GDPR, Security & Data Protection

Last updated: 9 March 2026

Parent Portal Ltd is committed to protecting privacy, security, and the rights of parents, guardians, pupils, and school staff who use our services. We comply with UK GDPR and the Data Protection Act 2018. This statement explains how we collect, use, protect, store, and share personal data when operating the Parent Portal service.

Roles and Responsibilities

  • Data Controller: The school or educational organisation that uses Parent Portal. The school determines what personal data is collected and why.

  • Data Processor: Parent Portal Ltd. We process personal data only on the documented instructions of the school and under a GDPR-compliant Data Processing Agreement.

Documentation We Provide to Schools

To support your school's compliance and procurement process, we provide:

  • Data Processing Agreement (DPA) — a GDPR-compliant agreement defining how we process data on the school's behalf, including sub-processor details and security obligations.

  • Data Protection Impact Assessment (DPIA) — a comprehensive assessment covering all data processing activities, AI features, risk analysis, and mitigation measures. Provided as a template for schools to review with their DPO.

  • Incident Response Plan — our documented procedure for identifying, containing, and reporting data breaches.

These documents are available on request. Contact us to receive copies as part of your onboarding or procurement process.

Data We Process

We process only the personal data necessary to deliver the Parent Portal service. Depending on features your school enables, data may include:

  • Student data: name, date of birth, year group, class, attendance, observations, reports, safeguarding concerns, medical profiles.

  • Parent or guardian data: name, email, phone number, relationship to pupil, login details, preferences, communication history, medical information they provide about their child.

  • School staff data: name, role, email address, appraisal records, communication history.

  • System and technical data: login times, IP addresses, device or browser type, usage logs, support records.

AI Processing and Transparency

Parent Portal uses AI to assist teachers with observations, appraisals, and content generation. We are committed to transparency about how AI is used:

  • Human in the loop: AI drafts suggestions and summaries, but a teacher or staff member always reviews and approves before anything is saved or shared.

  • Data minimisation: only student first names are sent to AI providers. Surnames, dates of birth, and student identifiers are never transmitted.

  • No training on your data: we use AI providers with zero-retention API agreements. Your school's data is not used to train AI models.

  • Voice processing: voice recordings (for observations and appraisals) are transcribed using a secure speech-to-text service. Audio files are stored on UK/EU servers.

Hosting, Storage, and Backups

  • Primary hosting: live systems are hosted with OVH UK in secure UK data centres.

  • Backups: encrypted backups are stored on Wasabi servers in the EU (Frankfurt).

  • Data location: personal data remains in the United Kingdom and EU. No routine transfers outside the UK/EEA.

  • Encryption: data in transit is protected with TLS/HTTPS. Data at rest is encrypted using AES-256. Passwords are hashed with Argon2id.

Security Measures

We use a layered security approach:

  • Authentication: strong password hashing (Argon2id), optional two-factor authentication (TOTP), rate-limited login attempts, and session management.

  • Access control: role-based permissions scoped to each school. Multi-tenant isolation ensures schools cannot access each other's data.

  • Application security: parameterised SQL queries, CSRF protection, security headers (HSTS, X-Frame-Options, X-Content-Type-Options), and input validation.

  • Infrastructure: firewalls, intrusion detection, DDoS protection, and 24/7 monitoring at OVH data centres (ISO 27001 accredited).

  • Audit logging: authentication events, data access, and administrative actions are logged with IP addresses and timestamps.

  • Testing: regular vulnerability scans and security testing.

Sub-processors

We engage the following sub-processors under GDPR-compliant agreements:

  • OVH UK — primary hosting (UK)

  • Wasabi — encrypted backup storage (EU)

  • OpenAI / OpenRouter — AI text processing, zero-retention API (USA, UK-US Data Bridge)

  • AssemblyAI — speech-to-text transcription (USA, UK-US Data Bridge)

  • Stripe — payment processing, PCI DSS Level 1 (USA/EU)

  • Amazon Web Services (SES) — email delivery (EU)

  • Google Firebase (FCM) — Android push notifications (USA, UK-US Data Bridge)

  • Apple (APNs) — iOS push notifications (USA, UK-US Data Bridge)

A full list of sub-processors with transfer mechanisms and DPA status is included in our Data Processing Agreement.

International Transfers

Where data is processed by US-based sub-processors (AI services, push notifications), transfers are covered by the UK-US Data Bridge and supported by Data Processing Agreements with each provider. We do not routinely transfer personal data outside the UK/EEA for any other purpose.

Retention and Deletion

  • Personal data is retained only as long as necessary to provide the service, or as required by law (e.g. safeguarding records, financial records).

  • When a school stops using Parent Portal, we provide a data export to the school, then securely delete the school's personal data from live systems within 30 days.

  • A detailed retention schedule is included in our DPIA and is available on request.

Individual Rights

Under UK GDPR, individuals have rights to access, rectification, erasure, restriction, objection, data portability, and the right to withdraw consent. Requests relating to pupil or parent data within the platform should be directed to the school in the first instance, since the school is the Data Controller. You also have the right to complain to the Information Commissioner's Office (ICO).

Incident Response

  • We maintain a documented incident response plan for security events and data breaches.

  • In the event of a breach, we will investigate, contain, and remediate without undue delay.

  • Schools will be notified within 24 hours of a confirmed breach affecting their data.

  • Where required by law, we will support the school in notifying the ICO and affected individuals within statutory timeframes.

Children's Data

The platform processes pupil information configured and controlled by the school. Children merit specific protection under UK GDPR. We implement age-appropriate safeguards including restricted access, parent-child relationship verification, and segregated safeguarding data accessible only to authorised designated safeguarding leads.

Related Documents

  • Privacy Policy — how we handle data and your rights in plain English.

  • Terms of Use — user responsibilities and platform terms.

Updates

We may update this statement to reflect changes in law, best practice, or our services. The latest version will always be available on this page.

Contact

For platform data controlled by your school, please contact the school in the first instance. For questions about this statement, our security practices, or to request copies of our DPA and DPIA, contact us: