Privacy Policy

1. Who We Are

ICT & Data Services Group Limited ("we", "us", "our") is a company registered in England and Wales (company number 07557591). Our registered address is 5 Campsall Drive, Sheffield, S10 5FZ.

We develop and provide Tracker+, a cloud-based pupil tracking and data analysis platform for primary schools and multi-academy trusts, and Reports to Parents, an AI-powered pupil report writing service.

For any privacy-related queries, contact us at privacy@ictdsg.com.

We intend to register with the Information Commissioner's Office (ICO) as a data processor prior to the launch of Tracker+ in September 2026. Our registration number will be published here once confirmed.

2. What This Policy Covers

This policy covers three distinct areas:

This website — what we collect when you visit our site, enquire about our products, or contact us
Tracker+ — our cloud-based school tracking platform, launching September 2026, in which we store and process pupil data on behalf of subscribing schools
Reports to Parents — our AI-powered report writing service, available both as a feature within Tracker+ and as a standalone product

Important: Tracker+ is a cloud-based service. Unlike previous versions of Tracker+, your school's pupil data is stored securely on our systems, hosted in the United Kingdom. We act as a Data Processor on your school's behalf. Your school remains the Data Controller at all times.

3. Website & Marketing Data

Information You Provide

When you interact with our website or chatbot, we may collect:

Demo booking requests: Name, email address, phone number, and school name
Try AI demo: Email address and school name when you use our interactive AI demonstration
Callback requests: Name, phone number, and preferred contact time
Support enquiries: Name, email address, school name, and your message
General correspondence: Any information you provide when contacting us by any channel

We use this information to respond to your enquiries, arrange demonstrations, and provide support. We will not add you to marketing lists without your explicit consent.

Colleague Referrals

Our Try AI demo includes an option to share the experience with a colleague. If you choose to use this:

We collect your name (optional) and your colleague's email address
We send a single email inviting them to try the demo, identifying you as the referrer
We do not add referred individuals to marketing lists
Referred individuals can contact us at any time to request deletion of their data

Our legal basis for this processing is legitimate interest. We believe a professional referral from a colleague in an educational context is reasonable and that the referred individual would likely welcome the information.

Analytics

We use Google Analytics to understand how visitors use our website. This collects anonymised data about your visit, including pages viewed and time on site. You can opt out using the Google Analytics Opt-out Browser Add-on.

Cookies

Our website uses only essential cookies required for the site to function, plus Google Analytics cookies. We do not use advertising or tracking cookies.

4. Tracker+ Platform

Our Role

When your school subscribes to Tracker+, we act as a Data Processor on behalf of your school (the Data Controller). We process pupil data strictly in accordance with your instructions and our contractual obligations.

Before accessing Tracker+, your school will be required to sign a Data Processing Agreement (DPA) with us as part of the onboarding process. This DPA sets out our respective responsibilities under UK GDPR.

What Data We Store

Tracker+ stores the following categories of pupil data that schools choose to upload or enter:

Pupil Identity Data

First name and surname
Date of birth
Unique Pupil Number (UPN)
Gender
Admission date
Year group

Special Category & Vulnerability Data

Ethnicity and home language
SEN status and SEN need type
Free School Meals (FSM) eligibility
Pupil Premium (PP) status
Looked After Child (LAC) status
English as an Additional Language (EAL) status

Educational Data

Formative assessment data across all subjects and terms
Statutory assessment results (Phonics Screening, KS1, Multiplication Tables Check, KS2 SATs)
Weekly attendance percentages
Attendance notes
Intervention enrolments, session attendance, and progress assessments
Teacher notes and PPM (Pupil Progress Meeting) discussion records
Custom test scores
Year 6 mock SATs scores
SEN support plan data, including identified needs, targets, provisions, review notes, and graduated response tracking
Enrichment activity registrations, fee status, and subsidy information

Staff & Account Data

Teacher and administrator names and email addresses
Encrypted passwords
Audit logs (user actions, timestamps, and IP addresses) — retained for security purposes

Where Data is Stored

All Tracker+ data is stored on Supabase infrastructure located in London, United Kingdom (AWS eu-west-2). Data does not leave the UK for storage purposes.

