management, or a coordinator can sit down with this document and understand what they are agreeing to.

1. Who we are

Field
Legal entity	Skillscan Limited
Trading name	Skilly
Company registration (CRO)	565995
VAT registration	IE3375591CH
Registered office	5 Kinross, Fey Yerra Lane, Leopardstown Road, Foxrock, Dublin 18, Ireland
General contact	hello@skilly.ie
Legal / data protection	legal@skillysolutions.com
Customer support	skillycare@skillysolutions.com

2. What we provide

The "Platform" is the Skilly software-as-a-service application, accessed at app.skilly.ie or any successor address we notify you of, together with any related services described in your Order Form. Today the Platform includes:

Pupil reflection journalling against the SPHE / equivalent curriculum
AI-assisted reflection scoring and formative feedback
AI-assisted safeguarding flag detection routed to the school's coordinator
Pupil mood and wellbeing check-ins
Teacher review, override and pastoral notes
Coordinator dashboards, escalation ladder, and Wellbeing Framework / SSE evidence reports
Junior Cycle Classroom-Based Assessment and Senior Cycle Key Assignment workflows
Admin tools: user management, year-plan publishing, audit logs

We may add, remove, or modify features over time (see §15). Your Order Form sets out exactly what your subscription covers.

3. Your account and users

When you subscribe we create a tenant for your organisation. You decide who has access. Each individual user logs in with their own credentials.

You are responsible for:

Identifying who is enrolled (pupils and staff) and ensuring they are entitled to use the Platform.
Keeping account credentials secure and immediately telling us at skillycare@skillysolutions.com if you believe an account has been compromised.
Making sure no single account is shared by more than one person, except where the Platform expressly supports a shared role (for example, a class-roster login generated by a teacher).
Removing users who leave the school promptly via the admin tools.

4. Pricing and payment

4.1 Pricing model

Skilly is sold on an annual per-pupil licence. Specific tier rates, the Order Form scope, and any additional services (for example, "Skilly Launch" onboarding) are recorded in the Order Form you sign. Hosting is included in the licence.

4.2 Invoicing and payment

Unless otherwise agreed in your Order Form:

Invoices are issued annually in advance on the subscription start date and on each renewal anniversary
Payment terms are 30 days from the invoice date
All amounts are in euro (€) and are exclusive of VAT, which we add at the rate prevailing at the time of supply
Schools can pay by SEPA bank transfer or by credit card via our payment processor

4.3 Late payment

If an invoice is more than 30 days overdue we will email a reminder. If an invoice remains unpaid 60 days after the due date we may, on reasonable notice, suspend non-essential platform features (we will not suspend safeguarding alerts or audit-log access during a payment dispute that you are reasonably and actively trying to resolve).

4.4 Price changes

We may revise our published licence rates from time to time. New rates apply only to renewal periods commencing after the change, never mid-term, and we will give you at least 60 days' notice before any price change takes effect. If you do not wish to renew at the new rate you may decline renewal under §6.

5. Trial period

If your Order Form provides for a trial, the trial runs for 30 days from the start date unless we agree a longer period in writing (longer is sometimes appropriate for a school that wants to align a trial with an academic term). During the trial:

The Platform is provided free of charge
All features described in the Order Form are available
These Terms apply in full
Either party may end the trial at any time on email notice

If you choose to continue at the end of the trial, the paid subscription begins automatically on the day after the trial ends, on the terms set out in your Order Form. If you do not choose to continue, your tenant data is exported and purged in line with §11 below.

6. Term, renewal, and cancellation

6.1 Term and renewal

The initial subscription period is 12 months from the start date in your Order Form, unless your Order Form says otherwise. We renew automatically for further 12-month periods aligned to the same date.

6.2 Notice of non-renewal

Either party may decline renewal by giving written notice at least 60 days before the renewal date. Schools plan budgets a term in advance, so we deliberately use 60 days rather than the more usual 30. Schools may also be aligned to a Sept–Aug academic year — if the Order Form specifies an academic-year cycle, the same 60-day notice applies but counted from 31 July.

6.3 Cancellation by you

You may cancel mid-term for material breach by us that is not cured within 30 days of written notice (see §13). Outside that, the current subscription period is non-refundable, but you remain entitled to use the Platform until the end of the period you have paid for.

6.4 Cancellation by us

We may suspend or terminate your access:

For non-payment, after 60 days overdue and 14 days written notice
For material breach not cured within 30 days of written notice (e.g. a serious breach of §7 below)
Immediately and without notice if there is reasonable evidence the Platform is being used for illegal purposes or in a way that creates an imminent risk to other users

If we cancel for our own commercial reasons (rare — we'll let you finish the year) we will refund any pre-paid fees for the unexpired portion of the term.

6.5 What happens on cancellation

Within 30 days of the subscription ending you may export all your data via the admin tools (or by request to support, if the platform self-service is for any reason unavailable). After that 30-day grace window, we purge all tenant data within a further 60 days, except for legally required retention as set out in our Privacy Policy and DPA.

7. Acceptable use

You and your users may use the Platform for the lawful purpose of supporting pupils' SPHE, wellbeing, and pastoral education within your school. You may not, and may not allow others to:

Use the Platform in breach of any law applicable to you
Reverse-engineer, copy, or build a competing product from the Platform
Use the Platform to assess or rank pupils for selection, scholarship, or admission decisions outside the school's normal pastoral practice
Bypass or attempt to bypass any access control, rate limit, or audit log
Upload material that is unlawful, abusive, defamatory, harmful, or that infringes a third party's rights
Introduce malware, attempt unauthorised access, or interfere with the integrity of the Platform
Use the Platform to send unsolicited marketing communications
Resell or sublicense access to anyone outside your enrolled users

If you become aware of any breach of this section by anyone using your tenant, please notify us at skillycare@skillysolutions.com so we can help you respond.

8. Customer data, safeguarding, and AI

8.1 Roles under data protection law

The school is the data controller for personal data processed on the Platform. Skillscan Limited is the processor. Our processing obligations are set out in the Data Processing Agreement (DPA) which forms part of these Terms by reference. The DPA template is available on request from legal@skillysolutions.com.

