Privacy Policy
This Privacy Policy explains how Jack Flanagan trading as Snapshot Education ("we", "us", "our") collects, uses, and protects personal data when you use the Snapshot SEND profiling service ("the Service").
1. Data Controller Information
Data Controller: Jack Flanagan trading as Snapshot Education
Contact for privacy matters: dpo@snapshoteducation.com
Registered address: [Insert Company Registered Address]
2. Data We Collect
Account and User Data
- Name, email address, and professional role
- School, MAT, or local authority affiliation
- Account credentials and access logs
- Communication preferences
Pupil and Learner Data
- Names and identification numbers
- Date of birth and age information
- Special educational needs information
- Assessment observations and professional notes
- Academic performance and progress data
- Attendance and behavioral information
- Contact information for parents/guardians
Technical Data
- IP address and device information
- Browser type and usage patterns
- Service access logs and error reports
- Performance and analytics data (anonymized)
3. How We Use Your Data
Service Provision
- Provide SEND profiling and analysis services
- Generate assessment reports and educational insights
- Maintain user accounts and access controls
- Track student progress over time
Service Improvement
- Analyze usage patterns to improve functionality
- Monitor performance and fix technical issues
- Develop new features based on user needs
- Conduct security monitoring and threat detection
Legal Compliance
- Comply with UK GDPR and data protection laws
- Respond to legal requests and regulatory inquiries
- Maintain records for legal and audit purposes
- Protect the rights and safety of our users
4. Legal Basis for Processing
For Educational Institutions
- Public Task: Processing is necessary for our official functions in providing educational support services
- Legitimate Interests: For service improvement, security, and fraud prevention, balanced against your rights
- Contractual Necessity: Where processing is required to deliver our service under our terms
Special Category Data
- Processed with explicit consent where required
- Necessary for educational assessment and support
- Subject to enhanced security measures
- Used only for legitimate educational purposes
5. Data Sharing and Third Parties
We Do Not Sell Your Data
We never sell, rent, or share personal data with third parties for marketing or commercial purposes.
Service Providers
We work with carefully selected third-party service providers:
- Cloud Hosting: Vercel (UK/EU servers) for service infrastructure
- Database Services: Supabase (UK/EU servers) for data storage
- Payment Processing: Stripe (UK/EU servers) for subscription payments
- Email Services: Resend (UK/EU servers) for user communications
- Analytics: Plausible (UK/EU servers, anonymized data only)
Legal Requirements
We may share data when required by law, court order, or regulatory authority.
6. Data Security
Technical Measures
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Regular security testing and vulnerability assessments
- Secure authentication and access controls
- Network security and intrusion detection
Organizational Measures
- Staff training on data protection and security
- Role-based access with principle of least privilege
- Regular security audits and compliance reviews
- Incident response procedures and breach notification
7. Data Retention
We retain personal data only as long as necessary for the purposes outlined in this policy:
- User Accounts: Until account deletion
- Pupil Profiles: 7 years after last update (educational record requirements)
- Assessment Data: 7 years after completion
- System Logs: 12 months for security and maintenance
- Analytics Data: 26 months (anonymized only)
Data is automatically deleted when retention periods expire. You can also request immediate deletion of your data at any time.
8. Your Rights
Under UK GDPR, you have the following rights:
Right to Access
Request a copy of the personal data we hold about you or your institution.
Right to Rectification
Request correction of inaccurate or incomplete personal data.
Right to Erasure
Request deletion of personal data where no longer necessary for processing.
Right to Restrict Processing
Request limitation of processing in certain circumstances.
Right to Data Portability
Request transfer of your data to another service provider in a machine-readable format.
Right to Object
Object to processing based on legitimate interests.
9. Cookies and Tracking
Essential Cookies
We use essential cookies required for service functionality, security, and authentication.
Analytics Cookies
We use privacy-focused analytics (Plausible) that do not track individual users across sites. All analytics data is anonymized and aggregated.
Cookie Preferences
You can control cookie preferences through your browser settings. Disabling essential cookies may affect service functionality.
10. International Data Transfers
All personal data processing occurs within the United Kingdom and European Union. We do not transfer personal data outside the UK/EU without appropriate safeguards.
11. Children and Young People
Snapshot is designed for use by educational professionals working with children and young people. We process pupil data only with appropriate legal authority and consent from educational institutions.
12. Changes to This Policy
We may update this privacy policy from time to time. Material changes will be communicated with at least 30 days' notice. Continued use of the service constitutes acceptance of the updated policy.
13. Contact Information
Data Protection Officer
Email: dpo@snapshoteducation.com
Response time: Within 30 days for standard inquiries
General Inquiries
Email: jack@snapshoteducation.co.uk
Address: [Insert Company Registered Address]
Complaints
If you have concerns about our data processing, you can contact our DPO or the Information Commissioner's Office (ICO).
This privacy policy is designed to comply with UK GDPR and ICO guidelines for educational service providers. For detailed data processing arrangements, please refer to our Data Processing Agreement. Educational institutions should review this policy with their legal and data protection teams.