Skip to main content

Legal

Privacy Policy

Last updated: 1 May 2026

This Privacy Policy explains how Vicerta Corporation Limited (“we”, “us”, “our”) collects, uses and protects your personal data when you use Pencil (the “Service”), our AI teaching assistant platform.

1. Who we are

Vicerta Corporation Limited (company no. 15954721) is the data controller for personal data processed through Pencil. Our registered address is:

Vicerta Corporation Limited
Company no. 15954721
Petersham Drive
St Paul’s Cray
BR5 2QF
United Kingdom

For privacy enquiries, contact us at privacy@vicerta.com.

2. What data we collect

We collect the following categories of personal data:

  • Account data: name, email address, school name, year group, subject and curriculum.
  • Usage data: tools used, prompts entered, outputs generated and timestamps.
  • Billing data: payment information processed securely by Stripe (we do not store card details).
  • Technical data: IP address, browser type, device information and cookies.
  • Communications: emails you send to us and our responses.

3. How we use your data

We use your personal data to:

  • Provide and operate the Service.
  • Generate AI outputs based on your prompts.
  • Process payments and manage subscriptions.
  • Send service communications (account, billing, security).
  • Send marketing communications where you have opted in.
  • Improve the Service and develop new features.
  • Comply with legal obligations.

4. Legal bases for processing

Under UK GDPR, we rely on the following legal bases:

  • Contract: to provide the Service you have signed up for.
  • Legitimate interests: to improve the Service, prevent fraud and secure our platform.
  • Consent: for marketing communications and non-essential cookies.
  • Legal obligation: to comply with applicable law.

5. AI processing and your prompts

When you use Pencil’s AI tools, your prompts are processed by third-party AI providers (Anthropic) to generate outputs. We do not use your prompts or outputs to train any AI models. Your data is not shared with any third party for advertising or model training purposes.

6. Sub-processors

We use the following sub-processors:

  • Supabase (database and authentication, EU region)
  • Vercel (hosting)
  • Stripe (payment processing)
  • Anthropic (AI model provider)
  • Resend (transactional email)
  • PostHog (product analytics)
  • Microsoft Clarity (session replay, with consent)

7. International transfers

Some sub-processors are based outside the UK. Where this is the case, we rely on UK-approved transfer mechanisms (Standard Contractual Clauses, UK addendum or adequacy decisions) to protect your data.

8. Data retention

We retain your account data for as long as your account is active. Generated outputs are retained until you delete them or close your account. After account closure, we delete personal data within 30 days, except where we are legally required to retain it (for example, billing records for tax purposes).

9. Your rights

Under UK GDPR, you have the right to:

  • Access your personal data.
  • Correct inaccurate data.
  • Request deletion of your data.
  • Restrict or object to processing.
  • Data portability.
  • Withdraw consent at any time.
  • Lodge a complaint with the Information Commissioner’s Office (ico.org.uk).

To exercise any of these rights, email us at privacy@vicerta.com.

10. Cookies

We use cookies and similar technologies. See our Cookie Policy for details.

11. Security

We use industry-standard security measures including TLS encryption in transit, encryption at rest, Row-Level Security on our database, and access controls. No system is perfectly secure, but we take security seriously.

12. Children

Pencil is intended for use by teachers and education professionals aged 18 and over. We do not knowingly collect personal data from children. Where teachers use the Service to generate content involving student information, the school remains the data controller for that information.

13. Schools and Data Processing Agreements

Schools using Pencil under a School Plan are provided with a Data Processing Agreement (DPA) under which Vicerta Corporation Limited acts as data processor. Contact schools@vicerta.com to request a DPA.

14. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. The “Last updated” date at the top of this page indicates when the policy was most recently revised.

15. Contact us

For privacy questions, data subject requests or any other privacy-related enquiries: