Markaloud

Legal

Data Handling & Privacy

Last updated: April 2026

Overview

Markaloud processes audio recordings of academic feedback and generates structured written feedback using AI. This page explains what data is collected, how it is processed, and the safeguards in place to protect student and staff information.

What Data We Process

Data TypePurposeStorage
Audio recordingsTranscription via speech-to-textStored on our servers
TranscriptsFeedback generation inputStored on our servers
Rubric criteriaStructuring feedback outputStored on our servers
Generated feedbackReturned to the teacherStored on our servers

Third-Party AI Providers

Markaloud uses third-party AI services to provide transcription and feedback generation. Data Processing Agreements (DPAs) are in place with all providers.

OpenAI — Transcription (Whisper API)

  • Audio is sent to OpenAI's API for speech-to-text conversion
  • OpenAI does not use API data to train models
  • Audio is processed and not retained after transcription
  • Data Processing Agreement (DPA) in place
  • Processed in the US/EU depending on endpoint

Anthropic — Feedback Generation (Claude API)

  • Transcripts are sent to Anthropic's API for feedback structuring
  • Anthropic does not use API data to train models
  • Data is processed and not retained beyond the request
  • Data Processing Agreement (DPA) in place
  • Processed in the US

Data Flow

1. Teacher records or uploads audio

2. Audio → OpenAI Whisper API → transcript returned

3. Transcript + rubric → Anthropic Claude API → feedback returned

4. Audio, transcript, and feedback stored on Markaloud servers

5. No data retained by OpenAI or Anthropic after processing

Data Protection Measures

  • All data transmitted over encrypted connections (HTTPS/TLS)
  • Audio files and transcripts stored on secure, access-controlled servers
  • API keys stored server-side only — never exposed to the browser
  • No student names are required or stored by default
  • Data Processing Agreements in place with all third-party AI providers
  • No data is used for AI model training by any provider

GDPR Compliance

Markaloud processes personal data as defined under the UK General Data Protection Regulation (UK GDPR). Audio recordings containing verbal feedback about identifiable students constitute personal data.

  • Lawful basis:Legitimate interest in providing efficient academic feedback, or as specified in the institution's data processing agreement
  • Data minimisation: Only data necessary for transcription and feedback generation is processed
  • Storage limitation: Institutions can request deletion of all associated data
  • International transfers: Data is transferred to US-based processors (OpenAI, Anthropic) under appropriate safeguards including DPAs and Standard Contractual Clauses

Institutional Responsibilities

Institutions deploying Markaloud act as the data controller for student data. Markaloud operates as a data processor. Institutions are responsible for:

  • Ensuring appropriate lawful basis for processing student data
  • Including Markaloud in their institutional privacy notices
  • Conducting a Data Protection Impact Assessment (DPIA) if required
  • Informing students that verbal feedback may be processed by AI tools

Future Roadmap

We are actively working to minimise third-party data sharing:

  • Self-hosted transcription: Planned migration to on-premises speech-to-text, eliminating the need to send audio to external providers
  • EU processing: Evaluating EU-hosted AI endpoints as they become available
  • On-premises deployment: Option for institutions to host Markaloud entirely within their own infrastructure

For questions about data handling or to request a Data Processing Agreement, contact us at privacy@markaloud.com.

View our Data Processing Agreement template