Internal compliance document — not for public distribution
Data Protection Impact Assessment (DPIA)
Organisation: AI Mastery
Data Controller: AI Mastery — Sole Trader
Date completed: May 2026
Review date: May 2027 (annual)
DPO: Richard [Surname] — Founder
ICO Registration: [ICO Registration Number — to be added]

01 Purpose and overview

This Data Protection Impact Assessment (DPIA) has been completed in accordance with UK GDPR Article 35 and the ICO's guidance on DPIAs. It is required because AI Mastery processes personal data of children, which the ICO considers likely to result in high risk to the rights and freedoms of data subjects.

Processing activity being assessed: The collection, storage, and use of personal data of children aged 11–16 (and their parents) in connection with the AI Mastery online educational platform at aimastery.london.

Why a DPIA is required: The ICO's guidance states that a DPIA is required when processing is "likely to result in a high risk", including where the processing involves children's data in the context of an online service offered directly to children. AI Mastery meets this criterion.

02 Description of processing

Nature of processing: Collection and storage of account data, learning progress data, and feedback data from registered users. Processing of parental consent for users under 13. Generation of weekly progress reports for parents.

Scope: UK-based teenagers aged 11–16 and their parents or guardians. Expected user base: initially 5–15 beta testers, scaling to hundreds of subscribers post-launch.

Context: Online subscription educational platform. Users access content via web browser. No mobile app. No social features, no user-to-user communication, no public profiles.

Purpose: To provide AI literacy education to teenagers. To track learning progress and report it to parents. To improve the platform curriculum based on anonymised feedback.

Data categories processed:

  • Name / preferred name (not required to be legal name)
  • Email address
  • Age / date of birth
  • Pronouns (optional, not required)
  • Learning progress data (modules, XP, badges, quiz scores)
  • Written feedback responses
  • Anonymised technical/analytics data
  • Parent email address (for under-13 accounts)

Special category data: None. Pronouns are collected optionally and are not processed as special category data under UK GDPR.

03 Necessity and proportionality

Is the processing necessary? Yes. Each data type collected serves a specific, documented purpose:

  • Email address — required for account creation, login, and parent communications
  • Preferred name — required for personalised platform experience
  • Age — required to determine parental consent requirements (under/over 13)
  • Progress data — required to save learning progress between sessions and power parent dashboard
  • Feedback data — required for curriculum improvement; directly requested by users
  • Anonymised analytics — required to understand platform usage and fix technical issues

Could the purpose be achieved with less data? We have reviewed each data point and confirmed that none could be removed without materially impacting the platform's function. We do not collect date of birth beyond what is needed to confirm age bracket. We do not collect home address, phone number, school name, photographs, or any other data beyond the list above.

Data minimisation: In accordance with UK GDPR Article 5(1)(c), we collect the minimum data necessary. Pronoun and preferred name fields are optional. No data is collected for marketing profiling purposes.

04 Risk identification and assessment

The following risks have been identified and assessed. Risk level is assessed as the product of likelihood and severity, both before mitigating measures (inherent risk) and after them (residual risk).

| Risk | Description | Inherent risk | Mitigation | Residual risk |
|---|---|---|---|---|
| Unauthorised access to children's data | A third party gains unauthorised access to the database containing children's personal data | HIGH | HTTPS encryption, Supabase SOC 2 compliance, Row Level Security, access controls, no public API exposure | LOW |
| Under-13 accessing platform without parental consent | A child under 13 creates an account without parental authorisation, resulting in unlawful data processing | HIGH | Age gate at signup, mandatory parent email for under-13s, account inactive until parent confirms via email | LOW |
| Data breach notification failure | A data breach occurs and we fail to notify the ICO within 72 hours as required | MEDIUM | Documented breach response procedure, Supabase breach alerting, direct ICO notification protocol in place | LOW |
| Third-party provider data misuse | A third-party service provider (Supabase, Clerk, Netlify, Payhip) misuses or loses children's data | MEDIUM | All providers selected for GDPR/UK GDPR compliance, data processing agreements in place, minimal data shared with each provider | LOW |
| Inappropriate data retention | Children's data retained beyond necessary period, increasing exposure risk | MEDIUM | Documented retention schedule, automated deletion process for inactive accounts after 90 days post-cancellation, right to erasure process documented | LOW |
| Analytics profiling of children | Google Analytics used to build profiles or serve targeted advertising to children | MEDIUM | GA4 configured with IP anonymisation, advertising features disabled, data sharing with Google disabled, minimum retention period set | LOW |
| Children's feedback data misuse | Written feedback from children used for purposes beyond platform improvement | LOW | Feedback data used only for curriculum development. Not shared externally. Anonymised after 2 years. Clearly explained in privacy policy. | LOW |
| AI tutor generating inappropriate content | The Claude-powered AI tutor generates content inappropriate for children | MEDIUM | System prompt constrains AI tutor to educational content only. Anthropic's safety systems active. Tutor operates within defined educational context with no open-ended general conversation. | LOW |

