Privacy Policy

Direct Integration with School Management Information Systems (MIS)

We integrate with your school's MIS via Wonde, a third-party service provider. This allows Student Radar to automatically sync student records, staff directory data, and related educational information. Your school controls what data is shared through Wonde by configuring your MIS connection.

Direct Input by School Staff

School staff members use the Student Radar platform to input or update information about students and staff, such as safeguarding notes, intervention plans, attendance marks, and health information.

Parent/Guardian Portal

Parents and guardians may be invited to access a limited portal within Student Radar to view information about their child or to provide additional information (e.g., health data, contact details). Parents provide this data voluntarily.

Automatic Collection

When you access Student Radar, we automatically collect certain technical data including:

• Approximate geolocation (country/region level only, derived from IP address for security monitoring)
• Device type and operating system
• Browser type and version
• Pages visited and time spent on each page
• Referring URLs and clickstream data

IP addresses are collected for security purposes (threat detection, abuse prevention) and are not used for user profiling or behavioural tracking. IP addresses are truncated and/or anonymised within 30 days.

This information is collected via cookies, analytics tools, and server logs (see Section 12 for more on cookies).

What is Special Category Data?

Under Article 9 of the UK GDPR, certain types of personal data are classified as special category data and receive additional legal protection. Student Radar processes the following special category data:

• Health and Medical Data: Student health conditions, disabilities, medications, allergies, dietary requirements, and GP/medical provider details.
• Safeguarding and Child Protection Data: Safeguarding flags, concerns, incidents, previous allegations, and related documentation.
• Equality and Inclusion Data: Ethnicity, religion, cultural background, and SEN classification.

Lawful Bases for Special Category Data

We rely on the school's statutory duties under education and safeguarding law as the basis for this processing. We process special category data under the following Article 9(2) exemptions:

Criminal Offence Data

In limited circumstances, Student Radar may process information related to criminal convictions or offences (e.g., previous safeguarding allegations). This is processed under Article 10 of the UK GDPR and only where your school has a legitimate need to do so (e.g., staff background checks, safeguarding purposes). Processing is carried out under strict safeguards and only by authorised personnel.

Who is a Child?

Under the UK GDPR and ICO Children's Code guidance, a child is anyone under 18 years of age. Student Radar processes personal data of children (students aged under 18).

Our Approach

• Age-Appropriate Design: Although Student Radar is not designed for direct use by children, we ensure that any parent/guardian portal features are appropriate and safe for use by parents of young children.
• Best Interests of the Child: We process children's data only where it is in their best interests, supporting their education, safety, health, and wellbeing.
• Minimal Data Collection: We collect only the minimum personal data necessary for the purposes outlined in this policy.
• Transparency: We provide this privacy policy to schools to share with parents and carers, ensuring awareness of how children's data is used.
• Parental Rights: Parents have the right to request access to their child's data and to exercise other rights under the UK GDPR (see Section 10).

Student Consent

Students do NOT log in directly to Student Radar. The platform is used by school staff and, in limited cases, by parents/guardians. Schools rely on statutory duties (public task under Article 6(1)(e) UK GDPR) and, for special category data, Schedule 1 conditions under the DPA 2018, rather than consent to process student data. No pupil consent is sought or required because students do not have direct access to the platform.

What You Need to Know About Sub-Processors

• Mandatory Sub-Processors: Supabase, Vercel, and Wonde are essential to the operation of Student Radar and are automatically used.
• Optional Sub-Processors: Twilio, Resend, OpenAI, and Sentry are optional integrations. Your school controls whether these are enabled through your Student Radar settings. If disabled, your data is not processed by these services.
• Data Processing Agreements: All sub-processors have Data Processing Agreements in place that comply with Article 28 of the UK GDPR.

UK and EEA Data

Student Radar is designed with data residency in mind. The primary database (Supabase) is hosted in the UK (eu-west-2 region). Student data and educational records are not routinely transferred outside the UK/EEA.

Transfers to Other Jurisdictions

Where data must be transferred to jurisdictions outside the UK/EEA (e.g., to the US for OpenAI services, or to other regions for optional sub-processors), we rely on the following transfer mechanisms:

• EU/UK Standard Contractual Clauses (SCC): We use the EU Commission Standard Contractual Clauses (2021/914) and the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses to ensure adequate safeguards are in place.
• School Controls: For optional sub-processors (Twilio, Resend, OpenAI, Sentry), your school can control whether data is transferred by enabling or disabling these services.
• PII Removal: Before data is sent to external services (particularly AI services), personally identifiable information (PII) is tokenised or removed to minimise the personal data transferred.

Adequacy Decisions

The UK is not subject to an adequacy decision for inbound transfers (as it is the origin). Where we transfer data outbound, we verify that the recipient country either has an adequacy decision or we rely on SCCs/appropriate safeguards as described above.

Student and Staff Data

Your school is the data controller for student and staff data and determines the retention period. Student Radar will retain this data for as long as your subscription is active and for up to 30 days following termination unless otherwise instructed by the school. Once your school requests deletion or ends the subscription, data will be securely deleted according to the timescales set out in your Data Processing Agreement.

Technical and Usage Data

Technical logs, analytics data, and error logs are retained as follows:

• API logs, system logs, and audit logs: 13 months minimum
• Server-side analytics data (anonymised, no cookies): Up to 13 months
• Error tracking and performance data (via Sentry, if enabled): Up to 90 days

Backup and Recovery

We retain automatic backups for disaster recovery and business continuity purposes. These backups are retained for a maximum of 90 days unless a longer period is required by law or your school's instructions.

