← Back

Privacy Policy

Last updated: March 2026

1. Who we are

This website is operated by the Parent Teacher Association (“PTA”) of our school. We act as the data controller for the personal information collected through this service.

If you have any questions about how we use your personal data, please contact us via the school office.

2. What information we collect

When you register for a PTA event, we collect:

  • Your first name and last name
  • Your email address
  • Your child's first name, last name, and school class
  • Dietary requirements (where relevant to the event)
  • Payment information (processed securely by Stripe — we do not store card details)
  • Gift Aid declaration details: title, house name/number, postcode, donation date (only if you choose to Gift Aid your donation)
  • Any additional information requested for a specific event (e.g. T-shirt size)

3. Why we collect it and our legal basis

Event registration & administration

Legal basis: Legitimate interests (Article 6(1)(f) UK GDPR) — to organise and manage PTA events, including attendance registers and dietary requirements for the safety of attendees.

Payment processing

Legal basis: Contract (Article 6(1)(b) UK GDPR) — necessary to process your payment for paid events.

Gift Aid

Legal basis: Legal obligation and consent (Article 6(1)(a) and (c) UK GDPR) — to enable the PTA to reclaim Gift Aid from HMRC as required by the Gift Aid scheme. You are not obliged to provide this information and may opt out at any time.

4. How long we keep your data

  • Registration data — retained for 12 months after the event date, then securely deleted.
  • Gift Aid records — retained for 6 years from the date of donation, as required by HMRC.
  • Payment records — retained for 7 years for accounting and legal compliance.

5. Who we share your data with

We use the following third-party services to operate this platform. Each has been assessed for UK GDPR compliance:

Stripe (payment processing)

Stripe Payments Europe Ltd is authorised by the FCA and processes payments on our behalf. Card details go directly to Stripe and are never stored on our servers. Stripe is UK GDPR compliant. Stripe Privacy Policy.

Vercel (website hosting)

Our website is hosted by Vercel Inc. (USA). Vercel provides Standard Contractual Clauses (SCCs) for international data transfers and maintains a Data Processing Agreement compliant with UK GDPR. Vercel Privacy Policy.

Neon / PostgreSQL (database)

Your data is stored in a PostgreSQL database hosted by Neon Inc. (USA). Neon provides SCCs for international transfers. Data is encrypted at rest and in transit.

Resend (email delivery)

Confirmation and administrative emails are sent via Resend Inc. (USA). Resend uses SCCs for international data transfers. Only your email address is shared for the purpose of delivering transactional emails.

HMRC (Gift Aid only)

If you opt in to Gift Aid, your declaration details (name, address, postcode, donation amount and date) will be submitted to HMRC as required by the Gift Aid scheme.

We do not sell, rent, or share your personal data with any other third parties for marketing purposes.

6. International data transfers

Some of our service providers are based in the United States. Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO or equivalent protections under the UK GDPR International Data Transfer Agreement (IDTA) framework.

7. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification — you can ask us to correct inaccurate data.
  • Right to erasure — you can ask us to delete your data, subject to our legal obligations to retain certain records (e.g. Gift Aid, financial records).
  • Right to restrict processing — you can ask us to pause how we use your data.
  • Right to object — you can object to processing based on legitimate interests.
  • Right to data portability — you can request your data in a machine-readable format.
  • Right to withdraw consent — where processing is based on consent (e.g. Gift Aid), you can withdraw consent at any time. This does not affect the lawfulness of processing before withdrawal.

To exercise any of these rights, please contact us via the school office. We will respond within one calendar month.

If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

This website does not use tracking or advertising cookies. We use only a session token stored in your browser's local storage to keep admin users logged in. This is strictly necessary for the service to function and does not require consent under PECR.

9. Children's data

We collect limited data about children (name and school class) solely for the purpose of event registration. This data is provided by a parent or guardian and is used only to manage attendance. We do not use children's data for any other purpose and do not share it beyond the purposes described in this policy.

10. Changes to this policy

We may update this Privacy Policy from time to time. The date at the top of this page shows when it was last revised. We recommend checking this page periodically.

← Back to Home