Privacy Policy
Last updated: May 2026 · Version 2.1
Data Controller: The subscribing school or multi-academy trust that holds the Schoolgle account.
Data Processor: Schoolgle Ltd, acting on the controller's instructions.
1. Who we are
Schoolgle Ltd ("Schoolgle", "we", "us") provides an AI-powered school improvement platform for UK schools and multi-academy trusts. Our platform helps school leaders organise evidence, track compliance, manage estates, and prepare for inspections.
Under UK GDPR and the Data Protection Act 2018, the subscribing school or trust is the Data Controller. Schoolgle Ltd acts as a Data Processor, processing personal data only on the controller's documented instructions.
Our privacy lead can be contacted at privacy@schoolgle.co.uk. Data-protection queries may also be sent to dpo@schoolgle.co.uk.
Company number: 16776489. Registered in England and Wales. Registered office: 25-29 Sandy Way, Yeadon, Leeds, West Yorkshire, England, LS19 7EW.
ICO Registration: ZC103199
2. Data we collect
We collect and process the following categories of personal data:
| Category | Examples | Purpose |
|---|---|---|
| Account data | Name, email address, role, school/trust name | Authentication, access control, billing |
| School improvement data | Documents uploaded or connected via cloud storage, evidence notes, assessment judgements, action plans | Core platform functionality: evidence matching, framework assessment, action tracking |
| Staff directory data | Staff names, roles, email addresses, phone numbers (as entered by the school) | HR management, task assignment, communication |
| Estates data | Asset registers, contractor details, inspection records, photos of rooms/equipment | Compliance tracking, maintenance scheduling |
| Product-scoped pupil data | Pupil names, references, year/class, characteristics and preferences where required by a subscribed product such as Class Builder | Product delivery, school-controlled analysis and staff review of outputs |
| Usage data | IP address, browser type, pages visited, feature usage, error logs | Service improvement, debugging, security monitoring |
3. Data we do NOT collect
Schoolgle is designed for school leaders and staff. We minimise personal data and do not collect or process the following categories unless a school-controlled workflow specifically requires them:
- Unnecessary identifiable pupil data — evidence and intelligence workflows should use school-level, cohort-level or pseudonymised data wherever possible
- Medical or health records — unless the subscribed product schedule explicitly requires them and the school has approved that processing
- Financial data — we do not store bank details or payroll information (Stripe handles payment card data directly)
- Biometric data
- Special category data — unless a product schedule or DPIA covers the purpose, or it is incidentally present in school-controlled documents or evidence uploaded by the school
4. How we use AI
Schoolgle uses artificial intelligence to help schools organise and analyse their improvement evidence. Here is exactly how:
| AI use case | What happens | Model / Provider |
|---|---|---|
| Document analysis | Extracted text is PII-masked then sent to an LLM to identify evidence against Ofsted/SIAMS framework requirements | Google Gemini Flash (primary), Gemini Flash Lite (fallback) |
| OCR for scanned documents | Scanned PDFs and images are processed to extract text | Mistral OCR (EU-hosted) |
| Voice transcription | Voice input in Ed (our assistant) is transcribed using browser APIs; no audio is sent to our servers | Web Speech API (on-device) |
| Room/asset scanning | Photos taken during estates inspections are analysed to identify compliance issues | Gemini 2.5 Flash (vision) |
| Conversational assistant (Ed) | School leaders can ask Ed questions about their data, draft documents, and manage tasks | Gemini 2.5 Flash via OpenRouter |
Our AI commitments
- All AI models are used in API mode only — your data is never used to train models
- We prefer EU/UK-hosted providers where possible (Mistral, Supabase EU, Firebase EU)
- For US-hosted providers, we have Standard Contractual Clauses (SCCs), UK International Data Transfer Agreement/Addendum terms or another appropriate transfer safeguard documented in the applicable sub-processor/DPA review
- Guardian Mode automatically detects and redacts personally identifiable information before it reaches AI models
- No automated decisions are made without human oversight — AI suggests, humans decide
5. Legal basis for processing
| Processing activity | Legal basis (UK GDPR) |
|---|---|
| Providing the platform service | Article 6(1)(b) — performance of a contract |
| Security monitoring and fraud prevention | Article 6(1)(f) — legitimate interests |
