Privacy Policy

Who we are

spellbound is operated by Chris Goodall, trading as Spark Apps. We are registered with the Information Commissioner's Office (ICO) under registration number C1882162.

For privacy enquiries, contact us at privacy@spellbound-edu.co.uk.

What spellbound is

spellbound is a spelling practice tool for UK primary schools. It is designed to be privacy-first: we do not collect pupil names, email addresses, or any information that directly identifies a child.

What we collect

Staff accounts

Teachers register with an email address, display name, and password. Passwords are hashed with bcrypt and never stored in plain text. The lawful basis for processing staff account data is legitimate interest (providing the service the teacher signed up for).

Learner data

Learners are identified only by a randomly generated 6-character access code and a separate display code. We do not ask for or store pupil names, dates of birth, or any other personal information.

For each spelling session we record: which words were attempted, whether each answer was correct, the number of attempts, and the time taken. This data is used to track progress and tailor practice to each learner.

School branding

Teachers may optionally upload a school logo. This is stored in the database and displayed only within authenticated pages.

How we use data

All data is used solely to provide the spelling practice service. We do not sell, share, or transfer data to third parties. We do not use data for advertising, profiling, or any purpose beyond the core educational function.

Where data is stored and sub-processors

Data is stored in a PostgreSQL database hosted by Neon in the EU (London, eu-west-2). The EU has adequacy status under UK GDPR, so no additional safeguards are required for this transfer.

The application is hosted on Vercel (United States). Transfers to the US are covered by the UK-US Data Bridge, which provides an adequate level of data protection under UK GDPR.

Our sub-processors are:

• Neon -- database hosting (EU, London)
• Vercel -- application hosting (US, UK-US Data Bridge)
• GitHub -- source code hosting (US, UK-US Data Bridge)

All connections between the application and database use TLS encryption.

How long we keep data

Learner session and progress data is retained for the current academic year. Data associated with inactive learners (no activity for 12 months) may be automatically purged.

When a teacher deletes a class, all associated learner profiles, sessions, and attempt data are removed. Staff accounts persist until the teacher requests deletion.

Cookies

spellbound uses only strictly necessary cookies for authentication:

• staff_session -- staff authentication (7-day expiry)
• learner_session -- learner authentication (8-hour expiry)

Both cookies are httpOnly, secure, and cryptographically signed. We do not use tracking cookies, analytics cookies, or any third-party cookies. As these are strictly necessary cookies, no cookie consent banner is required under PECR.

Children and UK GDPR

Because spellbound does not collect any data that identifies individual children, the risk profile under UK GDPR and the Age Appropriate Design Code is minimal. No parental consent mechanism is required as no personal data (as defined by ICO guidance) is collected from learners.

Schools remain the data controller for their learners. spellbound operates as a data processor on behalf of the school.

Your rights

Under UK GDPR you have the right to:

• Access -- request a copy of data we hold about you
• Rectification -- correct inaccurate data
• Erasure -- request deletion of your data
• Portability -- receive your data in a structured format
• Objection -- object to processing based on legitimate interest

Teachers can delete classes and learner data directly from the application at any time. For account deletion or data export requests, contact privacy@spellbound-edu.co.uk. We will respond within 30 days.

If you are not satisfied with our response, you have the right to complain to the ICO at ico.org.uk.

Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of this page will be revised accordingly. Continued use of spellbound after changes constitutes acceptance of the updated policy.