AI Governance & Ethics
The English Hub - operated by Upskill Energy Limited
Last reviewed: 12 May 2026 · Next review: November 2026
This page is an honest assessment of where The English Hub sits against the regulatory and voluntary frameworks that govern AI systems and personal data when they touch users in Qatar. We have written it for school Data Protection Officers, parents, and diligence reviewers. It is not marketing copy. Where we fall short, we say so, and we list the work we still owe you.
1. What applies to us, and what doesn’t
The English Hub is operated by a UK-based company. We are not a QCB-licensed financial entity, not registered in the Qatar Financial Centre (QFC), not designated Critical National Infrastructure, and not a supplier to any Qatari government agency. That immediately narrows the binding surface area.
| Instrument | Binding on us? | Why |
|---|
| PDPPL (Law 13/2016) | Yes, for data of individuals in Qatar | Extra-territorial reach via service offered to Qatar residents |
| Cybercrime Law (Law 14/2014) | Yes, for any content delivered into Qatar | Content offences are jurisdictional, not licence-gated |
| QCB AI Guideline (Sept 2024) | No - we hold no QCB licence | Used voluntarily as a reference standard |
| NCSA AI Guidelines v1.0 (Feb 2024) | No - voluntary | Treated as expected practice; alignment in progress |
| MCIT Ethical AI Principles (2025) | No - voluntary | Adopted as our internal ethical baseline |
| NIA / NIMF / NDCP | No - not CNI, not government | Tracked but not implemented |
| Cloud Policy Framework | No - not a licensed Qatari cloud provider | Referenced when selecting subprocessors |
| QFC Data Protection Regulations 2021 | No - not QFC-registered | Separate jurisdiction |
The honest summary: PDPPL and the Cybercrime Law are the two instruments that genuinely bite. Everything else is voluntary best-practice that we either align to or are openly working toward.
2. PDPPL - where we comply, where there are gaps
PDPPL is narrower than GDPR. It requires a lawful basis, transparency, purpose limitation, security, and explicit consent for sensitive data. It does not grant a GDPR-style Article 22 right against solely-automated decisions, but it does class children’s data as sensitive.
Where we currently comply
- Personal data is stored in Supabase (EU region), encrypted at rest and in transit.
- We publish a privacy notice describing categories of data, purposes, and retention.
- We support data access and deletion requests via email (see section 10).
- We do not sell personal data and do not use it to train third-party AI models.
Where there are gaps we acknowledge
- We have not yet appointed a named Data Controller representative for Qatar-resident users, and PDPPL’s consent and notification requirements for sensitive data (including children’s) are not yet supported by a structured workflow on our signup path.
- Subprocessors operate across multiple jurisdictions: Stripe (USA), PostHog (EU/US), GA4 (USA), Vercel hosting (USA), Sentry (USA). PDPPL permits cross-border transfer with safeguards but does not have an adequacy list, so we currently rely on contractual safeguards rather than a formal transfer impact assessment per Qatar resident.
- We do not yet maintain a register of processing activities specific to Qatar users.
Remediation (1): Build a Qatar-specific privacy notice supplement listing each subprocessor, its jurisdiction, and the contractual safeguard.
Remediation (2): Implement a Record of Processing Activities (RoPA) and review quarterly.
3. Cybercrime Law - relevance for AI-generated content
Law 14/2014 criminalises, among other things, content that infringes social values, public order, or the reputation of others, and content that is false or misleading. Because our platform generates explanatory content, model answers, and feedback using LLMs, an autonomous agent producing such material is not a defence - the operator carries the risk.
What we do
- All AI-generated student-facing study material is produced from a curated curriculum prompt set, not free-form user prompts to a raw model.
- We do not publish AI-generated content about identifiable individuals.
- We rate-limit and log all generation events for after-the-fact review.
Gaps
- We do not yet run a pre-publication content classifier specifically tuned to Qatari content offences.
- Student-submitted essays processed by AI may contain content that, if echoed back unfiltered, could constitute an offence on republication.
Remediation (3): Add a Qatar-aware content safety layer (classifier + denylist) in front of any AI output rendered to a Qatar-resident user, and log decisions for audit.
