Privacy Policy
Effective: 22 April 2026 · Version 2.1.0 · Supersedes: Privacy Policy dated 1 October 2019
1. Who we are
Skilly is the trading name of Skillscan Limited, an Irish company. We build and run the Skilly platform — a classroom tool that helps secondary schools run reflective SPHE (or equivalent pastoral) lessons, support pupil wellbeing, and surface safeguarding concerns for the school's coordinator to review.
| Field | Details |
|---|---|
| Legal entity | Skillscan Limited |
| Trading name | Skilly |
| Company registration (CRO) | 565995 |
| VAT registration | IE3375591CH |
| Registered office | 5 Kinross, Fey Yerra Lane, Leopardstown Road, Foxrock, Dublin 18, Ireland |
| General email | hello@skilly.ie |
| Data Protection email | legal@skillysolutions.com |
| Data Protection phone | +353 87 418 8829 |
This policy covers both our website (skilly.ie) and our platform (the application your school accesses after signing up). It applies in Ireland, across the European Union, and in the United Kingdom. Where EU GDPR and UK GDPR differ on any substantive point, we apply the stricter rule.
2. Summary in one paragraph
We hold two groups of personal data: (1) data about pupils and staff using the Skilly platform on behalf of their school, and (2) data about visitors to skilly.ie, people who contact us, and people signing up to hear from us. We don't sell data to anyone, we don't use pupil or staff data for marketing, we don't use anyone's data to train AI models, and we keep the minimum amount for the minimum time. If anything is unclear, email legal@skillysolutions.com.
3. Who decides what happens to your data
Under the GDPR one or more organisations is legally "in charge" of any given piece of personal data — the "data controller" — and may use a service provider to handle it on their behalf — a "data processor". For Skilly the split is:
- When you use the Skilly platform (pupils, teachers, coordinators, admins signed into the app): your school is the data controller and Skillscan Limited is the data processor. We handle your data under the school's written instructions, captured in a Data Processing Agreement between us.
- When you use skilly.ie, contact us, or subscribe to product updates: Skillscan Limited is the data controller. We decide directly what happens to your data.
This distinction matters mainly for who you contact when you want to exercise a right (see §14). In plain English: platform questions → your school first; website and sales-lead questions → us directly.
4. What data we collect on the Skilly platform
When a school enrols pupils and staff on the platform we hold the following categories. The school (not us) decides which pupils are enrolled, which classes they're in, and what activities they complete.
4.1 Identity and account data
- Full name (first and last)
- Email address
- Role (student, teacher, coordinator, admin)
- Class group (e.g. "2A") and year group (e.g. "2nd Year")
- Teacher–class assignments
- Bcrypt-hashed password (never stored in plain text)
- Account creation date and last-login timestamp
- The IP address and user agent string of each login (security and audit only — 90-day retention)
4.2 Pupil SPHE activity
- Reflective writing submitted by the pupil in response to a curriculum prompt
- Mood indicator chosen by the pupil on a 5-point scale
- Self-ratings given at the start of a strand ("pre-assessment")
- Daily mood check-ins ("pulse") with an optional short sentence
- Weekly wellbeing survey responses (six indicator scores plus an optional short note)
- Any media attachment a pupil adds to a reflection (image, voice note, short video)
- Assessment submissions — Junior Cycle Classroom-Based Assessment files and Senior Cycle Key Assignment artefacts
4.3 Teacher-generated data about pupils
- Teacher override of the AI score (1–5)
- Teacher note attached to a reflection (visible to the pupil)
- Teacher written feedback (visible to the pupil)
- Pastoral notes — private staff-only notes about a pupil, not visible to the pupil
- Learning profile — differentiated-learning flags set by a teacher (autism, dyslexia, ADHD, custom needs) plus relevant UI preferences
4.4 Safeguarding flags — special category data
The platform automatically surfaces safeguarding flags when the AI detects wording in a pupil's reflection that appears to indicate a welfare concern. Each flag contains:
- A verbatim quote from the pupil's reflection (capped at 30 words)
- An AI-generated safeguarding observation
- A category — for example "Anxiety", "Self-harm", "Abuse", "Bullying", "Low mood", "Peer pressure", "Wellbeing concern"
- A severity (high / medium / low)
- Severity votes from the AI, the class teacher, and the coordinator — the highest severity wins
- Status (open or closed), who acted on it, when, and what action was taken
- The escalation level reached (if an unacknowledged high-severity flag automatically chased the principal)
Safeguarding data is special category personal data under Article 9 GDPR because it can reveal information about a pupil's mental or physical health — and where a disclosure is made, may relate to Article 10 matters (criminal offences). We handle this category with stricter access controls, stricter retention, and full audit logging (see §7 for AI, §10 for retention, §11 for security).
