Privacy Policy

Effective Date: March 5th 2025

Last Updated: June 11th 2025

1. Introduction

Welcome to SchoolReports.app ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your information when you use our website and services.

2. Data Controller

Gerard Egan
SchoolReports.app
16 Seaton Grove, Moseley, Birmingham, B13 8PD, United Kingdom
support@schoolreports.app

3. Data We Collect

• Account Information: Name, email address, password (hashed and stored securely), and role.
• Reports: AI-generated reports saved in your account, which are automatically deleted after a defined period.
• Organisation Details: If you are part of an organisation, we may process information related to your organisation.
• User Preferences: Settings and preferences related to how you use our services.

4. How We Use Your Data

We use your personal data to provide and improve our services, ensure security, manage user reports, and comply with legal obligations.

5. Legal Basis for Processing

• Performance of a Contract: To provide our services to registered users.
• Legitimate Interests: To improve services, prevent fraud, and enhance security.
• Consent: Where required (e.g., marketing communications, cookies).
• Legal Obligation: Where necessary to comply with applicable laws.

6. Data Retention

• Reports: Stored for a specific period, after which they are automatically deleted.
• Account Information: Retained while your account remains active; deleted upon request or after inactivity for a defined period.

7. Cookies and Tracking Technologies

We use cookies only for essential functionality, such as maintaining login sessions. No tracking or analytics cookies are used. You can manage cookie settings in your browser.

8. ICO Registration

SchoolReports.app is registered with the Information Commissioner's Office (ICO) under registration number ZB666410. We comply with the UK GDPR and the Data Protection Act 2018.

If you have concerns about how we handle your data, you can contact the ICO:

• Website: https://ico.org.uk/
• Phone: 0303 123 1113
• Contact Form: ICO Contact

9. Your Rights Under GDPR & UK GDPR

You have the right to access, rectify, delete, or restrict processing of your data. You may also withdraw consent where applicable. Contact us at support@schoolreports.app to exercise your rights.

10. Contact Information

For privacy-related inquiries, contact:
Gerard Egan
16 Seaton Grove, Moseley, Birmingham, B13 8PD, United Kingdom
support@schoolreports.app

11. Security & International Data Transfers

All personal data is stored on secure servers located in London, United Kingdom, hosted by DigitalOcean. Access to these servers is limited to authorised devices using secure SSH and multi-factor authentication. All data in transit is encrypted using HTTPS with SSL/TLS.

We conduct regular security reviews, vulnerability assessments, penetration testing, and maintain an information asset inventory and backup procedures to ensure resilience and recovery.

We do not transfer personal data outside of the UK or EEA. If a user accesses our services from outside these regions (e.g., while travelling), the data remains within our UK-based infrastructure and under our legal control.

12. Subprocessors

We use trusted third-party service providers (subprocessors) who process limited personal data on our behalf. These subprocessors are contractually bound to comply with UK GDPR requirements.

• DigitalOcean – Hosting infrastructure (UK)
• Postmark – Transactional email delivery (US with EU safeguards including SCCs)

We maintain written agreements authorising each subprocessor and will notify users of any new subprocessors, providing the right to object in line with Article 28 of UK GDPR.

We do not share your data with analytics providers or third-party advertisers.

13. Accountability & Records of Processing

We follow a “data protection by design and by default” approach: personal data is minimised, access is restricted, and safeguards are embedded from the outset.

We maintain internal Records of Processing Activities (ROPA) as required under Article 30 UK GDPR. These records include purposes of processing, categories of data subjects/data, recipients, retention periods, transfers, and security measures. Our records are reviewed and updated regularly.