Privacy Policy

TILF LTD (company number 15804474), registered at 71–75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom (“TILF”, “we”, “us”, “our”) is committed to protecting personal data. This Privacy Policy explains how we collect, use, store and protect personal data when you use our Services. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable UK data protection laws. If you have questions, contact: accounts@tilf.io

1. Our Role: Controller and Processor Depending on how you use the Services, TILF acts either as a Data Controller or a Data Processor. 1.1 When We Act as Data Processor (Educational Institutions) Where an Educational Institution (e.g. school, academy, trust) provides student or teacher data to us in connection with the Services: The Educational Institution is the Data Controller. TILF acts as Data Processor. In this context: We process personal data only on the documented instructions of the Educational Institution. We do not determine the purposes of processing. We do not use identifiable School Personal Data for marketing. We do not fine-tune AI models using identifiable School Personal Data. Requests regarding School Personal Data should be directed to the relevant Educational Institution. 1.2 When We Act as Data Controller TILF acts as Data Controller when: Individuals create accounts directly (students or teachers not contracting via a school). Users interact with our website. We manage billing, support, and account administration. Users voluntarily publish content publicly. We send marketing communications (where permitted). In these cases, this Privacy Policy governs our processing.
2. Personal Data We Collect Depending on usage, we may collect: Account Information Name Email address Login credentials Educational Content Essay text Feedback history AI interaction logs Technical Data IP address Browser type Device information Usage logs Payment Data Payment processing is handled by third-party payment providers. We do not store full payment card details. Publicly Published Content If a user chooses to publish content publicly, that content becomes visible to other users. Users control whether content is published and may remove it at any time.
3. How We Use Personal Data 3.1 Where We Act as Processor We process School Personal Data solely to: Provide AI-assisted marking and feedback; Maintain accounts; Provide support; Ensure platform security; Comply with legal obligations. We do not use identifiable School Personal Data for advertising or unrelated commercial purposes. 3.2 Where We Act as Controller We may process personal data to: Provide and manage accounts; Deliver AI-powered educational services; Communicate service updates; Provide customer support; Process payments; Improve and analyse the Services; Send marketing communications (where permitted); Comply with legal obligations.
4. AI Processing Transparency TILF uses artificial intelligence technologies to generate marking and feedback. Important points: AI outputs are advisory and assistive only. Teachers and users remain responsible for reviewing outputs. Identifiable School Personal Data is not used to fine-tune AI models. We may use aggregated or anonymised data for product improvement, provided it does not identify any individual or Educational Institution.
5. Lawful Bases (Where We Act as Controller) Under UK GDPR, we rely on: Contract – where processing is necessary to provide the Services. Legitimate Interests – for service improvement, analytics, and security. Consent – where required (e.g. certain marketing communications). Legal Obligation – where required by law.
6. Marketing Communications We may send: Service-related communications (non-marketing); Product updates; Promotional emails (where permitted). You may opt out of marketing communications at any time via the unsubscribe link or by contacting us. Service-related communications (e.g. security updates) cannot be opted out of while you maintain an active account. We comply with the Privacy and Electronic Communications Regulations 2003 (PECR).
7. Data Sharing and Sub-processors We use third-party service providers to support delivery of the Services, including: Cloud hosting providers; AI model providers; Authentication providers; Payment processors; Analytics and monitoring providers. Where we act as processor, these providers act as sub-processors and are subject to appropriate contractual safeguards. We do not sell personal data.
8. International Transfers Some service providers may process data outside the UK. Where international transfers occur, we ensure appropriate safeguards are implemented, such as: UK International Data Transfer Agreement (IDTA); Standard Contractual Clauses; Adequacy decisions.
9. Data Retention 9.1 Educational Institutions Upon termination of Services: School Personal Data is deleted or returned within 30 days. Backup systems are cleared within 90 days. 9.2 Direct Users We retain personal data while accounts remain active. Upon verified deletion request: Data is deleted within 30 days. Backups are cleared within 90 days. Publicly published content remains visible until removed by the user.
10. Security We implement appropriate technical and organisational measures to protect personal data from unauthorised access, loss, or misuse. However, no system is completely secure.
11. Your Rights Where TILF acts as Controller, you may have rights to: Access your data; Rectify inaccurate data; Request erasure; Restrict processing; Object to processing; Data portability; Withdraw consent (where applicable). To exercise rights, contact: accounts@tilf.io If unsatisfied, you may complain to the UK’s supervisory authority: Information Commissioner's Office
12. Children’s Data Where Services are provided via Educational Institutions, schools are responsible for obtaining any required parental permissions. Where students create direct accounts, we expect users to comply with applicable age requirements and parental consent obligations.