4.5 Operational data
- Audit log of every significant action (who read or changed what, when)
- Email log of every transactional email we sent on the school's behalf (recipient, subject line, delivery status — never the body)
- Short-lived technical logs (IP, user agent, timestamps) retained for 90 days for security and debugging only
4.6 What we do NOT hold
For clarity:
- Date of birth — never collected; age is inferred from year group only
- Home address, phone number, geolocation — not collected
- Payment card data — handled entirely by our payment sub-processor; card details never reach our servers
- Biometric or genetic data — never collected
- Religious, political, or trade-union affiliation — never collected; if a pupil voluntarily mentions any of these in reflection text it is handled under the same safeguards as other reflection content
- Data about non-enrolled third parties — if a pupil mentions another person by name in a reflection, we apply PII redaction before any AI processing (see §7)
5. What data we collect on the skilly.ie website
When you visit the website, contact us, or sign up for product updates, we hold:
- Essential technical data — your IP address, browser type, pages visited, referrer. Used in aggregate for site improvement only.
- Contact-form submissions — name, email, the school or organisation you mentioned, your role, and the message you sent us.
- Newsletter subscribers — email address, optionally your name and school.
- Recruitment applications — your CV, cover letter, and contact details.
We do not run third-party analytics, advertising, or tracking pixels on skilly.ie. See §13 for the complete list of cookies we set.
6. Why we process each category (lawful bases)
| Data | Controller | Lawful basis |
|---|---|---|
| Pupil platform data — identity, reflections, moods, assessments | The school | Art. 6(1)(e) public task (Education Act 1998 in Ireland; equivalent statutory schooling functions in other jurisdictions) |
| Pupil safeguarding and wellbeing data (special category) | The school | Art. 9(2)(g) substantial public interest — pursuant to Children First 2015 (Ireland), Keeping Children Safe in Education (UK), or national equivalent — plus Art. 9(2)(i) preventive and social protection where relevant |
| Staff platform data | The school | Art. 6(1)(b) contract + Art. 6(1)(f) legitimate interest (security, audit) |
| Website technical logs | Skillscan | Art. 6(1)(f) legitimate interest — operating a functional website |
| Essential cookies (see §13) | Skillscan | ePrivacy — strictly necessary, no consent required |
| Contact-form enquiries | Skillscan | Art. 6(1)(f) legitimate interest — replying to your enquiry |
| Newsletter subscription | Skillscan | Art. 6(1)(a) consent — you opted in |
| Recruitment applications | Skillscan | Art. 6(1)(b) pre-contract steps + Art. 6(1)(f) legitimate interest |
The school (not Skillscan) should document its lawful basis for the platform processing in its own Data Protection Policy, Acceptable Use Policy, or Enrolment Policy. The school is also responsible for obtaining parental consent at enrolment for pupils below the applicable Digital Age of Consent:
- Ireland: 16 (Data Protection Act 2018, s.31)
- United Kingdom: 13 (UK Data Protection Act 2018, s.9)
- Other EU Member States: between 13 and 16, depending on national law
7. How our AI works — and what it sees
Skilly uses AI to perform two distinct jobs on pupil reflection text. Both are disclosed here transparently under Articles 13, 14 and 22 GDPR.
