Privacy Policy
Last updated: 5 April 2025
1. Introduction
ReadingBridge is a trading name of Next Generation Forge Ltd. ("we", "us", "our"). We are committed to protecting the privacy and security of your personal data. This privacy policy explains how we collect, use, store, and share personal data when you use the ReadingBridge platform at readingbridge.co.uk.
We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003 (PECR), and the ICO's Age Appropriate Design Code (Children's Code).
ReadingBridge provides AI-powered reading support for Key Stage 2 children (typically aged 7β11). Because our service is used by children, we apply the highest standards of data protection throughout our platform.
2. Data controller
The data controller responsible for your personal data is ReadingBridge. You can contact us at:
- Email: privacy@readingbridge.co.uk
- Website: readingbridge.co.uk
3. Personal data we collect
3.1 Parent and tutor accounts
- Name and email address (via account registration)
- Subscription and billing information (processed by Stripe β we do not store full card details)
3.2 School administrator and teacher accounts
- Name and email address
- School affiliation and role
3.3 Home pupils (children added by parents/tutors)
- First name only β we do not collect surnames or other personal identifiers
- Year group
- Reading session data: text transcriptions, comprehension activity responses, fluency scores, and time spent reading
3.4 School pupils
- First name and a username chosen by the school
- A 4-digit PIN (stored securely using one-way hashing β we cannot view the original PIN)
- Year group and class assignment
- Reading session data as described in section 3.3
3.5 Voice data
When a child reads aloud, their voice is processed in real time for speech-to-text transcription. We do not store voice recordings. Audio is transcribed and immediately discarded. Only the text transcription is retained.
3.6 Technical and usage data
- Device type, browser type, and operating system
- Pages visited and features used (collected via analytics cookies, with your consent)
- Error and performance data to maintain service quality
4. Data we do not collect
- Children's surnames or personal identifiers beyond first name
- Voice recordings (audio is processed in real time and discarded)
- Location data
- Browsing activity outside ReadingBridge
- Photographs or biometric data
- Data for advertising or profiling purposes
5. Legal bases for processing
Under UK GDPR, we process personal data on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Providing the ReadingBridge service to parents and tutors | Performance of a contract (Article 6(1)(b)) |
| Providing the service to schools under a subscription or data processing agreement | Performance of a contract (Article 6(1)(b)) |
| Processing children's reading data to deliver personalised reading support | Legitimate interests (Article 6(1)(f)) β providing educational benefit to children, balanced against minimal data collection and strong safeguards |
| Processing payment information | Performance of a contract (Article 6(1)(b)) |
| Analytics cookies | Consent (Article 6(1)(a)) β you can accept or decline analytics cookies at any time |
| Essential cookies for authentication and security | Legitimate interests (Article 6(1)(f)) β necessary for the secure operation of the service |
| Error monitoring and service reliability | Legitimate interests (Article 6(1)(f)) β maintaining a safe, reliable service |
6. How we use your data
- To provide personalised reading activities and comprehension support
- To transcribe children's speech in real time for reading fluency assessment
- To generate progress reports for parents, tutors, and teachers
- To manage user accounts and subscriptions
- To process payments securely
- To improve the platform based on aggregated, anonymised usage patterns (with consent for analytics)
- To monitor and resolve errors and maintain service quality
- To communicate with you about your account or service updates
7. Third-party data processors
We use carefully selected third-party service providers to operate ReadingBridge. Each processor is bound by data processing agreements and processes data only as instructed by us.
| Provider | Purpose | Data processed |
|---|---|---|
| Auth0 (Okta) | User authentication | Name, email address, login credentials |
| Amazon Web Services (AWS) | Data storage and hosting infrastructure | All application data (encrypted at rest) |
| OpenRouter | AI model routing for content generation, speech-to-text transcription, and text-to-speech | Voice audio (processed in real time, not stored), reading text, comprehension prompts (no personal identifiers) |
| Stripe | Payment processing | Payment card details, billing address, transaction history (Stripe is PCI DSS Level 1 compliant) |
| PostHog | Product analytics (with consent) | Anonymised usage events, page views, device information |
| Sentry | Error monitoring | Error stack traces, browser and device information |
We do not sell personal data to any third party. We do not share children's data with advertisers.