4. NCSA AI Guidelines - voluntary alignment status
NCSA v1.0 covers the AI lifecycle: design, data, development, deployment, monitoring, decommissioning. We treat it as a self-assessment checklist.
| Lifecycle stage | Status |
|---|
| Design (intended use, risk tier) | Partial - informal, not documented |
| Data governance (sourcing, quality, bias) | Partial - curriculum content is sourced and reviewed; third-party training data is out of our control |
| Development (testing, validation) | Partial - manual QA, no formal eval set |
| Deployment (human oversight, fallbacks) | Yes - humans review flagged outputs |
| Monitoring (drift, incident response) | Partial - Sentry catches errors but not model-quality drift |
| Decommissioning | Not documented |
Remediation (4): Publish an AI System Card for each AI feature (essay feedback, model-answer generation, vocabulary explainer), including intended use, known limits, and an evaluation summary.
Remediation (5): Stand up a quarterly drift and quality review with documented criteria and a rollback plan.
5. MCIT Ethical AI Principles - alignment status
Six principles. Honest scoring below.
- Do no harm. Output is for revision support, not high-stakes decisions. Aligned.
- Safety and reliability. We do not yet publish accuracy or failure-mode statistics. Partial - see Remediation 4.
- Fairness. We have not yet tested AI-generated feedback for systematic bias against students writing in non-British English, second-language learners (including Gulf Arabic L1 speakers), or specific socioeconomic vocabulary. Gap.
- Environment. We use third-party model APIs; energy footprint is not measured or disclosed. Gap.
- Privacy. Covered in section 2. Partial.
- Transparency. AI essay-feedback panels, marking results, AI-generated revision material and AI-authored blog posts now carry a consistent visible "Made with AI - review before relying on it" label that links to this page. Remaining gap: a small number of statically pre-authored AI-assisted study pages may not yet display the label, and a pre-publication content classifier is still in progress (see Remediation 3).
Remediation (6): Add a visible “Generated with AI - review before relying on” label on every AI-produced essay-feedback panel, model answer, and auto-generated blog post.
Remediation (7): Commission an annual fairness audit across English-language proficiency tiers and publish the summary.
6. QCB / NIA / NDCP / Cloud Policy - when these apply to us
- QCB AI Guideline binds licensed financial entities. We are not one. We do, however, treat its model-risk-management framing as a useful reference, particularly its emphasis on documented model governance and explainability.
- NIA / NIMF / NDCP are mandatory for Critical National Infrastructure and government supply chains. The English Hub is neither. If a Qatari ministry or state school procures our service under a government contract, NIA controls become contractually relevant and we would need a gap assessment.
- Cloud Policy Framework binds licensed Qatari cloud providers. None of our hosting or storage is operated under a Qatari cloud licence. Our subprocessors are: Vercel (USA, edge), Cloudflare (global edge), Supabase (EU primary), Stripe (USA), PostHog (EU/US), GA4 (USA), Sentry (USA).
Remediation (8): Maintain a published subprocessor list with jurisdiction, purpose, and the contractual transfer mechanism, updated on change.
7. Honest gaps + remediation roadmap
| # | Action | Owner | Target |
|---|
| 1 | Qatar-specific privacy notice supplement | DPO | Q3 2026 |
| 2 | Record of Processing Activities (RoPA) | DPO | Q3 2026 |
| 3 | Qatar-aware content safety layer for AI output | Engineering | Q4 2026 |
| 4 | Publish AI System Cards per feature | Product | Q4 2026 |
| 5 | Quarterly drift & quality review with rollback plan | Engineering | Q3 2026 |
| 6 | "Generated with AI" labels across the product | Product | Q3 2026 |
| 7 | Annual fairness audit, summary published | DPO + external | Q1 2027 |
| 8 | Published subprocessor list with jurisdictions | DPO | Q3 2026 |
| 9 | Parental-consent flow for under-18 signups | Product | Q3 2026 |
| 10 | Cookie consent banner with granular categories | Engineering | Q2 2026 |
| 11 | DPIA for the AI content pipeline | DPO | Q4 2026 |
| 12 | Incident response runbook including notification timelines | Engineering | Q3 2026 |
8. Children’s data - special call-out
Our core audience is GCSE and IGCSE students, the vast majority of whom are aged 14-17 and therefore minors under both Qatari and most international frameworks. PDPPL classes children’s data as sensitive personal data, which requires explicit, informed consent - and for minors, that consent must come from a parent or legal guardian.
Where we currently fall short
- Our signup flow asks for an email and password. It does not currently verify age or capture verifiable parental consent for users under 18.