7.1 Reflection scoring
When a pupil submits a reflection, the platform sends it to an AI service (Anthropic's Claude model, operated by Anthropic PBC in the United States) and receives back:
- A score from 1 to 5 against a published SPHE rubric
- Formative written feedback (typically 75–150 words)
The score is advisory. The class teacher can override it, and the effective score stored against any reflection is always the teacher's override where one is given — never the AI's. No score is "solely automated": there is always a human review step.
7.2 Safeguarding flag detection
A second, separate AI call scans the same reflection for safeguarding concerns (see §4.4). The AI creates the flag record automatically, but the response to a flag is entirely human-driven: a named coordinator reviews it, votes on severity, records action taken, and closes it. Unresolved high-severity flags chase the principal automatically until a human acknowledges.
7.3 What the AI sees (and does not see)
Before any reflection text leaves our servers we apply PII redaction:
- The pupil's own name → [STUDENT]
- Any other person-name in the text → [PERSON_1], [PERSON_2], …
- Email addresses, phone numbers, postal addresses, Eircodes, PPSN, IBAN numbers, credit card numbers and URLs are stripped
The AI receives only the strand/topic, the activity prompt, the pupil's mood label (e.g. "Good"), and the redacted reflection text. It does not receive the pupil's name, email, class, year group, teacher, school name, or any prior scores.
7.4 Our contract with the AI provider
We use Anthropic PBC (United States) for AI inference. We have in place:
- A signed Data Processing Agreement
- The zero-retention contractual rider: Anthropic does not retain reflection text or AI outputs beyond the 30-day minimum required for operational abuse-monitoring, after which it is deleted from their systems
- Written confirmation that reflection text is not used to train any Anthropic foundation model
- EU-U.S. Data Privacy Framework certification plus Standard Contractual Clauses 2021 as a second safeguard
7.5 Your right to human review (Article 22)
Because a teacher override is always available and every flag is reviewed by a named human coordinator before any action is taken, your Article 22 right to human review is built into the product. If you nonetheless wish to make a formal Article 22 request in writing, contact the school first (they are the controller for platform data).
8. Safeguarding — when information is shared with statutory bodies
If a safeguarding flag surfaces a concern that the school escalates under Children First (Ireland), Keeping Children Safe in Education (UK), or equivalent, the school is the party that makes any statutory report to Tusla, the relevant UK authority, or An Garda Síochána. Skillscan's role is to surface the concern to the school's coordinator — who is the Designated Liaison Person (DLP) for their school. The school makes the statutory report.
Where a court, the Data Protection Commission, the ICO, or any other authority with legal power compels Skillscan directly to produce platform data, we will:
- Notify the affected school without delay, unless a court order prohibits such notification
- Produce only the specific data legally required
- Log the event in the audit trail
9. Children's data — our commitments
The platform is used by pupils aged 12 to 18. Many are below the Digital Age of Consent applicable to them. Our commitments specifically in relation to pupils:
- We rely on the school, as the data controller, to have obtained consent from each pupil's parent or guardian as part of the school's enrolment process, and to operate under the school's published Acceptable Use Policy and Child Safeguarding Statement.
- We do not market to pupils at any age — pupils receive only transactional platform emails (password resets, new assignment notifications, and the like).
- We build the product with pupil safety as a design constraint: PII redaction before AI processing, strict tenant isolation, audit logging of every staff-side access to pupil data, and an age-protective rubric that adapts to the pupil's year group and any documented learning profile.
If you are a parent or guardian with a question about your child's data on Skilly, please contact the school first — the school is the controller. If the school cannot answer, we will assist them on request.
10. Sub-processors
We use the following sub-processors to deliver the platform. Every sub-processor is contractually bound to equivalent data-protection obligations. A current, versioned list is published at skilly.ie/sub-processors.
| Sub-processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Supabase Inc. | Primary database + file storage | EU (Frankfurt) | Data remains within EEA |
| Vercel Inc. | Application hosting + edge delivery | Primarily EU region; US fallback for edge caching | EU-U.S. Data Privacy Framework + SCCs 2021 |
| Anthropic PBC | AI inference — reflection scoring + safeguarding detection | United States | EU-U.S. DPF + SCCs 2021 + Zero-Retention Rider |
| Resend Inc. | Transactional email delivery | Primarily EU; US API endpoint | EU-U.S. DPF + SCCs 2021 |
Before we add or replace a sub-processor we notify each subscribing school at least 30 days in advance and give them an opportunity to object. If a school reasonably objects on data-protection grounds we will either address the objection or allow the school to terminate the subscription with a pro-rata refund.