| Analytics cookies | Article 6(1)(a) — consent, if optional analytics are introduced in future |
| Responding to legal obligations | Article 6(1)(c) — legal obligation |
6. Sub-processors
We use the following third-party sub-processors to deliver our service:
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase | Database, authentication | EU (Frankfurt) | Adequacy (EU) |
| Firebase (Google) | Authentication (OAuth) | EU | Adequacy (EU) |
| Mistral AI | OCR, document processing | EU (Paris) | Adequacy (EU) |
| OpenRouter | AI model routing gateway | US | UK SCCs / IDTA |
| Google (Gemini) | Primary AI analysis, vision | US | UK SCCs / IDTA |
| Anthropic (Claude) | AI analysis (via OpenRouter) | US | UK SCCs / IDTA |
| Microsoft Azure | Text-to-speech | UK (London) | Domestic |
| Stripe | Payment processing | US | EU-US DPF |
7. International transfers
Where personal data is transferred outside the UK, we rely on one of the following safeguards:
- UK adequacy regulations — for transfers to the EU/EEA
- UK International Data Transfer Agreement (IDTA) — for transfers to the US (Google, Anthropic)
- Standard Contractual Clauses (SCCs) — as a supplementary measure alongside the IDTA
- EU-US Data Privacy Framework (DPF) — for Stripe, which is a certified participant
We conduct Transfer Impact Assessments (TIAs) for US-based sub-processors where required and review transfer safeguards when providers, regions or processing purposes change.
8. Data retention
| Data type | Retention period |
|---|---|
| Account data | Until account deletion + 30-day grace period |
| School improvement data (documents, evidence, assessments) | Until account deletion + 30-day grace period |
| Application logs | 12 months |
| Database backups | 90 days |
| AI processing logs | 30 days (anonymised metadata only) |
When a school requests account deletion or contract-end deletion, active personal data is normally removed within 30 days unless a longer legal, audit, support or contractual retention period applies. Backups expire according to the backup retention period above. Anonymised, aggregated analytics or operational metrics may be retained indefinitely for service improvement.
9. Your rights
Under UK GDPR, you have the following rights:
- Right of access — request a copy of your personal data
- Right to rectification — correct inaccurate or incomplete data
- Right to erasure — request deletion of your personal data
- Right to restriction — restrict processing in certain circumstances
- Right to data portability — receive your data in a machine-readable format
- Right to object — object to processing based on legitimate interests
How to exercise your rights
Contact our privacy lead at privacy@schoolgle.co.uk with your request. We will respond within one month. If your request is complex, we may extend this by a further two months, and we will let you know within the first month.
As Schoolgle acts as a Data Processor, we may redirect your request to your school or trust (the Data Controller) where appropriate.
10. Children's data
Schoolgle is designed for use by adult school staff and governors. The platform is not intended for, or directed at, children under 18.
Some subscribed products may process children's data where the school chooses to use them. For example, Class Builder may store named pupil records, year/class, characteristics and preference/session data so authorised school staff can review proposed class groupings. Other modules may contain pupil references incidentally in evidence, tickets or uploaded documents. In these cases, the school remains the Data Controller and Schoolgle processes the data under the DPA, product schedule and any relevant DPIA/product annex.
11. Cookies
We use a minimal number of cookies:
- Essential cookies — authentication session tokens (Supabase). These are strictly necessary and do not require consent.
- Analytics cookies — not currently used on the marketing website. If optional analytics cookies are introduced later, we will update the Cookie Policy and request consent before setting them.
For full details, see our Cookie Policy.
12. Complaints
If you have a concern about how we handle personal data, please contact our privacy lead first at privacy@schoolgle.co.uk. We take all complaints seriously and will aim to resolve them promptly.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Website: ico.org.uk
Telephone: 0303 123 1113
Live chat: ico.org.uk/global/contact-us/live-chat
13. Contact
For any questions about this privacy policy or our data practices:
Privacy contact
Email: privacy@schoolgle.co.uk
DPO/data protection: dpo@schoolgle.co.uk
Website: schoolgle.co.uk
This policy was last reviewed in May 2026. We will review it at least annually or when there are significant changes to our processing activities. Any material changes will be communicated to account holders by email.