The Platform is designed to process information that includes special category personal data (pupil wellbeing, safeguarding signals). The Customer confirms that:

It has a lawful basis under Article 6 and (where relevant) Article 9 GDPR for that processing
It has conducted, or will conduct, a Data Protection Impact Assessment proportionate to the scale of its deployment
It has obtained any parental consent required for pupils below the applicable Digital Age of Consent (16 in Ireland; 13 in the UK; varies elsewhere in the EU)
It will not use the Platform to store payment card data, US-HIPAA-protected health data, or material subject to export control

Our Privacy Policy (skilly.ie/privacy) describes in detail what data we hold, why, and for how long. The DPA controls the contractual specifics.

8.2 Safeguarding

The Platform is an aid to your school's safeguarding function. It is not a replacement for your school's Designated Liaison Person (DLP) or for your statutory duties under Children First 2015 (Ireland), Keeping Children Safe in Education (UK), or the equivalent in your jurisdiction. AI-generated flags surface concerns to your coordinator; the response — including any report to Tusla, the Garda Síochána, or another statutory body — is the school's responsibility, executed by named human staff.

Email alerts from the Platform are best-effort delivery. They are not a guaranteed notification channel. Critical safeguarding decisions should never depend solely on whether an email arrived.

8.3 AI processing

Reflection text submitted by pupils is processed by an AI service (Anthropic's Claude model) to produce a rubric score and formative feedback, and separately to detect safeguarding concerns. Before transmission, identifying information is redacted (pupil name, other person names, addresses, contact details). The teacher's override is the final score on every reflection; every safeguarding flag is reviewed by a named human coordinator before any action is taken. AI-only decisions are not made about any pupil.

We do not use Customer data to train AI models — our own or any third party's. This is contractually binding with our AI sub-processor.

8.4 Customer content ownership

You retain all rights in the data your users contribute to the Platform. You grant us a limited licence to host, store, and process that data solely to the extent necessary to provide the Platform under these Terms and the DPA. We acquire no ownership in your content.

9. Service availability

We aim to keep the Platform available at least 99.5% of the time measured monthly, excluding scheduled maintenance windows announced at least 48 hours in advance, and excluding force-majeure events (§16). The service is monitored continuously; any incident is logged and a status page is maintained.

We do not currently offer service credits for falling short of this target. We will, however, communicate honestly and quickly about any incident, publish a post-incident summary for any outage longer than 30 minutes, and put corrective actions in place. Schools that need a higher availability commitment with credits should contact us — this is available on a paid uplift but is not part of the standard subscription.

10. Support

Standard support is included with every subscription:

Email support at skillycare@skillysolutions.com, staffed during normal Irish working hours (Mon–Fri, 09:00–17:30)
A Help section inside the platform with role-specific walkthroughs and an "Ask Skilly" assistant
A Privacy / DPA / sub-processor reference set at skilly.ie/privacy and skilly.ie/sub-processors
Notification of new features and material changes via the admin's email and an in-platform changelog

Higher-touch support (named contact, faster response targets, training visits) is available on a paid uplift described in your Order Form.

11. Confidentiality

Each party will treat as confidential any non-public information obtained from the other under these Terms, will use it only for the purposes of the Terms, and will protect it with at least the same care as it uses for its own confidential information of similar sensitivity. This obligation does not apply to information that is public knowledge through no fault of the receiving party, lawfully held by the receiving party before disclosure, or independently developed without reference to the disclosing party's information.

Either party may disclose confidential information to the extent required by law or by a competent regulator. Where legally possible, the disclosing party will give the other party prompt prior notice so that an objection can be made.

12. Intellectual property

We retain all intellectual property rights in the Platform, including its software, content, design, and brand. Subject to your compliance with these Terms, we grant you a limited, non-exclusive, non-transferable right to access and use the Platform during your subscription.

You retain all intellectual property rights in your Customer data and content uploaded to the Platform.

If you suggest improvements or feature ideas, we may use them without obligation to you. We will not, however, identify you as the source of any suggestion in our marketing without your written consent (subject to §17).

13. Warranties

We warrant that we will provide the Platform with reasonable skill and care and in accordance with these Terms.

To the maximum extent permitted by law, all other warranties — including any implied warranty of fitness for a particular purpose or merchantability — are excluded. The Platform is provided "as is". We do not warrant that the Platform will be uninterrupted or error-free, nor that AI-generated content (rubric scores, formative feedback, safeguarding observations) will be free of error. Teachers' professional judgement and human review remain the final arbiters of every score and every safeguarding response.

14. Liability

Neither party excludes or limits its liability for: death or personal injury caused by negligence; fraud or fraudulent misrepresentation; or any liability that cannot lawfully be excluded.

Subject to the above:

Neither party is liable for indirect, special, incidental, or consequential loss, including loss of profits, revenue, anticipated savings, or business opportunity, even if advised of the possibility.
Skillscan's aggregate liability under these Terms in any 12-month period is limited to the fees you paid us in the 12 months before the event giving rise to the claim, except that for liability arising directly from a breach by Skillscan of its data-protection obligations under the DPA, the limit is the greater of (a) 200% of those 12 months of fees, or (b) €100,000.

The carve-out for data protection reflects the sensitivity of the data the Platform processes. It is a contract limit — your statutory rights as a data subject are unaffected.

15. Changes to the Platform

We may make changes to the Platform from time to time — adding features, refining design, or improving safeguards. We will not materially reduce the functionality of any feature you contracted for without giving you at least 30 days' written notice. If a material reduction is unacceptable to you, you may terminate that part of your subscription on a pro-rata refund basis.

For minor enhancements, security patches, or visual changes, we may roll them out without notice. The Privacy Policy and DPA continue to apply to any changes.

16. Force majeure

Neither party is liable for delay or failure to perform caused by an event beyond its reasonable control — including failure of public utilities or telecommunications networks, civil unrest, fire, flood, government action, or pandemic. The party affected will use reasonable efforts to resume performance and will keep the other informed.

17. Publicity

We may, with your prior written consent (which you may give in your Order Form), refer to you as a customer on our website and in marketing materials, and use your school crest in a tasteful way consistent with any usage guidelines you provide. You may withdraw consent at any time on written notice.

18. Notices

Notices under these Terms must be in writing and sent:

To Skillscan: legal@skillysolutions.com — with a hard copy to Skillscan Limited, 5 Kinross, Fey Yerra Lane, Leopardstown Road, Foxrock, Dublin 18, Ireland, marked for the attention of the General Counsel
To you: at the email address of the school admin recorded in your Order Form

A notice is treated as given on the next working day after sending.

