Privacy Policy
Effective date: 9 July 2026
School Choice Report (reports on the state schools near a UK postcode with their latest Ofsted rating) is operated at schoolchoicereport.co.uk. This policy explains what personal data we collect, how and why we use it, and the rights you have. It is written to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We keep the data footprint of this product deliberately small.
Who the data controller is
The data controller for the personal data described here is the operator of School Choice Report. For any privacy question, or to exercise a right described below, email [email protected].
What we collect
We collect only what we need to deliver the report you pay for:
- The UK postcode you enter, and your choice of primary, secondary or all schools. We use these solely to work out which state schools are near you and to build your report.
- Your email address, so we can deliver the finished report and send your receipt.
- An optional name, if you choose to give one, used only to address your report and correspondence.
- Payment details are processed by Stripe. We never see or store your full card number, security code or expiry date. Stripe is a PCI-DSS Level 1 certified payment processor; your card data goes directly to Stripe. We receive only confirmation that payment succeeded and a limited record (such as the last four digits and a transaction reference) for our accounting and refunds.
Our lawful bases for using your data
Under UK GDPR we must have a lawful basis for each use of your personal data:
- Performance of a contract. Using your postcode, phase choice and email to generate and deliver the report you have bought, and to send your receipt, is necessary to perform our contract with you.
- Legitimate interests. Keeping basic, minimal records for security, fraud prevention and to run the service reliably rests on our legitimate interests, balanced against your rights.
- Legal obligation. Retaining transaction records for tax and accounting is required by law.
- Consent. We only use your email for optional marketing if you have explicitly opted in, and you can withdraw that consent at any time.
Analytics: cookieless, no personal data
We measure aggregate traffic with Fathom Analytics, a privacy-first, cookieless analytics service. Fathom sets no cookies, collects no personal data, does no cross-site or cross-device tracking, and does not build advertising profiles. Because it sets no cookies and collects no personal data, no cookie-consent banner is required under the Privacy and Electronic Communications Regulations (PECR). We cannot use Fathom data to identify you.
We do not sell your personal data
We do not sell your personal data, and we do not share it for advertising or profiling. We have no data-sale programme and will not create one. We share data only with the processors needed to run the service, described below.
How we use your information
- To generate and deliver the report you ordered.
- To email you the report, a receipt, and any delivery follow-up.
- To process refunds and respond to support requests.
- To keep minimal, largely non-identifying records for accounting, security and fraud prevention.
We do not use your email for marketing unless you have explicitly opted in.
Data retention
We keep your postcode, phase choice and email only as long as needed to deliver the report and provide support, and to meet our legal, tax and accounting obligations (transaction records are generally kept for around six years to satisfy HMRC record-keeping requirements). Payment records held by Stripe are retained under Stripe's own policies. You may ask us to erase your data at any time (see below), subject to records we are legally required to keep.
Your rights under UK GDPR
You have the right to:
- access the personal data we hold about you;
- rectify data that is inaccurate or incomplete;
- erase your data ("the right to be forgotten"), subject to records we must keep by law;
- restrict how we process your data in certain circumstances;
- data portability (receive your data in a portable format);
- object to processing based on our legitimate interests; and
- withdraw consent at any time where we rely on consent.
To exercise any of these rights, email [email protected] and we will respond within one month, as UK GDPR requires. We will not treat you unfavourably for exercising your rights.
Complaints and the ICO
If you have a concern about how we handle your data, please contact us first at [email protected] so we can try to put it right. If you are not satisfied, you have the right to complain to the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection, at ico.org.uk.
Children's privacy
This service is intended for adults and is not directed at children under 13, the age of digital consent recognised in the UK under the Data Protection Act 2018. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, email [email protected] and we will erase it.
Data security
Data is transmitted over encrypted HTTPS connections. Payment card data is handled entirely by Stripe. No method of transmission or storage is perfectly secure, but we minimise the personal data we hold precisely to reduce risk.
International transfers
Some of our processors, including Stripe and Fathom Analytics, may process data outside the UK. Where personal data is transferred internationally, it is protected by appropriate safeguards recognised under UK data protection law, such as UK adequacy regulations, the International Data Transfer Agreement (IDTA), or standard contractual clauses with the UK addendum.
Changes to this policy
We may update this policy from time to time. When we do, we will revise the effective date above. Material changes will be reflected on this page.
Contact
Questions about this policy or your data? Email [email protected].