Right of Access (Article 15)

You have the right to request access to your personal data held by us. For student and staff data processed on behalf of a school, the school is the primary point of contact for exercising data protection rights. You may also contact Student Radar (see Section 15). We will provide a copy of your data in a structured, commonly used, and machine-readable format within 30 calendar days.

Right to Rectification (Article 16)

If you believe any personal data held about you is inaccurate or incomplete, you have the right to request correction. Please contact your school or Student Radar.

Right to Erasure (Article 17 — Right to be Forgotten)

You may request deletion of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected. However, this right is not absolute and may not apply if we have a legal obligation to retain the data or if it is necessary for other lawful purposes.

Right to Restrict Processing (Article 18)

You may request that we limit how we process your personal data while a dispute is resolved or if you have objected to processing.

Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller. This right applies where processing is based on consent or performance of a contract and where processing is carried out by automated means.

Right to Object (Article 21)

You have the right to object to processing of your personal data on grounds relating to your particular situation. This applies particularly to processing for profiling or marketing purposes.

Rights Related to Automated Decision-Making (Article 22)

See Section 11 for details on your rights regarding automated decision-making and profiling.

Right to Lodge a Complaint (Article 77)

If you believe your privacy rights have been breached, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

How to Exercise Your Rights

To exercise any of these rights:

1. Contact your school's data protection contact or administrator first (they may be able to fulfil your request internally).
2. If you do not receive a satisfactory response, contact Student Radar directly (see Section 15).
3. Include sufficient information to identify yourself and the data you are requesting (e.g., name, student ID, email address).
4. We will respond within 30 calendar days or explain why we need more time.

What is Automated Decision-Making?

Automated decision-making (under Article 22 of the UK GDPR) refers to making a decision about an individual based solely on automated processing, without human intervention, that produces legal or similarly significant effects.

Our Position

Student Radar does NOT carry out automated decision-making as defined by Article 22. We do not make any decisions that are legally binding or have significant effects on individuals based solely on automated processing.

Profiling and Advisory Features

Student Radar includes AI-powered features (such as the Risk Assessor, IEP Creator, and Insight Generator) that provide advisory insights. These features:

• Are designed to support human decision-making, not replace it
• Include a human-in-the-loop requirement — school staff review and approve any recommendations before they are acted upon
• Do not create legal or binding effects; they are advisory only. No automated decisions are made about students without a member of school staff reviewing and approving them
• Are subject to the school's professional judgement

Profiling for AI Services

Where Student Radar uses external AI services (OpenAI), personally identifiable information is tokenised before being sent to the external service. This means that the AI service receives de-identified data and cannot create a persistent profile of individuals.

What are Cookies?

Cookies are small text files stored on your device when you visit a website or use an application. They help websites remember information about you, such as your login status or preferences.

Our Use of Cookies

Student Radar uses cookies and similar technologies for the following purposes:

Consent for Cookies

Essential cookies (such as session tokens and CSRF tokens) do not require your consent and are necessary for the platform to function securely and properly.

Non-essential cookies (such as analytics cookies) require your consent. When you first access Student Radar or www.studentradar.com, you will be presented with a cookie banner asking for your consent. You can manage your cookie preferences at any time through your browser settings or the cookie preferences page.

Third-Party Cookies

Some of our sub-processors (such as Twilio, Resend, OpenAI, and Sentry) may set their own cookies or similar tracking technologies when their services are enabled. Please review their privacy policies for more information.

How to Control Cookies

You can control cookies through:

• Your browser settings — most browsers allow you to block or delete cookies
• The cookie preferences page on Student Radar — you can change your consent at any time

Please note that disabling cookies may affect the functionality of Student Radar and may prevent you from logging in or using certain features.

Our Commitment to Security

We implement comprehensive technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, and destruction. These measures include:

Technical Security Measures

• Encryption at Rest: All data stored in our databases is encrypted using AES-256 encryption.
• Encryption in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher (HTTPS).
• Role-Based Access Control (RBAC): User access is restricted based on role and responsibilities. School administrators, staff, and parents have different permission levels.
• Row-Level Security (RLS) with JWT Claims: Database access is enforced at the row level, ensuring users can only access data they are authorised to see.
• Multi-Factor Authentication (MFA): MFA (Authenticator Level 2 — AAL2) is mandatory for all staff accounts accessing the Platform. This applies to all user roles, including teachers, DSLs, SENCOs, and administrators.
• Honey Tokens: We deploy honey tokens (decoy data) throughout our systems to detect unauthorised access attempts.

Organisational Security Measures

• Cyber Essentials Certification: Student Radar is certified under the UK Cyber Essentials programme, demonstrating compliance with core security controls.
• Staff Training: Our team receives regular training on data protection and security best practices.
• Access Logs: We maintain detailed logs of who accesses what data and when. These logs are monitored for suspicious activity.
• Incident Response Plan: We have documented procedures for responding to data breaches or security incidents.

Data Breach Notification

If we become aware of a personal data breach affecting data processed on behalf of a school, we will notify the school without undue delay. The school, as data controller, is responsible for notifying the ICO where required under Article 33 of the UK GDPR. We will provide:

• The nature of the breach
• The data affected
• Likely consequences
• Steps we are taking to mitigate the breach
• Contact information for further details

Data Protection Lead and Privacy Inquiries

If you have questions about this Privacy Policy, our data handling practices, or if you wish to exercise your data protection rights, please contact:

Information Commissioner's Office (ICO)

If you have a concern about our privacy practices or if you wish to lodge a formal complaint, you may contact the ICO:

Response Times

We aim to respond to all data subject requests and privacy inquiries within 5 working days. For formal Subject Access Requests, we will respond within 30 calendar days as required by law.