- Marketing communications, in-app analytics, and AI-generated feedback all process the personal data of these minors.
- We do not currently offer a parent-facing dashboard for reviewing and revoking consent.
This is the most material gap on the page. We are treating it as a priority.
Remediation (9): Build a parental-consent flow gated on age at signup: under-18 users enter a guardian email; signup completes only after the guardian confirms consent via a separate verified link. Maintain a consent log.
Remediation (10): Add a parent dashboard for consent review, data export, and account deletion, scoped to the child’s account.
Remediation (11): Minimise behavioural analytics on confirmed under-18 accounts; disable third-party analytics SDKs (GA4, PostHog session replay) by default for these users.
9. AI use disclosure
We use third-party large language models (currently OpenAI and Anthropic APIs, subject to change) to generate:
- Essay feedback and model annotations
- Practice questions and model answers
- Vocabulary explanations and grammar walkthroughs
- Auto-generated blog content (clearly labelled as such)
We do not:
- Use AI to make decisions about a student’s progression, eligibility, or grading that have legal or similarly significant effects
- Send personal data beyond the student’s submitted text to model providers
- Permit model providers to retain prompts for training (we use no-retention endpoints where contractually available)
Where AI is involved, we are working to label it in-product (Remediation 6). The underlying model name and the prompt template version for any generated artefact can be requested via the contact below.
11. Internal audit findings (May 2026)
This page is paired with an internal compliance audit completed 12 May 2026. The findings below are reproduced verbatim - these are real gaps we have identified in our own code, not theoretical risks. We are publishing them rather than hiding them because the framework rewards transparency and a candid roadmap.
A. Signup-flow consent gaps
- The registration page uses an implicit “By creating an account, you agree to…” link rather than an explicit consent checkbox. PDPPL Art. 4 requires affirmative action, and Art. 17 requires a separate explicit consent for cross-border transfer that the current form does not collect.
- The contact form has no consent checkbox and no in-line privacy-policy link.
B. Children’s data - material legal risk
- 16- and 17-year-olds bypass guardian consent entirely and self-onboard. PDPPL treats all under-18s as minors requiring guardian consent. This is the single biggest legal exposure for a GCSE/IGCSE platform marketed in Qatar.
- For 13-15 the flow collects a guardian email and fires a non-blocking parent-notify. Signup completes regardless of whether the guardian ever responds. This is “notice” rather than “verifiable parental consent”.
C. Architecture vs. notice mismatch
- The Qatar Privacy Notice (/legal/privacy-qatar) states that data is transferred to the UK under an IDTA. The actual data path is Supabase EU → Anthropic US → Sentry EU → GA4 US → Rewardful US. Anthropic, GA4, and Rewardful currently have no documented Qatar-specific transfer mechanism.
- Our Supabase region is documented inconsistently across internal registers (EU Frankfurt vs UK). The single source of truth needs reconciliation.
- Rewardful’s third-party script is unconditionally CSP-allow-listed but is not gated by the cookie-consent flag that protects GA4 and PostHog.
D. Right of human review - policy without UI
Our policy text promises a right to request human review of AI feedback. That button does not yet exist on the student-facing feedback component. A teacher-override surface exists for school accounts; an equivalent self-serve route for direct-to-consumer students does not.
E. DPIA status
Our internal DPIA for AI features is at draft v0.9 with author and DPO placeholders unfilled. Finalising it sits in Remediation 11.
F. AI labelling coverage
The essay-feedback panel and /legal/ai-transparency page do disclose AI use. Blog content-which is currently part-generated by our agent pipeline-is not flagged as AI-assisted on the public page. Remediation 6 covers this.
We commit to refreshing this section on every material code change to the signup, consent, or AI surfaces. If you are reading this on a date more than three months from the “Last reviewed” stamp at the top of the page, please email us to ask whether the audit has been refreshed.
10. Contact for data subject requests
If you are a student, parent, or school in Qatar and want to exercise any of the rights available under PDPPL (access, correction, deletion, withdrawal of consent), or you want to raise a concern about an AI-generated output, contact us at:
[email protected]
We will acknowledge within 5 working days and respond substantively within 30 days. If you are not satisfied with our response, you may escalate to the National Cyber Security Agency of Qatar (NCSA) as the relevant supervisory authority for PDPPL.
This page is reviewed at least every six months and after any material change to our AI features, subprocessors, or governance posture. The next scheduled review is November 2026.