Privacy policy

Last updated: 30 June 2026

Who we are

Schoolee is a UK-based service and acts as the data controller for the purposes of the UK GDPR and Data Protection Act 2018. Contact: privacy@schoolee.app.

What this policy covers

Schoolee turns school PDF emails into calendar events for parents. This policy explains what personal data we process, why, how long we keep it, who we share it with, and your rights.

What data we collect

Account data: your email address and display name.
Google profile data (if you sign in with Google): your Google account email, name, and profile picture URL.
Google OAuth tokens (if you grant calendar access): an encrypted refresh token stored so we can keep your Schoolee calendar up to date. Encrypted at rest, decrypted only for outbound API calls.
School association: which school you belong to and your approval status.
Children's profile data: the first name, year group, and class you enter for each child, used only to match which school notices apply to them. We do not collect a child's surname, date of birth, or contact details, and this is never taken from the emails you forward — you provide it yourself.
Forwarded email metadata: when you forward a school email to Schoolee, we store the sender's domain, the message ID, and extracted event data (dates, titles, locations). We do not retain the original email body or attachments after extraction. (Temporary beta exception — see below.)
Audit log: timestamps of sign-ins, email sends, admin actions, and similar security-relevant events (email domains only, never full addresses in log entries where a domain suffices).

How we use each Google scope

When you sign in with Google, we request these OAuth scopes. Each is limited to exactly what's described:

userinfo.email and userinfo.profile: to create your Schoolee account and display your name. Standard sign-in data only.
calendar.app.created: to create and manage only a dedicated "Schoolee" calendar in your Google Calendar. We cannot read or modify any calendar other than the one we created. If you delete the Schoolee calendar in Google Calendar, the button on your account page recreates it without affecting anything else.

We do not request access to Gmail, Drive, Contacts, Photos, or any other Google service.

Google API Services User Data Policy — Limited Use

Schoolee's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We do not:

Use Google user data to serve advertising.
Allow humans to read your Google user data, except where required for security investigations, to comply with applicable law, or with your explicit consent.
Transfer Google user data to any third party except as necessary to provide or improve user-facing features that are prominent in Schoolee's interface (e.g. writing events into your Schoolee calendar via Google's own APIs).

How we use your data

To create and maintain your Schoolee account.
To verify which school you belong to through one of the approved sign-up paths (an invite code, or a direct invite from a school admin).
To extract school events from PDFs you (or your school) forward to us, and write them to your Schoolee calendar and/or your private calendar feed URL.
To send transactional email (sign-in links, verification replies, admin notifications) to the address you provided.
To log security events (sign-in attempts, rate limits, admin actions) for abuse prevention.

Children's data

Schoolee is designed for parents, not children. We comply with the UK Age Appropriate Design Code (AADC) and UK GDPR Article 8 protections.

Our extraction is explicitly instructed to exclude children's names, class lists, or any personally identifiable information about individual children from the events we store. We classify event locations (e.g. trip destinations) as "restricted" by default; admins must explicitly approve parents before those locations are revealed, so the whereabouts of children are not exposed to anyone who happens to obtain a Schoolee account at a school.

Where your data lives

Schoolee runs on Cloudflare's edge platform. Account data and event data are stored on Cloudflare's platform in European data centres (Cloudflare's EU region). OAuth tokens are encrypted before storage.

Third-party processors

We share only the minimum data needed with the following service providers:

Cloudflare — hosting, storage, inbound email routing, DNS. Privacy policy.
Google — OAuth sign-in and Calendar API. Receives your email address and the events we write to your Schoolee calendar. Privacy policy.
Anthropic (Claude API) — extracts events from the PDFs you forward. We send PDF content and receive structured event data back. Anthropic commits to not training on API data by default. Privacy policy.
Resend — transactional email delivery for sign-in links and notifications. Receives recipient email address and message body. Privacy policy.

We do not sell or share personal data with advertisers, data brokers, or any party not listed above.

How long we keep data

Account, school, and calendar data: retained while your account is active.
Forwarded email message IDs: retained for the lifetime of the account, to prevent duplicate processing.
Audit logs: retained for up to 12 months.
Encrypted OAuth tokens: deleted immediately when you disconnect Google or delete your account.
On account deletion: we delete all your personal data within 30 days, except where retention is legally required (e.g. financial records). The Schoolee calendar created in your Google account is not touched — you can delete or keep it.

Temporary beta exception

During Schoolee's closed beta only, we temporarily keep a complete copy of the school emails you forward (including the original body and attachments) so we can improve how accurately we recognise which school an email is from and extract the right dates. This is used solely to test and tighten our matching — never for advertising or shared with third parties.

These raw copies are automatically deleted within 60 days, and the entire store is permanently deleted at the end of the beta period. After beta, Schoolee returns to not retaining the original email body or attachments after extraction.

Your rights (UK GDPR)

You have the right to:

Access the personal data we hold about you.
Rectify inaccurate data (edit your name/email from your account page).
Erase your data ("right to be forgotten") — use the Delete account button on /account, or email us.
Restrict or object to processing.
Data portability — export your events as an iCalendar (.ics) feed from your account.
Withdraw consent to Google access at any time via Google Account Permissions.

Requests: email privacy@schoolee.app. We respond within 30 days.

Cookies

Schoolee's cookies are all strictly necessary and used for no purpose other than authenticating the current session. We never set them for analytics, advertising, or tracking.

session — a signed token so you stay signed in. HttpOnly, Secure, SameSite=Lax.
csrf — a CSRF protection token. HttpOnly=false (by design, so our JS can include it in form submissions), SameSite=Strict.
active_admin_school — set only for parents who administer more than one school, to remember which school's admin view they're currently in. HttpOnly. Cleared on exit.
super_admin_school — set only for Schoolee staff with super-admin rights who have entered a specific school's admin view. HttpOnly. Cleared on exit.

Security

Your data is encrypted in transit and at rest. Sessions use signed tokens, and we require CSRF protection on every state-changing request. Access to school data is role-checked on each request. We run regular internal security reviews and remediate issues we find.

Open data attribution

Our UK school directory is built from open government data. School information for England is © Crown copyright and database right, Department for Education (Get Information about Schools). Scottish school data is © Crown copyright, National Records of Scotland (statistics.gov.scot). Welsh school data is © Crown copyright, Welsh Government (StatsWales). All used under the Open Government Licence v3.0.

Complaints

If you believe we've mishandled your data, please contact us first. If you're not satisfied, you can complain to the UK Information Commissioner's Office (ico.org.uk).

Changes to this policy

We'll update this page when our data practices change and update the "Last updated" date. Material changes will also be announced via email to your registered address.