Privacy notice

What the platform operator is — and is not — responsible for

Report-O-Matic Ltd is responsible for building and running the service in line with data protection law: security, access controls, subprocessors it appoints, assisting schools with their processor relationship, and the in-product tools we provide (such as export and account closure where available).

Report-O-Matic Ltd is not responsible for how a school or its staff choose to use data outsidethe service — for example emails, printed PDFs, local drives, other systems, or disclosures to parents — or for the school's own legal basis, transparency, or retention choices for pupil data. Those remain the school's compliance duties as controller.

Contact

For questions about this processing or to exercise rights relating to the platform, contact privacy@report-o-matic.online. For pupil-record requests, your school is usually the first point of contact.

What we process

• Account data: email address, optional password hash, optional display name on membership rows, session cookie reference, security / sign-in codes (hashed where applicable), and audit-style events tied to your account (for example report edits or AI assist usage metadata).
• School workflow data: classes, pupil names, numeric grades, report text, timetables, and related content your organisation enters. The product is not designed to collect pupil addresses, dates of birth, or contact details.
• Billing: Paddle acts as merchant of record for card payments when checkout is enabled (tax and checkout are handled by Paddle); we may store limited billing identifiers and transaction summaries. Commercial banking may involve Wise. Card checkout is currently disabled on this deployment; no new card payments are taken through the product until the operator turns it back on.

Marketing communications

We do not currently send promotional emails to schools. We may send service messages (for example security, billing, or product changes). If we introduce marketing communications in future, we will do so in line with applicable law and provide appropriate opt-out or consent mechanisms where required.

Purposes and lawful bases (EU/UK GDPR)

We process account and workflow data to provide the service you request (contract / steps prior to contract), to secure the platform (legitimate interests in fraud prevention and abuse resistance, balanced against your rights), and where required to comply with law (legal obligation). Schools remain responsible for choosing and documenting their own lawful bases for pupil-related processing. Where consent is required for non-essential cookies, we ask separately — see the cookie notice.

Subprocessors

Data may be processed by providers listed on our subprocessor page, including Supabase, Resend, OpenAI (optional AI), Cloudflare, Paddle, and Wise. Use subprocessors' privacy policies for detail. International transfers may rely on standard contractual clauses or equivalent mechanisms those providers offer.

Retention

We keep data while your account or organisation relationship is active and for a reasonable period afterwards for backups, security, and legal claims. Some billing records may be retained longer where the law requires. You can request erasure subject to overriding legal obligations and school ownership rules in the product.

Your rights

Subject to applicable law, you may have the right to access, rectify, erase, restrict, or object to certain processing, and to data portability. Signed-in users can download a machine-readable export and request account closure from the Profile page where those controls exist. You may also lodge a complaint with your supervisory authority.

Security

We use industry-standard measures including encrypted transport (HTTPS), access control by role, and hashed credentials where passwords are used. No method of transmission or storage is completely secure.