11. International transfers
Where pupil, staff, or marketing data is transferred outside the European Economic Area or the United Kingdom, we rely on one or more of:
- Adequacy decision — the European Commission has determined the destination country provides adequate protection (not currently relied upon as sole basis for any of our sub-processors)
- EU-U.S. Data Privacy Framework — for transfers to our US sub-processors (Anthropic, Resend, Vercel US edge), all of which are DPF-certified
- Standard Contractual Clauses 2021 — as a second-layer safeguard alongside the DPF
- Zero-retention contractual rider — specifically for the AI path with Anthropic
- Supplementary technical measures — PII redaction before transmission (see §7.3) so what leaves the EEA is minimised
You can request copies of the SCCs with any sub-processor by emailing legal@skillysolutions.com.
12. How long we keep data
We retain data in line with the school's documented retention policy (for platform data) or the defaults below (for website and marketing data), whichever is applicable.
| Category | Retention |
|---|---|
| Pupil reflection text | While the pupil is enrolled + until the end of the academic year in which they leave the school, after which the text is nulled. A structural row (date, strand, score — no content) is retained so the school can continue anonymised statistics in its Self-Evaluation cycle. |
| Pupil mood / pulse / wellbeing survey data | While enrolled + 12 months after leaving, then deleted |
| Pupil assessment submissions (CBA / Key Assignment files) | 7 years after the certifying examination, in line with State Examinations Commission records retention |
| Safeguarding flag records | Until the subject reaches age 25, in line with Tusla Children First retention guidance. Longer than other pupil data so late disclosures can be contextualised. |
| Staff data | While employed and active on the platform + 2 years after departure |
| Login IP / user agent technical logs | 90 days from the login event |
| Email delivery log (recipients, subject, status — never body) | 2 years |
| Audit log entries | 7 years, for GDPR accountability + DPC / ICO inspection readiness |
| All school data on subscription end | 30-day export grace window → purged within 90 days |
| Website technical logs | 90 days |
| Contact-form submissions | 2 years from last correspondence |
| Newsletter subscribers | Until you unsubscribe + 30 days |
| Recruitment applications | 12 months from application, unless you consent to longer |
A school can instruct us in writing to delete a specific platform category earlier; we will comply unless there is a legal obligation preventing us.
13. Cookies
We set only the cookies strictly necessary to run the site and the platform:
- skilly-session — authenticated session cookie, only set after you log in. HttpOnly, Secure, SameSite=Strict.
- skilly-consent — remembers your response to the cookie banner.
- skilly-csrf — cross-site request forgery token used on form submissions.
Under the ePrivacy Regulations 2011 none of these require consent because they are strictly necessary to deliver the service you requested. We currently run no analytics, advertising, or behavioural-tracking cookies on skilly.ie. If we introduce any in future we will display a consent banner and update this policy.
14. How we keep your data safe
We apply appropriate technical and organisational measures, including:
- HTTPS-only transport with HSTS preload
- Bcrypt password hashing (cost factor 12)
- HMAC-SHA256 signed session cookies with role-aware expiry (admin 8 hours; coordinator 24 hours; staff and pupils 3 days)
- Multi-layer PII redaction before any AI call
- Zero-retention contractual rider with the AI provider
- Row-level tenant isolation at the database, API and application layers
- Brute-force login protection with account lockout
- Rate limiting on AI and authentication endpoints
- Full audit logging of significant actions
- Content Security Policy, HSTS, and related security headers
- SameSite=Strict session cookies as CSRF defence
- Dependency vulnerability scanning on every release
- Annual external penetration testing
- A documented incident-response plan including 72-hour DPC / ICO breach notification
A full description of our technical and organisational measures is provided in Annex 2 of the Data Processing Agreement we sign with each school. We also maintain a Data Protection Impact Assessment (DPIA) covering the platform's processing as a whole — schools' DPOs can request a copy by emailing legal@skillysolutions.com.
