1. Who We Are

PickMySchool is operated by Candour IT Services, a UK-registered company. We are the data controller for your personal information. You can contact us at info@candouritservices.com for any privacy enquiries.

2. What Data We Collect

Account data: email address, name, home postcode (if provided). Child profiles: children's first names, birth years, current year groups, and SEN needs. This data is entered by parents — we do not collect data directly from children. Usage data: schools you save, compare, and track in your application tracker. Application dates, document checklist progress, and notes. Ofsted alert preferences. Review content you submit. AI Advisor: when you use the AI Advisor, your questions and home postcode (if set) are sent to Anthropic (Claude) for processing. We do not store your AI conversation history on our servers. Technical data: browser type, device type, and anonymous usage patterns. We do not use tracking cookies for advertising. We do not collect payment information — any future paid features will be handled by a PCI-compliant third-party payment processor.

3. Legal Basis for Processing

We process your data under the following UK GDPR lawful bases: Contract: to provide the PickMySchool service when you create an account. Legitimate interests: to improve the platform based on anonymous usage patterns and to send service-related notifications. Consent: for optional email communications (Ofsted alerts, digests). You can withdraw consent at any time.

4. How We Use Your Data

To provide PickMySchool and let you sign in. To save your schools, preferences, child profiles, application tracking, and Ofsted alerts. To show personalised school recommendations based on your postcode and children's details. To process AI Advisor queries. To send email notifications you have opted into. To improve the platform based on anonymous usage patterns. To respond to support enquiries. We do not sell your data to third parties. We do not run advertising. We do not share your data with schools unless you explicitly contact them.

5. Email Communications

We send emails via Resend (our email provider): sign-up confirmation, magic link sign-in, Ofsted rating change alerts (if you set them), and contact form confirmations. You can unsubscribe from non-essential emails at any time by contacting us or removing your alerts in your profile.

6. Data Processors (Third Parties)

We share the minimum data necessary with these processors: Supabase (EU): database, authentication — stores your account, saved schools, child profiles, application data. Vercel (EU/US): hosting — serves the website, processes API requests. Resend (EU): email — sends transactional and notification emails using your email address. Anthropic (US): AI processing — your AI Advisor questions and postcode are sent to Claude for generating responses. Anthropic does not store your data beyond the request. Postcodes.io (UK): postcode lookup — your postcode is sent to resolve location for school searches. Each processor has their own privacy policy and we have assessed their data handling practices.

7. Cookies & Local Storage

Essential cookies: Supabase authentication cookies to keep you signed in. These are strictly necessary and do not require consent. Local storage: we store your preferences (Ofsted filters, hidden schools, document checklist progress, dark mode) in your browser's local storage. This data never leaves your device. We do not use third-party advertising cookies, tracking pixels, or fingerprinting. We do not use Google Analytics or similar tracking tools. You can clear local storage and cookies at any time through your browser settings.

8. Children's Data

PickMySchool is a tool for parents, carers, and education professionals. Child profile data (first name, birth year, year group, SEN needs) is entered by the parent or carer, not collected from children directly. We store this data to provide age-appropriate school recommendations and key date reminders. This data is visible only to the parent who created it. We do not knowingly collect personal data from children under 13. If you believe a child has provided us with personal data without parental consent, please contact us immediately and we will delete it.

9. Your Rights

Under UK GDPR, you have the right to: Access: request a copy of all personal data we hold about you. Rectification: correct inaccurate or incomplete data. Erasure: request deletion of your account and all associated data (you can do this directly from your Profile > Account tab > Delete Account). Restriction: request we limit how we process your data. Portability: receive your data in a structured, machine-readable format. Objection: object to processing based on legitimate interests. Withdraw consent: for any processing based on consent. To exercise any right, contact info@candouritservices.com. We will respond within 30 days. You also have the right to lodge a complaint with the ICO (ico.org.uk).

10. Data Retention

Account data is kept for as long as your account is active. When you delete your account, all associated data (saved schools, child profiles, applications, alerts, reviews) is permanently deleted within 24 hours. AI Advisor conversations are not stored on our servers. Anonymous usage data may be retained indefinitely for analytics.

11. Data Security

All data is transmitted over HTTPS/TLS. Database is hosted on Supabase with row-level security policies. Passwords are hashed using bcrypt (via Supabase Auth). API keys and secrets are stored as environment variables, not in code. We conduct regular reviews of our security practices.

12. School Data

All school information comes from publicly available government sources including DfE GIAS, Ofsted, DfE Performance Tables, HM Land Registry, Ofcom, Environment Agency, and OpenStreetMap. Published under the Open Government Licence or equivalent. We do not store personal data about individual school staff or pupils. School Life data is extracted from publicly accessible school websites.

13. International Transfers

Your data may be processed in the EU and US by our processors (Supabase, Vercel, Anthropic). Where data is transferred outside the UK, we ensure adequate safeguards are in place through standard contractual clauses or adequacy decisions.

14. Changes

We may update this policy from time to time. Significant changes will be communicated via email to registered users. The last updated date at the top reflects the latest version.

15. Contact

Data Controller: Candour IT Services, United Kingdom. Email: info@candouritservices.com For complaints about how we handle your data, you can contact the Information Commissioner's Office (ICO) at ico.org.uk.