Information Services Division

AI - UCL privacy policy

1. Introduction

INFORMATION SERVICES DIVISION (“ISD”, “we”, “us”, or “our”) respects your privacy and is committed to protecting your personal data.

Please read this Privacy Notice carefully – it describes why and how we collect and use personal data and provides information about your rights. It applies to personal data provided to us, whether by individuals themselves or by third parties, and supplements the following wider UCL privacy notice(s):

We keep this Privacy Notice under regular review. It was last updated on 28th of April 2026.

2. About us

ISD is part of the Professional Services at University College London (UCL). We provide central IT services for all UCL students and staff.

UCL, a company incorporated by Royal Charter (number RC 000631), is the entity that determines how and why your personal data is processed. This means that UCL is the ‘controller’ of your personal data for the purposes of data protection law.

3. Personal data that we collect about you 

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). 
We may collect, use, store and transfer different kinds of personal data about you. This may include: 

  • Your name and UCL email;
  • Any personal data entered into chatbot prompts, uploaded materials, and conversation history;
  • Usage and session metadata: login timestamps, session duration, service usage records, and consumption data;
  • Technical identifiers: IP address, device information, and online identifiers associated with you accessing the service; 
  • System-generated data: logs, interaction records, and administrative access records created through operation of the platform; 
  • Content-derived data: outputs generated by AI systems based on user prompts and contextual materials; 
  • ‘Special category’ data: any ‘special category’ data about you that you introduce yourself when using the AI systems (this may include details about your race or ethnicity, religious or philosophical beliefs, sexual orientation, political opinions, trade union membership, information about your health etc.).

4. How we use your personal data 

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • To provide AI chatbot services, including generating responses and maintaining conversation history for user access. Depending on the circumstances and the personal data introduced (if any), this may include special category personal data. Here, the processing of your information is carried out on the basis of your explicit consent.
  • To store and retrieve past conversations for you and authorised administrators;
  • To monitor system usage, including resource utilisation, cost attribution, and service optimisation;
  • To support incident management, service troubleshooting, and root cause analysis;
  • To apply security controls, including detection and masking of personal data within user inputs (data loss prevention and guardrails);
  • To help you with your enquiry. Depending on the circumstances, this may include special category personal data. Here, the processing of your information is carried out on the basis of your explicit consent. 

Where the processing is based on your consent, you have the right to withdraw your consent at any time by contacting us using the details set out below. Please note that this will not affect the lawfulness of processing based on consent before its withdrawal. 

Personal data is not intentionally required for the use of the AI@UCL service; however, personal data may be processed incidentally where you include such information in chatbot prompts.

5. Who we share your personal data with

Your personal data will be collected and processed primarily by our staff and UCL. Access to your personal information is limited to staff who have a legitimate need to see it for the purpose of carrying out their job at UCL. We may have to share your personal data with the parties set out below for the purposes outlined in section 4:

  • Airia LLC (AI platform provider – processor storing conversation data and metadata);
  • Cloud infrastructure providers (e.g. Microsoft Azure);
  • External commercial LLM providers (e.g. OpenAI, Claude, Google);
  • Content delivery and security providers;
  • Monitoring and analytics providers. 

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes – we only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. Lawful basis for processing

Data Protection Legislation requires that we meet certain conditions before we are allowed to use your data in the manner described in this notice, including having a "lawful basis" for the processing. The basis for processing will be as follows:

  • Consent. You have given us your consent for processing your personal data.
  • Legitimate interests. The processing of your personal data may be necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or by fundamental rights and freedoms which require protection of personal data.
  • Public task. The processing of your personal data may be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us.

For special category personal data, the following lawful bases for processing will be used:

  • Consent. You have given us your consent for processing your personal data.

7. International transfers

Personal data may be transferred outside the UK/EEA in limited circumstances where chatbot prompts are processed by third-party AI providers located in other jurisdictions (including the United States). 

Such transfers are mitigated through technical controls (including automated redaction of personal data prior to transfer) and contractual safeguards implemented by service providers.

8. Information security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We have established procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

9. Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

Users may delete their conversation history at any time. However, if they do not do so, we will retain chatbot message history and conversation records for up to 18 months, after which they will be deleted automatically.

We will keep your personal data according to the Records Retention Schedule.

10. Your rights 

Under certain circumstances, you may have the following rights under data protection legislation in relation to your personal data: 

  • Right to request erasure of your personal data;
  • Right to request correction of your personal data;
  • Right to request access to your personal data;
  • Right to object to processing of your personal data;
  • Right to request restriction of the processing of your personal data;
  • Right to request the transfer of your personal data; and
  • Right to withdraw consent.

If you wish to exercise any of these rights, please contact the Data Protection Officer.

Contacting us 

You can contact UCL by telephoning +44 (0)20 7679 2000 or by writing to: University College London, Gower Street, London WC1E 6BT.

Please note that UCL has appointed a Data Protection Officer. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact our Data Protection Officer using the details set out below:

Data Protection & Freedom of Information Officer: data-protection@ucl.ac.uk

Complaints

If you wish to complain about our use of personal data, please send an email to data-protection@ucl.ac.uk with the details of your complaint to the Data Protection Officer so that we can look into the issue and respond to you. Please see the Data Protection Complaints Guidance and Procedure for further information about how we handle complaints.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) (the UK data protection regulator).  For further information on your rights and how to complain to the ICO, please refer to the ICO website.