Data Protection Impact Assessment

Version 1.0 · Last updated: 19 April 2026

Draft

This document has not yet been reviewed by legal counsel.

We’re publishing the draft publicly so parents can see how we think about data protection, and so counsel has a concrete document to review and comment on. Content below may change — sometimes materially — as counsel feedback is applied. Do not treat this document as a final legal opinion or as sign-off on our processing.

The authoritative internal source is at docs/17-DPIA-UPDATE-DRAFT.md. Questions: privacy@evx.logicmesh.dev.

1. What this document is and is not

This is: a structured technical-side input to a DPIA refresh, covering three processing activities added to EverywhereX between 2026-04-15 and 2026-04-19.

This is not: the final DPIA, a legal opinion, or a sign-off on processing. Counsel should formalise this into the DPIA register entry, accept or modify the lawful-basis assumptions, sign off on the third-party processor list, and confirm the retention model is compliant.

2. Context

EverywhereX is an AI learning platform for UK children aged 8-11 with Special Educational Needs and Disabilities (SEND). The platform is parent-first — parents create accounts, complete a SEND intake questionnaire about their child, and supervise their child’s use. All data subjects are minors.

Three new processing activities are in scope of this DPIA refresh:

  • Microsoft Azure Immersive Reader integration (text-to-speech, picture dictionary, line focus)
  • EHCP-shaped SEND Profile generation (AI-assisted parent-led report)
  • Streaming voice tutor (OpenAI Realtime API, real-time bi-directional voice conversation)

3. Activity — Microsoft Azure Immersive Reader

Description

When a parent or child clicks “Immersive Reader” on a lesson page, the lesson text is sent to Microsoft Azure’s Immersive Reader service for accessibility-enhanced display.

Data sent

Lesson title and content, language tag (en-GB), ephemeral OAuth2 token. No personally identifiable information, no child identifier, no SEND data.

Lawful basis (proposed)

Article 6(1)(b) — necessary for performance of contract. Article 9 not triggered (no special category data sent).

Risk

Low. Microsoft Cognitive Services DPA in place via existing Azure subscription; data minimisation complete; vendor is GDPR-compliant; region EU.

4. Activity — EHCP-shaped SEND Profile generation

Description

A parent can request an AI-generated SEND Profile for their child — a document mirroring the structure of the statutory EHCP (Sections A, B, E, F). Generated on-demand by sending the child’s intake responses, AI persona, and platform activity summary to OpenAI’s GPT-4o-mini.

Data sent to OpenAI

Child’s first name (no surname), year group, SEND types as disclosed at intake, learning preferences, interests, goals, AI persona summary, activity summary. A structured prompt directing the model to produce EHCP-shaped sections.

Data NOT sent

Surname, date of birth, address, contact details, school name, health records, audio, images, biometric data.

Disclaimers surfaced to the parent

Every SEND Profile includes a prominent banner: “This is NOT an EHCP.” Sections C (Health) and D (Social Care) are explicitly not generated — instead, prompts for the parent’s GP and social worker are provided. Sections G-K (LA/NHS-owned) are placeholders only.

Lawful basis (proposed)

Article 6(1)(b) — necessary for performance of contract. Article 9(2)(a) — explicit parental consent for SEND data (special category).

Risk

Medium-low. Cross-border transfer to US under UK SCCs. Mitigations: data minimisation (no surname/DOB/address); explicit parental consent at intake; generated output not stored server-side; audit log of every generation.

5. Activity — Streaming voice tutor (OpenAI Realtime)

Description

A child or parent can initiate a real-time voice conversation with the AI tutor. Audio flows browser ↔ OpenAI via WebRTC. Sessions capped at 30 minutes and 5 sessions per day per child.

Data sent to OpenAI

Persona-tuned system prompt, live microphone audio, signalling. No surname, address, contact details, or school name.

Data stored by EverywhereX

Shipped v0.1: audit log entries only (timestamp, parent ID, child ID, model, voice, session length cap). Audio and transcripts are NOT stored by default. Phase 2.4 (planned, opt-in): transcript storage with explicit per-parent opt-in toggle. Audio recording deferred until this DPIA is signed off and iOS Safari MediaRecorder reliability has been validated.

