Privacy Policy

Your data, explained in plain English.

I built this app for my own family first. That means privacy is not a legal checkbox -- it is a promise from one parent to another.

Last updated: May 2026

Our pledge to you

We never sell your data. Not now, not ever.

Your data is never used to train AI models.

You own your data completely and can delete it at any time.

We only collect what is genuinely needed to run the service.

We will always be transparent about what we do with your information.

Why we are allowed to process your data

Our lawful basis under UK GDPR

Under UK data protection law, every organisation needs a valid legal reason to process personal data. Here are ours, in plain English:

Contract (most of what we do)

When you sign up, you enter a contract with us to provide the family calendar service. Processing your emails, storing your children's schedules, and generating briefings are all necessary to deliver what you signed up for.

Legitimate interest (keeping things working)

We use error monitoring (Sentry) and basic usage metrics to fix bugs and keep the service running reliably. We have balanced our interest in providing a reliable product against your privacy, and we keep this data minimal and short-lived.

Consent (optional features)

Push notifications, Alexa briefings, Google Home, Telegram notifications, and Google Calendar sync only activate when you explicitly opt in. You can withdraw consent at any time by turning these features off in your settings.

What happens to your data

Three steps, no surprises.

Step 1

Your school emails arrive

There are two ways school emails reach us:

  • Manual forwarding: You forward a school email to your personal My School Agent address. It arrives securely via our email provider (Resend).
  • Auto-Pilot mode: If you set up email forwarding rules, school emails are automatically routed to your My School Agent address. The same secure pipeline processes them without you lifting a finger.

In both cases, the email is stored temporarily so you can review what was extracted before events are confirmed to your calendar. Only emails from school-related senders are processed.

Step 2

AI extracts the important bits

We use Google Gemini (Enterprise tier) to read your email and pull out dates, events, deadlines, and action items. The Enterprise tier is important: it means your email content is not used to train Google's AI models and is processed in secure, isolated environments. The AI sees the email once, extracts what it needs, and moves on.

This is identical whether you forwarded the email manually or it arrived via Auto-Pilot. The same secure, no-training-data pipeline handles everything.

Step 3

Your data lives in your account

Extracted events and details are stored in our secure database (Supabase), encrypted at rest and in transit. Community data like shared timetables and term dates is anonymous -- no personal information is attached. Your family's events, child details, and pickup times are private and only accessible by you.

What we collect and why

Every piece of data we hold, explained honestly.

Third-party services we use

We believe in being upfront about every service that touches your data.

Supabase (USA): Database and authentication

Hosts your account data and family information with encryption at rest and in transit.

Google Gemini (Enterprise) (USA): AI email processing and briefing generation

Reads your forwarded emails to extract events and generates your daily briefings. Enterprise tier means your data is not used to train Google's models.

Stripe (USA): Payment processing (web)

Handles subscription payments on the web. We never see or store your card number. Stripe is PCI-DSS Level 1 certified.

Apple (StoreKit) (USA): Payment processing (iOS)

Handles in-app subscription purchases on iPhone and iPad. We receive a purchase token to verify your subscription -- never your payment details.

Google (Play Billing) (USA): Payment processing (Android)

Handles in-app subscription purchases on Android. We receive a purchase token to verify your subscription -- never your payment details.

Resend (USA): Email delivery

Receives your forwarded school emails and sends your morning briefing and weekly summary emails.

OneSignal (USA): Push notifications

Delivers push notifications to your device if you opt in. Receives a device identifier and notification content. You can disable notifications at any time.

Google (Calendar API) (USA): Google Calendar sync

If you connect Google Calendar, we sync your school events to a dedicated sub-calendar in your Google account. We store an access token to maintain the connection. You can disconnect at any time.

Amazon Alexa (USA): Voice briefing delivery

If you connect the Alexa skill, we transmit the text of your daily briefing to Amazon so it can be read aloud. We do not process or store any voice audio.

Amazon Web Services (Polly) (USA): Text-to-speech audio

Converts your daily briefing text into spoken audio for Alexa playback. The text is sent to AWS, converted to audio, and stored securely. No voice recordings of you are involved.

Telegram (Various): Alternative notifications

If you connect Telegram, we send your daily briefing via the Telegram Bot API. We store only your chat ID. You can disconnect at any time.

Sentry (USA): Error monitoring

Captures error reports when something goes wrong so we can fix bugs quickly. May include device type and browser version. Does not intentionally capture personal data. Error data is automatically deleted after 30 days.

Automated decisions (Smart Auto-Pilot)

How AI decisions affect your calendar

If you enable Smart Auto-Pilot in your settings, our AI will automatically add school events to your calendar when it is sufficiently confident in what it extracted from a school email. This is the only feature in the app that makes automated decisions that directly affect your data without you reviewing each one first.

