Privacy Policy

Ark HQ Limited (registered in Ireland, CRO 642391; registered office [—]) is the data controller for this website and our marketing. Our data-protection contact is [—] (privacy@thearkhq.com).

For the personal data inside our products, the school is the controller and Ark HQ acts as a processor on the school’s documented instructions, under a Data Processing Agreement.

This notice covers personal data Ark HQ controls — website visitors, enquiries, prospective and current clients. Where we process staff or student data inside SafeSchool, Ark Academy, Giraft or AskArk, the school’s own privacy notice and our DPA govern that processing.

As controller (website & marketing):

• Contact-form and enquiry details — name, email, school, message.
• Meeting bookings made through the HubSpot scheduler.
• Aggregate, cookieless website analytics.

As processor (inside the products): the staff and student personal data a school chooses to process — which may include special-category data (Article 9) and children’s data.

For our controller processing we rely on legitimate interests (running and marketing a B2B service), contract, and consent (cookies and marketing email). For special-category or children’s data we rely on the relevant Article 9 condition and the safeguards below. For processor activities we act only on the school’s instructions under the DPA. [Confirm bases per processing activity — solicitor/DPO.]

We treat student data as sensitive personal data and follow the Data Protection Commission’s Fundamentals for a Child-Oriented Approach to Data Processing. The school decides what is processed and remains the controller; we minimise what we hold, isolate each school’s data, host it in the EU, and — in AskArk — tokenise identifiers before any AI processing. School data is never used to train a public model.

We do not sell personal data. We use a small set of sub-processors to deliver the service — EU hosting [—], our AI model provider [—], Resend (transactional email) and HubSpot (scheduling and CRM). The current list is on our Trust & Compliance page and available on request.

[Maintain the definitive sub-processor list before launch.]

Personal data is hosted within the European Union. Where any transfer outside the EEA is unavoidable, it is protected by an adequacy decision or Standard Contractual Clauses. [Confirm against the final sub-processor list.]

We keep personal data only as long as needed for the purpose it was collected, or as required by law. Data processed on a school’s behalf is retained per the DPA and the school’s instructions, and returned or deleted on request.

[Set the retention schedule — including a rule for raw meeting transcripts — DPO.]

You have the right to access, rectify, erase, restrict, port and object to the processing of your personal data, and to withdraw consent. Contact us at privacy@thearkhq.com. Where we process data on a school’s behalf, we route requests through the school as controller.

How we use cookies and similar technologies is set out in our Cookie Policy.

You can complain to the Data Protection Commission in Ireland (dataprotection.ie). UK data subjects may complain to the Information Commissioner’s Office (ico.org.uk). We would ask that you raise it with us first so we can put it right.

We may update this notice; the date above shows when it was last reviewed. For any privacy question, contact privacy@thearkhq.com.