Legal
Privacy Policy
Last updated: 2026-06-30
1. Who we are
Boardingly Ltd (“Boardingly”, “we”, “us”) operates the website at boardingly.com and acts as the data controller for all personal data collected through this service.
Contact: privacy@boardingly.com
2. What data we collect and why
| Data type | Why we collect it | Legal basis (UK GDPR Art. 6) |
|---|---|---|
| Email address | Account creation, login, transactional emails | Contract (6(1)(b)) |
| Name (optional) | Personalisation of the service | Legitimate interest (6(1)(f)) |
| Password (hashed — bcrypt) | Account authentication | Contract (6(1)(b)) |
| Payment information | Processing £49 report purchases. Card data is handled by Stripe — we never store card numbers | Contract (6(1)(b)) |
| Session identifiers (cookie) | Security, authentication state | Legitimate interest (6(1)(f)); strictly necessary |
| IP address (transient) | Security, rate-limiting, fraud prevention | Legitimate interest (6(1)(f)) |
| Usage data (pages viewed, search queries) | Product improvement (anonymised); analytics via GA4 (consent-gated) | Consent (6(1)(a)) — analytics only after explicit opt-in |
| Shortlisted schools, report purchases | Core service features | Contract (6(1)(b)) |
| Child date of birth / age band (where provided) | Age-appropriate content; COPPA / UK GDPR compliance for under-13 accounts | Legal obligation (6(1)(c)); Consent with parental approval for under-13 |
We apply the minimum data principle: we collect only what is necessary to deliver the service.
3. Children's data and parental consent
Boardingly is a service used by families researching UK boarding schools. This means data about children may be processed. We take this seriously.
- Under 13 (COPPA / UK GDPR): We do not knowingly collect personal data from children under 13 without verifiable parental or guardian consent. If a parent creates an account on behalf of a child, the parent email is the account holder. An approval token is emailed to the parent before the child account is activated.
- 13–17 (UK GDPR Article 8): Where processing is consent-based, users aged 13–17 require a parent or guardian to provide or confirm consent.
- No behavioural advertising: We never serve behavioural advertising to any user under 18, and no third-party ad pixels operate on pages accessible to under-18 users.
- Child PII: Personal data relating to a child is never returned in API responses accessible to non-parents or non-guardians.
- If you believe a child has submitted data without appropriate consent, contact privacy@boardingly.com and we will delete it within 72 hours.
4. How long we keep your data (retention)
| Data type | Retention period | Action on expiry |
|---|---|---|
| Active account | Until deletion request | Deleted or anonymised on request |
| Inactive account | 2 years from last login | Email warning, then deletion |
| Payment records | 7 years (UK legal obligation) | Retained in Stripe only; not in our DB |
| Server logs | 90 days | Auto-purged |
| Session data | 7 days (rolling) | Auto-expired |
| Analytics consent record | Until withdrawn | Deleted on opt-out |
5. Who we share your data with (sub-processors)
We do not sell your data. We share it only with the following sub-processors to operate the service:
| Sub-processor | Purpose | Data shared | Location |
|---|---|---|---|
| Stripe | Payment processing | Email, name, payment data | USA (EU–US DPF / SCC) |
| Render | Cloud hosting | All user data at rest and in transit | USA (SCC) |
| Neon | Database hosting (PostgreSQL) | All user data stored in the DB | USA/EU (SCC) |
| Resend | Transactional email | Email address, name | USA (SCC) |
| Anthropic | AI-generated school summaries (no user PII sent) | School data only — no user personal data | USA (SCC) |
| Cloudflare | CDN, edge security, privacy-first analytics | Anonymised request data | Global (SCC) |
| Google Analytics 4 | Usage analytics (only with your consent) | Anonymised usage data — loaded only after consent granted | USA (EU–US DPF / SCC) |
Where data is transferred outside the UK / EEA, we rely on Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework as the transfer mechanism.
6. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure (“right to be forgotten”) — request deletion of your data.
- Portability — receive your data in a machine-readable format (JSON).
- Object — object to processing based on legitimate interest.
- Restrict — restrict processing while a dispute is resolved.
- Withdraw consent — at any time, for consent-based processing (e.g. analytics).
To exercise any right: email privacy@boardingly.com. We will respond within 30 days.
You may also complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.
7. Cookies
See our Cookie Policy for the full breakdown. In summary:
- Strictly necessary: Session and authentication cookies — no consent required.
- Analytics (GA4): Only set after you explicitly accept analytics cookies.
- Marketing: Not currently in use.
You can change your cookie preferences at any time using the consent banner (accessible via the “Cookies” link in the footer).
8. International transfers
Boardingly is incorporated in the United Kingdom. Data is processed on servers in the USA (Render, Neon, Stripe, Resend, Anthropic). All transfers rely on Standard Contractual Clauses (UK SCCs or EU SCCs with UK addendum) as the appropriate safeguard under UK GDPR Chapter V.
9. How we protect your data
- Passwords are hashed with bcrypt (cost factor 12) — never stored in plain text.
- All data in transit is encrypted with TLS 1.2+ via Cloudflare and Render.
- Session cookies are HttpOnly, SameSite=Lax, Secure in production.
- No PII is written to server logs.
- Production database is accessible only from our hosting service, not publicly.
- Access to production systems is restricted to authorised personnel.
10. Data breaches
If we become aware of a breach that poses a risk to individuals, we will notify the ICO within 72 hours (UK GDPR Article 33) and, where required, inform affected users without undue delay.
11. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email (to registered users) and by a prominent notice on this page. The “Last updated” date at the top of this page reflects the most recent revision.
12. Contact
Data controller: Boardingly Ltd
Privacy queries: privacy@boardingly.com