14.1 If a breach happens
If a personal data breach affecting platform data occurs we will:
- Notify the affected school within 24 hours of becoming aware
- Provide the school with the information it needs to meet its own 72-hour duty under Article 33 GDPR / UK GDPR to the Data Protection Commission or the Information Commissioner's Office
- Support the school with any Article 34 communication to affected data subjects
- Log the event in our internal breach register and external audit trail
15. Your data protection rights
Under the GDPR you have the following rights, exercisable at any time without charge:
| Right | What it means |
|---|---|
| Access (Art. 15) | Get a copy of the personal data we hold about you |
| Rectification (Art. 16) | Correct inaccurate data |
| Erasure (Art. 17) | Have your data deleted ("right to be forgotten") — subject to legal retention obligations |
| Restriction (Art. 18) | Pause our processing while a dispute is resolved |
| Portability (Art. 20) | Receive your data in a machine-readable format |
| Objection (Art. 21) | Object to processing based on legitimate interest, including marketing |
| Not to be subject to solely-automated decisions (Art. 22) | Request human review of any automated decision affecting you |
| Withdraw consent | Where processing is based on consent, you can withdraw it at any time |
15.1 How to exercise your rights
Platform data (pupils, parents, staff of a subscribing school) — please contact your school first. They are the controller. The platform has built-in tools to support them:
- You can download a copy of your own data at any time from the Account page of the platform (built-in SAR export, Article 15).
- You can request erasure through the same page.
- Your school's admin can trigger a full export or erasure on your behalf.
Website, marketing, and sales-lead data — email us at legal@skillysolutions.com. We will:
- Acknowledge within 5 working days
- Respond in substance within the statutory 30 calendar days; if the request is complex we may extend by up to 60 further days and will tell you so
- Not charge a fee unless the request is manifestly unfounded or excessive
16. How to complain
We would rather hear from you first, but you always retain the right to complain to a supervisory authority.
- Ireland / EU — the Data Protection Commission: www.dataprotection.ie · +353 (0)761 104 800 · info@dataprotection.ie · 6 Pembroke Row, Dublin 2, D02 X963, Ireland
- United Kingdom — the Information Commissioner's Office: ico.org.uk · +44 303 123 1113
The DPC is our lead supervisory authority under the GDPR one-stop-shop mechanism for EU-wide processing.
17. Representatives
- European Union — because Skillscan Limited is established in Ireland (an EU Member State) we are not required to appoint a separate Article 27 representative for EU data subjects. Our Irish registered office serves that function.
- United Kingdom — for Article 27 UK GDPR purposes, our UK Data Representative is: Imagine Education Ltd, Crossmead, Denver Road, Exeter, Devon, EX3 0BS, United Kingdom
UK residents can contact the UK representative or Skillscan directly — both routes reach the same data-protection function.
18. Changes to this policy
When we make a material change (adding a sub-processor, changing retention, adding a product feature with privacy implications) we will:
- Publish the updated policy at skilly.ie/privacy
- Post a dated changelog at the bottom
- For platform users: notify the school's admin by email
- For marketing contacts: notify you by email only if the change is material to you
Non-material changes (typographical fixes, re-ordering sections) are published with a bumped version number but without notification.
19. Contact
Data protection questions, or to exercise your rights:
📧 legal@skillysolutions.com
📞 +353 87 418 8829
📮 Data Protection · Skillscan Limited · 5 Kinross, Fey Yerra Lane, Leopardstown Road, Foxrock, Dublin 18, Ireland
Platform support:
📧 skillycare@skillysolutions.com
Version history
| Version | Date | Summary |
|---|---|---|
| 2.1.0 | 22 April 2026 | Full rewrite of the 1 October 2019 policy. Single-flow structure. Adds AI processing declaration, named sub-processors (Supabase, Vercel, Anthropic, Resend), Children First framing, Tusla-aligned safeguarding retention (to age 25), and EU + UK GDPR coverage. |
| 1.0.0 | 1 October 2019 | Original policy — superseded. |