19. General

19.1 Assignment

Neither party may assign these Terms without the other's consent (not unreasonably withheld), except that Skillscan may assign in connection with a merger, acquisition, or sale of substantially all of its assets, provided the assignee assumes the obligations under these Terms and the DPA.

19.2 No third-party rights

These Terms create rights and obligations only between Skillscan and the Customer. No other person may enforce them.

19.3 Entire agreement

These Terms (together with your Order Form, the Privacy Policy at skilly.ie/privacy, and the DPA) are the entire agreement between us on their subject matter and supersede all prior agreements, proposals, or representations. Where a term in your Order Form expressly references and overrides a clause in these Terms, the Order Form prevails for that point.

19.4 Severability

If any provision of these Terms is held unenforceable, the rest remain in full force, and the parties will negotiate in good faith a replacement that achieves the same intent.

19.5 No waiver

No delay or failure to enforce any right under these Terms is a waiver of that right.

19.6 Survival

Sections that by their nature are intended to survive termination — including §7 (acceptable use, where it relates to data already on the Platform), §8 (data protection), §11 (confidentiality), §12 (IP), §13 (warranties), §14 (liability), and §18 (notices) — survive termination of the subscription.

19.7 Governing law and jurisdiction

These Terms are governed by the laws of Ireland. The parties submit to the exclusive jurisdiction of the Irish courts, with the Commercial Court of the High Court of Ireland (Dublin) as the venue for any material dispute.

The United Nations Convention on Contracts for the International Sale of Goods does not apply.

20. Contact

For commercial questions and to negotiate or sign an Order Form:

📧 hello@skilly.ie

For legal and data-protection matters:

📧 legal@skillysolutions.com 📞 +353 87 418 8829 📮 Skillscan Limited · 5 Kinross, Fey Yerra Lane, Leopardstown Road, Foxrock, Dublin 18, Ireland

For day-to-day support if you are already a customer:

📧 skillycare@skillysolutions.com

Version history

Version	Date	Summary
2.0.0	22 April 2026	Full rewrite of the 1 October 2019 Terms. Plain-English single-flow structure. Governing law restored to Ireland (was New York). Removes the prohibition on processing sensitive personal data (the Platform's core function). Adds AI-processing terms, safeguarding allocation of responsibility, academic-year aligned non-renewal notice, and a data-protection-specific liability carve-out.
1.0.0	1 October 2019	Original Terms — superseded.

Section 3

Cookie Policy

How we use cookies. We set only the three strictly-necessary cookies needed to run the site and the platform — no analytics, no advertising, no tracking. Live at app.skilly.ie/cookies.

Cookie Policy

Effective: 22 April 2026 · Version 2.0.0 Supersedes: Cookie language in the Privacy Policy dated 1 October 2019

This Cookie Policy explains what cookies are, which cookies the Skilly platform sets, and what choices you have. It is published by Skillscan Limited (trading as Skilly) and forms part of our Privacy Policy.

In one sentence: we set only the cookies that are strictly necessary to run the site and the platform. We do not run analytics, advertising, or behavioural-tracking cookies. There is currently no consent banner because nothing we set requires your consent under the ePrivacy Regulations.

1. Who we are

Field
Legal entity	Skillscan Limited
Trading name	Skilly
Company registration (CRO)	565995
Registered office	5 Kinross, Fey Yerra Lane, Leopardstown Road, Foxrock, Dublin 18, Ireland
Data protection contact	legal@skillysolutions.com

2. What is a cookie?

A cookie is a small text file placed on your device by a website you visit. Most modern web applications use cookies to keep you signed in, to protect forms from cross-site request forgery, and to remember preferences. Cookies are sent back to the website that set them on each subsequent request.

Cookies are governed in Ireland and the EU by the ePrivacy Regulations 2011 (which implement Directive 2002/58/EC) and, where the cookie also processes personal data, by the General Data Protection Regulation 2016/679.

The ePrivacy framework distinguishes between:

Strictly necessary cookies — required to deliver a service the user has explicitly requested. These do not require consent.
Non-essential cookies — including analytics, advertising, social-media plugins, and behavioural tracking. These require informed prior consent before being set.

3. The cookies we currently set

We currently set only strictly necessary cookies. There are three of them.

Cookie	Purpose	Lifetime	Type	Consent required?
`skilly-session`	Authenticated user session — only set after you sign in. HttpOnly, Secure, SameSite=Strict. Without this cookie you cannot stay signed in between pages.	Per role: 8 hours for admins, 24 hours for coordinators, 3 days for teachers and pupils	First-party · session token	No (strictly necessary)
`skilly-csrf`	Cross-site request forgery protection token, used to verify form submissions originate from the platform itself. Without this, any state-changing action would be vulnerable to CSRF attacks.	Session (deleted when you close your browser)	First-party · security token	No (strictly necessary)
`skilly-consent`	Records your response to any cookie banner so we do not ask again. Today this cookie is rarely set, because we do not currently run a banner — but it is reserved so the moment we add anything that needs consent your preference will be remembered immediately.	1 year	First-party · preference	No (strictly necessary)

We do not set any other cookies on the platform.

4. What we do NOT use

We do not currently set any of the following on either skilly.ie or app.skilly.ie:

Analytics cookies — no Google Analytics, no Plausible (cookie-mode), no Fathom, no Hotjar, no Mixpanel, no FullStory.
Advertising / retargeting pixels — no Google Ads, no Meta / Facebook Pixel, no LinkedIn Insight Tag, no TikTok Pixel.
Social media widgets — no Facebook Like buttons, no embedded Twitter timelines, no YouTube auto-embeds with cookies (we use privacy-enhanced embed mode where video is shown).
Session-replay tools — no recording of user sessions.
Third-party fonts — fonts are self-hosted; no Google Fonts cookie.
Third-party CDNs setting cookies — we do not embed any third-party scripts that set cookies.

If you inspect cookies in your browser's developer tools while using the platform you should see only the three cookies in the table above and no others. If you ever see a cookie not on this list, that is a defect — please tell us at legal@skillysolutions.com.

5. Other browser storage

Some web applications use technologies similar to cookies — local storage, session storage, IndexedDB. The Skilly platform uses session storage sparingly to cache role-specific UI state (for example, your preferred filter on a page) for the duration of a single tab session. Nothing in session storage is shared with any third party, persists between browser sessions, or carries personal identifiers. It is cleared when you close the tab.

6. If we add product analytics in future

Skilly is a young platform serving sensitive school data. We have made a deliberate choice not to ship third-party analytics today.

