The short version: Before any school gives students access to Pekanga, a Data Processing Agreement must be in place. The DPA sets out Pekanga's obligations as a data processor under UK GDPR Article 28: what data we collect, how we protect it, how long we keep it, and what happens when the licence ends. Request the full document below.
Our commitments
What Pekanga commits to as your data processor
Pekanga's DPA is drafted to comply with the UK General Data Protection Regulation, the Data Protection Act 2018, and the Data (Use and Access) Act 2025.
✓ Purpose limitation
We process student data only to provide the Pekanga platform. We will never use it for AI model training, advertising, or any other purpose.
✓ Data residency (EEA)
All personal data is stored in Supabase infrastructure hosted in the European Economic Area. No transfers outside the UK or EEA in ordinary operation.
✓ 72-hour breach notification
In the event of a personal data breach, we will notify the school within 72 hours with full details of the incident and remediation steps taken.
✓ No commercial sharing
Student data is never shared with employers, universities, advertisers, or any commercial third party. Your students' data is not a product.
✓ Deletion on termination
On termination of the licence, we retain data for 60 days to allow renewal or export, then delete all student records securely within 30 days of your written request.
✓ Data subject rights support
We assist with access, rectification, and erasure requests within 5 working days. Staff can permanently delete individual student records directly from the dashboard.
What data we process
Categories of personal data
Pekanga collects the minimum data necessary to provide personalised career guidance. We do not collect email addresses, dates of birth, or any special category data from students.
| Data category | Examples | Special category? |
| --- | --- | --- |
| Identity data | First name, surname | No |
| Educational data | Year group, subject choices, qualification type | No |
| Usage data | Career reports generated, careers saved, session timestamps | No |
| Advisory data | Appointment notes created by careers advisors | No |
| Work experience data | Employer name, placement dates, student reflection notes | No |
Sub-processors
Who processes data on our behalf
The following sub-processors are approved under the DPA. We provide 30 days' notice before adding or replacing any sub-processor.
Database hosting and backend infrastructure. Stores all student personal data. Encryption at rest and in transit. Row-level security enforced on all student data tables.
Platform hosting and content delivery. Serves the Pekanga application. No persistent personal data stored.
Anthropic (Claude API)
Zero-retention API
AI language model for career report generation. Requests contain subject choices only — no names or persistent identifiers. Anthropic does not retain data beyond the API request lifecycle and does not use inputs to train models.
Transactional email for staff password resets. Processes registered email address only. No student data is transmitted.
Request the DPA
Ready to go live with your school?
Email us and we will send the full Data Processing Agreement, ready for your Data Protection Officer or legal team to review and countersign. We respond within one working day.
The DPA has been drafted to comply with UK GDPR Article 28, the Data Protection Act 2018, and the Data (Use and Access) Act 2025. It should be reviewed by your school's Data Protection Officer or a qualified data protection solicitor before execution. This page summarises key provisions only and does not constitute legal advice. Version 1.1 — June 2026.