
Your Child's Data

A plain account of what happens to children's data in most schools, why it matters, and the specific architectural choices ÆRA has made. Written for families, educators, and school founders.

Version 1 · May 2026 · Open document

Audience
Families, educators, school founders, policymakers

This document is written for families, educators, and school founders who want to understand what happens to children's data — and why the answer matters more than most schools acknowledge. It is not a legal document. The full technical and legal specification is in the ÆRA Data Sovereignty Truth Document. This is the plain account.


I. The Data Your Child Generates at School

A child in a digitally equipped school generates data continuously. Which activities they chose. How long they spent on each one. Where they struggled. What they found easy. How they responded to different kinds of instruction. Their emotional patterns across the day. Their communication with teachers and peers. Their progress across every subject area, week by week, year by year.

This data — accumulated across years — is one of the most detailed portraits of a developing human being that has ever existed. It is more granular than anything a teacher could hold in memory. More longitudinal than any report card. More revealing than almost anything a parent knows consciously about their child.

The question is: who holds it?

In most schools, the answer is: a company you did not choose, incorporated under a legal jurisdiction you were not consulted about, subject to laws you may not be aware of, with contractual terms you almost certainly did not read, with the ability to use that data in ways you may not have consented to — and no straightforward way to get it back.

This is not a hypothetical concern. It is the current reality for the majority of children in digitally connected schools.


II. Why This Matters More Than It Used To

Education data has always existed. Schools have always kept records. What changed — rapidly and largely without public debate — is the nature of those records and the infrastructure holding them.

Twenty years ago, a child's school record was a file of paper documents held in a locked cabinet in the school building. The data was sparse, the access was limited, and the data stayed local. The risks were manageable.

Today, a child's learning data is held in cloud systems operated by companies whose primary business is not education. It is processed by AI tools whose training data, model behaviour, and output use are not disclosed. It crosses borders every time it is processed. It is subject to government access requests under laws — particularly US law — that operate without the procedural protections European families expect. And it persists indefinitely, because the economics of cloud storage make deletion rare and expensive.

The specific legal risk for European families is worth stating plainly. The US CLOUD Act, enacted in 2018, requires US companies to produce data held anywhere in the world when a US court or government authority demands it — regardless of where the data physically sits, and regardless of what the company's privacy policy says. FISA Section 702, reauthorised in 2024 with expanded scope, permits bulk intelligence collection from US providers without individualised warrants.

When a school uses Google Workspace for Education, Microsoft Teams, or any other US-headquartered platform, children's data is potentially subject to these legal instruments. The EU-US Data Privacy Framework — the current attempt to manage this tension — has already had two predecessors invalidated by the Court of Justice of the European Union. A third legal challenge is currently pending. Treating DPF certification as a guarantee of protection is not a legally defensible position.

None of this is secret. It is simply not discussed in most school enrolment conversations.


III. The Standard Responses — and Why They Are Not Enough

When this is raised, institutions typically offer one of three responses.

"We comply with GDPR." GDPR compliance is a minimum standard, not a protection against the specific risks above. A US company can be GDPR-compliant and still be required to produce European children's data under US law. GDPR does not override FISA Section 702. Compliance is necessary. It is not sufficient.

"We have contractual protections." A contractual commitment is only as strong as the ability to enforce it. A school's contract with Google or Microsoft does not prevent a US government authority from issuing a CLOUD Act demand directly to Google or Microsoft. The contract is between the school and the provider. The legal demand goes directly to the provider. The school is not in the chain.

"We anonymise the data." Genuine anonymisation is technically difficult and rarely achieved in practice. Learning data — which includes behavioural patterns, developmental trajectories, and longitudinal records — is extremely difficult to anonymise without destroying its utility. And once anonymised data has been re-identified, it cannot be made anonymous again.

The honest position is that none of these responses adequately addresses the structural problem. The structural problem requires a structural solution.


IV. What a Structural Solution Looks Like

The European Data Protection Board has stated the requirement precisely: for genuine data sovereignty, the provider must never have access to the unencrypted data or the encryption keys. This is an architectural requirement, not a contractual one.

In practice, this means several things.

Jurisdiction follows ownership. No US-headquartered entity should own, operate, or control any part of the infrastructure holding child data. The legal entity managing the data must be European, subject only to EU law.

Encryption keys must be held by the school or the family — never by any platform. If a platform holds the encryption keys, it can be compelled to produce readable data under US law. If the platform holds only ciphertext and the keys are held elsewhere, any data produced under legal compulsion is unreadable.

AI models that touch child data must be self-hosted on EU-controlled infrastructure, using open-weight models. Every time a cloud AI API call is made with child data as input, that data has crossed into the provider's system. There is no contractual protection that prevents this from becoming a legal liability.

The architecture must be local-first. The primary copy of the data should live on infrastructure controlled by the school or the cooperative — not on a provider's cloud. Cloud infrastructure should be used for backup and synchronisation, not as the primary data store.

These are not exotic technical requirements. They are standard practice in industries where data sovereignty genuinely matters — banking, healthcare, defence. They have simply not been applied to education, where the purchasing decisions are made by institutions without technical expertise and the data subjects are children who cannot advocate for themselves.


V. What ÆRA Has Built

ÆRA's data architecture is called the Sovereign AI Stack. It operationalises the requirements above.

The AI that works with your child's learning data never leaves European infrastructure. ÆRA uses models from Mistral AI — a French company, incorporated in Paris, with no US parent entity — self-hosted on European servers. The AI that analyses your child's developmental patterns, suggests Seminar groupings, and supports the coach's planning works entirely within infrastructure ÆRA controls. No API call containing your child's data goes to any US-headquartered company.

The AI that generates learning content never sees your child's data. Mission Dispatches — the learning materials your child works with each day — are generated using frontier AI models (Claude or Gemini, accessed via European endpoints). But the Privacy Firewall ensures these models never receive your child's data. Before any content generation request is made, your child's identifying information is replaced with an ephemeral token that expires after the session, the skill categories are generalised, and any temporal markers are stripped. The AI receives a curriculum prompt, not a child profile. The outputs are content, not surveillance.
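The three firewall steps described above (ephemeral token, generalised skill category, stripped temporal markers), shown as an added Python illustration; this is not ÆRA's code, and the record fields, the category table and the token format are assumptions made for the example.

```python
import re
import secrets
from datetime import datetime, timedelta
# Constructed sample record; field names are assumptions for this example.
CHILD_RECORD = {
    "child_id": "child-0419",
    "name": "Lena Novak",
    "date_of_birth": "2016-03-14",
    "skill": "subtraction with borrowing across zeros",
    "coach_note": "Lena struggled on 2026-05-03 with borrowing across zeros; "
                  "on Monday try manipulatives before symbolic work.",
}
# Assumed table generalising fine-grained skills to broad curriculum categories.
SKILL_CATEGORY = {"subtraction with borrowing across zeros": "early arithmetic"}
# Temporal markers to strip (ISO dates, clock times, weekday names), together
# with a leading "on/last/next" so no dangling preposition is left behind.
TEMPORAL_RE = re.compile(
    r"\b(?:on |last |next )?(?:\d{4}-\d{2}-\d{2}|\d{1,2}:\d{2}|"
    r"(?:mon|tues|wednes|thurs|fri|satur|sun)day)\b", re.IGNORECASE)


class SessionTokens:
    """One random pseudonym per child per session. The child_id -> token map
    stays inside the firewall and expires, so sessions cannot be linked."""
    def __init__(self, ttl=timedelta(minutes=30)):
        self.ttl, self._issued = ttl, {}   # child_id -> (token, expiry)

    def token_for(self, child_id, now):
        token, expiry = self._issued.get(child_id, (None, None))
        if token is None or now >= expiry:
            token = "learner-" + secrets.token_hex(8)
            self._issued[child_id] = (token, now + self.ttl)
        return token

    def is_valid(self, token, now):
        return any(t == token and now < exp for t, exp in self._issued.values())


def build_curriculum_prompt(record, tokens, now):
    """What the content model receives: a token, a broad category and a note
    scrubbed of names and dates. The raw identifiers never enter the prompt."""
    token = tokens.token_for(record["child_id"], now)
    note = record["coach_note"]
    for part in record["name"].split():        # replace full and partial names
        note = re.sub(r"\b" + re.escape(part) + r"\b", token, note)
    note = re.sub(r"\s+", " ", TEMPORAL_RE.sub("", note)).strip()
    for raw in (record["child_id"], record["name"], record["date_of_birth"]):
        if raw in note:                        # last-line guard before sending
            raise ValueError("identifying value leaked into prompt")
    return {"learner": token, "context": note,
            "category": SKILL_CATEGORY.get(record["skill"], "general")}
```

The guard at the end is deliberately a hard failure: a prompt that still carries an identifier must never be sent rather than sent with a warning.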

Your child's data is stored in Europe, on European-controlled infrastructure. The primary database is hosted on OVHcloud (France) or Hetzner (Germany) — both European-incorporated companies with no US parent entities, subject exclusively to EU law. The data never passes through US-controlled infrastructure.

Your child's most sensitive data is encrypted, and you hold the key. The Aptitude Map entries, Rhythm Notes, Developmental Signal records, and Phenology Journal — the most detailed and intimate records of your child's development — are end-to-end encrypted. ÆRA holds the ciphertext. You hold the key. Even if ÆRA's systems were compromised, this data would be unreadable without your key. At enrolment, you receive a recovery key — keep it somewhere safe.

No AI model is ever trained on your child's data. The AI tools used in the methodology learn from open, published research and curriculum content — never from individual child records. Your child's developmental data is used only to support your child's development, by the people responsible for it.

Your data rights are structural, not contractual. You can request full export of your child's data at any time. You can request deletion at any time. These rights are enforced by the architecture — the data is yours, the key is yours, and neither can be removed from you by any governance decision. The cooperative's founding documents make this explicit: child data sovereignty is non-negotiable, and no General Assembly vote can override a family's data rights.


VI. Why This Matters for the Methodology

The data architecture is not separate from the educational methodology. It is an expression of the same values.

The Aptitude Map — the continuously updated picture of your child's development that makes individualised coaching viable — only works if it is genuinely honest. If families believe their child's developmental record might be used against them, they will not be honest in providing context. If coaches believe the data might be subpoenaed or sold, they will not record what they actually observe. The depth of insight that makes the Seen Child principle real depends entirely on the trustworthiness of the system holding it.

The same applies to the Rhythm Notes — the qualitative record of how your child regulates, what ignites them, what their signals look like before distress becomes visible. This is intimate information. It should only exist in a system where the family has complete confidence in where it goes and who can see it. If that confidence is absent, the Rhythm Notes will be superficial. And if the Rhythm Notes are superficial, the continuity of care from Phase I to Phase II — the most powerful safeguarding mechanism in the methodology — is compromised.

The data architecture is what makes deep individualisation possible at all. And deep individualisation is what makes the educational outcomes the methodology claims achievable.


VII. What This Means for School Founders

If you are considering implementing the ÆRA methodology, the data architecture is a condition of licensing, not an optional add-on.

Licensed schools are required to implement the full Sovereign AI Stack: self-hosted Mistral for learning data, the Privacy Firewall for content generation, European-only infrastructure, E2EE for child profile data, and annual technology stack review through the cooperative governance structure.

The rationale is not bureaucratic. It is that the methodology's most important claims — individualisation at scale, the Seen Child, the continuity of care — only hold if the data infrastructure that makes them possible is trustworthy. A Licensed school using Google Workspace for the Aptitude Map is not implementing the ÆRA methodology. It is implementing a version of it that has removed the load-bearing element.

The technical specification for the Sovereign AI Stack is documented in full in the ÆRA Data Sovereignty Truth Document. Implementation support is provided through the practitioner network.


VIII. The Honest Limits

This document would not be honest without acknowledging what the architecture does not protect against.

Physical access. If the school's servers are physically seized, the architectural protections become a legal question rather than a technical one. The E2EE layer means the content is still unreadable, but the existence of the data and its metadata may be accessible.

Coaching pair access. The lead coach has access to your child's data for educational purposes. The architecture protects against external threats, not against a coach who misuses access. This is managed through professional obligations, supervision, and the cooperative governance structure — not through technical controls.

Enrolment data. The information provided at enrolment — names, addresses, emergency contacts, medical information — is held in a standard encrypted database rather than under E2EE, because it needs to be accessible to the administrative team in ways that the child's developmental record does not. This data is covered by GDPR but not by the same E2EE protections as the Aptitude Map.

Future legal change. The architecture is designed for the current legal landscape. If EU law changes in ways that would expose child data despite the architecture, the General Assembly's annual technology review is the mechanism for responding. The architecture is not permanent — it is continuously reviewed and updated as the legal landscape evolves.

These are real limits. They are documented here rather than in a footnote because a document about data honesty should be honest about its own limits.


IX. The Summary

Children's data is more detailed, more intimate, and more consequential than most parents are aware. The infrastructure holding it in most schools is less trustworthy than most schools acknowledge. The legal protections most commonly cited are weaker than they appear.

ÆRA has built an architecture that takes this seriously. AI that works with your child's data never leaves European infrastructure. AI that generates content never sees your child's data. The most sensitive developmental records are encrypted with keys only you hold. No AI model learns from your child's data. Your data rights are structural, not contractual.

This is not enough to claim perfect protection. But it is the honest state of what is architecturally possible, implemented as rigorously as we know how.

The data architecture is open. The technical specification is publicly available. Questions, challenges, and improvements are welcome. The methodology improves through the network that scrutinises it.


ÆRA — Your Child's Data · Version 1 · May 2026
Technical specification: AERA_TRUTH_DataSovereignty_v2.md
Open document. Freely available. Annotations welcome.

