Trust & Safety

Built for the most important users. Protected accordingly.

Malgosha works with vulnerable children. We take that responsibility seriously โ€” in our architecture, our policies, and our team culture.

๐Ÿ”’ GDPR Compliant
๐Ÿ‡ฌ๐Ÿ‡ง UK Data Only
โ™ฟ WCAG 2.1 AA
๐Ÿ›ก๏ธ KCSIE Aligned
๐Ÿ” AES-256 Encrypted
๐Ÿ“‹ ICO Registered
๐Ÿ”’

GDPR & Data Privacy

  • All student data stored in UK data centres โ€” never leaves the UK
  • No data sold or shared with third parties, ever
  • Data retention: session data deleted after 12 months unless school opts to retain
  • Full data subject access requests (DSAR) supported within 72 hours
  • Data Protection Officer available: [email protected]
  • ICO registered: registration number available on request
๐Ÿ›ก๏ธ

Safeguarding

  • Designed in alignment with Keeping Children Safe in Education (KCSIE)
  • No direct student-to-student interaction โ€” fully 1:1 AI sessions only
  • No user-generated content visible to other users
  • Session transcripts available to parents and designated safeguarding leads
  • Malgosha does not collect biometric data
  • All staff with data access are DBS checked
โ™ฟ

Accessibility

  • WCAG 2.1 AA compliant โ€” tested with NVDA and VoiceOver
  • Keyboard-navigable throughout โ€” no mouse required
  • High contrast mode and font size controls built-in
  • Dyslexia-friendly font option (OpenDyslexic) available
  • All interactive elements have ARIA labels
  • No time-pressured interactions (unless opted into)
๐Ÿ”

Security

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Annual third-party penetration testing
  • Vulnerability disclosure programme โ€” [email protected]
  • Multi-factor authentication for all teacher and admin accounts
  • Principle of least privilege โ€” staff access scoped by role
  • Incident response: contained and communicated within 72 hours

Questions about data or compliance?

Our DPO is available for procurement queries, Data Processing Agreements, and DSAR requests.

Contact our DPO