⚠️ Draft for review — not legal advice.
This is a working draft. It must be reviewed and approved by a qualified data-protection / education-law professional and the responsible Data Protection Officer before it is published or relied upon. Placeholders in [square brackets] need real values.
Privacy Policy
Last updated: Draft — not yet published
This policy explains what personal data Storyjar processes, why, on whose behalf, and the rights people have. A short plain-English version for families is also available.
1. Who is responsible for your data
Storyjar is provided by [Legal entity name], [company number], [registered address] (“Storyjar”, “we”). Our Data Protection Officer is [DPO name / email]. We are registered with the Information Commissioner's Office (ICO) under [registration number].
For the data of children, parents and staff, the school is the data controller and Storyjar is a data processoracting only on the school's documented instructions. The school decides why children's data is collected; we only handle it to provide the service. For a small amount of data about the account holder(e.g. a teacher's login email), we act as controller.
2. What we process
| Who | What | Why |
|---|---|---|
| Children (3–7) | First name only; the “moments” they create (photos, drawings, typed words); optional teacher-added skill tags and dates | To build the child's class journal / portfolio for the school |
| Teachers / staff | Name, title, school email, hashed password, role, class assignment | To create and secure staff accounts and moderate content |
| Parents / carers | Name, email, family code, link to their child(ren) | To give a read-only family view of approved moments |
We deliberately do not collect:children's surnames, dates of birth, addresses, contact details, or any behavioural/analytics profiling data. Children never have logins, emails or passwords.
3. Lawful basis
The school determines and documents the lawful basis for processing children's data — typically public task(UK GDPR Art. 6(1)(e)) for state schools carrying out their educational function, with appropriate conditions for any special-category data (e.g. images). Storyjar processes this data solely as the school's processor under Art. 28. For account-holder data we rely on legitimate interests / contractto operate the service. Photographs of children are handled under the school's own photography consent arrangements.
4. How moments are controlled
Every moment a child creates is held privately in a teacher approval queue and is not visible to anyone else until a teacher approves it. Approved moments are visible only to the child's teacher(s), school admins who teach that class, and the child's linked parent/carer (read-only). Content is never public.
5. Where data is stored
Personal data (database, uploaded media and backups) is stored and processed in the UK/EU. We do not transfer children's personal data to the United States or other jurisdictions without an adequacy decision or appropriate safeguards. Our current infrastructure and sub-processors are listed in the Sub-processors page.
6. How long we keep it
We keep a child's data for as long as the school's subscription and the school's own retention rules require, and then delete it. A school can export or delete a class's data at any time; deletion removes both the database records and the underlying media files. Full details are set out in the Data Processing Agreement. [Confirm the exact retention schedule with the DPO.]
7. Security
We apply technical and organisational measures appropriate to children's data (UK GDPR Art. 32), including server-side access control scoped to who may see a child's work, access-controlled media, HTTPS, hashed passwords, security headers, least-privilege staff roles, and no third-party trackers. Our internal engineering rules are set out in our safeguarding & security governance.
8. Who we share data with
We do not sell data and we do not share it for advertising. We share it only with the limited sub-processors needed to run the service (see Sub-processors), each under a data-processing agreement, or where required by law.
9. Rights
Because the school is the controller for children's data, requests to access, correct, delete or export a child's data are made to the school, and we support the school in fulfilling them. Parents and pupils can raise requests with the school; the school can also contact us. For account-holder data you can contact us directly at [privacy contact]. You may complain to the ICO (ico.org.uk).
10. Children's Code
Storyjar is designed to meet the ICO's Age Appropriate Design Code: high-privacy defaults, data minimisation, no profiling of children, no nudge techniques, and transparency in language families can understand (see the plain-English version).
11. Changes
We will tell schools about material changes to this policy. This is a draft; the published version will carry a real effective date.