1. Introduction

AureyaTech Ltd is the parent company, legal entity, intellectual property owner, and platform operator for all first-party software products and services, including its market-facing product brands:

• Lingjo®: Flagship AI Teaching & Curriculum Platform for Schools and Trusts
• Mochaic®: AI Automation & Chat Platform for SMEs

This Policy explains how AureyaTech Ltd collects, uses, discloses, and safeguards personal data across all of its services. Product-specific privacy notices (such as the Lingjo- Branded Privacy Notice) supplement this Policy where additional, sector-specific detail is required.

1. Scope and Definitions

1.1 Services

For the purposes of this Policy, "Services" means any activities performed or offered by AureyaTech Ltd, including but not limited to:

• Software platforms, web applications, and hosted services
• AI-powered agents, chatbots, and automation tools
• Educational products and curriculum-aligned systems
• Websites, portals, dashboards, APIs, and integrations
• Communications, newsletters, marketing, and support services

This definition is intentionally broad to cover both current and future offerings without limiting AureyaTech Ltd's ability to develop new technologies or service models.

1.2 Key Terms

• Personal Data: Any information relating to an identified or identifiable individual.
• Client: An organisation that contracts with AureyaTech Ltd to use the Services for its own purposes (for example, a school, trust, or business deploying an AI agent on its website).
• End User: An individual who uses the Services under the authority or direction of a Client (for example, a student or a website visitor interacting with an embedded AI agent).
• Data Controller: The entity that determines the purposes and means of processing personal data.
• Data Processor: The entity that processes personal data on behalf of a Data Controller.

2. Overview of Services

3. Data Controller and Data Processor Roles

AureyaTech Ltd operates under a dual-role model, acting as either a Data Controller or a Data Processor depending on the context of the Service.

3.1 When AureyaTech Acts as Data Controller

AureyaTech Ltd acts as a Data Controller where it determines the purposes and means of processing personal data, including:

• Operation of its corporate websites and marketing communications
• Management of newsletter subscriptions and direct enquiries
• Provision of Lingjo® where AureyaTech determines platform-level purposes, governance, and security standards
• Platform analytics, security monitoring, and service improvement

In these cases, AureyaTech Ltd is responsible for establishing a lawful basis for processing and for responding directly to data subject rights requests.

3.2 When AureyaTech Acts as Data Processor

AureyaTech Ltd acts as a Data Processor where it processes personal data on behalf of a Client that determines how and why the data is used, including:

• Deployment of Mochaic® or other AI agents embedded into a Client's website or internal systems
• White-label or enterprise deployments of AI or automation services
• Educational deployments where schools or trusts act as primary Data Controllers for student data

In these cases, AureyaTech Ltd processes data strictly in accordance with the Client's documented instructions and enters into a Data Processing Agreement (DPA) as required under Article 28 UK GDPR.

3.3 Joint Responsibility for Technical Safeguards

For certain limited technical and security data (such as system logs, abuse prevention signals, and infrastructure monitoring), AureyaTech Ltd may act as a controller in its own right to meet legal, security, and operational obligations, even where the primary service data is processed on behalf of a Client.

4. Personal Data We Process

AureyaTech Ltd processes only the personal data necessary to operate its Services, meet legal obligations, and maintain platform security.

4.1 Categories of Data

• Identity and Contact Data: Name, email address, organisation, role, and account identifiers.
• Account and Authentication Data: Login credentials, authentication tokens, and access records (managed via secure third-party identity providers).
• Service Content: Educational content, AI agent inputs and outputs, uploaded documents, and configuration data provided by Clients or End Users.
• Usage and Technical Data: IP addresses, device type, browser type, access timestamps, error logs, and system performance metrics.
• Communications: Support requests, emails, and feedback.

5. How We Use Personal Data

AureyaTech Ltd uses personal data to:

• Deliver and operate the Services
• Authenticate users and manage accounts
• Provide educational, automation, and AI-powered functionality
• Maintain platform security and prevent misuse
• Improve performance, reliability, and user experience
• Communicate with Clients, users, and stakeholders
• Meet legal, regulatory, and contractual obligations

We do not sell personal data and do not use personal data for advertising or profiling unrelated to the operation of our Services.