8. International data transfers
Some of our third-party processors are based outside the United Kingdom. Where personal data is transferred internationally, we ensure appropriate safeguards are in place, including:
- UK adequacy decisions β transfers to countries recognised by the UK Government as providing adequate data protection
- International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses β contractual safeguards approved by the ICO
- Binding data processing agreements with all processors
9. Data retention
| Data type | Retention period |
|---|---|
| Account data (parents, tutors, teachers) | Retained while the account is active, plus 30 days after closure to allow recovery |
| Pupil reading data and progress | Retained while the associated account is active, then deleted with the account |
| Voice recordings | Not retained β processed in real time and immediately discarded |
| Payment records | Retained as required by HMRC for up to 6 years after the end of the relevant tax year |
| Analytics data | Anonymised and aggregated β not linked to individuals after collection |
| Error monitoring logs | Retained for up to 90 days |
After the retention period, data is permanently deleted or irreversibly anonymised.
10. Cookies and local storage
We use cookies and local storage to operate and improve ReadingBridge. Under PECR, strictly necessary cookies do not require consent. Analytics cookies require your consent, which you can provide or withdraw at any time via our cookie banner.
| Cookie / storage | Purpose | Type | Duration |
|---|---|---|---|
| Auth0 session cookies | Authenticate parent, tutor, and teacher accounts | Strictly necessary | Session |
| rb-school-session | Authenticate school pupil sessions | Strictly necessary | 2 hours |
| rb-school-selection | Remember which school a pupil selected on the device | Strictly necessary | 30 days |
| rb-cookie-consent (localStorage) | Store your cookie preference | Strictly necessary | Persistent |
| PostHog cookies | Product analytics and usage insights | Analytics (consent required) | 1 year |
11. Childrenβs data and the ICO Childrenβs Code
ReadingBridge is designed for use by Key Stage 2 children (typically aged 7β11). We take our obligations under the ICO's Age Appropriate Design Code seriously and apply the following principles:
- Best interests of the child β every design and data decision prioritises children's wellbeing and safety
- Data minimisation β we collect only the minimum data necessary to provide educational support (first name, year group, reading responses)
- No profiling or behavioural advertising β children's data is never used for profiling, targeting, or advertising
- High privacy by default β privacy settings are set to the most protective level; children do not need to take any action to be protected
- No detrimental use β children's data is used only to support their reading development
- Age-appropriate AI β all AI-generated content is filtered to ensure age-appropriate language and interactions
- No direct messaging β children cannot communicate with other users or receive unsolicited contact
- Parental and school oversight β parents, tutors, and teachers have full visibility of children's activity and data
Children do not create their own accounts. Home pupil profiles are created by a parent or tutor. School pupil accounts are created by a teacher or school administrator.
12. Your rights
Under UK GDPR, you have the following rights in relation to your personal data (and your child's data):
- Right of access β request a copy of the personal data we hold about you or your child
- Right to rectification β ask us to correct inaccurate or incomplete data
- Right to erasure β ask us to delete personal data where there is no compelling reason for continued processing
- Right to restrict processing β ask us to limit how we use your data in certain circumstances
- Right to data portability β receive your data in a structured, commonly used, machine-readable format
- Right to object β object to processing based on legitimate interests
- Right to withdraw consent β where processing is based on consent (e.g. analytics cookies), you may withdraw consent at any time without affecting the lawfulness of prior processing
To exercise any of these rights, contact us at privacy@readingbridge.co.uk. We will respond within one month of receiving your request, as required by UK GDPR.
13. Schools and data processing agreements
When a school uses ReadingBridge, the school is typically the data controller for its pupils' data, and ReadingBridge acts as the data processor. We provide comprehensive data processing agreements (DPAs) to all school customers, which set out:
- The types of data processed and the purposes of processing
- Security measures and technical safeguards
- Sub-processor details and notification obligations
- Data breach notification procedures
- Data return and deletion on termination
We can also provide documentation to support your Data Protection Impact Assessment (DPIA). Contact privacy@readingbridge.co.uk to request a DPA or DPIA support pack.
14. Data security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS) and at rest
- Secure password hashing (bcrypt) for school pupil PINs
- Role-based access controls for all staff
- Regular security audits and vulnerability assessments
- Incident response procedures and breach notification processes
15. Data breaches
In the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach
- Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms
- Notify school customers (where we act as processor) without undue delay
16. Changes to this policy
We may update this privacy policy from time to time. Significant changes will be communicated via email or a prominent notice on our website. The "Last updated" date at the top of this page indicates when the policy was last revised.
17. Complaints
If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO. Please reach out to us at privacy@readingbridge.co.uk first.
18. Contact us
For any questions about this privacy policy or how we handle personal data:
- Privacy enquiries: privacy@readingbridge.co.uk
- Safeguarding concerns: safeguarding@readingbridge.co.uk
- General support: support@readingbridge.co.uk
This privacy policy was last updated on 5 April 2025.