Everything schools, trusts and DPOs need to see how Skye handles pupil data, and to complete procurement due diligence. Key facts are summarised on this page. Full documents are available to download for audit.
Many edtech suppliers carry out simple tasks under a school’s instructions. That makes them data processors. Skye works differently. When tutoring, Skye exercises independent pedagogical judgement: how to respond to each pupil, what to teach (guided by the class teacher), and how to adapt. Third Space Learning (TSL) also holds its own statutory safeguarding duties. These require us to act independently to protect pupils.
What this means for your school. You share pupil data with TSL as a third-party data controller. TSL takes full legal responsibility for the data protection standards within every session. You do not need a Data Processing Agreement. This page, together with our published privacy policy, provides the transparency required under UK GDPR Article 13 and 14. Your school remains controller of the decision to use Skye and of which pupils take part.
The ICO’s guidance confirms that where an organisation exercises professional judgement and holds independent statutory obligations, it cannot act as a processor. TSL’s safeguarding duties under Keeping Children Safe in Education and the DfE Generative AI Product Safety Standards make this particularly clear.
Skye is an AI tutor that delivers one-to-one maths sessions by voice. During a session, the pupil speaks and Skye responds in real time. Voice is transcribed in the moment so Skye can understand and reply. Those transcriptions are functional only. They are not stored by the AI model used.
What Skye decides on its own. The pacing, language and explanations used within a session, based on the pupil’s responses. The range of responses Skye can use is created and designed by our learning insights team of qualified maths specialist teachers.
What Skye does not decide. Which pupils receive sessions, which curriculum topics are covered, or any assessment or attainment judgements that affect a pupil’s academic record. These all stay with school leadership and teachers.
Skye does not profile pupils, does not make decisions with legal or significant effect, and does not use pupil data to train future AI models. Session data is used only to deliver and improve the tutoring service.
We collect only what is needed to deliver the service. School staff enter pupil details using fixed fields, so there is no risk of unnecessary data being captured through free-text inputs.
Data collected. First name, surname or surname initial, school, working-at maths level, platform pupil ID, lesson voice or audio, session transcript, progress and attainment data, and limited technical log data (IP address, device and browser).
Data not collected. Special category data (ethnicity, religion, health, SEN status), gender, date of birth, or any data beyond what is needed for maths tutoring.
Voice is captured as a communication channel so Skye can respond in real time, because tutoring is a live service. It is not used for identity verification or voiceprint analysis, and is not treated as biometric special category data under UK GDPR Article 9. By not collecting this data, we also reduce the risk of bias in AI models.
Access to pupil data is strictly tiered. Not all data is accessible to all users.
School accounts (teachers and administrators). Can view pupil profile data, progress reports and session summaries. Cannot access lesson recordings or transcripts, unless requested and shared by the TSL team.
Lesson recordings and transcripts. Accessible only to a small number of privileged TSL staff for safeguarding review and quality assurance. Not accessible through any school-facing account.
Pupil accounts. Access to the tutoring session and relevant curriculum only. No access to stored data, or to other pupils’ or teachers’ data.
This tiered access means a compromised school account cannot expose the most sensitive session content. It heavily protects pupil data, and ensures the most sensitive session data could only be breached, in theory, through TSL and not through the school.
TSL has independent statutory safeguarding duties under Keeping Children Safe in Education and the DfE Generative AI Product Safety Standards. So if a child makes a disclosure during a Skye session, TSL is both required and legally permitted to act independently of school instruction.
What happens if a child discloses something during a session. TSL’s safeguarding team reviews the session recording, which is accessible only to designated, safeguarding-trained staff. TSL contacts the school’s designated safeguarding lead directly. Where there is an immediate risk to a child, TSL may escalate to the relevant authorities independently. TSL notifies the school of any action taken.
This is one of the reasons TSL operates as an independent data controller, rather than a processor. A processor cannot take autonomous safeguarding action. TSL must be able to, and speed of action matters when safeguarding children.
We retain data only as long as needed for service delivery, safeguarding and query handling. Schools can delete pupil data, or request deletion of recordings, at any time.
TSL holds Cyber Essentials certification. This is the UK government-backed standard covering the five most important technical controls against common cyber attacks: boundary firewalls, secure configuration, access control, malware protection and patch management.
Cyber Essentials. Certified by IASME. Valid to December 2026. Certificate available to download below.
Penetration testing. We have committed to carrying out an independent penetration test every year. This test is currently being undertaken and when it is completed, we will share the scope and outcomes.
Breach notification. If a security incident affects school data, TSL notifies affected schools within 72 hours of becoming aware. TSL handles ICO notification for processing within our own controller remit.
We have prepared a full due diligence pack to make the DPIA process as straightforward as possible for your school or MAT. The pack includes a pre-completed template DPIA that your DPO can review, adapt and sign off without starting from scratch.
What’s included
If your DPO has questions these documents do not answer, our contact details are in the section below.
Page last reviewed June 2026. Contact hello@thirdspacelearning.com with any questions not answered here.