Cost guardrails (for good-faith design signal)

5 sessions per day per student (server-enforced). 30-minute hard cap per session (server + client enforced). Default model gpt-4o-mini-realtime-preview (cost-optimised).

Lawful basis (proposed)

Article 6(1)(b) — necessary for performance of contract. Article 6(1)(a) — explicit parental consent for voice specifically. Article 9(2)(a) — explicit parental consent for SEND-related data in the system prompt.

Safeguarding

The AI tutor system prompt instructs the model to pause the session and refer the child to a trusted adult if the child mentions self-harm, abuse, distress, or intent to hurt themselves or others. Full safeguarding policy at /safeguarding.

Risk register (top items)

  • Safeguarding-relevant content during a session — high severity, medium likelihood. Mitigated by system-prompt safeguarding instruction, visible transcript, and audit log.
  • Voice misused to extract personal info — medium severity, low likelihood. Mitigated by system-prompt refusal, OpenAI content moderation.
  • Audio picks up household conversation — low-medium severity, high likelihood. Mitigated by session caps, visible transcript, opt-in audio retention (default off).
  • Cross-border transfer of children’s voice — medium severity, high likelihood. Mitigated by UK SCCs via OpenAI, data minimisation, audit log.

6. Sub-processor list (post-changes)

No new sub-processors added in the recent changes. Full list on the Privacy Policy.

7. Children’s Code self-assessment

Condensed view of how each of the 15 ICO Age Appropriate Design Code standards is addressed across the three new activities (full detail in the internal document):

  • Standard 1 (Best interests of the child): each feature designed for educational benefit; voice has session caps to prevent over-use
  • Standard 2 (DPIA): this document
  • Standard 3 (Age-appropriate application): KS2-tuned tutoring; safeguarding triggers in system prompt
  • Standard 4 (Transparency): disclaimers in SEND Profile, clear UI labels, new child-facing privacy summary
  • Standard 5 (Detrimental use): data minimisation across all activities
  • Standard 6 (Policies): existing privacy policy now reflects new processing
  • Standard 7 (Default settings): voice mode opt-in per session; audio retention opt-in; no third-party cookies
  • Standard 8 (Data minimisation): no surname/DOB/address sent to OpenAI for any activity
  • Standard 9 (Data sharing): sub-processor list disclosed; no new third parties
  • Standard 10 (Geolocation): not used
  • Standard 11 (Parental controls): parent dashboard exists; per-feature kill switch not yet built — counsel to advise if required
  • Standard 12 (Profiling): no automated decision-making with significant effect; persona is parent-reviewable
  • Standard 13 (Nudge techniques): no streaks, leaderboards, or engagement nudges
  • Standard 14 (Connected toys): not applicable
  • Standard 15 (Online tools — parental rights): data export + deletion already implemented

8. Counsel review checklist (TBC)

The following are queued for counsel to review and confirm. Until the checklist is complete, treat this document as draft only.

  • Confirm Microsoft Azure DPA covers Cognitive Services
  • Confirm OpenAI DPA + UK addendum + SCCs cover the Realtime API
  • Refresh Record of Processing Activities (RoPA): Immersive Reader, SEND Profile generation, voice tutor
  • Refresh DPIA register
  • Sign off on suggested consent text update
  • Advise on whether per-feature parental kill switch is required (Children’s Code Standard 11)
  • Advise on safeguarding response wording in the voice tutor system prompt (KCSIE 2025 alignment)
  • Confirm 30-day OpenAI retention is acceptable
  • Confirm cross-border transfer mechanism under SCCs is appropriate post-Schrems II
  • Sign off on Phase 2.4 (transcript / audio persistence) BEFORE that feature ships to real families

9. Document control

  • Author (technical): mbangoura with AI drafting assistance
  • Review: Pending — UK data-protection counsel
  • Distribution: Public (DRAFT only) + internal
  • Review cadence after sign-off: Annual + before each new processing activity
  • Related documents: /privacy, /terms, /safeguarding

Questions or feedback?

If you’re a parent, a data subject, a school DSL, or a DPO reviewing this document on behalf of a school, email privacy@evx.logicmesh.dev. We read every message and respond within one working day.