When the time comes to understand product usage in more depth (for example, which features teachers use most often, where coordinators get stuck), the route we will take is self-hosted, privacy-first analytics. Concretely:

A self-hosted instance of a privacy-respecting analytics tool such as Umami or PostHog Community Edition, deployed on our own infrastructure inside the EU
Configured to not set cookies (these tools support an anonymous-visitor mode using hashed identifiers, with no tracking across sessions)
Configured to not collect personal data — no IP address retention beyond what is needed for spam filtering, no cross-site tracking, no fingerprinting
Aggregate metrics only, never individual user behaviour

Properly configured along these lines, the resulting analytics typically falls outside the consent requirement of the ePrivacy Regulations, because nothing is being stored on or accessed from your device.

If we ever introduce anything that does require consent (a non-essential cookie, a third-party tracker, anything fingerprintable), we will:

Display a clear consent banner before any non-essential storage is accessed
Default to reject — non-essential cookies are off until you opt in
Update this Cookie Policy with the new tool, the new cookie, the lawful basis, and the retention period
Notify the school admin by email for material changes

We will not roll out tracking technology silently behind a "by continuing to use this site you agree" notice. That model does not meet the GDPR consent standard and we will not use it.

7. How to control cookies in your browser

Even though our cookies are strictly necessary and do not collect personal data, you remain in full control. You can:

Block all cookies — your browser will let you do this in its privacy settings. The platform will not work because you cannot stay signed in. We mention this for completeness; we do not recommend it for the Skilly platform itself.
Clear cookies — your browser will sign you out of the platform immediately. Useful on a shared school device.
Use private / incognito mode — cookies live only for the duration of the private window and are deleted when you close it.

Browser-specific instructions:

8. Children's privacy

The Skilly platform is used by pupils aged 12 to 18. We have deliberately limited the cookie footprint to the absolute minimum necessary so that pupils — including those below the Digital Age of Consent (16 in Ireland; 13 in the UK; varies elsewhere in the EU) — are not subject to any tracking or profiling on the platform.

For more on how we protect pupils' data generally, see Section 9 of our Privacy Policy.

9. Where this fits

This Cookie Policy sits inside our broader data-protection commitments:

Privacy Policy — what personal data we hold, why, and your rights
Sub-processors — the third parties we engage to deliver the platform
Terms of Service — the contract under which schools subscribe

10. Changes to this policy

When we make a material change — adding a new cookie, introducing analytics, changing a retention period — we will:

Publish the updated policy at skilly.ie/cookies
Update the version-history table below with the date and a description
Surface a notice on the next sign-in for affected users where the change directly affects them (for example, the appearance of a consent banner)

Non-material changes (typographical fixes, link updates) are published with a bumped version number but without notification.

11. Contact

For questions about this Cookie Policy or about how we handle data more generally:

📧 legal@skillysolutions.com 📞 +353 87 418 8829 📮 Data Protection · Skillscan Limited · 5 Kinross, Fey Yerra Lane, Leopardstown Road, Foxrock, Dublin 18, Ireland

You also retain the right to lodge a complaint with the Data Protection Commission (Ireland) at www.dataprotection.ie or with the Information Commissioner's Office (UK) at ico.org.uk.

Version history

Version	Date	Summary
2.0.0	22 April 2026	First standalone Cookie Policy. Replaces the cookie language that was embedded in the 1 October 2019 Privacy Policy. Documents the three currently-set cookies, confirms the no-tracking baseline, and commits to a self-hosted privacy-first analytics path if and when the time comes.
1.0.0 (in Privacy Policy)	1 October 2019	Original cookie language (within Privacy Policy) — superseded.

Section 4

Sub-processors

The third parties we engage to deliver the platform. We notify schools 30 days before any change. Live at app.skilly.ie/sub-processors.

Sub-processors

The sub-processors Skillscan Limited engages to deliver the Skilly platform. Each is contractually bound to equivalent data-protection obligations to those Skillscan undertakes to schools.

Active sub-processors

Sub-processor	Purpose	Location	Transfer safeguard
Supabase Inc.	Primary database + file storage for the platform	EU (Frankfurt)	Within EEA
Vercel Inc.	Application hosting + edge delivery	Primarily EU; US fallback for edge caching	EU-U.S. Data Privacy Framework + SCCs 2021
Anthropic PBC	AI inference — reflection scoring + safeguarding detection	United States	EU-U.S. DPF + SCCs 2021 + Zero-Retention Rider
Resend Inc.	Transactional email delivery	Primarily EU; US API endpoint	EU-U.S. DPF + SCCs 2021

Change notifications

Before we add or replace a sub-processor we will notify each subscribing school at least 30 days in advance and give them an opportunity to object. If a school reasonably objects on data-protection grounds we will either address the objection or allow the school to terminate the subscription with a pro-rata refund.

This page is the authoritative list. We do not maintain sub-processor information in any other location. Last updated 22 April 2026.

Section 5

Data Processing Agreement (specimen)

The Article 28 GDPR contract each school signs with Skillscan Limited. This specimen version retains the [CUSTOMER LEGAL NAME] and [CUSTOMER REGISTERED ADDRESS] placeholders so you can see the exact text. We send a personalised version for signature.

Data Processing Agreement (DPA) — TEMPLATE

Document type: Internal template · sent to each school for signature alongside the Order Form Owner: Skillscan Limited · legal@skillysolutions.com Version: 1.0.0 Effective for new contracts: from 22 April 2026

📋 How to use this template

The school's name + registered address are inserted at signing (replace [CUSTOMER LEGAL NAME] and [CUSTOMER REGISTERED ADDRESS])

The Subscription Start Date is inserted from the Order Form

Annex 1 fields under "Volume estimate" are filled in based on the school's enrolment numbers

The school's DPO contact (if appointed) goes in §13.2

Both parties sign the cover signature block at §15

The structure mirrors GDPR Art. 28(3) clause-by-clause so a school's DPO can tick the mandatory items off a compliance checklist quickly.

Distribute via email as a PDF (rendered from this Markdown). Keep the Markdown source under version control so any negotiated change for a specific school is recorded as a derivative version.

Data Processing Agreement

Parties

This Data Processing Agreement (the "DPA") is made between:

(1) [CUSTOMER LEGAL NAME], of [CUSTOMER REGISTERED ADDRESS] (the "Controller" or the "School"); and

(2) Skillscan Limited, an Irish private company limited by shares (CRO 565995, VAT IE3375591CH) with registered office at 5 Kinross, Fey Yerra Lane, Leopardstown Road, Foxrock, Dublin 18, Ireland, trading as Skilly (the "Processor" or "Skillscan").