05 Measures to address risks

The following measures are implemented or planned to address the identified risks:

HTTPS encryption across all pages
All data transmitted between users and the platform is encrypted. SSL certificate provisioned via Let's Encrypt, auto-renewing.
Status: ✓ IMPLEMENTED

Age gate and parental consent flow
Age collected at signup. Under-13 accounts require parent email and email confirmation before activation. Compliant with UK GDPR Article 8 and DPA 2018.
Status: ⏳ TO BE IMPLEMENTED — Claude Code session

Cookie consent banner — essential only by default
Users presented with cookie consent on first visit. Essential cookies only by default. Analytics cookies require explicit opt-in. No advertising cookies.
Status: ⏳ TO BE IMPLEMENTED — Claude Code session

GA4 privacy configuration
Google Analytics 4 configured with IP anonymisation enabled, advertising features disabled, data sharing with Google disabled, retention set to 14 months minimum.
Status: ⏳ TO BE IMPLEMENTED — Claude Code session

Right to erasure process
Account deletion process documented. Email request to hello@aimastery.london triggers full data deletion within 30 days. Documented in privacy policy.
Status: ✓ IMPLEMENTED — process documented

Child-friendly privacy notice
Separate plain-English privacy policy written at age-appropriate level, accessible at aimastery.london/privacy. Toggle between child and parent versions.
Status: ✓ IMPLEMENTED — deployed

AI tutor content restrictions
Claude-powered AI tutor operates with a constrained system prompt limiting responses to educational AI content. Anthropic's safety systems provide additional protection.
Status: ⏳ TO BE IMPLEMENTED — AI tutor build session

ICO registration
Registered with the ICO as a data controller processing children's personal data. DPO nominated.
Status: ✓ IMPLEMENTED — May 2026

06 Children's Code compliance checklist

Assessment against the ICO Age Appropriate Design Code (Children's Code) 15 standards:

| Standard | Requirement | Status |
|---|---|---|
| Best interests | Child's best interests are primary consideration in design | ✓ MET |
| DPIA | DPIA completed before processing children's data | ✓ MET — this document |
| Age appropriate application | Risk-based approach to age verification | ⏳ IN PROGRESS |
| Transparency | Child-friendly privacy information provided | ✓ MET |
| Detrimental use of data | No use of data harmful to children's wellbeing | ✓ MET |
| Policies and community standards | Privacy policy covers children specifically | ✓ MET |
| Default settings | Privacy settings default to most protective | ✓ MET — no social features, no public profiles |
| Data minimisation | Only data strictly necessary is collected | ✓ MET |
| Data sharing | Children's data not shared without good reason | ✓ MET — no third-party sharing beyond service providers |
| Geolocation | Geolocation not used beyond what is necessary | ✓ MET — not collected |
| Parental controls | Tools provided to support parental oversight | ✓ MET — parent dashboard |
| Profiling | Children not profiled unless necessary and safe | ✓ MET — no profiling |
| Nudge techniques | No nudge techniques to encourage data sharing | ✓ MET |
| Connected toys/devices | Not applicable | N/A |
| Online tools | Tools available for children to exercise rights | ✓ MET — email contact process documented |

07 Consultation

Has the ICO been consulted? Prior consultation with the ICO is not required where risks have been adequately identified and mitigated through this DPIA. The ICO has been informed of our processing through the data controller registration completed May 2026.

Have data subjects been consulted? The platform has been beta tested with teenage users whose parents provided consent. Feedback from beta testers has directly informed the platform design, including safety features, accessibility mode, and the child-friendly privacy notice.

Have children's views been taken into account? Yes. Beta testing with a 14-year-old student over five modules generated structured feedback. AI safety content was added to the curriculum at the student's direct suggestion. This aligns with ICO guidance that children's views should inform processing design.

08 Conclusion and sign-off

Overall risk assessment: Having identified and assessed all relevant risks, and having implemented or planned mitigating measures, the residual risk of processing children's personal data through the AI Mastery platform is assessed as LOW.

Is the processing justified? Yes. The processing is necessary to deliver an educational service that is in the best interests of the children using it. The data collected is proportionate, minimised, and protected by appropriate technical and organisational measures.

Outstanding actions before public launch:

  • Age gate and parental consent flow — to be implemented in Claude Code session
  • Cookie consent banner — to be implemented in Claude Code session
  • GA4 privacy configuration — to be implemented in Claude Code session
  • AI tutor content restrictions — to be implemented when AI tutor is built
  • ICO registration number — to be added to privacy policy and this document when received

Document sign-off

Completed by: Richard [Surname], Founder & DPO, AI Mastery
Signature: ________________
Date completed: May 2026
Next review: May 2027
Review trigger: Annual review or when significant changes to processing occur — new data types, new third-party providers, new features affecting children's data
ICO Registration: [ICO Registration Number — to be added]
Registered: May 2026

AI Mastery · DPIA v1.0 · May 2026 · Internal document — not for public distribution
Prepared in accordance with UK GDPR Article 35, ICO DPIA guidance, and ICO Age Appropriate Design Code