1. Who We Are
School Atlas is an independent school-finding service for parents, operated by Stephen Spence, a sole trader trading as School Atlas. We are the data controller for the personal data described in this policy. We are not affiliated with any government body, local authority, or school.
Our correspondence address is 182 Heythorp Street, London, SW18 5BU, United Kingdom. You can contact us at privacy@schoolatlas.co.uk for all data-protection and rights-request matters. Because we are a sole trader, UK GDPR Article 37 does not require us to appoint a statutory Data Protection Officer and we have not done so; requests to the privacy mailbox are answered by the controller in person.
ICO registration. We are registered as a controller of personal data with the UK Information Commissioner's Office and pay the data-protection fee under the Data Protection (Charges and Information) Regulations 2018. Our ICO registration number is ZC133193 (registered 25 April 2026). You can verify this entry on the ICO's public register at ico.org.uk/ESDWebPages/Search. You can raise concerns with us at privacy@schoolatlas.co.uk or lodge a complaint directly with the ICO at ico.org.uk/make-a-complaint.
2. What Data We Collect
Account Data
When you register, we collect your email address, display name, and optionally your postcode. Your postcode helps us show you relevant nearby schools and is never shared with third parties.
Location Data
If you use the “Near me” feature, your browser may request permission to access your device's location. This data is used only in your browser to find nearby schools and is never stored on our servers or sent to third parties.
Usage Data
We use essential cookies for authentication (session management). We do not use advertising cookies or cross-site tracking. We use Google Analytics 4 for website analytics, which uses first-party cookies to measure site usage (see Third-Party Services below).
Child Profiles
Signed-in parents may create child profiles to keep school-search preferences organised per child. For each profile the following fields are captured, all entered by you:
- Name (you may use a first name, initials or a nickname).
- Date of birth (optional; used only to derive the current school year / phase).
- Current year group and school phase (nursery / primary / secondary / post-16).
- Preferred school types (e.g. state, independent).
- Free-text notes you choose to add.
Child profiles are private to your account, protected by row-level security in our database, and are not shared with any third party, used for advertising or used to train machine-learning models. The child is the data subject for any personal data held in the profile (the ICO position is that the data subject is always the natural person the data is about, not the person who entered it). You as the parent or person with parental responsibility submit and manage the profile on the child's behalf, and you exercise the child's data rights (access, rectification, erasure) until the child is old enough to do so themselves — the ICO Children's Code treats this transition as occurring around age 13 in an online services context, and we will engage directly with a child of competent age who asks to do so. Our lawful basis for processing the profile is Article 6(1)(b) (performance of the contract with you, as the account holder who instructed us to keep the record). You can edit or delete any profile at any time from your account settings; deleting your account permanently removes all associated child profiles via a database cascade.
Notes about your child's needs (special-category data). The free-text notes field on a child profile is optional and is intended for shortlisting context only (for example: preferred sixth-form subjects, commute notes). If you choose to include information that is special category data under Article 9 UK GDPR — for example, information about your child's health, disability or SEND status — we rely on your explicit consent under Article 9(2)(a) and DPA 2018 Schedule 1 Part 1 paragraph 1. You will be asked to confirm this consent in the notes field before the data is saved, and you can withdraw consent at any time by deleting the note or the profile. We never profile children, never share notes with schools, and never use notes to train AI models.
Shortlists and Saved Searches
If you save schools to your shortlist or save search criteria, this data is stored in your account and is only visible to you.
Search Analytics
When you search for schools, we record only the outward code of the postcode searched (e.g. "SW18" rather than the full "SW18 1AA"), the filters applied, and a pseudonymised session identifier (a one-way hash of your IP address and a server-side salt). If you are logged in, your user ID is linked to the search. The outward code resolves to thousands of addresses, so it cannot identify you. This data helps us understand search demand across the UK and improve the service. Search analytics data is retained for 12 months and then deleted. Because the salt used to derive the session hash is held by us, we treat this record as pseudonymised personal data under UK GDPR Article 4(5), not anonymous data: a third party who obtained the hash without our salt could not reverse it to your IP, but we retain the technical ability to re-derive a match and therefore apply UK GDPR safeguards to the record throughout its 12-month lifetime.
Newsletter
If you subscribe to our newsletter, we collect your email address and optionally your preferred borough. Newsletter subscription is based on your explicit consent (Article 6(1)(a)). You can unsubscribe at any time via the link in every email. Newsletter subscriber data is retained until you unsubscribe, at which point your email is removed from our mailing list within 30 days.
