Privacy Policy
Last updated: March 2026
1. Introduction
exaim Limited ("exaim," "we," "us," or "our") is registered in England and Wales (ICO Registration Number ZB842876) and operates internationally, including Dubai, UAE, holding a valid Technology License in Dubai. exaim is committed to safeguarding the privacy and security of our business-to-business (B2B) clients, educational institutions ("Institutions"), and their administrators, teachers, and students ("End Users").
This Privacy Policy details how exaim collects, processes, shares, transfers, and retains personal data, outlining user rights under the UK General Data Protection Regulation (UK GDPR) and UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection ("UAE PDPL").
2. Scope of Policy
exaim serves as a Data Processor on behalf of educational Institutions, who act as Data Controllers. This policy applies to all data handled by exaim through our platform and related services across jurisdictions in which we operate.
3. Information We Collect
Institutional Data
- Institution name, address, and registration number
- Administrator's name, email, and telephone number
- Billing and payment details
End User Data
- Name, date of birth, and class assignment
- Assessment responses, grades, and analytical insights
4. Purpose and Legal Basis of Data Processing
exaim processes personal data exclusively for the purposes set out below.
| Purpose of Processing | Legal Basis (UK GDPR and UAE PDPL) |
|---|---|
| Automated grading & personalised feedback | Performance of contract (with Institution) |
| Educational performance analytics | Performance of contract |
| Technical support & troubleshooting | Performance of contract |
| Enhancing platform functionality & developing new features | Legitimate interests |
| Compliance with data protection & regulatory obligations | Legal obligation |
5. AI-driven Assessment Transparency
exaim employs Artificial Intelligence (AI) to automate assessment grading, including the grading of open-ended responses. AI analyses End User responses solely to generate grades, personalised feedback, and insights. Human oversight is always available: teachers can review, verify, and modify AI-generated outcomes. Automated assessments never determine academic outcomes on their own without institutional review.
6. Special Categories & Children's Data
exaim does not collect or process special categories of personal data (e.g., special educational needs or health information).
Children's Data
exaim services involve processing data of students under 18 years of age. Institutions (Data Controllers) confirm responsibility for obtaining lawful consent or ensuring alternative lawful bases (such as educational obligations or parental authorisation), complying with UK GDPR Article 8 and UAE PDPL.
7. Data Sharing & International Transfers
exaim does not sell or rent personal data. Data sharing occurs solely:
- With subprocessors compliant with GDPR and UAE PDPL for essential services (hosting, analytics, support)
- Upon explicit direction by Institutions (e.g., reporting to parents or authorities)
- To comply with legal obligations or official regulatory requests
Google Cloud Platform (GCP)
exaim maintains a formal Data Processing Agreement (DPA) with Google for Google Cloud Platform (GCP) that incorporates appropriate safeguards, including Standard Contractual Clauses, in line with GDPR and UAE PDPL requirements.
International Data Transfers
exaim stores personal data on Google Cloud Platform, with data primarily hosted in the UK and/or EU. If data transfers occur outside these regions, we rely on Standard Contractual Clauses (SCCs) and other appropriate safeguards.
Subprocessor Updates
Institutions will receive email notifications at least 30 days in advance of any changes to subprocessors. An updated subprocessor list can be requested at any time.
8. Data Retention Policy
Data is retained only as long as necessary for:
- Contractual obligations with Institutions
- Compliance with legal obligations or dispute resolution
After contract termination, personal data is securely deleted or returned to the Institution within 60 days, in line with GDPR and UAE PDPL requirements.
9. Data Security & Breach Notification
exaim implements robust technical and organisational measures to protect personal data, including:
Encryption
- Data encrypted at rest using industry-standard AES-256 encryption.
- Data encrypted in transit using Transport Layer Security (TLS) protocols.
Access Controls and Authentication
- Strict role-based access controls (RBAC) ensure users hold only the privileges their role requires (least privilege).
- Secure login mechanisms, including mandatory multi-factor authentication (MFA) for administrative accounts.
Infrastructure Security
- All data storage and processing hosted exclusively on Google Cloud Platform (GCP).
- SOC 2 Type 2 and ISO 27001 certified infrastructure.
- Compliance with GDPR and UAE PDPL data protection standards.
- Regular independent audits and third-party certifications.
System Monitoring & Breach Response
- Continuous security monitoring and logging to detect unusual activities.
- Institutions notified within 72 hours of exaim becoming aware of a personal data breach, enabling Institutions to meet their own notification obligations under UK GDPR (Article 33) and UAE PDPL.
10. Responsibilities of Institutions (Data Controllers)
Institutions agree to:
- Ensure lawful collection, processing, and sharing of personal data, including lawful consent for children's data.
- Inform End Users, parents, or guardians of processing practices.
- Comply fully with applicable local and international data protection laws.
11. User Rights under GDPR & UAE PDPL
Users have the right to:
- Access their personal data.
- Correct inaccurate or incomplete personal data.
- Request deletion of personal data when no longer necessary or processed unlawfully.
- Limit or object to specific types of data processing.
- Request portability of their personal data in a structured, machine-readable format.
Exercising Your Rights
End Users should direct their requests to the relevant Institution (Data Controller). exaim, as a Data Processor, will assist Institutions promptly, transparently, and in accordance with applicable data protection laws.
Right to Lodge Complaints
Users also have the right to lodge a complaint with the relevant supervisory authority, such as the UK Information Commissioner's Office (ICO).
12. Jurisdiction and Governing Law
For UK-based or international Institutions, this Privacy Policy is governed exclusively by the laws of England and Wales, with disputes subject to English courts.
For UAE-based Institutions, this Privacy Policy is governed exclusively by the laws of Dubai and the UAE, with disputes subject exclusively to Dubai Courts.
13. Dedicated Privacy Contact
For privacy-related inquiries, complaints, or to exercise your data protection rights under the UK GDPR or UAE PDPL, please contact our designated Data Protection Officer (DPO):
Data Protection Officer
exaim Limited
2 Crossways Business Centre
Bicester Road, Kingswood
Aylesbury, HP18 0RA
United Kingdom
privacy@exaim.ai
14. Policy Updates
We regularly review and update this policy. Institutions will be notified via email at least 30 days in advance of significant changes. By using exaim services, Institutions acknowledge and accept this Privacy Policy and our commitment to robust privacy and data protection standards across jurisdictions.