Privacy Policy
Last Updated: 29th October 2025
1. Introduction
This Privacy Policy describes how HeadteacherChat Ltd (“we”, “us”, or “our”) collects, uses, and protects personal data when you interact with our services.
It applies to:
- Website: www.headteacherchat.com
- Community Platform: community.headteacherchat.com
- Online Store: shop.headteacherchat.com
We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and guidance issued by the Information Commissioner’s Office (ICO).
2. Data Controller
HeadteacherChat Ltd
The Enterprise Centre, University of East Anglia
Norwich, Norfolk, England, NR4 7TJ
Email: info@headteacherchat.com
3. Data Protection Officer (DPO)
We have appointed a Data Protection Officer (DPO) to oversee compliance and data protection matters.
Data Protection Officer (DPO): Jonathan Coy
HeadteacherChat Ltd
Email: info@headteacherchat.com
Postal Address: The Enterprise Centre, University of East Anglia, Norwich, Norfolk, England, NR4 7TJ
The DPO can be contacted for any questions or concerns regarding this policy or data processing activities.
4. How We Collect Personal Data
We collect data in the following ways:
- Directly from you: When you create an account, contact us, subscribe to newsletters, participate in the community, or make purchases.
- Automatically: Through cookies, analytics tools, and similar technologies when you use our services.
- From third parties: Including payment providers, marketing platforms, and analytics tools.
5. Types of Personal Data Collected
| Category | Examples | Source |
|---|---|---|
| Identity Data | Name, role, school, username | User input |
| Contact Data | Email, address, phone number | User input |
| Account Data | Login credentials, profile details, posts | Circle.so |
| Transaction Data | Order details, billing, and payment data | Shopify, Stripe |
| Technical Data | IP address, browser type, device info | Analytics and cookies |
| Marketing Data | Preferences, campaign engagement | Loop.so |
6. Lawful Bases for Processing
We process data lawfully under the following bases:
| Purpose | Lawful Basis |
|---|---|
| To provide our services and manage accounts | Performance of a contract |
| To process orders and payments | Performance of a contract |
| To communicate regarding services | Legitimate interest |
| To send marketing or newsletters | Consent |
| To improve our platforms and services | Legitimate interest |
| To comply with legal obligations | Legal requirement |
7. Purposes of Processing
We use your data to:
- Manage website, community, and shop accounts
- Process transactions and provide products or services
- Deliver support and respond to enquiries
- Conduct analytics and improve our services
- Send relevant communications and updates (subject to consent)
- Protect against fraud and ensure platform security
- Meet legal and regulatory obligations
8. Data Sharing and Sub-Processors
We only share personal data with trusted third-party service providers that assist us in operating our services.
| Category | Processor | Location | Legal Safeguard |
|---|---|---|---|
| Hosting & Infrastructure | Amazon Web Services (AWS), Cloudflare | EEA/US | SCCs + UK Addendum |
| Community Platform | Circle.so | US | SCCs + UK Addendum |
| E-commerce Platform | Shopify | Canada/US | Adequacy (Canada) + SCCs |
| Analytics | Google Ireland Ltd | EEA/US | SCCs + IP anonymisation |
| Marketing Automation | Loop.so | US | SCCs + UK Addendum |
| Payments | Stripe Payments UK Ltd | UK | UK GDPR Compliant |
| Customer Support | Zendesk Inc. | US | SCCs + UK Addendum |
All Sub-Processors are contractually bound to maintain appropriate security and data protection standards.
9. International Data Transfers
When transferring data outside the UK or EEA, we ensure one or more of the following safeguards are in place:
- Adequacy decisions by the UK government
- Standard Contractual Clauses (SCCs) with the UK Addendum
- Binding Corporate Rules (BCRs)
These measures ensure your personal data receives an equivalent level of protection.
10. Data Retention
We retain personal data only as long as necessary to fulfil the purposes for which it was collected.
| Data Type | Retention Period | Reason |
|---|---|---|
| Account and profile data | Until account deletion | Service continuity |
| Transaction data | 6 years | Accounting compliance |
| Marketing consent and engagement | Until withdrawal | Legal record |
| Analytics data | 26 months | Service improvement |
| Support queries | 24 months | Customer service |
11. Your Rights
Under the UK GDPR, you have the following rights:
- Access: Request a copy of your personal data.
- Rectification: Correct inaccurate information.
- Erasure: Request deletion of your data (“right to be forgotten”).
- Restriction: Request limitation of processing.
- Portability: Request transfer of your data to another controller.
- Objection: Object to processing for direct marketing or legitimate interests.
- Withdrawal of consent: Withdraw consent for marketing communications.
To exercise these rights, contact info@headteacherchat.com.
If you are unsatisfied with our response, you may contact the Information Commissioner’s Office (ICO) via https://ico.org.uk.
