Our promise in plain English: We read your school emails to extract event details, then immediately discard them. We never store email content, never sell your data, and never use it for advertising. You can delete your account and all your data at any time.
SchoolSphere is operated by SchoolSphere Ltd, a company registered in England and Wales. We are the data controller of your personal data under UK GDPR and the Data Protection Act 2018.
We do not currently have a designated Data Protection Officer (DPO). Data protection queries should be directed to privacy@schoolsphere.app.
You also have the right to contact the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113.
This policy is governed by the laws of England and Wales. SchoolSphere is primarily designed for users in the United Kingdom and is operated under UK GDPR and the Data Protection Act 2018.
If you access SchoolSphere from outside the UK, the following may also apply to you:
Where data is transferred outside the UK, we ensure Standard Contractual Clauses (SCCs) or equivalent safeguards are in place as required by the ICO's international transfer guidance.
When you sign in via Google OAuth, we store your name, email address, unique user ID, and account creation date. We do not store your password.
When you add a child, we store their first name or nickname, year group, avatar emoji, and colour. We do not collect children's dates of birth, addresses, photographs, or government identifiers. Children cannot create accounts or access the app directly.
We store events you add manually or import via text, email, PDF extraction, school letter scanning, or voice input — including titles, dates, requirements, and the child they are associated with. This includes school events, clubs, parties, medical appointments, play dates, childminder sessions, and sports fixtures added through the Family Hub.
If you connect Gmail, we access your inbox with read-only scope to extract school events. We do not store the full text of your emails. Raw email content is processed in memory and discarded immediately — or within a few seconds at most — after extraction. Only extracted event data is saved.
PDFs and photos you upload are temporarily stored, processed by AI to extract event information, and then permanently deleted immediately after extraction. We do not retain uploaded documents.
Text you paste (email text, WhatsApp messages) and voice recordings you make via the voice input feature are sent to our AI for extraction and are not stored beyond the extraction process. Voice audio is transcribed and then discarded immediately — we do not retain audio recordings.
If you subscribe, payment is processed by Stripe. We do not store your card details. We receive from Stripe: your customer ID, subscription status, plan type, and billing dates.
If you enable push notifications, we store a device push token to deliver reminders to your device.
We collect standard server logs (IP addresses, request timestamps, error reports) for security monitoring only. Logs are pseudonymised where possible and retained for a maximum of 90 days. We do not use any third-party analytics services (such as Google Analytics, Firebase Analytics, or Mixpanel). No analytics cookies or tracking pixels are used.
We use your data only to provide the SchoolSphere service. Specifically:
We do not use your data for advertising, profiling, or any purpose not listed here.
We collect only the data that is strictly necessary to provide the SchoolSphere service. We do not collect data speculatively or "just in case." Each data field we store has a documented purpose, and we periodically review what we hold to ensure it remains necessary and proportionate.
We do not repurpose data for uses beyond those described in this policy. If we wish to use your data for a new purpose, we will seek fresh consent or establish a new lawful basis before doing so.
SchoolSphere uses AI to extract event information from emails, documents, and natural language input. This processing is performed by OpenAI, L.L.C. (USA), operating under a Data Processing Agreement (DPA) with SchoolSphere Ltd. OpenAI is contractually prohibited from using API data to train their models — see OpenAI's Data Processing Addendum.
When we send content to OpenAI for processing, we send only the relevant text (for example, the body of a forwarded email or a pasted message). We do not send your name, account ID, or any other identifying information alongside the content. OpenAI processes the text and returns structured event data; the original text is not retained by us or OpenAI after processing.
AI processing is performed server-side (not on your device). All communication between our servers and OpenAI is encrypted in transit. OpenAI is used solely for event extraction and calendar assistant features — it is not used for profiling, advertising, or any decision-making about you.
SchoolSphere is for parents and carers aged 18 and over. Children do not have accounts and cannot access the app directly.
Age verification: We require users to self-declare they are 18 or over during sign-up. We also rely on Google's account age signals where available via Google OAuth. We do not use additional age-verification services at this time, as the service is not directed at children — it is a tool for parents and carers to manage their own calendars.
Consent for Gmail and AI features: Before connecting Gmail or using AI-powered extraction features, users are shown a clear consent screen explaining what data is processed and how. This consent can be withdrawn at any time in Settings.
We apply the following protections in line with the ICO's Children's Code:
We have carried out a Data Protection Impact Assessment (DPIA) in line with ICO guidance, covering AI processing, Gmail integration, and children's profile data.
We do not sell your data. We share data only with the following trusted service providers, each acting as a data processor under a written agreement:
Manus (platform host) — EU/UK region
App hosting, database, and infrastructure. Data is stored in EU/UK-region servers. DPA in place.
Amazon Web Services (AWS) — EU region
Temporary file storage for uploaded documents. Files are deleted immediately after AI processing. AWS operates under SCCs and is UK GDPR-adequate for EU region transfers.
Google LLC (USA) — Gmail API & Google Calendar
Read-only access to your Gmail inbox, only when you explicitly connect Gmail. If you enable Google Calendar push sync, we create and manage a dedicated SchoolSphere calendar in your Google account. Google operates under SCCs. You can revoke both Gmail and Google Calendar access at any time in Settings or via your Google Account.
Stripe Inc (USA) — payment processing
Subscription payments. We share only the minimum information required (email, name, subscription plan). Stripe is PCI-DSS compliant and operates under a DPA and SCCs.
OpenAI, L.L.C. (USA) — AI event extraction and calendar assistant
Text content (email bodies, pasted text, document text, voice transcriptions) is sent to OpenAI for event extraction and natural language processing. No names, account IDs, or identifying information are included. OpenAI is contractually prohibited from training on API user data and operates under a DPA and SCCs. See openai.com/policies/data-processing-addendum.
Where data is transferred outside the UK, we ensure Standard Contractual Clauses (SCCs) or equivalent safeguards are in place as required by the ICO's international transfer guidance.
Under UK GDPR, you have the right to:
EU/EEA users may also lodge a complaint with their local supervisory authority. California residents may exercise CCPA/CPRA rights by emailing us.
To exercise any right, email privacy@schoolsphere.app. We will respond within 30 days.
You also have the right to complain to the ICO at ico.org.uk/make-a-complaint.
All data is transmitted over HTTPS (TLS 1.2+). Session cookies are httpOnly and secure. OAuth tokens are stored encrypted at rest. Uploaded files use randomised storage keys and are deleted immediately after processing. We do not store passwords. Server logs are pseudonymised where possible.
In the event of a data breach likely to risk your rights, we will notify you and the ICO within 72 hours as required by UK GDPR.
SchoolSphere uses a single session cookie to keep you logged in. This cookie is strictly necessary for the app to function and does not track you across other websites.
We also use browser local storage to save your app preferences (such as selected child filter and calendar view). This data stays on your device and is never transmitted to our servers.
We do not use advertising cookies, analytics cookies, third-party tracking pixels, or device fingerprinting of any kind.
Term dates retrieved from school websites are provided for convenience only and may not be accurate. Always verify important dates directly with your school. We are not affiliated with any school.
If we make material changes to this policy, we will notify you via email and via an in-app banner before the changes take effect, where possible. We will ask you to review and accept material changes before continuing to use SchoolSphere.
Previous versions of this policy are available on request by emailing privacy@schoolsphere.app.
Data protection queries: privacy@schoolsphere.app
General enquiries: hello@schoolsphere.app
ICO: ico.org.uk · 0303 123 1113
Version 2.1 · Last updated 3 April 2026 · SchoolSphere Ltd, England & Wales