Your data, plainly
Privacy policy
How we look after your information, and the children's records your setting keeps in the Forest School app.
1. Who we are
The Forest School app is a service provided by The Code Guy Ltd, a company registered in England and Wales (company number 09407392), whose registered office is The Old Byre, 15 Redgates Lane, Sewards End, Saffron Walden, CB10 2LW. In this policy, "we", "us" and "our" mean The Code Guy Ltd.
We are registered with the UK Information Commissioner's Office (ICO) under registration number ZB286164. For any privacy question, or to exercise your rights, email dpo@thecodeguy.co.uk or write to us at our registered office.
2. Our two roles: controller and processor
Data-protection law gives us different responsibilities depending on whose data we are handling, so it helps to be clear about the two roles we play.
- We are the controller of your account and billing information (the details you give us to sign up and pay). We decide how that information is used, and this policy explains how.
- The setting is the controller of the children's and families' records it keeps in the app (profiles, consents, registers, observations, incidents, safeguarding notes and session records). For that data we act only as the setting's processor, handling it strictly on the setting's documented instructions and on the data-processing terms that form part of our Terms of service. If you are a parent or member of staff and want to know how a particular setting uses your or your child's data, please contact that setting; we will support them in responding.
3. The information we handle
- Account: your name, email address and login credentials.
- Setting and billing: your setting's name, the plan you choose, and the billing details handled by our payment provider (we never store full card numbers).
- Records you enter: the children's profiles, consents, registers, observations, incidents, medication and session records a setting chooses to keep. The setting controls this data; we process it on the setting's behalf.
- Support and correspondence: messages you send us and our replies.
- Technical and usage: the limited, privacy-respecting logs and device information needed to keep the service running, secure and reliable.
4. Children's data and safeguarding
We treat children's data with particular care. It stays inside your setting and is never used for advertising, profiling or anything beyond providing the service to that setting. Safeguarding concerns are visible only to the setting's Designated Safeguarding Lead: not to general staff, and not to us as a matter of routine. We access the contents of a setting's records only where strictly necessary to provide or support the service, to keep it secure, or where the law requires it, and we never sell children's data or repurpose it.
5. Why we use it, and our lawful bases
For the data we control (your account and billing), we rely on the following UK GDPR lawful bases:
| What we do | Lawful basis |
|---|---|
| Create and run your account; provide the service | Performance of our contract with you |
| Take payment and keep tax and accounting records | Contract, and our legal obligations |
| Keep the service secure, prevent abuse, and fix faults | Our legitimate interests in a safe, working service |
| Send service messages (for example billing or security notices) | Contract, and our legitimate interests |
| Comply with legal and regulatory duties | Legal obligation |
Where we rely on legitimate interests, we have weighed those interests against your rights. For the children's records a setting keeps, the setting is responsible for choosing and recording the lawful basis (for example, consent for photographs, which the setting records and manages in the app).
6. Who we share it with
We do not sell your data. We share it only with the suppliers ("sub-processors") needed to run the service, each under a written contract that requires them to protect it and use it only on our instructions:
| Provider | What they do | Where |
|---|---|---|
| Microsoft Azure | Hosting of the application and database | United Kingdom |
| Stripe | Subscription payments and card processing | UK / EU, with onward transfer safeguards |
| Amazon Web Services (SES) | Sending transactional emails | EU (Ireland) |
We may also disclose data where the law requires it, or to establish, exercise or defend legal claims. If we change our sub-processors we will update this list. We will also share a setting's records back to that setting and the people it authorises, which is the whole point of the service.
7. Where your data lives and international transfers
Your core data (your account and your setting's records) is stored on Microsoft Azure infrastructure in the United Kingdom. Some of our suppliers (for example our payment and email providers) may process limited data outside the UK. Where they do, the transfer is protected by an approved safeguard, such as the UK's adequacy regulations, the UK International Data Transfer Agreement, or Standard Contractual Clauses with the UK Addendum.
8. How we keep it safe
We protect your data with appropriate technical and organisational measures, including encryption in transit, access controls and least-privilege access, the strict separation of each setting's data, and the safeguarding restrictions described above. No service can be completely secure, but we take security seriously and review our measures regularly.
9. Data breaches
If a personal-data breach occurs that is likely to result in a risk to people's rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it where the law requires, and we will tell affected people without undue delay where the risk to them is high. Where we are a setting's processor, we will notify the setting promptly so it can meet its own duties.
10. How long we keep it
We keep your account and billing data for as long as your account is active, and afterwards only as long as we must (for example, to meet tax and accounting duties). When a setting closes its account, its records can be exported first and are then permanently deleted within 30 days, unless the law requires us, or the setting, to retain certain records (such as safeguarding or incident records) for longer.
11. Your rights
Under UK GDPR you have the right to:
- access the personal data we hold about you;
- have inaccurate data corrected, and incomplete data completed;
- have your data erased in certain circumstances;
- restrict or object to certain processing;
- data portability (receive your data in a portable format); and
- withdraw consent at any time, where we rely on consent.
To exercise a right, email dpo@thecodeguy.co.uk. We will respond within one month. For children's records held by a setting, the setting is the controller, so please contact that setting; we will help them respond.
12. Cookies
We keep cookies to a minimum. We use two kinds:
- Essential cookies that the service needs to work, for example to keep you securely signed in and to remember your cookie choice. These do not need your consent, and the site cannot function properly without them.
- Analytics cookies (Google Analytics) that help us understand how the site is used so we can improve it. These set cookies (such as _ga) and share usage data with Google as our analytics provider. We only set them after you agree via the cookie banner; until then, no analytics cookies are set and no identifiers are stored on your device. You can decline, and analytics simply stays off.
You can change your mind at any time by clearing the cookies for this site in your browser, which makes the banner appear again. We do not use advertising or cross-site tracking cookies. Google processes the analytics data on our behalf; for more on how Google handles it, see Google's privacy policy.
13. Complaints
If you have a concern about how we handle your data, please contact us first at dpo@thecodeguy.co.uk so we can put it right. You also have the right to complain to the ICO at ico.org.uk, or by calling 0303 123 1113.
14. Changes to this policy
We may update this policy from time to time. We will post any changes here and update the date above; significant changes will be notified to account holders. Questions? Email dpo@thecodeguy.co.uk.