Each a "Party" and together the "Parties".

Recitals

(A) The Parties have entered into a subscription agreement under Skillscan's Terms of Service (the "Subscription Agreement") for the Controller's use of the Skilly platform (the "Services").

(B) The Services involve Skillscan processing personal data on behalf of the Controller.

(C) This DPA records the terms on which Skillscan, as Processor, processes that personal data, in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("EU GDPR") and the equivalent provisions of the United Kingdom General Data Protection Regulation ("UK GDPR") (together "GDPR"), and the Irish Data Protection Act 2018 and the UK Data Protection Act 2018 as applicable (together with GDPR, "Data Protection Law").

(D) This DPA is incorporated by reference into the Subscription Agreement. Where there is any conflict between this DPA and the Subscription Agreement, this DPA prevails for matters concerning processing of personal data.

1. Definitions

Capitalised terms not defined here have the meaning given to them in GDPR or the Subscription Agreement. In particular:

"Personal Data", "Processing", "Data Subject", "Special Category Personal Data", "Personal Data Breach" and "Supervisory Authority" have the meanings given in GDPR.
"Customer Personal Data" means Personal Data that Skillscan Processes on behalf of the Controller under the Subscription Agreement, as further described in Annex 1.
"Sub-processor" means any third party engaged by Skillscan to Process Customer Personal Data on Skillscan's behalf, as listed in Annex 3.
"TOMs" means the technical and organisational measures set out in Annex 2.

2. Roles and scope

2.1 Roles

For all Customer Personal Data Processed under the Subscription Agreement:

The School is the Data Controller
Skillscan is the Data Processor

This allocation is intentional and reflects the operational reality: the School determines who is enrolled on the Services, what curriculum activities they complete, how their data is used pedagogically, and how long the School wishes to retain it. Skillscan executes those instructions through the Services.

2.2 Scope of processing

Skillscan Processes Customer Personal Data only to the extent necessary to provide the Services and only on the documented instructions of the School, as recorded in:

This DPA
The Subscription Agreement and any Order Form
The configuration choices the School makes in the Services administration interface
Any further written instruction the School gives, where reasonably implementable

If Skillscan considers that a documented instruction infringes Data Protection Law, Skillscan will inform the School without undue delay and may suspend the Processing concerned pending the School's resolution.

2.3 Description of processing

The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Annex 1.

3. Processor obligations (Article 28(3) GDPR)

Skillscan undertakes the following obligations as Processor.

3.1 Documented instructions

Skillscan will Process Customer Personal Data only on the documented instructions of the School, including with regard to transfers of Customer Personal Data outside the European Economic Area or the United Kingdom, unless required to do so by law to which Skillscan is subject. In such a case, Skillscan will inform the School of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

3.2 Confidentiality of personnel

Skillscan will ensure that persons authorised to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is granted only to those personnel whose role requires it.

3.3 Security (Article 32 GDPR)

Skillscan will implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including those described in Annex 2, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the risks to Data Subjects.

3.4 Sub-processors

The School authorises Skillscan to engage the Sub-processors listed in Annex 3, on terms providing equivalent data protection obligations to those in this DPA. The mechanism for adding or replacing Sub-processors is set out in §4.

3.5 Assistance with Data Subject requests

Taking into account the nature of the Processing, Skillscan will assist the School by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the School's obligation to respond to requests by Data Subjects exercising their rights under Chapter III of GDPR (Articles 15–22). Specifically, the Services include built-in self-service tools for:

Subject Access Requests (Art. 15) — Data Subject can download their own data; the School's admin can trigger an export on their behalf
Erasure (Art. 17) — Data Subject or School can trigger erasure
Portability (Art. 20) — exports are in a structured machine-readable format

3.6 Assistance with breach notification, DPIA and prior consultation

Skillscan will assist the School in ensuring compliance with the obligations under Articles 32 to 36 GDPR, taking into account the nature of the Processing and the information available to Skillscan. This includes:

Notification of Personal Data Breaches affecting Customer Personal Data (see §8)
Cooperation with the School in any Data Protection Impact Assessment relating to the Services. Skillscan maintains a vendor DPIA covering the Services, available on request, which the School may adopt as the starting point for its own DPIA
Cooperation in any Article 36 prior consultation with a Supervisory Authority

3.7 Return or deletion

On termination of the Subscription Agreement, Skillscan will, at the School's choice, either return all Customer Personal Data to the School or delete it, as set out in §11 below.

3.8 Records and demonstration of compliance

Skillscan will make available to the School all information necessary to demonstrate compliance with the obligations in this DPA and Article 28 GDPR, and will allow for and contribute to audits as set out in §9.

4. Sub-processors

4.1 Authorised list

The School gives general written authorisation for Skillscan to engage the Sub-processors listed in Annex 3 at the date of this DPA. The current list is also published at https://app.skilly.ie/sub-processors, which is the authoritative live version.

4.2 Adding or changing a Sub-processor

Skillscan will give the School at least 30 days' prior written notice by email to the School's primary admin contact before adding or replacing any Sub-processor. The notice will identify the new Sub-processor, its purpose, location, and the safeguards in place for any international transfer.

4.3 Right to object

Within the 30-day notice period, the School may object to the proposed Sub-processor on reasonable data-protection grounds by written notice to legal@skillysolutions.com. If the parties cannot resolve the objection within a further 30 days, the School may terminate the Subscription Agreement on a pro-rata refund of any pre-paid fees for the unexpired portion of the term, with no other liability arising on either side from such termination.

4.4 Sub-processor obligations

Skillscan will impose on each Sub-processor by written contract data-protection obligations equivalent to those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. Skillscan remains fully liable to the School for the performance of each Sub-processor's data-protection obligations.

5. International transfers

Where Processing involves the transfer of Customer Personal Data outside the EEA or the UK (including transfers to Sub-processors), Skillscan ensures that one or more of the following safeguards apply:

An adequacy decision by the European Commission or, where applicable, the UK Information Commissioner
The EU-U.S. Data Privacy Framework (DPF) where the recipient is DPF-certified
Standard Contractual Clauses 2021 ("SCCs"), Module 3 (processor-to-processor) where Skillscan is the data exporter to a Sub-processor
Supplementary measures appropriate to the recipient and the data — including the redaction of identifying information from reflection text before transmission to AI Sub-processors, and binding contractual zero-retention riders with such Sub-processors

The Parties acknowledge that the SCCs (where applicable) form part of this DPA and are incorporated by reference. Module 3 of the SCCs applies to onward transfers from Skillscan to its US Sub-processors. The required SCCs annexes are populated by the equivalent annexes of this DPA (Annex 1, Annex 2, Annex 3 below).

