Privacy Policy
Last updated: March 2026 · Version 2.0
The subscribing school or multi-academy trust that holds the Schoolgle account.
Schoolgle Ltd, acting on the controller's instructions.
1. Who we are
Schoolgle Ltd ("Schoolgle", "we", "us") provides an AI-powered school improvement platform for UK schools and multi-academy trusts. Our platform helps school leaders organise evidence, track compliance, manage estates, and prepare for inspections.
Under UK GDPR and the Data Protection Act 2018, the subscribing school or trust is the Data Controller. Schoolgle Ltd acts as a Data Processor, processing personal data only on the controller's documented instructions.
Our Data Protection Officer (DPO) can be contacted at admin@schoolgle.co.uk.
ICO Registration: Pending (Application C1888815)
2. Data we collect
We collect and process the following categories of personal data:
| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, email address, role, school/trust name | Authentication, access control, billing |
| School improvement data | Documents uploaded or connected via cloud storage, evidence notes, assessment judgements, action plans | Core platform functionality: evidence matching, framework assessment, action tracking |
| Staff directory data | Staff names, roles, email addresses, phone numbers (as entered by the school) | HR management, task assignment, communication |
| Estates data | Asset registers, contractor details, inspection records, photos of rooms/equipment | Compliance tracking, maintenance scheduling |
| Usage data | IP address, browser type, pages visited, feature usage, error logs | Service improvement, debugging, security monitoring |
3. Data we do NOT collect
Schoolgle is designed for school leaders and staff. We do not collect or process the following data categories:
- Pupil names or identifiable pupil data — the platform operates at the school/evidence level, not individual pupil level
- Medical or health records
- Financial data — we do not store bank details or payroll information (Stripe handles payment card data directly)
- Biometric data
- Special category data — unless incidentally present in documents uploaded by the school, in which case Guardian Mode redacts it before AI processing
4. How we use AI
Schoolgle uses artificial intelligence to help schools organise and analyse their improvement evidence. Here is exactly how:
| AI use case | What happens | Model / Provider |
|---|---|---|
| Document analysis | Extracted text is PII-masked then sent to an LLM to identify evidence against Ofsted/SIAMS framework requirements | Google Gemini Flash (primary), Gemini Flash Lite (fallback) |
| OCR for scanned documents | Scanned PDFs and images are processed to extract text | Mistral OCR (EU-hosted) |
| Voice transcription | Voice input in Ed (our assistant) is transcribed using browser APIs; no audio is sent to our servers | Web Speech API (on-device) |
| Room/asset scanning | Photos taken during estates inspections are analysed to identify compliance issues | Gemini 2.5 Flash (vision) |
| Conversational assistant (Ed) | School leaders can ask Ed questions about their data, draft documents, and manage tasks | Gemini 2.5 Flash via OpenRouter |
Our AI commitments
- All AI models are used in API mode only — your data is never used to train models
- We prefer EU/UK-hosted providers where possible (Mistral, Supabase EU, Firebase EU)
- For US-hosted providers, we have Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs) in place
- Guardian Mode automatically detects and redacts personally identifiable information before it reaches AI models
- No automated decisions are made without human oversight — AI suggests, humans decide
5. Legal basis for processing
| Processing activity | Legal basis (UK GDPR) |
|---|---|
| Providing the platform service | Article 6(1)(b) — performance of a contract |
| Security monitoring and fraud prevention | Article 6(1)(f) — legitimate interests |
| Analytics cookies | Article 6(1)(a) — consent |
| Responding to legal obligations | Article 6(1)(c) — legal obligation |
6. Sub-processors
We use the following third-party sub-processors to deliver our service:
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase | Database, authentication | EU (Frankfurt) | Adequacy (EU) |
| Firebase (Google) | Authentication (OAuth) | EU | Adequacy (EU) |
| Mistral AI | OCR, document processing | EU (Paris) | Adequacy (EU) |
| OpenRouter | AI model routing gateway | US | UK SCCs / IDTA |
| Google (Gemini) | Primary AI analysis, vision | US | UK SCCs / IDTA |
| Anthropic (Claude) | AI analysis (via OpenRouter) | US | UK SCCs / IDTA |
| Microsoft Azure | Text-to-speech | UK (London) | Domestic |
| Stripe | Payment processing | US | EU-US DPF |
7. International transfers
Where personal data is transferred outside the UK, we rely on one of the following safeguards:
- UK adequacy regulations — for transfers to the EU/EEA
- UK International Data Transfer Agreement (IDTA) — for transfers to the US (Google, Anthropic)
- Standard Contractual Clauses (SCCs) — as a supplementary measure alongside the IDTA
- EU-US Data Privacy Framework (DPF) — for Stripe, which is a certified participant
We conduct Transfer Impact Assessments (TIAs) for all US-based sub-processors and review them annually.
8. Data retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion + 30 days grace period |
| School improvement data (documents, evidence, assessments) | Until account deletion + 30 days grace period |
| Application logs | 12 months |
| Database backups | 90 days |
| AI processing logs | 30 days (anonymised metadata only) |
When a school requests account deletion, all personal data is removed within 30 days. Anonymised, aggregated analytics data may be retained indefinitely for service improvement.
9. Your rights
Under UK GDPR, you have the following rights:
- Right of access — request a copy of your personal data
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your personal data
- Right to restriction — restrict processing in certain circumstances
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
How to exercise your rights
Contact our DPO at admin@schoolgle.co.uk with your request. We will respond within one month. If your request is complex, we may extend this by a further two months, and we will let you know within the first month.
As Schoolgle acts as a Data Processor, we may redirect your request to your school or trust (the Data Controller) where appropriate.
10. Children's data
Schoolgle is designed for use by adult school staff and governors. The platform is not intended for, or directed at, children under 18.
The Compliance module may store limited consent records relating to children (e.g., photography consent, trip consent) as entered by school staff. In these cases, the school remains the Data Controller and is responsible for obtaining appropriate parental consent under Article 8 of UK GDPR.
11. Cookies
We use a minimal number of cookies:
- Essential cookies — authentication session tokens (Supabase). These are strictly necessary and do not require consent.
- Analytics cookies — only set with your explicit consent via our cookie banner. Used for anonymous usage statistics to improve the service.
For full details, see our Cookie Policy.
12. Complaints
If you have a concern about how we handle personal data, please contact our DPO first at admin@schoolgle.co.uk. We take all complaints seriously and will aim to resolve them promptly.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: ico.org.uk
Telephone: 0303 123 1113
Live chat: ico.org.uk/global/contact-us/live-chat
13. Contact
For any questions about this privacy policy or our data practices:
Data Protection Officer
Email: admin@schoolgle.co.uk
Website: schoolgle.co.uk
This policy was last reviewed in March 2026. We will review it at least annually or when there are significant changes to our processing activities. Any material changes will be communicated to account holders by email.