School Responsibilities

As Data Controller, your school is responsible for ensuring it has an appropriate lawful basis under UK GDPR for sharing pupil data with us, and for ensuring that use of Tracker+ is reflected in your school's own privacy notices and data protection documentation.

5. AI Features & Data Processing

Tracker+ includes optional AI-powered features including attainment analysis, headteacher report drafting, and a Data Assistant. When these features are used, data is transmitted to our AI provider.

How We Protect Pupil Identity

We take significant steps to protect pupil identities when using AI features:

Pseudonymisation: Pupil names are replaced with anonymous identifiers (pseudonyms) before any data is sent to our AI provider. The AI never processes real pupil names.
No Special Category Data in AI prompts: Vulnerability flags (SEN, PP, LAC, EAL, ethnicity, etc.) are included only as aggregate group labels, not as data about identifiable individuals.
Client-side restoration: Where AI output references pupils, real names are reinserted only within your browser session after processing is complete.

Our AI Provider

AI analysis is provided by Anthropic, PBC, who process data in the United States. These international transfers are protected by Standard Contractual Clauses (SCCs) and the UK Addendum to the SCCs, ensuring compliance with UK GDPR requirements for international data transfers.

Anthropic process data only to provide the service and do not use it to train their models. Full details of Anthropic's data processing commitments are available at anthropic.com/privacy.

AI Data Retention

Pseudonymised AI job records (including the prompts sent and responses received) are stored in our database linked to your school's account for audit and quality purposes. These records do not contain real pupil names. Schools may request deletion of AI job records at any time by contacting privacy@ictdsg.com.

6. Reports to Parents

Reports to Parents is our AI-powered pupil report writing service. It is available in two forms:

Integrated: As a feature within Tracker+, for schools that subscribe to the full platform
Standalone: As a separate product for schools that do not subscribe to Tracker+

Both versions operate on separate infrastructure and are governed by different data arrangements, described below.

Integrated (Tracker+)

When used as part of Tracker+, Reports to Parents draws on pupil data already held within the platform. The same data protection arrangements described in Section 4 apply. AI processing follows the same pseudonymisation approach described in Section 5.

Standalone Service

The standalone Reports to Parents service operates as an independent system with its own database, hosted in Frankfurt, Germany (EU) on Supabase infrastructure.

What We Collect

Teacher account information: Name, email address, school name, encrypted password
Pupil names: First name, surname, and preferred name (if provided)
Teacher notes: Professional observations about each pupil entered by the teacher
Attainment descriptors: Reading, writing, and maths attainment levels (not numeric scores)
Generated reports: The AI-generated report text
Payment records: Transaction records only — payment details are processed by SumUp and not stored by us

What We Do NOT Collect

Dates of birth or ages
Addresses or contact details of pupils or parents
Special Category Data (ethnicity, SEN status, medical information, etc.)
Any data beyond what you explicitly enter

How Pupil Names Are Protected

Names are never sent to AI: Pupil names are replaced with placeholders before data is sent to Anthropic. The AI never processes real pupil names.
Client-side restoration: Names are reinserted into the finished report only in your browser, after AI processing is complete.
Encrypted storage: Names are stored encrypted at rest and in transit.

Data Retention — Standalone

Draft reports: Retained until finalised or deleted by the user
Finalised reports: Retained for the duration of your account plus 1 year
Account deletion: All associated pupil data and reports are permanently removed within 30 days of account deletion or deletion request

Data Processing Role — Standalone

For the standalone Reports to Parents service, we act as a Data Processor on behalf of your school (the Data Controller). Schools are responsible for ensuring they have appropriate grounds under UK GDPR to share pupil names with us and for notifying staff and parents accordingly.