A copy of the executed SCCs with each Sub-processor is available to the School on written request to legal@skillysolutions.com.

6. Data Subject rights

6.1 Routing requests

Where Skillscan receives a request from a Data Subject exercising rights under Articles 15–22 GDPR in respect of Customer Personal Data, Skillscan will:

Not respond to the Data Subject directly, except to acknowledge receipt and explain that the request must be addressed to the School as Controller
Forward the request to the School without undue delay, and in any event within 5 working days
Provide the School with reasonable assistance to respond, including using built-in Service tools (export, erasure, portability)

6.2 Self-service tools

Many Data Subject requests can be self-served by the Data Subject directly through the Services. The School's admin retains the ability to trigger export or erasure on a Data Subject's behalf at any time.

7. Security

7.1 Standard

Skillscan implements and maintains appropriate technical and organisational security measures as set out in Annex 2, designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.

7.2 Personnel

Skillscan will:

Limit access to Customer Personal Data to personnel whose role requires it
Ensure each such person is bound by a confidentiality obligation (contractual or statutory)
Provide reasonable data-protection awareness training
Promptly remove access for any person who ceases to need it

7.3 Updates to TOMs

Skillscan may update the TOMs from time to time, provided that the updated TOMs maintain or improve the level of protection afforded to Customer Personal Data. Material reductions in protection are not permitted without the School's prior written consent.

8. Personal Data Breaches

8.1 Notification

Skillscan will notify the School of any Personal Data Breach affecting Customer Personal Data without undue delay and in any event within 24 hours of becoming aware. The notification will be sent to the School's admin email address recorded in the Subscription Agreement, with a copy to the School's DPO contact set out in §13.2 (if any).

8.2 Information provided

The notification will include, to the extent known at that time:

The nature of the breach, categories and approximate number of Data Subjects affected, and categories and approximate number of Personal Data records concerned
The likely consequences of the breach
Measures taken or proposed to address the breach and to mitigate its possible adverse effects
Contact details of a Skillscan point of contact

Where information is not initially available, Skillscan will provide it in phases without further undue delay.

8.3 Cooperation

Skillscan will cooperate with the School and provide reasonable assistance:

In the School's investigation, mitigation and remediation of the breach
In the School's notification to the Supervisory Authority under Article 33 GDPR (if required)
In any communication to affected Data Subjects under Article 34 GDPR (if required)

8.4 No admission of fault

Notification of a Personal Data Breach by Skillscan to the School is not an admission of fault or liability by Skillscan in respect of the breach.

9. Audits and inspections

9.1 Information on request

Skillscan will make available to the School, on reasonable written request and not more frequently than once per calendar year (except where required following a Personal Data Breach or by a Supervisory Authority), all information necessary to demonstrate compliance with this DPA, including:

A copy of Skillscan's most recent vendor DPIA
A summary of recent independent security testing (penetration test, vulnerability scans)
The current Sub-processor list with transfer safeguards
Aggregate evidence of the operation of the TOMs

9.2 Audits

The School may, on giving at least 30 days' prior written notice and not more than once per calendar year (except as in §9.1), audit Skillscan's compliance with this DPA. Such audits will be conducted:

During Skillscan's normal business hours
In a manner that does not interfere with Skillscan's day-to-day operations
By the School itself or by a qualified independent auditor mutually agreed in writing
Subject to reasonable confidentiality obligations
At the School's cost, except where the audit reveals material non-compliance, in which case Skillscan bears reasonable audit costs

In place of an on-site audit, the School may accept third-party attestation reports (e.g. ISO 27001, SOC 2 Type II, Cyber Essentials) once Skillscan holds them.

9.3 Supervisory Authority audits

Skillscan will cooperate with any audit or inquiry conducted by a Supervisory Authority (the Data Protection Commission in Ireland; the Information Commissioner's Office in the UK) in respect of the Processing under this DPA.

10. Liability

The Parties' liability under or in connection with this DPA is governed by the Subscription Agreement, including the limitations and exclusions set out there, save that:

Nothing in this DPA limits either Party's liability to a Data Subject under GDPR
Each Party's liability to the other for breach of this DPA is subject to the aggregate liability cap and data-protection-specific carve-out set out in the Subscription Agreement
Where the Parties are jointly liable to a Data Subject for the same damage, each Party may recover from the other Party that part of the compensation corresponding to its part of responsibility for the damage, in accordance with Article 82(5) GDPR

11. Term, termination, return and deletion

11.1 Term

This DPA takes effect on the Subscription Start Date in the Order Form and continues for the duration of the Subscription Agreement.

11.2 Survival

Sections that by their nature are intended to survive termination — in particular §3.7 (return/deletion), §8 (Personal Data Breach), §9 (audit) and §10 (liability) — survive termination of the Subscription Agreement.

11.3 Return or deletion of Customer Personal Data

On termination or expiry of the Subscription Agreement:

For a period of 30 days after termination, Skillscan will make Customer Personal Data available to the School for export through the Services (or by other means if the Services are no longer accessible), in a structured commonly-used machine-readable format
After the 30-day export window, Skillscan will, within a further 60 days (so 90 days from termination in total), delete all Customer Personal Data from its systems and require its Sub-processors to do the same, save where retention is required by law (in which case Skillscan will continue to protect such Personal Data in accordance with this DPA)
Skillscan will provide written confirmation of deletion on request

The School may instruct Skillscan in writing to return rather than delete Customer Personal Data at any point in the 30-day window, in which case Skillscan will arrange a final export.

11.4 Anonymised aggregate data

Skillscan may retain aggregate, anonymised statistics about the Service's operation (for example, total reflections submitted, total flags raised, average response time) provided such statistics cannot reasonably be used to identify any Data Subject and the cohort size is at least k≥5.

12. Specific provisions for special category and children's data

12.1 Special category data

The Parties acknowledge that the Services are designed to Process Special Category Personal Data, in particular data concerning the wellbeing and possible safeguarding signals of pupils. The School warrants that it has a lawful basis under Article 9(2) GDPR for this Processing — typically Article 9(2)(g) (substantial public interest pursuant to Children First 2015 (Ireland), Keeping Children Safe in Education (UK), or equivalent national legislation).

