Legal
GDPR Compliance
Last updated · 12 May 2026
AI Essay Grader Europe is built for European education. This page summarises how the platform meets the requirements of the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and equivalent UK law.
Roles
- The school or teacher is the data controller for student data uploaded to AI Essay Grader Europe.
- ClassX Education B.V. is the data processor, acting only on documented instructions of the controller.
Lawful processing
We help controllers identify a lawful basis for processing student data — typically a public interest task carried out by an educational institution (Art. 6(1)(e)) or, where special-category data such as a student’s identifiable handwriting is involved, an appropriate condition under Art. 9.
Data minimisation
- Uploads are processed only for the requested task (grading, OCR, detection).
- Student names are optional; AI Essay Grader Europe never requires them to grade an essay.
- We strongly recommend pseudonymising scans (e.g. cropping out names) before upload.
Data residency
Customer data for EEA and UK users is stored in EU regions (Frankfurt and Dublin). Where a subprocessor processes data outside the EEA, transfers rely on the European Commission’s Standard Contractual Clauses (Decision 2021/914) and additional safeguards.
Data subject rights
We assist controllers in fulfilling Articles 15–22 requests within 30 days. Teachers and schools can export, rectify or delete data via the dashboard or by contacting dpo@classx.eu.
Records of processing (Art. 30)
We maintain a Record of Processing Activities and provide an extract on request to institutional customers under NDA.
Data Protection Impact Assessment
We have completed an internal DPIA covering AI grading and handwriting OCR. A summary is available to school customers on request.
Breach notification
We notify affected controllers without undue delay, and in any case within 72 hours of becoming aware of a personal data breach affecting their data.
Children
AI Essay Grader Europe accounts are for adults (educators and administrators). Student data may be processed only at the direction of the controller, never for direct marketing to children and never to train AI models.
Supervisory authority
Our lead supervisory authority is the Dutch Autoriteit Persoonsgegevens. Customers can also contact their local national authority.
This document is provided as a starting template adapted for European education providers. It does not constitute legal advice. Have qualified counsel review and tailor it to your jurisdiction and processing activities before relying on it.