Privacy Policy.
Effective date: 27 April 2026 · Last updated: 27 April 2026
This Privacy Policy explains how PupilProof collects, uses and protects personal data in connection with the service offered at pupilproof.com. We are committed to handling your data lawfully, transparently and securely.
Quick summary. We collect only the personal data you provide when you order a Report: your name, role, school name and email address. We never collect, request or process any data about students or pupils. We never share your data with platform vendors. We retain your data for 24 months and then delete it.
1. Who we are
PupilProof is operated by PUPIL PROOF LTD, registered in England and Wales under company number 17194384. Our registered office is at Nile House, Nile Street, Brighton, BN1 1HW. For the purposes of UK GDPR and the Data Protection Act 2018, we are the data controller for personal data processed via our website and intake form.
2. What data we collect
We collect the following categories of personal data when you commission a Report:
- Your name and professional role at the school
- Your school email address
- The school name, postcode and (optionally) URN of the school commissioning the Report
- Type of setting and student-on-roll range
- Payment information processed by our payment provider (Stripe); we do not see or store full card details
We do not collect, request, store or process any personal data relating to individual students. The intake form does not ask for any student names, identifiers, demographics or records.
3. Lawful basis for processing
We process your personal data on the following lawful bases under UK GDPR:
- Contract: to deliver the Report you have commissioned and to manage your order
- Legitimate interest: to operate our business, prevent fraud and meet our regulatory obligations
- Legal obligation: where we are required to retain records by HMRC or other regulators
4. How we use your data
We use the personal data you provide to:
- Deliver the Report you have ordered to your nominated email address
- Issue receipts and invoices
- Respond to your support enquiries
- Maintain accurate financial records as required by HMRC
- Improve our service and methodology (using anonymised, aggregated information only)
5. Sharing
We do not sell your data. We do not share your data with platform vendors named in the Report. We do not share your data for marketing purposes. We share your data only with the following categories of processor, strictly to deliver the service:
- Stripe: to process your payment (Stripe is the data controller for payment data)
- Email infrastructure providers: to deliver the Report and any service emails to you
- Cloud storage and hosting providers: to host the website, intake form and Report archive (data resident within the UK or EEA where possible)
- Our accountant: to prepare statutory accounts and tax returns
Each processor is bound by a written contract requiring them to handle your data only on our instructions and to UK GDPR standards.
6. Retention
We retain your contact data and the Report you commissioned for 24 months from the date of delivery. After 24 months we securely delete or anonymise the data. Financial transaction records are retained for the period required by HMRC (currently six years from the end of the relevant accounting period).
7. International transfers
Where any of our processors are located outside the UK or EEA, transfers are protected by appropriate safeguards as required under UK GDPR (typically the UK International Data Transfer Agreement or the European Commission's Standard Contractual Clauses with UK addendum).
8. Your rights
Under UK GDPR you have the following rights regarding your personal data:
- Right to be informed about how we process your data (this Policy)
- Right of access: request a copy of the personal data we hold about you
- Right to rectification: correct inaccurate or incomplete data
- Right to erasure: request deletion of your data, subject to our legal obligations
- Right to restrict processing: limit how we use your data
- Right to data portability: receive your data in a structured, machine-readable format
- Right to object: to processing based on our legitimate interests
To exercise any of these rights, email support@pupilproof.com. We will respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk if you believe we have mishandled your data.
9. Cookies
Our website uses a minimal set of cookies and analytics. We use Plausible Analytics, a privacy-respecting analytics service that does not use cookies and does not collect any personally identifiable information. We do not use Google Analytics. We do not use marketing or retargeting cookies.
10. Security
We implement appropriate technical and organisational measures to protect your data, including encryption in transit (HTTPS), encryption at rest where applicable, access controls limited to the founders, multi-factor authentication on administrative accounts, and time-bound retention policies. No system is impenetrable; we will notify you without undue delay in the event of a breach affecting your personal data.
11. Changes to this Policy
We may update this Policy from time to time. The current version is always available at this URL. Material changes will be communicated by email to active customers.
12. Contact
For any privacy-related questions, including subject access requests, email support@pupilproof.com.