Individual teachers using the service should follow their school's policies regarding the use of external software tools.

7. Legal Basis for Processing

Processing Activity	Legal Basis
Responding to enquiries and arranging demos	Legitimate interests
Delivering Tracker+ services	Contract (with the school)
Processing pupil data within Tracker+	Contract (as Data Processor under the DPA)
Delivering standalone Reports to Parents	Contract (with the school or teacher)
Sending marketing communications	Consent
Colleague referral emails	Legitimate interests
Audit logging and security monitoring	Legitimate interests
Maintaining financial and legal records	Legal obligation

8. Data Retention

Data Type	Retention Period
Website enquiry data (non-customers)	Deleted after 2 years if you do not become a customer
Customer account and billing records	7 years after end of business relationship (legal obligation)
Tracker+ pupil data	Deleted within 30 days of subscription ending
Tracker+ audit logs	Retained for 2 years for security purposes
AI job records (pseudonymised)	Retained for 1 year, or deleted on request
Reports to Parents (standalone) — draft reports	Until finalised or deleted by user
Reports to Parents (standalone) — finalised reports	Duration of account plus 1 year
Reports to Parents (standalone) — account deletion	All associated data removed within 30 days

9. Your Rights

Under UK GDPR, you have the right to:

Access — Request a copy of the personal data we hold about you
Rectification — Ask us to correct inaccurate data
Erasure — Request deletion of your data in certain circumstances
Restriction — Ask us to limit how we use your data
Portability — Receive your data in a structured, machine-readable format
Object — Object to processing based on legitimate interests

To exercise any of these rights, contact privacy@ictdsg.com. We will respond within one calendar month.

Schools acting as Data Controllers: Where your school is the Data Controller for pupil data held in Tracker+, requests from pupils, parents, or staff regarding their data should in the first instance be directed to the school. We will cooperate fully with your school to fulfil any subject access requests or deletion requests within the required timeframe.

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

10. Third Parties

We share data with the following third-party providers only where necessary to deliver our services:

Provider	Purpose	Location
Supabase (Tracker+)	Database hosting and storage for Tracker+	London, UK (AWS eu-west-2)
Supabase (Reports to Parents standalone)	Database hosting for standalone Reports to Parents	Frankfurt, Germany (EU)
Anthropic	AI analysis and report generation (pseudonymised data only)	United States (SCCs + UK Addendum)
Netlify	Website and serverless function hosting	United States (SCCs)
Google Analytics	Anonymised website analytics	United States (SCCs)
Mailchimp	Marketing and enquiry communications	United States (SCCs)
SumUp	Payment processing (Reports to Parents standalone)	EU
Resend	Transactional email delivery (e.g. password resets)	United States (SCCs)

We do not sell personal data to any third party, and we do not share data with third parties for advertising or marketing purposes.

11. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

Encrypted connections (HTTPS/TLS) for all data in transit
Encryption at rest for all stored data
Row-level security policies ensuring each school can only access its own data
Secure, hashed password storage
Comprehensive audit logging of all data access and modifications
Regular security reviews
Pupil name pseudonymisation before any AI processing

ICT & Data Services Group Limited is certified under the UK Government's Cyber Essentials scheme, confirming that our infrastructure meets the required standard for protection against common internet-based cyber threats.

In the event of a data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO within 72 hours and affected schools without undue delay, in accordance with our obligations under UK GDPR.

12. Changes to This Policy

We may update this privacy policy from time to time, particularly as Tracker+ develops and new features are introduced. We will notify subscribing schools of any significant changes by email at least 30 days before they take effect. The "last updated" date at the top of this page indicates when it was last revised.

13. Contact Us

For any questions about this privacy policy or our data practices:

ICT & Data Services Group Limited
5 Campsall Drive
Sheffield
S10 5FZ

Email: privacy@ictdsg.com
Phone: 0114 437 2617

Contents