Payment Data
If you subscribe to a paid plan, payments are processed by Stripe. We do not store your full card number, expiry, or CVV on our servers. Stripe handles all payment data in compliance with PCI DSS Level 1. We store only your Stripe customer ID, subscription status, and billing period for account management.
Institution Account Data
Schools and educational organisations can create institution accounts to claim and manage their school profiles. Institution accounts collect: organisation name, contact email, phone number, website, and an optional logo. Institution account data is processed under contract performance (Article 6(1)(b)) to provide the institution portal service. Team members are invited by institution owners and their membership is tracked for access control.
3. Public Information We Display
In addition to user account data, School Atlas displays certain personal data about public figures in connection with schools. This is not data we collect from you, but information we curate from publicly available sources.
Notable Alumni
We display the names and achievements of notable alumni who are public figures (e.g. politicians, athletes, authors, scientists). This data is limited to: name, professional field, a brief achievement description, approximate era of attendance, and a link to a verifiable public source (typically Wikipedia). We process this data under the legitimate interest lawful basis (Article 6(1)(f)). Our full Legitimate Interest Assessment is available for review.
If you are listed as a notable alumnus and wish to be removed, please contact us at privacy@schoolatlas.co.uk. We will honour removal requests promptly.
School Staff
We may display the names of headteachers and other senior staff in their professional capacity where a school itself publishes those names on its own website or where the name appears in a published inspection report (Ofsted, Estyn, Education Scotland, ETI or ISI). We process this data under legitimate interest (Article 6(1)(f)). Our full School Staff Legitimate Interest Assessment sets out the balancing test, safeguards and data-minimisation rules. Because we did not collect this information directly from the individual, we rely on Article 14(5)(b) (disproportionate effort to notify each subject) and publish this notice as our Article 14 transparency statement.
One-click removal. If you are named on a School Atlas school profile as a member of staff and wish to object to the processing or request removal, use the one-click removal form or email privacy@schoolatlas.co.uk. We action staff-removal requests within the UK GDPR Article 12 statutory window (one month), typically within five working days.
4. How We Use Your Data
- To provide and improve the School Atlas service
- To show you schools near your location (if postcode provided)
- To maintain your shortlists and saved searches
- To authenticate your account
- To send transactional emails (e.g. account confirmation, password reset)
- To send a short getting-started email series if you explicitly opt in at signup (you can withdraw consent at any time)
- To send optional email notifications you have opted into (e.g. Ofsted alerts, weekly digest)
We do not sell, rent, or share your personal data with third parties for marketing purposes.
5. Legal Basis for Processing
We process personal data on the following legal bases under UK GDPR:
- Contract performance (Article 6(1)(b)) — to provide your account, shortlists, and the core service you signed up for, to process subscription payments and provide premium features you have purchased, and to provide institution portal services to schools that have created institution accounts
- Legitimate interest (Article 6(1)(f)) — for anonymised analytics to improve the service, for security measures to protect against abuse, and for displaying publicly available information about notable alumni and school staff in their professional capacity (see our Legitimate Interest Assessment)
- Consent (Article 6(1)(a)) — for optional email notifications (Ofsted alerts, weekly digest) and for the short getting-started email series (explicit, unticked opt-in at signup). You can withdraw any consent at any time via your Account preferences or the unsubscribe link in any email
- Explicit consent (Article 9(2)(a) UK GDPR; DPA 2018 Sch 1 Pt 1 para 1) — where you choose to add special-category information (for example, your child's health or SEND needs) to a child-profile note. You will be prompted to confirm this consent before the data is saved; withdrawing consent deletes the note
- PECR soft opt-in (Regulation 22(3)) — for re-engagement emails sent only to subscribers who have previously paid for a School Atlas plan, about similar School Atlas products. Free-tier users never receive soft-opt-in marketing
6. Data Storage and Security
Your data is stored securely using Supabase (hosted on AWS in the EU). All data is encrypted in transit (TLS 1.2+) and at rest. Access to personal data is restricted to authorised administrators only via role-based access controls and Row Level Security policies.
Personal data breaches. If a breach occurs that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours of becoming aware of it, as required by Article 33 UK GDPR. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay (Article 34 UK GDPR), using the email address on your account and describing: the nature of the breach, the likely consequences, and the steps we are taking to mitigate it. You can also report a suspected breach to us at security@schoolatlas.co.uk.