6. AI and Automated Agent Data Handling

Certain Services use artificial intelligence and automated processing to provide functionality.

• Interaction Data: When users interact with AI agents, text, documents, or other content may be processed to generate a response or perform a task.
• Model Providers: AureyaTech Ltd supports integration with third-party AI model providers (for example, where Clients supply their own API credentials). Data may be transmitted securely to those providers solely to fulfil the user's request.
• Training Position: AureyaTech Ltd does not use customer, student, or end-user data to train proprietary or third-party AI models.
• Human Oversight: AI outputs are designed to support users and do not constitute automated decision-making with legal or similarly significant effects.
• Data Minimisation: Only the minimum necessary data is processed to deliver AI functionality, and retention of identifiable AI interaction data is limited to operational, security, and troubleshooting purposes.

7. Data Hosting and Residency

• Primary Hosting Location: United Kingdom
• Education Services Commitment: Where reasonably practicable, data for schools and trusts using Lingjo® is hosted within the UK.
• International Processing: Some sub-processors (such as AI model providers or cloud infrastructure partners) may process data outside the UK. Appropriate safeguards are applied in all such cases.

8. Lawful Bases for Processing

AureyaTech Ltd relies on the following lawful bases under UK GDPR and EU GDPR, as applicable:

• Contract: Processing necessary to provide the Services to Clients and users.
• Legitimate Interests: Platform security, service improvement, and business operations, balanced against individual rights.
• Consent: Marketing communications and optional features where required by law.
• Legal Obligation: Compliance with regulatory and statutory requirements.

Where AureyaTech Ltd acts as a Data Processor, the Client is responsible for establishing the lawful basis for processing End User data.

9. Data Retention

Personal data is retained only for as long as necessary to fulfil the purposes outlined in this Policy.

• Active Accounts: Retained for the duration of the account.
• Deleted Accounts: Personal data is securely deleted or anonymised within a reasonable period (typically 30–90 days), unless legal retention is required.
• Security and System Logs: Retained for 30–180 days for security, abuse prevention, and audit purposes.
• Client-Directed Data: Retained or deleted in accordance with contractual agreements and Client instructions

10. Security Measures

AureyaTech Ltd implements technical and organisational safeguards, including:

• Encryption in transit and at rest
• Access controls and role-based permissions
• Secure cloud infrastructure
• Monitoring, logging, and incident response procedures

Security Roadmap

AureyaTech Ltd is working toward:

• Cyber Essentials Certification (UK)
• ISO/IEC 27001 Information Security Management System (ISMS)

These frameworks are used internally to guide continuous improvement of security governance and risk management.

11. International Transfers

Where personal data is transferred outside the UK or EEA, AureyaTech Ltd applies appropriate safeguards, including:

• UK International Data Transfer Addendum
• Standard Contractual Clauses (SCCs)
• Adequacy decisions where applicable

12. Children's and Student Data

AureyaTech Ltd recognises the heightened protections required for children's data. Educational deployments of Lingjo® are supported by a dedicated, product-specific privacy notice and DPIA. Schools and trusts act as primary Data Controllers for student data, with AureyaTech Ltd operating as a processor or joint controller depending on deployment structure.

13. Your Rights

Individuals have the right to:

• Access their personal data
• Request correction
• Request erasure
• Restrict processing
• Object to processing
• Request data portability
• Withdraw consent where applicable

Requests should be directed to the contact details below. Where AureyaTech Ltd acts as a processor, requests may be referred to the relevant Client.

14. Regulatory Status

AureyaTech Ltd is preparing for registration with the UK Information Commissioner's Office (ICO) as required under the Data Protection (Charges and Information) Regulations 2018. The ICO registration number will be published once issued.

15. Updates to This Policy

This Policy may be updated to reflect legal, technical, or operational changes. Material updates will be communicated through appropriate channels.

16. Contact Details

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection supervisory authority, if you believe we have not addressed your concerns adequately. Our ICO Registration Number is ZC089084. You can contact the ICO at:

This Master Privacy Policy governs all AureyaTech Ltd Services. Product-specific privacy notices and contractual agreements supplement this Policy where applicable.