Last updated: 7 July 2026
⚠️ Template for review: complete the bracketed details and have this policy reviewed before going live. If you process children's data at scale you should also complete a Data Protection Impact Assessment (DPIA) and consider ICO registration.
[Business name], [address], is the data controller for Sparks Academy. Contact: [contact email]. Because our service is used by children, we design it around the ICO's Age Appropriate Design Code (the "Children's Code").
From parents: your name, email address (which is the account login), payment records (handled by PayPal/Stripe — we never see card numbers), and your marketing preference. About the student: first name and surname, year group and exam cohort, and learning activity — lesson views, quiz and mock exam answers, scores, topic analytics, Spark Points and badges. Technical: essential cookies for login sessions, and security logs (IP address, login attempts) kept to protect accounts.
To provide the service you've signed up for and take payment (contract); to send progress reports, receipts and account emails to the parent (contract/legitimate interests); to keep the service secure and prevent abuse (legitimate interests); and to send optional marketing to parents only where you have opted in (consent — withdraw any time via the unsubscribe link or your account page). We do not use children's data for marketing, profiling beyond learning analytics, or advertising, and we do not sell data.
Data is stored in our database hosted with [hosting provider, e.g. Microsoft Azure, UK/EU region]. Limited data is shared with processors who help us run the service: our email provider [provider] (to send account and report emails), PayPal and Stripe (payments), and Google reCAPTCHA on sign-up forms (spam prevention — Google may process your IP address). We do not transfer data outside the UK/EEA except under recognised safeguards.
Account and learning data is kept while the account is active and for [12] months after the last activity, then deleted or anonymised. Payment records are kept for 6 years as required by UK tax law. Security logs are kept for [90] days.
You can ask us to access, correct, export, restrict or delete personal data, and you can object to processing based on legitimate interests. Parents exercise these rights on behalf of their child. Email [contact email]; we respond within one month. You can also complain to the Information Commissioner's Office at ico.org.uk.
We use only essential cookies: a session cookie that keeps you logged in, and (on sign-up forms) Google reCAPTCHA's cookie for spam prevention. We do not use advertising or analytics cookies, so no cookie banner consent is required.
See also our Terms of Use & Sale and Safeguarding Statement.