7. International Data Transfers
Personal data is primarily stored inside the UK/EEA. Our primary database (Supabase) runs in an AWS EU region and our error-monitoring provider (Sentry) uses its EU data region. Some providers process data outside the UK/EEA — principally in the United States. For each US transfer we rely on an Article 46 UK GDPR safeguard as set out below. The UK–US Data Bridge (the UK extension to the EU–US Data Privacy Framework) is used where the importer is DPF-certified; otherwise we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses (“UK Addendum”) together with the provider's Data Processing Agreement.
| Provider | Location | Article 46 safeguard |
|---|---|---|
| Supabase (database, auth) | EU (AWS, EU region) | Intra-EEA processing; DPA in place. |
| Vercel (hosting, edge) | Global edge / US | UK Addendum to EU SCCs; Vercel is DPF-certified, so the UK–US Data Bridge also applies. |
| Stripe (payments) | US / EU | UK Addendum to EU SCCs; Stripe is DPF-certified. PCI DSS Level 1. |
| Resend (transactional email) | US | UK Addendum to EU SCCs plus Resend's DPA. |
| Sentry (error monitoring) | EU data region | Intra-EEA processing where possible; UK Addendum plus Sentry DPA for any incidental US transfer. PII scrubbing is enabled. |
| Trigger.dev (background jobs) | US | UK Addendum to EU SCCs plus Trigger.dev DPA. |
| Upstash (rate-limit / cache) | EU / US | EEA Upstash region for primary storage; UK Addendum for any US fallback. |
| Anthropic (AI Advisor) | US | Anthropic's published Data Processing Addendum (incorporating the UK Addendum to EU SCCs) and Commercial Terms of Service. No training on Customer Content; up to 30-day retention for abuse monitoring then deletion. |
| Google (optional OAuth, Google Analytics 4) | US / EU | UK Addendum to EU SCCs; Google is DPF-certified, so the UK–US Data Bridge also applies. |
| Postcodes.io | UK | Intra-UK processing; no personal data transmitted beyond the postcode itself. |
| OpenStreetMap / CARTO | Global / EU | Map tiles only; no personal data transmitted. |
A transfer risk assessment has been completed for each of the US transfers listed above in line with the ICO's International Data Transfer Guidance. You can request a copy of the relevant transfer mechanism by writing to privacy@schoolatlas.co.uk.
8. Your Rights (UK GDPR)
Under the UK GDPR, you have the right to:
- Access your data — download a copy from your Account page
- Rectify inaccurate data — edit your profile at any time
- Erase your data — delete your account from your Account page. This permanently removes all your data including profile, shortlists, and saved searches
- Port your data — export your data as JSON from your Account page
- Restrict processing — contact us to restrict how we use your data
- Object to processing — contact us at privacy@schoolatlas.co.uk
- Withdraw consent — for optional email notifications, toggle them off in your Account preferences at any time
We will respond to all data rights requests within one month, as required by UK GDPR. To exercise any of these rights, email privacy@schoolatlas.co.uk.
9. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on you. Features such as “Smart Fill” on the compare page provide suggestions based on proximity and publicly available school data, but do not make decisions about you.
10. Data Retention
We retain your account data for as long as your account is active. When you delete your account, all personal data is permanently removed within 30 days. Anonymised, aggregated usage statistics (which cannot identify you) may be retained indefinitely.
11. Newsletter
If you subscribe to our newsletter, we collect your email address and optionally your preferred borough. You can unsubscribe at any time via the link in every email or from your Account preferences. When you unsubscribe, your email is removed from our mailing list within 30 days.
12. Payments & Subscriptions
If you subscribe to a paid plan, payments are processed by Stripe. We do not store your full card number, expiry, or CVV on our servers. Stripe handles all payment data in compliance with PCI DSS Level 1. We store only your Stripe customer ID, subscription status, and billing period for account management.
13. Institution Accounts
Schools and educational organisations can create institution accounts to claim and manage their school profiles. Institution accounts collect: organisation name, contact email, phone number, website, and an optional logo. Team members are invited by institution owners and their membership is tracked for access control. For details on how institution account data is processed, see the data collection and legal basis sections above.