12. Security Measures
We implement appropriate technical and organisational measures to secure personal data, including:
- SSL/TLS encryption
- Secure hosting and firewall protection
- Access control and multi-factor authentication
- Regular vulnerability assessments
- Staff confidentiality and data protection training
13. Cookies and Tracking
We use cookies and similar technologies for website functionality, analytics, and marketing purposes.
For more information, please see our Cookie Policy.
14. Children’s Privacy
Our services are directed at adults working in education. We do not knowingly collect data from individuals under 16 years old. If such data is identified, it will be deleted immediately.
15. Changes to This Policy
We may update this Privacy Policy to reflect operational, legal, or technical changes. The revised version will be published on our website with a new “Last Updated” date.
16. Contact Information
HeadteacherChat Ltd
The Enterprise Centre, University of East Anglia
Norwich, Norfolk, England, NR4 7TJ
Email: info@headteacherchat.com
Website: https://www.headteacherchat.com
Appendix A: Record of Processing Activities (RoPA)
| Processing Activity | Purpose | Categories of Data | Data Subjects | Legal Basis | Retention | Recipients / Transfers |
|---|---|---|---|---|---|---|
| User registration (website/community) | Account creation and login | Identity, contact, credentials | Users | Contract | Until deletion | Circle.so (US) |
| Online sales and transactions | Order processing and fulfilment | Identity, contact, transaction | Customers | Contract, Legal obligation | 6 years | Shopify (Canada/US), Stripe (UK) |
| Marketing communications | Send newsletters and promotions | Contact, engagement data | Subscribers | Consent | Until withdrawal | Loop.so (US), Circle.so (US) |
| Analytics and performance | Improve usability and experience | Technical, behavioural data | Visitors | Legitimate interest | 26 months | Google Ireland Ltd (EEA/US) |
| Customer support | Manage enquiries | Contact, enquiry content | Users | Legitimate interest | 24 months | Notion (US) |
| Security monitoring | Prevent fraud and abuse | IP, usage logs | All users | Legitimate interest | Variable | AWS, Cloudflare |
Appendix B: DPO and Compliance Records
- DPO contact: info@headteacherchat.com
- Sub-Processor register maintained and reviewed annually
- Data Protection Impact Assessments (DPIAs) completed for high-risk processing
- Documented breach response plan and incident log
- ICO registration maintained and renewed as required
Cookie Policy
Last Updated: 29th October 2025
1. Introduction
This Cookie Policy explains how HeadteacherChat Ltd (“we”, “us”, or “our”) uses cookies and similar technologies on our websites and online services, including:
- Main website: www.headteacherchat.com
- Community platform: community.headteacherchat.com
- Online shop: shop.headteacherchat.com
We use cookies to ensure that our websites function properly, enhance user experience, analyse site performance, and support our marketing activities.
2. What Are Cookies?
Cookies are small text files placed on your device (computer, tablet, or smartphone) when you visit a website. They allow the website to recognise your device, remember your preferences, and provide relevant content.
Cookies can be:
- Session cookies: Deleted automatically when you close your browser.
- Persistent cookies: Remain on your device until they expire or are deleted manually.
- First-party cookies: Set by the website you are visiting.
- Third-party cookies: Set by external service providers whose content or technology is embedded on the site.
3. Types of Cookies We Use
3.1. Strictly Necessary Cookies
These cookies are essential for the operation of our websites. They enable features such as secure login, page navigation, and access to protected areas. Without these cookies, the website cannot function correctly.
Examples include:
- Session management cookies
- Authentication and security cookies
- Consent management cookies (e.g. CookieYes, OneTrust, or native CMP)
3.2. Performance and Analytics Cookies
These cookies collect information about how visitors use our websites, such as page views, traffic sources, and time spent on pages. This helps us improve the performance and usability of our services.
Examples include:
- Google Analytics (Google Ireland Ltd): Tracks website usage statistics with IP anonymisation enabled.
- Circle.so analytics: Provides community engagement and activity metrics.
- Shopify analytics: Tracks store interactions, cart behaviour, and purchase metrics.
3.3. Functional Cookies
These cookies enable additional functionality such as remembering your preferences, saved items, and login sessions. They improve the user experience but are not strictly necessary for basic operation.
Examples include:
- Language and region selection
- Account and login persistence on the Circle.so community
- User interface preferences
3.4. Advertising and Marketing Cookies
These cookies are used to deliver relevant advertisements and measure their effectiveness. They may be set through our site by third-party partners such as social media networks or marketing platforms.
Examples include:
- Meta (Facebook) Pixel
- Google Ads (Conversion tracking and remarketing)
- Mailchimp (Email campaign tracking)
You can manage or disable these cookies through our cookie consent banner or your browser settings.
4. Cookies Used on Our Platforms
| Platform | Provider | Cookie Name (example) | Purpose | Retention |
|---|---|---|---|---|
| Website | Cloudflare | __cf_bm | Security and bot detection | 30 minutes |
| Website | Google Analytics | _ga, _gid | Visitor statistics | 2 years |
| Community (Circle.so) | Circle.so | circle_session | Session authentication | Session |
| Shop (Shopify) | Shopify | _shopify_y, _shopify_s, cart | E-commerce and cart tracking | Up to 2 years |
| Marketing | Meta (Facebook) | _fbp | Advertising analytics | 3 months |
| Marketing | Mailchimp | mc_cid, mc_eid | Email engagement tracking | Up to 1 year |
5. Managing Cookies
You can control and manage cookies in several ways:
- Consent Banner: When you first visit our website, you will be presented with a cookie consent banner that allows you to accept, reject, or customise cookie preferences.
- Browser Settings: You can block or delete cookies using your browser settings. Instructions are available for:
  - Google Chrome
  - Mozilla Firefox
  - Microsoft Edge
  - Safari
- Third-Party Opt-Outs: You may also opt out of personalised advertising through:
  - Your Online Choices
  - Google Ads Settings
  - Facebook Ad Preferences
6. Updates to This Policy
We may update this Cookie Policy from time to time to reflect changes in technology, regulation, or our data practices. Updates will be posted on this page with the revised date indicated above.
7. Contact Information
For any questions or concerns regarding this policy or our use of cookies:
HeadteacherChat Ltd
Email: Info@headteacherchat.com
Address: The Enterprise Centre, University of East Anglia, Norwich, Norfolk, England, NR4 7TJ
Website: https://www.headteacherchat.com
List of SubProcessors
Sub-Processor Policy
Last Updated: 29th October 2025
1. Purpose
This Sub-Processor Policy outlines the third-party data processors (“Sub-Processors”) engaged by HeadteacherChat Ltd (“the Company”) to assist in providing online services, including the main website (www.headteacherchat.com), the Circle.so community (community.headteacherchat.com), and the Shopify store (headteacherchat-shop).
The policy ensures compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any applicable data protection laws.
2. Definitions
- Controller: HeadteacherChat Ltd, which determines the purposes and means of processing personal data.
- Processor: Any third party processing personal data on behalf of the Controller.
- Sub-Processor: A processor engaged by another processor to process data on behalf of the Controller.
- Personal Data: Any information relating to an identified or identifiable natural person.
3. Scope
This policy applies to all services operated under HeadteacherChat Ltd, including but not limited to:
- The primary website (www.headteacherchat.com)
- The community platform (community.headteacherchat.com)
- The e-commerce store (shop.headteacherchat.com)
4. Use of Sub-Processors
HeadteacherChat Ltd engages carefully selected Sub-Processors to provide infrastructure, hosting, communication, analytics, and e-commerce functionalities. Each Sub-Processor is subject to a written agreement imposing data protection obligations equivalent to those under the UK GDPR.
No Sub-Processor may process personal data outside the UK or EEA without adequate safeguards (e.g., adequacy decision or Standard Contractual Clauses).
5. Current Sub-Processors
| Category | Sub-Processor | Purpose | Data Processed | Location | Legal Safeguard |
|---|---|---|---|---|---|
| Hosting & Infrastructure | Amazon Web Services (AWS) | Website and platform hosting | Account, IP, usage logs | EEA/US | SCCs + UK Addendum |
| Hosting & Infrastructure | Cloudflare | CDN and security | IP, usage logs | EEA/US | SCCs + UK Addendum |
| Community Platform | Circle Internet Services Inc. (Circle.so) | Community hosting and member management | Account, email, usage data | US | SCCs + UK Addendum |
| E-commerce Platform | Shopify Inc. | Storefront and order management | Customer, payment, and shipping data | Canada/US | Adequacy decision (Canada) + SCCs |
| Email Analytics & Performance | Google Ireland Ltd (Google Analytics) | Web analytics | IP, session data | EEA/US | SCCs + IP anonymisation |
| Email & Communication | Loops.so | Email marketing | Name, email, engagement | US | SCCs + UK Addendum |
| Payments | Stripe Payments UK Ltd | Payment processing | Payment and billing details | UK | UK GDPR Compliant |
| Support & Ticketing | Trybooking | Customer support | Contact and enquiry data | US | SCCs + UK Addendum |
6. Sub-Processor Onboarding and Review
- All Sub-Processors undergo due diligence prior to engagement, assessing their security, compliance, and data protection posture.
- Annual reviews are performed to ensure continued compliance.
- Written agreements include data protection clauses consistent with Article 28(3) of the UK GDPR.
7. Notification of Changes
HeadteacherChat Ltd will notify customers and data subjects of any intended changes to Sub-Processors by updating this policy and, where required, providing prior notice through the website or via email.
8. Contact Information
For questions regarding this policy or data protection matters:
HeadteacherChat Ltd
Email: Info@headteacherchat.com
Address: The Enterprise Centre, University of East Anglia, Norwich, Norfolk, England, NR4 7TJ
Website: https://www.headteacherchat.com