Privacy Policy

Last Updated: 29th October 2025


1. Introduction

This Privacy Policy describes how HeadteacherChat Ltd (“we”, “us”, or “our”) collects, uses, and protects personal data when you interact with our services.

It applies to:

We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and guidance issued by the Information Commissioner’s Office (ICO).


2. Data Controller

HeadteacherChat Ltd

The Enterprise Centre, University of East Anglia

Norwich, Norfolk, England, NR4 7TJ

Email: info@headteacherchat.com


3. Data Protection Officer (DPO)

We have appointed a Data Protection Officer (DPO) to oversee compliance and data protection matters.

Data Protection Officer (DPO): Jonathan Coy

HeadteacherChat Ltd

Email: info@headteacherchat.com

Postal Address: The Enterprise Centre, University of East Anglia, Norwich, Norfolk, England, NR4 7TJ

The DPO can be contacted for any questions or concerns regarding this policy or data processing activities.


4. How We Collect Personal Data

We collect data in the following ways:

  • Directly from you: When you create an account, contact us, subscribe to newsletters, participate in the community, or make purchases.
  • Automatically: Through cookies, analytics tools, and similar technologies when you use our services.
  • From third parties: Including payment providers, marketing platforms, and analytics tools.

5. Types of Personal Data Collected

Category | Examples | Source
Identity Data | Name, role, school, username | User input
Contact Data | Email, address, phone number | User input
Account Data | Login credentials, profile details, posts | Circle.so
Transaction Data | Order details, billing, and payment data | Shopify, Stripe
Technical Data | IP address, browser type, device info | Analytics and cookies
Marketing Data | Preferences, campaign engagement | Loop.so

6. Lawful Bases for Processing

We process data lawfully under the following bases:

Purpose | Lawful Basis
To provide our services and manage accounts | Performance of a contract
To process orders and payments | Performance of a contract
To communicate regarding services | Legitimate interest
To send marketing or newsletters | Consent
To improve our platforms and services | Legitimate interest
To comply with legal obligations | Legal requirement

7. Purposes of Processing

We use your data to:

  • Manage website, community, and shop accounts
  • Process transactions and provide products or services
  • Deliver support and respond to enquiries
  • Conduct analytics and improve our services
  • Send relevant communications and updates (subject to consent)
  • Protect against fraud and ensure platform security
  • Meet legal and regulatory obligations

8. Data Sharing and Sub-Processors

We only share personal data with trusted third-party service providers that assist us in operating our services.

Category | Processor | Location | Legal Safeguard
Hosting & Infrastructure | Amazon Web Services (AWS), Cloudflare | EEA/US | SCCs + UK Addendum
Community Platform | Circle.so | US | SCCs + UK Addendum
E-commerce Platform | Shopify | Canada/US | Adequacy (Canada) + SCCs
Analytics | Google Ireland Ltd | EEA/US | SCCs + IP anonymisation
Marketing Automation | Loop.so | US | SCCs + UK Addendum
Payments | Stripe Payments UK Ltd | UK | UK GDPR Compliant
Customer Support | Zendesk Inc. | US | SCCs + UK Addendum

All Sub-Processors are contractually bound to maintain appropriate security and data protection standards.


9. International Data Transfers

When transferring data outside the UK or EEA, we ensure one or more of the following safeguards are in place:

  • Adequacy decisions by the UK government
  • Standard Contractual Clauses (SCCs) with the UK Addendum
  • Binding Corporate Rules (BCRs)

These measures ensure your personal data receives an equivalent level of protection.


10. Data Retention

We retain personal data only as long as necessary to fulfil the purposes for which it was collected.

Data Type | Retention Period | Reason
Account and profile data | Until account deletion | Service continuity
Transaction data | 6 years | Accounting compliance
Marketing consent and engagement | Until withdrawal | Legal record
Analytics data | 26 months | Service improvement
Support queries | 24 months | Customer service

11. Your Rights

Under the UK GDPR, you have the following rights:

  • Access: Request a copy of your personal data.
  • Rectification: Correct inaccurate information.
  • Erasure: Request deletion of your data (“right to be forgotten”).
  • Restriction: Request limitation of processing.
  • Portability: Request transfer of your data to another controller.
  • Objection: Object to processing for direct marketing or legitimate interests.
  • Withdrawal of consent: Withdraw consent for marketing communications.

To exercise these rights, contact info@headteacherchat.com.

If you are unsatisfied with our response, you may contact the Information Commissioner’s Office (ICO) via https://ico.org.uk.


12. Security Measures

We implement appropriate technical and organisational measures to secure personal data, including:

  • SSL/TLS encryption
  • Secure hosting and firewall protection
  • Access control and multi-factor authentication
  • Regular vulnerability assessments
  • Staff confidentiality and data protection training

13. Cookies and Tracking

We use cookies and similar technologies for website functionality, analytics, and marketing purposes.

For more information, please see our Cookie Policy.


14. Children’s Privacy

Our services are directed at adults working in education. We do not knowingly collect data from individuals under 16 years old. If such data is identified, it will be deleted immediately.


15. Changes to This Policy

We may update this Privacy Policy to reflect operational, legal, or technical changes. The revised version will be published on our website with a new “Last Updated” date.


16. Contact Information

HeadteacherChat Ltd

The Enterprise Centre, University of East Anglia

Norwich, Norfolk, England, NR4 7TJ

Email: info@headteacherchat.com

Website: https://www.headteacherchat.com


Appendix A: Record of Processing Activities (RoPA)

Processing Activity | Purpose | Categories of Data | Data Subjects | Legal Basis | Retention | Recipients / Transfers
User registration (website/community) | Account creation and login | Identity, contact, credentials | Users | Contract | Until deletion | Circle.so (US)
Online sales and transactions | Order processing and fulfilment | Identity, contact, transaction | Customers | Contract, Legal obligation | 6 years | Shopify (Canada/US), Stripe (UK)
Marketing communications | Send newsletters and promotions | Contact, engagement data | Subscribers | Consent | Until withdrawal | Loop.so (US), Circle.so (US)
Analytics and performance | Improve usability and experience | Technical, behavioural data | Visitors | Legitimate interest | 26 months | Google Ireland Ltd (EEA/US)
Customer support | Manage enquiries | Contact, enquiry content | Users | Legitimate interest | 24 months | Notion (US)
Security monitoring | Prevent fraud and abuse | IP, usage logs | All users | Legitimate interest | Variable | AWS, Cloudflare

Appendix B: DPO and Compliance Records

  • DPO contact: info@headteacherchat.com
  • Sub-Processor register maintained and reviewed annually
  • Data Protection Impact Assessments (DPIAs) completed for high-risk processing
  • Documented breach response plan and incident log
  • ICO registration maintained and renewed as required

Cookie Policy

Last Updated: 29th October 2025

1. Introduction

This Cookie Policy explains how HeadteacherChat Ltd (“we”, “us”, or “our”) uses cookies and similar technologies on our websites and online services, including:

We use cookies to ensure that our websites function properly, enhance user experience, analyse site performance, and support our marketing activities.


2. What Are Cookies?

Cookies are small text files placed on your device (computer, tablet, or smartphone) when you visit a website. They allow the website to recognise your device, remember your preferences, and provide relevant content.

Cookies can be:

  • Session cookies: Deleted automatically when you close your browser.
  • Persistent cookies: Remain on your device until they expire or are deleted manually.
  • First-party cookies: Set by the website you are visiting.
  • Third-party cookies: Set by external service providers whose content or technology is embedded on the site.

3. Types of Cookies We Use

3.1. Strictly Necessary Cookies

These cookies are essential for the operation of our websites. They enable features such as secure login, page navigation, and access to protected areas. Without these cookies, the website cannot function correctly.

Examples include:

  • Session management cookies
  • Authentication and security cookies
  • Consent management cookies (e.g. CookieYes, OneTrust, or native CMP)

3.2. Performance and Analytics Cookies

These cookies collect information about how visitors use our websites, such as page views, traffic sources, and time spent on pages. This helps us improve the performance and usability of our services.

Examples include:

  • Google Analytics (Google Ireland Ltd): Tracks website usage statistics with IP anonymisation enabled.
  • Circle.so analytics: Provides community engagement and activity metrics.
  • Shopify analytics: Tracks store interactions, cart behaviour, and purchase metrics.

3.3. Functional Cookies

These cookies enable additional functionality such as remembering your preferences, saved items, and login sessions. They improve the user experience but are not strictly necessary for basic operation.

Examples include:

  • Language and region selection
  • Account and login persistence on the Circle.so community
  • User interface preferences

3.4. Advertising and Marketing Cookies

These cookies are used to deliver relevant advertisements and measure their effectiveness. They may be set through our site by third-party partners such as social media networks or marketing platforms.

Examples include:

  • Meta (Facebook) Pixel
  • Google Ads (Conversion tracking and remarketing)
  • Mailchimp (Email campaign tracking)

You can manage or disable these cookies through our cookie consent banner or your browser settings.