12.2 Children's data

The Services Process Personal Data of pupils, the majority of whom are below the applicable Digital Age of Consent (16 in Ireland; 13 in the UK; varies elsewhere in the EU). The School warrants that:

It has obtained any parental consent required at enrolment
It operates under a published Acceptable Use Policy and Child Safeguarding Statement
It will not enrol any pupil whose parent or guardian has objected

12.3 Skillscan undertakings for children's data

Skillscan undertakes that:

Pupil data is never used for marketing
Pupil data is never used to train any AI model — Skillscan's own or any third party's — and this is contractually binding with Skillscan's AI Sub-processor (Anthropic)
The Services apply identifying-information redaction to reflection text before any transmission to the AI Sub-processor
The Services do not run analytics, advertising, or behavioural-tracking cookies

13. General

13.1 Notices

Notices under this DPA must be in writing and sent:

To Skillscan: legal@skillysolutions.com — with a hard copy to Skillscan Limited, 5 Kinross, Fey Yerra Lane, Leopardstown Road, Foxrock, Dublin 18, Ireland, marked for the attention of the General Counsel
To the School: at the email address recorded for the School's primary admin in the Subscription Agreement and (where set) the School's DPO contact below

13.2 School DPO contact

Field	Value
DPO name	_______________________________________
DPO email	_______________________________________
DPO phone	_______________________________________

(Leave blank if the School has not appointed a DPO. In that case, breach notifications and data-protection correspondence will go solely to the School's primary admin contact.)

13.3 Conflict

In the event of conflict between this DPA, the Subscription Agreement, the Order Form, or any incorporated SCCs, the order of precedence is: (i) the SCCs; (ii) this DPA; (iii) the Order Form; (iv) the Subscription Agreement.

13.4 Governing law and jurisdiction

This DPA is governed by the laws of Ireland. The Parties submit to the exclusive jurisdiction of the Irish courts (Commercial Court of the High Court of Ireland for material disputes).

13.5 Severability

If any provision of this DPA is held unenforceable, the rest remain in full force, and the Parties will negotiate in good faith a replacement that achieves the same intent.

13.6 No third-party beneficiaries

This DPA creates rights and obligations only between the School and Skillscan. Data Subjects have rights under GDPR independently of this DPA; nothing in this DPA limits or modifies those rights.

14. Entire DPA

This DPA, together with its Annexes and the Subscription Agreement, constitutes the entire agreement between the Parties on its subject matter. No variation is effective unless in writing and signed by both Parties.

15. Signatures

Signed for and on behalf of [CUSTOMER LEGAL NAME]:

Signature: _______________________________________

Name (block capitals): _______________________________________

Position: _______________________________________

Date: _______________________________________

Signed for and on behalf of Skillscan Limited:

Signature: _______________________________________

Name (block capitals): SHANE MAGUIRE

Position: Founder · Acting Data Protection Officer

Date: _______________________________________

ANNEX 1 — Description of the Processing

Subject matter and duration

Provision of the Skilly platform — a software-as-a-service application for SPHE reflective practice and AI-assisted safeguarding — for the duration of the Subscription Agreement.

Nature and purpose of the Processing

Activity	Purpose
Hosting, storage and retrieval of pupil reflection text, mood indicators, daily pulses, weekly wellbeing surveys, pre-assessments and assessment submissions	To deliver the SPHE pedagogy and support the pupil's learning
AI scoring and AI-generated formative feedback on each reflection	To assist teachers in providing timely formative feedback at scale
AI safeguarding-flag detection on each reflection	To surface possible safeguarding concerns to the School's coordinator
Coordinator review, escalation and audit logging of safeguarding flags	To enable the School's safeguarding response under Children First / KCSIE / equivalent
Wellbeing aggregation and SSE / Wellbeing-Framework reporting	To enable the School's Self-Evaluation cycle and statutory wellbeing reporting
Account management — login, password, role-based access	To control access to the Services
Audit logging of staff-side access	To support GDPR accountability and the School's own audit obligations
Transactional email (welcome, password reset, safeguarding alerts, escalation)	To operate the Services

Categories of Personal Data Processed

Identity and account data

Full name (first and last)
Email address
Role (student, teacher, coordinator, admin)
Class group, year group
Teacher–class assignments
Bcrypt-hashed password
Account creation date, last login timestamp
Login IP address and user agent (security audit only — 90-day retention)

Pupil SPHE activity

Reflective writing
Mood indicator (5-point scale)
Pre-assessment self-ratings
Daily mood check-ins ("pulse") with optional short sentence
Weekly wellbeing survey responses (six indicator scores plus optional short note)
Media attachments to reflections (image, voice note, short video)
Assessment submissions (Junior Cycle CBA, Senior Cycle Key Assignment artefacts)

Teacher-generated data about pupils

Teacher override of AI score
Teacher note (visible to pupil)
Teacher feedback (visible to pupil)
Pastoral notes (staff-only)
Learning profile flags (autism, dyslexia, ADHD, custom needs) and accessibility preferences

Safeguarding data — Special Category

Verbatim quote from pupil reflection (capped at 30 words)
AI-generated safeguarding observation
Category (Anxiety, Self-harm, Abuse, Bullying, Low mood, Peer pressure, Wellbeing concern)
Severity (high / medium / low) plus AI / teacher / coordinator votes
Status, action taken, escalation level

Operational

Audit log entries
Email log entries (recipient, subject, delivery status — never the body)

Categories of Data Subjects

Pupils enrolled at the School (typically aged 12–18)
Teaching and pastoral staff at the School
Coordinators and administrators at the School

Volume estimate (to be filled in at signing)

Approximate number of pupils: __________________
Approximate number of staff: __________________
Year groups covered: __________________

Retention

Category	Retention
Pupil reflection text	While enrolled + until end of academic year of departure, then text nulled (structural row retained for SSE statistics)
Pupil mood / pulse / wellbeing survey	While enrolled + 12 months
Pupil assessment submissions (CBA / Key Assignment)	7 years after the certifying examination
Safeguarding flag records	Until subject reaches age 25 (Tusla Children First retention guidance)
Staff data	Active + 2 years after departure
Login IP / user agent technical logs	90 days
Email log	2 years (recipients, subject, status — never body)
Audit log	7 years
All Customer Personal Data on subscription end	30-day export grace + 60-day purge thereafter

The School may instruct earlier deletion of any specific category in writing.

