Privacy Policy

Last updated: 11 March 2026

Who we are

spellbound is operated by Chris Goodall, trading as Spark Apps. We are registered with the Information Commissioner's Office (ICO) under registration number C1882162.

For privacy enquiries, contact us at privacy@spellbound-edu.co.uk.

What spellbound is

spellbound is a spelling practice tool for UK primary schools. It is designed to be privacy-first: we do not collect pupil names, email addresses, or any information that directly identifies a child.

What we collect

Staff accounts

Teachers register with an email address, display name, and password. Passwords are hashed with bcrypt and never stored in plain text. The lawful basis for processing staff account data is legitimate interest (Article 6(1)(f) UK GDPR) -- providing the service the teacher signed up for.

Learner data

Learners are identified only by a randomly generated 6-character access code and a separate display code. We do not ask for or store pupil names, dates of birth, or any other personal information.

The lawful basis for processing learner session data is legitimate interest (Article 6(1)(f) UK GDPR) -- specifically the school's legitimate interest in tracking pupil spelling progress. As no personal data that identifies individual children is collected, this processing falls at the lowest end of the privacy risk spectrum.

For each spelling session we record: which words were attempted, whether each answer was correct, the number of attempts, and the time taken. This data is used to track progress and tailor practice to each learner.

School branding

Teachers may optionally upload a school logo. This is stored in the database and displayed only within authenticated pages.

How we use data

All data is used solely to provide the spelling practice service. We do not sell, share, or transfer data to third parties. We do not use data for advertising, profiling, or any purpose beyond the core educational function.

Where data is stored and sub-processors

Data is stored in a PostgreSQL database hosted by Neon in the EU (London, eu-west-2). The EU has adequacy status under UK GDPR, so no additional safeguards are required for this transfer.

The application is hosted on Vercel (United States). Transfers to the US are covered by the UK-US Data Bridge, which provides an adequate level of data protection under UK GDPR.

Our sub-processors are:

  • Neon -- database hosting (EU, London)
  • Vercel -- application hosting (US, UK-US Data Bridge)
  • Upstash -- rate limiting infrastructure (EU, London)
  • GitHub -- source code hosting (US, UK-US Data Bridge)
  • Cloudflare -- DNS and email routing (US, UK-US Data Bridge)

All connections between the application and database use TLS encryption.

How long we keep data

Learner session and progress data is retained for the current academic year. Data associated with inactive learners (no activity for 12 months) is automatically purged by a daily scheduled task.

Classes that have been archived by a teacher for more than 24 months are automatically deleted, along with all associated learner data.

When a teacher deletes a class or an individual learner, all associated profiles, sessions, and attempt data are removed immediately. Staff accounts persist until the teacher deletes their account.

Internal audit logs (which record administrative actions such as deletions and exports but contain no learner spelling data) are retained for up to 24 months for accountability purposes, after which they may be purged.

Cookies

spellbound uses only strictly necessary cookies for authentication:

  • staff_session -- staff authentication (7-day expiry)
  • learner_session -- learner authentication (8-hour expiry)

Both cookies are httpOnly, secure, and cryptographically signed. We do not use tracking cookies, analytics cookies, or any third-party cookies. As these are strictly necessary cookies, no cookie consent banner is required under PECR.

Children and UK GDPR

Because spellbound does not collect any data that identifies individual children, the risk profile under UK GDPR and the Age Appropriate Design Code is minimal. No parental consent mechanism is required as no personal data (as defined by ICO guidance) is collected from learners.

Schools remain the data controller for their learners. spellbound operates as a data processor on behalf of the school.

Your rights

Under UK GDPR you have the right to:

  • Access -- request a copy of data we hold about you
  • Rectification -- correct inaccurate data
  • Erasure -- request deletion of your data
  • Portability -- receive your data in a structured format
  • Objection -- object to processing based on legitimate interest

Teachers can exercise many of these rights directly within the application:

  • Access & portability -- use the "Export data" buttons on the learner detail page or staff dashboard to download a full structured copy of all stored data
  • Erasure -- delete individual learners, entire classes, or your own staff account from within the application (all associated data is removed immediately)

For any other requests, contact privacy@spellbound-edu.co.uk. We will respond within 30 days.

If you are not satisfied with our response, you have the right to complain to the ICO at ico.org.uk.

Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of this page will be revised accordingly. Continued use of spellbound after changes constitutes acceptance of the updated policy.

← Back to spellbound