Our commitment to transparency, security, and your data rights.
Sunday 28 September 2025
Overview and scope
Purpose: This app is used by the Sunday School management team to manage attendance, rostering, and related administration. It is not a public-facing service and does not provide forums or discussion spaces.
Audience: Intended for authorised staff and parents/guardians who receive secure access links. There are no public login portals.
Jurisdiction: This notice is designed to comply with UK GDPR and the Data Protection Act 2018.
Contact data: Emails, phone numbers, postal addresses (where provided).
Attendance and rostering data: Check‑ins/outs, assigned classes, schedules.
Authorisations and consent records: Permissions (e.g., photo consent), safeguarding notes where strictly necessary..
Technical and usage data: Device/browser info, timestamps, pages or features used.
Analytics data: Aggregated performance metrics and error logs for service improvement.
How we collect data
Direct from parents/guardians: Information provided to enrol or update a child’s details.
From management staff: Attendance entries, rostering, and updates during program operation.
Automatically via the app: Basic usage and diagnostic data when using the service.
From third‑party services: Only where necessary to deliver functionality (e.g., email delivery status).
How we use data and legal bases
Provide and operate the service: Manage attendance, rosters, and parent communications. Legal bases: legitimate interests, contract, and consent where required.
Safeguarding and safety: Maintain emergency contacts and essential notes. Legal bases: vital interests and legal obligation where applicable.
Communications: Send operational notices (e.g., class changes, reminders). Legal bases: legitimate interests or contract.
Service improvement: Diagnose issues, enhance reliability, and measure performance. Legal basis: legitimate interests.
Compliance: Record‑keeping and responding to lawful requests. Legal basis: legal obligation.
No marketing: Personal data is not used for advertising or profiling.
Parent access and authentication
No public accounts: Parents do not register public logins.
Secure access links: Parents receive auto‑generated, password‑protected links to view or manage their child’s rostering data.
Transport security: Links are provided over secure connections (HTTPS).
Expiry and revocation: Links may expire and can be revoked if misused or upon request.
Storage, security, and retention
Remote, encrypted storage: Personal data is stored in secure, managed services with encryption in transit and at rest.
Access controls: Role‑based access limited to authorised management team members with authentication and audit logging.
Data minimisation: We collect only what is necessary for the stated purposes.
Retention: Data is kept only as long as needed for Sunday School operations and legal requirements, then securely deleted or anonymised.
Backups and recovery: Regular backups and disaster recovery measures are in place.
Sharing and international transfers
No selling of data: We do not sell or rent personal information.
Service providers: Trusted processors may access data solely to provide infrastructure, communications, analytics, or support—bound by confidentiality and security terms.
Legal disclosures: Information may be disclosed if required by law or to protect vital interests.
Transfers outside the UK: If data is transferred internationally, we use appropriate safeguards (e.g., standard contractual clauses or UK addendum). Details are available on request.
Analytics, cookies, and tracking
Limited analytics: Used only to improve functionality, reliability, and user experience—not for advertising or profiling.
Cookie usage: If cookies or local storage are used, they are limited to strictly necessary and performance purposes.
Do Not Track: The app may not respond to DNT signals; we restrict tracking to essential operations and improvement only.
No third‑party advertising cookies: We do not serve targeted ads.
Children’s privacy
Indirect collection: We receive children’s data from parents/guardians or authorised staff; we do not knowingly collect directly from children without parental involvement.
Parental responsibility: Parents/guardians should ensure the accuracy of the child’s information and update it when needed.
Safeguarding: Sensitive notes (e.g., allergies) are processed only when necessary and with heightened security and access controls.
Your rights and how to exercise them
Access: Request a copy of your personal data and your child’s data you provided.
Rectification: Ask us to correct inaccurate or incomplete information.
Erasure: Request deletion where data is no longer needed or consent is withdrawn (subject to legal obligations).
Restriction: Ask us to limit processing in certain circumstances.
Objection: Object to processing based on legitimate interests.
Portability: Request a copy in a commonly used, machine‑readable format where applicable.
Complaints: You can lodge a complaint with the UK Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113, and you can also contact us first so we can try to resolve concerns.
Additional information
No public areas: No forums, comments, or user‑generated public content are provided.
Automated decisions: We do not use automated decision‑making or profiling that produces legal or similarly significant effects.
Third‑party links: If we provide links to external sites, their privacy practices apply. Review their notices before sharing personal data.
Data breaches: We maintain incident response procedures and will notify affected individuals and regulators where legally required.
Changes to this notice: We may update this policy from time to time. Material changes will be communicated to authorised users and parents. The “Effective date” will indicate the latest version.