14. Cookies
School Atlas uses essential cookies for authentication, and — subject to your consent — first-party analytics cookies set by Google Analytics 4 to measure site usage. We do not use advertising cookies, cross-site tracking, or third-party profiling cookies. GA4 analytics cookies are only written after you accept the cookie banner; if you reject, no GA4 cookies are set and Google Consent Mode v2 defaults remain at “denied”. You can change your choice at any time using the “Cookie Preferences” link in the footer.
| Name | Purpose | Category | Duration |
|---|---|---|---|
| sb-<project-ref>-auth-token | Supabase authentication session (access and refresh tokens) | Essential | Session / 1 hour (refresh rolling) |
| sb-<project-ref>-auth-token-code-verifier | Supabase PKCE login flow | Essential | Short-lived (login only) |
| sa-analytics-consent (localStorage) | Records your analytics consent choice (“granted” / “denied”) | Essential | Persistent until cleared |
| sa-cookie-notice-dismissed (localStorage) | Records that you have seen the cookie banner so we do not show it again | Essential | Persistent until cleared |
| _ga | Google Analytics — distinguishes users | Analytics (opt-in) | 2 years |
| _ga_R6VVWP6WX4 | Google Analytics — persists session state | Analytics (opt-in) | 2 years |
15. Third-Party Services & Sub-Processors
We use the following third-party services to operate School Atlas. These are our data sub-processors under UK GDPR:
| Service | Purpose | Data Location | Personal Data |
|---|---|---|---|
| Supabase | Authentication & database | EU (AWS, EU region) | Email, profile, shortlists |
| Vercel | Website hosting | Global edge | IP address (logs) |
| Google Analytics 4 | Website analytics (cookie-based, consent-gated) | US/EU | Pseudonymised usage data, first-party cookies. Only fires after you accept analytics cookies; Google Consent Mode v2 defaults to “denied” until consent is given. |
| Resend | Transactional email | US | Email address |
| Postcodes.io | Postcode geocoding | UK | None |
| Google | Optional OAuth login | US | Email, name (if used) |
| Stripe | Payment processing | US / EU | Payment method, email |
| OpenStreetMap | Map tiles | Global | None |
| Upstash | Rate limiting / Redis | US | IP address |
| Trigger.dev | Background job orchestration (scheduled ingest, notifications) | US | Job metadata; no parent personal data beyond internal user IDs |
| Sentry | Error monitoring | EU data region | None (IP scrubbed, PII stripped via sendDefaultPii: false) |
| CARTO | Map tiles | Global / EU | None |
| Vercel Speed Insights | Web performance monitoring | Global | None (anonymised Web Vitals only) |
| Anthropic | AI Advisor (Claude API) — answers parent questions about schools using public data | US | The text of questions you submit to the AI Advisor, plus the relevant school context. We rely on Anthropic's standard Commercial Terms of Service and published Data Processing Addendum for Article 28 / Article 46 obligations. Under those terms Anthropic does not train on Customer Content and retains inputs / outputs for up to 30 days for abuse monitoring before deletion. Child-profile fields (name, date of birth, notes) are stripped server-side before any request leaves our servers, and conversations are stored in our own Supabase database (EU) so you can re-read them from your Account. |
When you send a question to the AI Advisor, the question text and the relevant school context are transmitted to Anthropic for processing. Do not paste personal data (your child's name, NHS number, SEND records) into the Advisor. Conversations are stored in our database so you can re-read them from your account, and are deleted when you delete your account.
16. Children's Privacy
School Atlas is designed for parents and guardians. Account registration is restricted to users aged 16 or over (self-attested at signup). We do not knowingly collect personal data from anyone under 16; how we handle accidental access by under-16s is set out in our Children's Access Assessment. If you believe a child has provided us with personal data, please contact us immediately at privacy@schoolatlas.co.uk.
Parents may create child profiles containing their child's name, date of birth, year group, and school preferences. This data is entered and controlled by the parent, not the child, and is processed under parental authority as part of the service contract. Child profile data is included in data exports and is permanently deleted when the parent deletes their account.
We do not profile children for marketing or advertising. Child-profile data is used only to personalise the parent's own shortlisting experience (for example, suggesting schools for the correct year group and phase). It is never shared with schools, never used for advertising or re-targeting, and never used to train third-party AI models.
For a full picture of how we apply the ICO Children's Code and the Online Safety Act duties relating to children, see our Children's Access Assessment.
17. Changes to This Policy
We may update this policy from time to time. Significant changes will be communicated via email to registered users. The “last updated” date at the top of this page indicates the most recent revision.
18. Contact Us
For privacy-related queries, data requests, or complaints:
- Data-protection and rights requests: privacy@schoolatlas.co.uk
- General enquiries: info@schoolatlas.co.uk
- Security / breach reports: security@schoolatlas.co.uk
Our ICO registration number is shown at the top of this policy. You can verify it at ico.org.uk/ESDWebPages/Search.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent body for data protection. You can check the ICO's public register at ico.org.uk/ESDWebPages/Search.