ANNEX 2 — Technical and Organisational Measures (TOMs)

These are the security measures Skillscan applies as Processor to protect Customer Personal Data, addressing Article 32 GDPR.

Authentication and access control

Bcrypt password hashing (cost factor 12); never store plaintext
Per-email login lockout after 5 failures in 15 minutes
Per-IP rate limit of 20 login attempts per minute
Generic "invalid credentials" error message (no user enumeration)
Constant-time password comparison (dummy hash for non-existent users)
HMAC-SHA256-signed session cookies, HttpOnly + Secure + SameSite=Strict
Per-role session TTL: admin 8 hours, coordinator 24 hours, staff and pupil 3 days
Forced password change on first login for newly-provisioned users
Two-factor authentication (TOTP) for admin and coordinator roles — currently optional, becoming mandatory at 50-school scale

Authorisation and tenant isolation

Row-level tenant isolation enforced at the database layer
Application-level tenant filtering on every query
Role-based access:
- Pupils: see own reflections only
- Teachers: pupils in their assigned classes only
- Coordinators: school-wide flags + reports
- Admins: school-wide administrative data
Pupils cannot see safeguarding flags about themselves or others (product invariant + enforced at API layer)
Class-ownership enforcement on flag updates and reflection updates

Audit logging

Every staff-side access to pupil data logged with actor, target, timestamp, IP, action
Every safeguarding flag escalation logged separately with recipient list
Every transactional email logged with delivery status
Audit log retained 7 years
School admin has read-only access to their tenant's audit log

Encryption and storage

All data at rest encrypted (AES-256 via cloud provider)
All transit encrypted (TLS 1.2+ enforced via HSTS; 2-year max-age + preload)
Database backed up daily with point-in-time recovery
Off-site backup pipeline (in design) for additional disaster recovery beyond cloud provider's own resilience

AI processing controls

PII redaction before any reflection text leaves the EEA — pupil's own name, other person names, addresses, contact details all stripped
Redaction count audit-logged per request
Anthropic zero-retention rider signed
Anthropic written confirmation that customer data is not used to train any foundation model
Skillscan does not maintain any internal model trained on customer data
Teacher override is the final score — AI score is advisory only
Every safeguarding flag is reviewed by a named human coordinator before any external action

Safeguarding alert delivery

Durable email log table — every send recorded before the provider call
Single retry on transient send failure
Resend delivery webhook updates the log with actual recipient-side outcome (delivered / bounced / complained)
Escalation ladder for unacknowledged HIGH safeguarding flags:
- Level 1 (immediate): coordinators + admins
- Level 2 (after 30 min unacknowledged): admins + all coordinators
- Level 3 (after 2h unacknowledged): principal + admins + coordinators
Acknowledgement automatic when a coordinator opens the flag detail or actions it
Admin-side Email Log dashboard surfaces every send with status

Network and application security

Strict-Transport-Security with 2-year max-age + preload
Content Security Policy
X-Frame-Options DENY
X-Content-Type-Options nosniff
Referrer-Policy strict-origin-when-cross-origin
Permissions-Policy denying camera, microphone, geolocation, payment APIs
Cross-Site Request Forgery defence via SameSite=Strict cookies + double-submit token
Rate limiting on AI and authentication endpoints

Vulnerability management

npm audit run on every release; dependency vulnerabilities patched within 7 days for High severity, 30 days for Medium
Internal whitebox penetration test completed 21 April 2026 — all 12 findings remediated
External dynamic penetration test scheduled
Annual external pen test thereafter

Personnel

Access to Customer Personal Data limited to personnel whose role requires it
All personnel bound by written confidentiality obligations
Periodic data-protection awareness briefings
Access immediately revoked on departure

Subject rights tooling

Pupil-facing self-service: download own data and request erasure from /account
Staff-facing tools: admins can trigger SAR / erasure on a Data Subject's behalf
Tenant-wide export available to the admin on subscription end
Machine-readable JSON export format (Article 20 portability)

Children-specific protections

No marketing to pupils under any circumstances
No third-party tracking, advertising, or behavioural cookies
Aggregate dashboards: minimum cohort size of k≥5 to prevent re-identification
Pupil data never used for marketing or model training
Age-protective rubric applies pupil's actual year group to soften AI scoring if mis-assigned

Incident response

Documented incident response plan
24-hour notification to Controllers of any Personal Data Breach affecting their tenant
72-hour DPC / ICO notification supported
Internal breach register maintained 7 years

ANNEX 3 — Authorised Sub-processors

The current authoritative list is published at https://app.skilly.ie/sub-processors. As at the date of this DPA, the authorised Sub-processors are:

Sub-processor	Purpose	Location	Transfer safeguard
Supabase Inc.	Primary database + file storage for the platform	EU (Frankfurt)	Within EEA
Vercel Inc.	Application hosting and edge delivery	Primarily EU; US fallback for edge caching	EU-U.S. Data Privacy Framework + SCCs 2021 (Module 3)
Anthropic PBC	AI inference — reflection scoring + safeguarding detection	United States	EU-U.S. DPF + SCCs 2021 (Module 3) + Zero-Retention Rider
Resend Inc.	Transactional email delivery	Primarily EU; US API endpoint	EU-U.S. DPF + SCCs 2021 (Module 3)

Each Sub-processor is bound by a written contract on terms providing equivalent data-protection obligations to those in this DPA.

Version history

Version	Date	Summary
1.0.0	22 April 2026	First DPA template aligned to the 22 April 2026 Privacy Policy v2.1.0, Terms of Service v2.0.0, and vendor DPIA v1.0.0. Schools-focused. Irish governing law. SCCs 2021 Module 3 incorporated by reference. Annexes 1–3 populated for the current product.

Section 6

DPIA reference

Skillscan Limited maintains an internal vendor Data Protection Impact Assessment (DPIA) covering the Skilly platform's processing as a whole. It assesses 19 identified risks against 46 documented controls; no risk has a residual rating higher than Medium, and Article 36 prior consultation with the Data Protection Commission is not required at this time.

The DPIA is shared with subscribing schools' Data Protection Officers on request. It is intended as the starting-point DPIA you can adopt and supplement with your school-specific facts (pupil count, classes covered, your existing safeguarding policy).

To request the DPIA, email legal@skillysolutions.com.