Here is how it works and how you stay in control:

How it works

When the AI reads a school email, it assigns a confidence score (0-100) to each event it finds, based on how clearly the date, title, and details are stated. If Auto-Pilot is on and an event's score meets your chosen threshold, it goes straight onto your calendar. Events below your threshold are saved as drafts for you to review manually.

You are always in control

Auto-Pilot is off by default. You choose whether to turn it on, and you set the confidence threshold yourself. You can turn it off at any time to go back to reviewing every event manually. Any auto-published event can be deleted from your calendar at any time.

Class Rep safety

If you are a Class Rep, Auto-Pilot will never broadcast events to other parents automatically. Community broadcasts always require your explicit approval -- the AI handles your personal calendar only.

Your rights

Under UK GDPR you have clear rights over your personal data. Here is how we honour them.

Access your data

View all your data at any time through your profile and family hub. Want a full export? Email us and we will provide it promptly.

Delete your data

Delete your account and all associated data from your profile settings. Deletion is permanent and immediate. No soft deletes, no hidden backups, no data lingering in some archive.

Request data deletion →

Correct your data

All your data is editable directly in the app. Child names, events, timetables, notes -- if something is wrong, you can fix it yourself.

Take your data with you

Export your calendar as an iCal feed compatible with Apple Calendar, Google Calendar, and Outlook. Want a full data export? Email us and we will provide it in a standard format.

The fine print

Cookies

We use essential cookies only -- the ones required to keep you logged in and remember your preferences. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. No cookie banner needed because we do not do anything that requires your consent beyond the essentials.

Security

All data is encrypted in transit (TLS) and at rest. Authentication is handled through Supabase Auth with bcrypt password hashing. Database access is controlled by row-level security policies, meaning even if there were a bug in our code, the database itself enforces that you can only see your own data. Community features like class rep broadcasts are also governed by row-level security -- parents only see events shared to their specific school and year group. We do not store passwords in plain text and we never will.

Children's data

My School Agent is a tool for parents aged 18 and over. Children do not have accounts and cannot access the service directly.

We store the following child data, provided by the parent: first name (or nickname), year group, class name, date of birth (optional), and gender (optional). This is the minimum needed to organise your family calendar and generate personalised briefings.

Legal basis: processing is necessary to fulfil the contract with you (the parent) to provide the family calendar service. Because the account holder is always an adult parent or guardian, and children do not interact with the service directly, we apply data minimisation principles to keep children's data to the absolute minimum required.

Child data is never shared externally, never used for profiling or marketing, never sold, and is deleted immediately upon parent request or account deletion.

Community sharing (Class Reps)

When a class rep broadcasts an event, it becomes visible to all parents who have joined that year group or class within the app. This is how parents stay informed about trips, PE days, and school events without needing separate WhatsApp groups for every announcement.

What is shared: event title, date, time, category, and optional action details (e.g. "bring a packed lunch"). The rep's personal identity is not displayed to recipients -- events appear as school-level data.

WhatsApp invite links: when a rep generates a WhatsApp invite, the link contains only the school name, year group name, and a generic signup URL. No personal data about any family is included in the link.

Parents can leave a class group at any time, which immediately stops visibility of new shared content from that group.

International data transfers

Several of the services we use are based in the United States (see the full list above with countries shown). This means your personal data is transferred outside the UK.

These transfers are protected by the UK-US Data Bridge (where our providers are certified) and Standard Contractual Clauses (SCCs) approved by the ICO. Both are recognised legal mechanisms that ensure your data receives equivalent protection when processed outside the UK.

All data is encrypted in transit, and Google Gemini's Enterprise tier provides additional contractual guarantees that your data is not retained or used for model training.

Affiliate relationships

As an Amazon Associate and affiliate partner, My School Agent earns from qualifying purchases. When your child's calendar includes an action like a costume day or bake sale, we may suggest relevant products on Amazon.co.uk. Those shop links include an affiliate tag, which means Amazon pays us a small commission if you decide to buy something, at no extra cost to you. We never tailor the suggestions based on commission rates, and we never share your personal data with Amazon or any advertiser -- the link is a plain search URL built from the event details on your device.

Changes to this policy

If we make meaningful changes to how we handle your data, we will notify you by email before the changes take effect. Minor clarifications or formatting changes will be updated here with a new "last updated" date.

Data controller and contact

The data controller for My School Agent is:

My School Agent (operated by Matthew Pincombe)

My School Agent is currently operated as a sole trader business by a UK parent, for UK parents.

For any privacy-related questions, concerns, or requests, please contact us at: privacy@myschoolagent.com

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk