Under Article 30 of the UK GDPR, School Atlas maintains a record of the personal data we process. This page publishes a summary for transparency. The full record is available to the Information Commissioner on request.
What this record covers
Each entry below describes one processing activity: the purpose, the categories of personal data involved, the lawful basis under Article 6 of the UK GDPR, how long we keep the data, and who else sees it. Where an activity involves a sub-processor, the country of processing is shown.
International data transfers
School Atlas is a UK controller. Some processing happens via sub-processors based outside the UK and EEA — most notably Stripe (US, payments), Anthropic (US, AI inference), Resend (US, email), Sentry (US, error monitoring), and Google Analytics 4 (US, with consent). Each transfer is shown against the activity below.
All transfers outside the UK rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, and where a recipient is also DPF-certified we additionally rely on the UK Extension to the EU–US Data Privacy Framework (the “UK–US Data Bridge”). Supabase (database / auth) is hosted in the EU. We do not transfer pupil data to any sub-processor outside the UK / EEA.
1. Account creation and authentication
- Purpose: Identify returning users, secure access, provide the service the user has signed up for.
- Categories of data: Email address, hashed password, account creation timestamp, last sign-in.
- Lawful basis: Art 6(1)(b) contract.
- Retention: Until account deletion, then 30 days in the deleted-accounts audit table before purge.
- Recipients / sub-processors: Supabase (auth + database, EU).
2. User profile and preferences
- Purpose: Personalise shortlists, saved searches, notification settings.
- Categories of data: Display name (optional), postcode area (optional, for distance calculations), notification preferences, saved schools and searches.
- Lawful basis: Art 6(1)(b) contract.
- Retention: Until account deletion.
- Recipients / sub-processors: Supabase (EU).
3. Child profiles (parent-managed)
- Purpose: Let parents shortlist schools against a specific child (year group, phase, preferred school types). Never shared outside the parent account, never used for marketing, never profiled.
- Categories of data: Name (parent may use a first name, initials or a nickname); optional date of birth (to compute the child's current school year); current year group; school phase; preferred school types; any free-text notes the parent writes. No SEND data is captured in a structured field — parents may mention SEND matters in their free-text notes if they choose.
- Lawful basis: Art 6(1)(b) contract with the account-holding parent (or person with parental responsibility), performed on the child's behalf. The child is the data subject for the personal data held in the record; the parent acts as their representative under parental responsibility and exercises access/rectification/erasure rights for them. Art 8(1) UK GDPR consent is not engaged because the child is not the direct user of the service. Where the parent enters Art 9 special-category content into the free-text notes field, the additional condition is the parent's explicit consent under Art 9(2)(a) + DPA 2018 Sch 1 Pt 1 para 1 (see migration 00414).
- Retention: Until the parent deletes the profile or deletes their account. Deleting the parent account cascades to all child_profiles rows via a foreign-key ON DELETE CASCADE.
- Recipients / sub-processors: Supabase (EU) only. No onward disclosure.
4. Subscription and payment processing
- Purpose: Take payment for paid plans, manage renewals, issue invoices.
- Categories of data: Stripe customer ID, subscription status, plan, billing period. We do not store card numbers, CVCs, expiry dates or last-four digits — those are held exclusively by Stripe under their PCI-DSS Level 1 attestation. Our database holds only the opaque Stripe customer ID and the resulting subscription state.
- Lawful basis: Art 6(1)(b) contract.
- Retention: Subscription status mirror kept for the life of the account, then deleted as part of account deletion. Invoice and transaction records on the Stripe side are retained by Stripe for 7 years to meet UK financial-record obligations (HMRC self-assessment requires retention until the 5th anniversary of the 31 January following the tax year — Stripe holds for 7 to satisfy the longer retention rules in other jurisdictions in which it operates). We can retrieve those records on demand for an SAR but do not duplicate them locally.
- Recipients / sub-processors: Stripe (US, under UK Addendum to EU SCCs; Stripe is also DPF-certified so the UK–US Data Bridge applies).
5. Parent reviews of schools
- Purpose: Publish moderated first-hand reviews to help other parents.
- Categories of data: Review text (1,000 chars max), declared relationship (parent / former parent / prospective), rating. Reviewer identity held internally, never published.
- Lawful basis: Art 6(1)(a) consent at submission + Art 6(1)(f) legitimate interest (platform operation and Defamation Act s.5 defence).
- Retention: Published reviews retained for the life of the platform or until withdrawn by the author. Rejected reviews retained for 12 months as a moderation audit trail, then deleted.
- Recipients / sub-processors: Supabase (EU). Public, once published.
6. AI advisor conversations
- Purpose: Answer parent questions about UK schooling.
- Categories of data: Conversation messages (free-text) + account ID.
- Lawful basis: Art 6(1)(b) contract (Pro feature).
- Retention: Conversation messages stored in our Supabase database (EU) for the life of the account and deleted on account deletion. Forwarded to Anthropic under their published Data Processing Addendum and Commercial Terms: no training on Customer Content, up to 30-day retention for abuse monitoring then deletion. Child-profile fields (name, date of birth, notes) are stripped server-side before any request leaves our servers.
- Recipients / sub-processors: Anthropic (US, under Anthropic’s published Data Processing Addendum incorporating the UK Addendum to EU SCCs).
7. Search and interaction analytics
- Purpose: Improve the product; understand which schools and filters users engage with.
- Categories of data: Anonymised search terms, page view counts. No IP stored post-processing.
- Lawful basis: Art 6(1)(f) legitimate interest (product improvement) for first-party event mirroring; Art 6(1)(a) consent for Google Analytics 4.
- Retention: 12 months rolling, then aggregated and purged. Enforced by scheduled job.
- Recipients / sub-processors: Google Analytics 4 (US, consented only) under the UK Addendum to EU SCCs / UK–US Data Bridge. First-party events are stored in Supabase (EU).
8. Email communications
- Purpose: Deliver transactional, onboarding, weekly digest, and marketing emails.
- Categories of data: Email address, first name (optional), delivery and open status.
- Lawful basis: Art 6(1)(b) for transactional; Art 6(1)(a) explicit consent (unticked opt-in at signup) for the onboarding series; Art 6(1)(a) consent for marketing newsletters. PECR 22(3) soft opt-in is used only for re-engagement messages to former paying subscribers about similar paid products.
- Retention: Until account deletion or 30 days after unsubscribe, whichever is sooner.
- Recipients / sub-processors: Resend (US, under UK Addendum).
9. Error monitoring
- Purpose: Detect and fix bugs.
- Categories of data: Stack traces, route paths, user ID (not email or name). IP addresses are scrubbed before storage.
- Lawful basis: Art 6(1)(f) legitimate interest (service reliability).
- Retention: 90 days rolling.
- Recipients / sub-processors: Sentry (US, under UK Addendum).
10. Institution portal — school-uploaded data
- Purpose: Let a claimed school manage its profile, photos, open days, and enquiries.
- Categories of data: School staff contact details, profile copy, photos, pupil-free business data.
- Lawful basis: Art 6(1)(b) contract between the institution and School Atlas.
- Retention: For the life of the institution account; on termination, data retained 90 days for dispute handling, then deleted.
- Recipients / sub-processors: Supabase (EU). Where a school uploads pupil data, School Atlas acts as processor under the published [Institution DPA](/legal/institution-dpa).
11. Moderation and abuse handling
- Purpose: Keep reviews lawful, meet the Defamation Act 2013 s.5 notice-and-takedown duty, and satisfy the Online Safety Act 2023 s.10 duties.
- Categories of data: Notice text, complainant contact, moderator decision, timestamps, linked review.
- Lawful basis: Art 6(1)(c) legal obligation (Defamation Regulations 2013) + Art 6(1)(f) legitimate interest.
- Retention: 3 years from the date of the moderation decision — evidentiary window for possible defamation claim.
- Recipients / sub-processors: Internal only.
Special category data (Article 9)
Special category data is processed only in one narrow place: the free-text notes field on a child profile, where a parent may voluntarily record information that could reveal health, SEND status, or other Article 9 categories. Processing is conditional on the parent ticking an explicit-consent checkbox at the point of entry (UK GDPR Art. 9(2)(a); DPA 2018 Schedule 1 Part 1 paragraph 1). Notes are stored encrypted at rest, are visible only to the authenticated parent, are never used for profiling, marketing, or automated decision-making, and can be erased at any time from the child profile screen. Consent can be withdrawn by clearing the notes field, which removes both the data and the consent record.
What we do not process
- Other Article 9 categories — biometric data, genetic data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, or sexual orientation — are not collected.
- No location tracking beyond a voluntary postcode area, and no third-party behavioural advertising pixels.
- No children's data is used to profile for marketing.
Questions about this record
If you have questions about what we process, why, or for how long, email privacy@schoolatlas.co.uk. For a formal Article 15 subject access request, you can also use the data export and deletion controls in your account.