Your conversations are private

Zebrafish is built on a simple principle: you learn best when you feel safe to experiment, make mistakes, and ask honest questions. That means your AI tutoring sessions belong to you.

What your employer sees

Your employer sees your progress through the programme: which lessons you've completed, your current tier (AI Practitioner, AI Professional, or AI Fluent), and your aggregate capability scores. This is the information they need to track the return on their investment and report on workforce AI readiness.

What your employer never sees

Your employer never sees your session transcripts — the actual conversations you have with your AI tutor. They don't see the prompts you wrote, the questions you asked, the mistakes you made, or the topics you explored. Your conversations are between you and your AI tool.

What Zebrafish stores

When you complete a session and email your summary, we store structured fields from that summary: the skill you practised, the reusable prompt you built, your reflection, and your assessor scores. We use this to personalise your future sessions, track your progress, and improve the programme. We do not store full session transcripts.

Where your conversations live

Your AI tutoring sessions take place inside your own AI tool — Claude, ChatGPT, Copilot, or Gemini. The conversation exists in that tool's environment, subject to that provider's privacy policy. Zebrafish does not have access to the conversation itself, only to the summary you choose to send us at the end of each session.

Our commitment

We will never share individual learner data with your employer beyond completion status and aggregate scores. If this policy changes, we will notify you in advance and give you the choice to opt out. If you have questions about how your data is used, contact us at davidl@zebrafish.ac.


The formal bit — UK GDPR notice

The section above is the plain-English story. What follows is the legal schedule required by Article 13 of the UK General Data Protection Regulation.

Who we are

Zebrafish is a trading name of Educational Futures Limited, a company registered in England and Wales with company number 16451512, whose registered office is at Salisbury House, 2–3 Salisbury Villas, Cambridge CB1 2LA. Educational Futures Limited is the “data controller” for your personal data, which means we are responsible for deciding how it is used and for protecting it.

You can contact us about anything in this notice by emailing davidl@zebrafish.ac.

What personal data we collect about you

When your employer enrols you on the Sparks programme, or when you sign up directly through zebrafish.ac, we collect and hold:

  • Account data — your email address, your name, your job role (optional), the name of your employer, and your chosen AI platform.
  • Onboarding answers — your replies to the welcome email (your goals, your current AI usage, and anything else you chose to share), used to personalise your lessons.
  • Session and submission data — for each lesson, the delivery state, the full text of the summary you email back, a structured extraction of that summary (skill practised, reusable prompt, reflection, commitment, scores), your ratings, and a crib sheet generated from your submission.
  • Credential data — if you complete the programme, your name, the tier you attained, the issue date, and your aggregate benchmark scores.
  • Email audit log — a record of every email we send to you and every reply you send us, kept for delivery audit and debugging.

We do not collect full transcripts of your AI tutoring conversations, analytics cookies, marketing trackers, browser fingerprints, or payment card data.

Why we use your personal data (lawful basis)

We process your personal data on two legal bases under Article 6 of the UK GDPR:

  • Performance of a contract — if your employer has enrolled you, we process your data to deliver the programme they have contracted us to deliver. If you have signed up directly, we process your data to deliver the programme to you.
  • Legitimate interests — for operational activities such as running a reliable email service, debugging delivery problems, and improving the curriculum using aggregate ratings and benchmark data.

We do not rely on consent to process your data for the Sparks programme itself, because in an employer-funded learning context consent is rarely freely given. This does not reduce your rights.

Who we share your data with

We share your personal data only with the following parties:

  • Supabase — our database, authentication, and file storage provider. Holds all the data listed above.
  • Vercel — our application hosting provider. Processes data in memory during each request but does not persist programme data.
  • Postmark (operated by ActiveCampaign) — our email delivery and inbound email provider. Holds copies of emails in transit.
  • Anthropic — the provider of the Claude AI model we use to parse your submissions, generate scores, and draft your reward emails and crib sheets. Receives the free text of your submissions and onboarding answers but not your email address, name, or employer identity. Anthropic's commercial API terms state that customer data is not used to train their models.

Each of these sub-processors is bound by a data processing agreement requiring them to protect your data and to process it only on our instructions.

Your employer receives aggregate progress and impact reports covering your completion status, your current tier, and your aggregate capability scores. Your employer never receives your session transcripts, your raw submissions, your reflections, or the structured fields extracted from your submissions.

The public can see some of your data, but only in one specific way: if you earn a graduation credential, a verification page shows your name, the tier you attained, the issue date, and your aggregate benchmark scores. You can ask us to suppress your name on this page at any time, in which case it will show “Credential holder (suppressed)” instead, but the credential itself will remain verifiable.

We do not sell your personal data, do not share it with advertisers, and do not share it with any party not listed above except where required by law.

International transfers

Some of our sub-processors are based outside the UK. Where your personal data is transferred outside the UK, we rely on the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, combined with each provider's own security and contractual safeguards, to ensure your data receives protection equivalent to UK law.

How long we keep your data

  • Account, submissions, scores, and crib sheets — for the duration of your employer's contract with us plus 12 months, or for as long as your account is active plus 12 months if you signed up directly. You can request earlier deletion at any time.
  • Graduation credentials — indefinitely, so that employers can continue to verify them. If you exercise your right to erasure, the credential is retained but your name is replaced with “Credential holder (suppressed)”.
  • Email audit log — 12 months from the date of each email.
  • Organisation and billing records — seven years after the end of your employer's contract, to meet UK tax and financial record-keeping requirements.
  • Backups — held for up to 30 days on a rolling basis. When you exercise your right to erasure, we remove your data from live systems immediately; it is then cleared from backup cycles within 30 days.

Your rights

Under the UK GDPR you have the following rights:

  • Access — ask us for a copy of all the personal data we hold about you.
  • Rectification — ask us to correct anything that is wrong.
  • Erasure — ask us to delete your account and all your submissions, scores, and crib sheets.
  • Restriction — ask us to pause processing of your data in specific circumstances.
  • Portability — ask us for a copy of your data in a structured, machine-readable format (we provide JSON).
  • Objection — object to processing we carry out on the basis of legitimate interests.

To exercise any of these rights, email davidl@zebrafish.ac. We will respond within one month.

You also have the right to complain to the UK Information Commissioner's Office if you believe we have mishandled your personal data. You can contact the ICO at ico.org.uk or on 0303 123 1113. We would prefer you to contact us first so that we can try to put things right.

Security

We protect your personal data using TLS for traffic in transit, encryption at rest in Supabase and Postmark, Supabase Row Level Security policies on all database tables, passwordless magic-link authentication (we do not store your password), multi-factor authentication on all vendor dashboards, and an audit log of every email sent and received.

Changes to this notice

We may update this notice from time to time as the product evolves or as our sub-processors change. When we make a material change, we will notify you by email before the change takes effect and give you the opportunity to exercise your rights.

Last updated: 11 April 2026.