Privacy Policy

Last updated: May 2026

1. Who We Are

Connecta is an EU-based learning platform for students aged 6-18. We operate under GDPR and process student data solely to:

  • Enable safe peer learning in closed circles
  • Provide AI-assisted learning via Socrat (curriculum-aligned coach)
  • Monitor safety through GoodTalk (BGGPT-powered content moderation)
  • Support school integration with easy class management

2. Data We Collect & Why

Student Data

  • Learning interactions: Chat messages, questions, homework attempts → fed to Socrat (trained on curriculum frameworks, NOT commercial training)
  • Safety signals: Message content analyzed by GoodTalk (BGGPT model) to detect harm, bullying, unsuitable sharing before transmission
  • Basic profile: Age, grade, optional school/class affiliation (for teacher visibility only, never sold)

School Data

  • Class rosters, school codes, teacher accounts for onboarding
  • No storage of attendance, grades, or other school records beyond class membership

3. How We Process Data (GDPR Lawful Basis)

For students: Parental/school consent (Article 8 GDPR for minors under 16, or parental delegation for older teens)

For safety: Legitimate interest in child protection (Article 6(1)(f)), overridden by parental/school duty of care

For learning: Performance of contract (school/parent agreement to use Connecta)

4. Socrat & Curriculum Data

Socrat is trained on curriculum frameworks (not student data). When a student asks a question:

  1. The message is sent to Socrat to generate pedagogical guidance
  2. Socrat's response teaches thinking, not answers (never gives homework solutions directly)
  3. Student interactions do NOT update Socrat's underlying model; they only inform immediate responses
  4. Teachers see Socrat's prompts and student thinking, but never direct access to raw student messages unless they request escalation

5. GoodTalk Safety System (BGGPT Model)

GoodTalk analyzes messages in real-time using a BGGPT-based model to detect:

  • Bullying, harassment, threats
  • Unsuitable image/content sharing
  • Grooming signals or exploitation indicators
  • Self-harm or mental health crises

When risk is detected:

  • Low risk: Student gets a suggestion to rephrase (no punishment)
  • High risk: Alert goes to parent/teacher for intervention
  • Serious risk: Escalation flag for designated safeguarding lead

6. School Integration & Data Control

Schools can onboard easily by:

  • Importing class rosters (encrypted, stored only for roster sync)
  • Designating one teacher per class as safeguarding lead
  • Setting up parent opt-in (email invites for parental consent)

Teachers see only:

  • Which students are in their class
  • Flagged safety alerts (not raw messages)
  • Socrat's pedagogical prompts (to understand the teaching approach)

Teachers can never see unfiltered peer chat or individual student messages except when explicitly escalated by GoodTalk.

7. Data Retention

  • Active student accounts: Messages retained for 1 school year + 30 days after leaving
  • School roster data: Retained only while school is active (deleted upon offboarding)
  • GoodTalk alerts: Retained for 2 years (compliance with duty of care record-keeping)
  • Socrat interaction logs: Anonymized and retained for 90 days to improve response quality

8. Your Rights (GDPR Articles 15-22)

  • Right to access: Request all data we hold about a student
  • Right to deletion: Request account closure (subject to legal retention obligations)
  • Right to portability: Export your learning data in machine-readable format
  • Right to object: Opt out of Socrat recommendations or GoodTalk analysis (disables core features)
  • Right to restrict processing: Limit how we use your data

Contact: [email protected]

9. International Data Transfers

All student data is processed and stored within the EU. Socrat and GoodTalk APIs may be hosted in EU regions only. No transfers to non-EU countries except where explicitly contracted with EU-compliant sub-processors.

10. Data Breaches & Incident Response

In case of unauthorized access:

  • We notify affected students/parents within 72 hours (Article 33 GDPR)
  • Data Protection Authority notified if risk to rights is high
  • Detailed incident report provided upon request

11. Contact & DPA

Data Protection Officer: [email protected]

Supervisory Authority (EU): Your national data protection authority (links available at EDPB)