Data protection

Who we are

Report-O-Matic Ltd (company number 17239610) develops and operates the Report-O-Matic software service. We act as a data processorwhen a school or other organisation uses the product to process pupil and staff-related information on the organisation's instructions. For some account-holder data (for example your sign-in email), we may act as controller where we determine how that data is used to run accounts and security.

Roles: school and platform

• Your school (controller) decides what pupil and staff data to enter, the lawful basis, transparency to parents and pupils, retention, and any use of reports outside the system (email, print, other systems).
• Report-O-Matic Ltd (processor) hosts the service, applies access controls, uses approved subprocessors, and processes data only to provide and secure the product — as described in our documents below.

Key documents

• Terms of use

  Contractual terms for schools using the service, credits, and AI features.

• Privacy notice

  What data we process, why, retention, your rights, and subprocessors in plain language.

• Data Processing Agreement (DPA)

  Article 28–style processor terms for schools and trusts that need a written agreement with Report-O-Matic Ltd.

• Subprocessor list

  Hosting, email, AI, payments, and security providers.

• Cookie notice

  Session cookies and sign-in security technologies.

Children and pupil data

The product is designed for school reporting. Schools enter pupil names (typically first name for AI features; display names may also be stored), class membership, numeric grades, and report text. The service does not require pupil addresses, dates of birth, or contact details. Do not enter special-category data unless your organisation has a clear lawful basis and the product is appropriate for that use.

Security measures

We design the service so each school's data is separated and access is limited by role. Measures include:

• Encrypted transport (HTTPS) for sign-in and all dashboard use
• Per-organisation (tenant) isolation in the database layer
• Role-based permissions for owners, department heads, and teachers
• Hashed credentials where passwords are used; short-lived session cookies for sign-in
• Human verification (Cloudflare Turnstile) on the public sign-in page to reduce automated abuse
• Audit-style logging for security-relevant events where configured
• Optional AI-assisted report drafting: pupil surnames are not sent to the model; only first names and numeric rubric data are used for appraisal, as described in the privacy notice

No online service can guarantee absolute security; we review controls as the product evolves.

Subprocessors

Personal data may be processed by providers listed on our subprocessor page, including Supabase, Resend, OpenAI (optional AI), Cloudflare, Paddle (card checkout when enabled by the operator), and Wise (business payment operations). The DPA covers authorisation and objection rights for schools.

International transfers

Some subprocessors may process data outside the UK or EEA. Where that applies, we rely on appropriate safeguards offered by those providers (for example UK IDTA / Addendum or EU standard contractual clauses), as described in the DPA and subprocessor documentation.

Personal data breaches

If we become aware of a personal data breach affecting your organisation's data in the service, we will notify you without undue delay with information reasonably available so you can meet your obligations as controller. Please report suspected security issues to us promptly using the contact below.

Helping your school comply

• Use the DPA with your records of processing and privacy information for parents and staff where required.
• Signed-in users can export personal data and request account closure from Profile where those controls are available.
• Limit access within your organisation to staff who need it; review inactive accounts and class assignments regularly.
• Treat exported PDFs and copies like any other confidential pupil information — the platform does not control use after export.

Contact

For data protection questions about the platform, contact privacy@report-o-matic.online. For requests about a pupil's records, contact the school first — they are usually the controller.