UK GDPR sets a deliberately high bar for processing children's data. Five questions reveal whether an AI tutor clears it. This guide is plain-English compliance literacy for UK parents — what to ask, what counts as a green flag, what to walk away from.
Why under-13s are different
The UK digital age of consent is 13. Under that age, a provider needs either:
- Verifiable parental consent, or
- A parent-account-only model where the parent is the data subject, not the child
The second is dramatically simpler to implement compliantly. Most well-designed AI tutors for KS3 have chosen it.
The five questions
1. Who is the data controller?
The data controller is the organisation legally responsible for your data. They should be named, with a UK address, in the privacy policy. If the controller is offshore-only, ask why.
2. What is the lawful basis for processing?
Under UK GDPR, there are six lawful bases. For AI tutors, the most common are:
- Performance of a contract (you signed up — they need data to deliver the service)
- Legitimate interests (limited; not appropriate for child data)
- Consent (must be specific, freely given, informed, and revocable)
Tutors using "consent" for children should have a parental-consent mechanism. Tutors using "contract" should be parent-account-only.
3. How long is data retained, and how is it deleted?
Look for a specific retention period. "As long as necessary" is too vague. Look for:
- Conversation data: 30 days or less (rolling) is best practice
- Account data: deleted on cancellation + 90-day grace period
You should be able to request immediate deletion from a dashboard, not by emailing.
4. Where is the data stored?
UK / EU storage is preferable post-Brexit. US storage requires adequacy decisions and is more complex. aitutors.me uses EU-region storage by default.
5. Is the data used to train AI models?
This is the question. The right answer is a clear "no, not on user data", stated in the privacy policy. If the answer is hedged, walk away.
Verify with the ICO
Anyone processing UK personal data commercially must register with the ICO (Information Commissioner's Office). The register is public:
- Search: ico.org.uk → "Search the Register of Fee Payers"
- Look for the provider's name. It should appear as a current registration.
This is a £40/year, ~10-minute admin task. A provider that hasn't done it is signalling carelessness.
Easy wins (signs a service has taken privacy seriously)
- ✅ Cookieless analytics (no cookie banner) — small data surface
- ✅ EU storage region named explicitly
- ✅ Parent-account-only model (no child as data subject)
- ✅ ICO registration confirmed
- ✅ Privacy policy under 2,000 words, in plain English
- ✅ Deletion via dashboard, not email
Red flags
- ❌ "We may use anonymised data to improve our services"
- ❌ No published retention period
- ❌ "Privacy policy coming soon"
- ❌ Account creation possible without parent-account opt-in
- ❌ ICO register search returns nothing
What aitutors.me does
For reference (and disclosure — Jason runs aitutors.me):
- Parent-account-only model
- EU-region storage
- 30-day rolling deletion default
- No AI training on user conversations
- ICO registered
- Cookieless PostHog analytics
FAQ
Does UK GDPR apply to my child's AI tutor account?
Yes. UK GDPR and the Data Protection Act 2018 apply to any service processing personal data of UK residents — including any UK child interacting with an AI tutor.
What's the UK digital age of consent?
13. Under-13s can only have their data processed with verifiable parental consent, or via a parent-account-only model where the parent is the data subject.
Should AI tutors be ICO-registered?
Yes, if they process personal data of UK residents commercially. ICO registration is ~£40/year and the register is public — verify any provider before signing up.
Not legal advice — speak to a solicitor for legal questions. Jason has been through this process for aitutors.me and writes from experience. Updated 20 May 2026.