4. Cookies Used on Our Platforms

Platform | Provider | Cookie Name (example) | Purpose | Retention
Website | Cloudflare | __cf_bm | Security and bot detection | 30 minutes
Website | Google Analytics | _ga, _gid | Visitor statistics | 2 years
Community (Circle.so) | Circle.so | circle_session | Session authentication | Session
Shop (Shopify) | Shopify | _shopify_y, _shopify_s, cart | E-commerce and cart tracking | Up to 2 years
Marketing | Meta (Facebook) | _fbp | Advertising analytics | 3 months
Email | Mailchimp | mc_cid, mc_eid | Email engagement tracking | Up to 1 year

5. Managing Cookies

You can control and manage cookies in several ways:

  1. Consent Banner:

    When you first visit our website, you will be presented with a cookie consent banner that allows you to accept, reject, or customise cookie preferences.

  2. Browser Settings:

    You can block or delete cookies using your browser settings. Instructions are available for:

    • Google Chrome
    • Mozilla Firefox
    • Microsoft Edge
    • Safari
  3. Third-Party Opt-Outs:

    You may also opt out of personalised advertising through:


6. Updates to This Policy

We may update this Cookie Policy from time to time to reflect changes in technology, regulation, or our data practices. Updates will be posted on this page with the revised date indicated above.


7. Contact Information

For any questions or concerns regarding this policy or our use of cookies:

HeadteacherChat Ltd

Email: Info@headteacherchat.com

Address: The Enterprise Centre, University of East Anglia, Norwich, Norfolk, England, NR4 7TJ

Website: https://www.headteacherchat.com

List of SubProcessors

Sub-Processor Policy

Last Updated: 29th October 2025

1. Purpose

This Sub-Processor Policy outlines the third-party data processors (“Sub-Processors”) engaged by HeadteacherChat Ltd (“the Company”) to assist in providing online services, including the main website (www.headteacherchat.com), the Circle.so community (community.headteacherchat.com), and the Shopify store (headteacherchat-shop).

The policy ensures compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any applicable data protection laws.


2. Definitions

  • Controller: HeadteacherChat Ltd, which determines the purposes and means of processing personal data.
  • Processor: Any third party processing personal data on behalf of the Controller.
  • Sub-Processor: A processor engaged by another processor to process data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person.

3. Scope

This policy applies to all services operated under HeadteacherChat Ltd, including but not limited to:


4. Use of Sub-Processors

HeadteacherChat Ltd engages carefully selected Sub-Processors to provide infrastructure, hosting, communication, analytics, and e-commerce functionalities. Each Sub-Processor is subject to a written agreement imposing data protection obligations equivalent to those under the UK GDPR.

No Sub-Processor may process personal data outside the UK or EEA without adequate safeguards (e.g., adequacy decision or Standard Contractual Clauses).


5. Current Sub-Processors

Category | Sub-Processor | Purpose | Data Processed | Location | Legal Safeguard
Hosting & Infrastructure | Amazon Web Services (AWS) | Website and platform hosting | Account, IP, usage logs | EEA/US | SCCs + UK Addendum
Hosting & Infrastructure | Cloudflare | CDN and security | IP, usage logs | EEA/US | SCCs + UK Addendum
Community Platform | Circle Internet Services Inc. (Circle.so) | Community hosting and member management | Account, email, usage data | US | SCCs + UK Addendum
E-commerce Platform | Shopify Inc. | Storefront and order management | Customer, payment, and shipping data | Canada/US | Adequacy decision (Canada) + SCCs
Email Analytics & Performance | Google Ireland Ltd (Google Analytics) | Web analytics | IP, session data | EEA/US | SCCs + IP anonymisation
Email & Communication | Loops.so | Email marketing | Name, email, engagement | US | SCCs + UK Addendum
Payments | Stripe Payments UK Ltd | Payment processing | Payment and billing details | UK | UK GDPR Compliant
Support & Ticketing | Trybooking | Customer support | Contact and enquiry data | US | SCCs + UK Addendum

6. Sub-Processor Onboarding and Review

  • All Sub-Processors undergo due diligence prior to engagement, assessing their security, compliance, and data protection posture.
  • Annual reviews are performed to ensure continued compliance.
  • Written agreements include data protection clauses consistent with Article 28(3) of the UK GDPR.

7. Notification of Changes

HeadteacherChat Ltd will notify customers and data subjects of any intended changes to Sub-Processors by updating this policy and, where required, providing prior notice through the website or via email.


8. Contact Information

For questions regarding this policy or data protection matters:

HeadteacherChat Ltd

Email: Info@headteacherchat.com

Address: The Enterprise Centre, University of East Anglia, Norwich, Norfolk, England, NR4 7TJ

Website: https://www.headteacherchat.com