Your data, explained in plain English.

I built this app for my own family first. That means privacy is not a legal checkbox -- it is a promise from one parent to another.

Last updated: February 2026

Our pledge to you

We never sell your data. Not now, not ever.

Your data is never used to train AI models.

You own your data completely and can delete it at any time.

We only collect what is genuinely needed to run the service.

We will always be transparent about what we do with your information.

What happens to your data

Three steps, no surprises.

Step 1

You forward an email

When you forward a school email to your personal My School Agent address, it arrives securely via our email provider (Resend). The email is stored temporarily so you can review what was extracted before it is confirmed to your calendar.

Step 2

AI extracts the important bits

We use Google Gemini (Enterprise tier) to read your email and pull out dates, events, deadlines, and action items. The Enterprise tier is important: it means your email content is not used to train Google's AI models and is processed in secure, isolated environments. The AI sees the email once, extracts what it needs, and moves on.

Step 3

Your data lives in your account

Extracted events and details are stored in our secure database (Supabase), encrypted at rest and in transit. Community data like shared timetables and term dates is anonymous -- no personal information is attached. Your family's events, child details, and pickup times are private and only accessible by you.

What we collect and why

Every piece of data we hold, explained honestly.

Data

Why we need it

Who sees it

How long we keep it

Email address

To create your account, log you in, and send your daily morning briefing.

Never shared with other users.

Kept until you delete your account.

Forwarded school emails

To extract dates, events, and action items for your family calendar.

Never shared. Only your family sees the extracted events.

Email content is kept for your review, then archived. You can delete any email at any time.

Child names and year groups

To organise events by child and personalise your morning briefings.

Never shared with other users. Visible only to your family account.

Kept until you remove the child or delete your account.

School name

To connect you with shared timetables, term dates, and community data for your school.

School names are visible to other parents at the same school so they can find and join.

Kept until you remove the school or delete your account.

Events and calendar data

To build your family calendar, generate morning briefings, and send reminders.

Private to your family. School-level events (from class reps) may be visible to parents at that school.

Kept until you delete the event or your account.

Pickup times and notes

To include collection reminders in your daily briefing.

Private to your family only. Never shared.

Kept until you change or delete them.

Community timetables and clubs

Shared timetables benefit every family at a school. One parent adds the PE day, everyone benefits.

Visible to all parents at the same school. No personal data is attached.

Kept as long as the school exists in the system.

Payment information

To process subscription payments for paid plans.

Handled entirely by Stripe. We never see or store your card details.

Managed by Stripe under their privacy policy.

Third-party services we use

We believe in being upfront about every service that touches your data.

Supabase

Database and authentication

Hosts your account data and family information. EU-compliant infrastructure with encryption at rest and in transit.

Google Gemini (Enterprise)

AI email processing

Reads your forwarded emails to extract events and dates. Enterprise tier means your data is not used to train Google's models and is processed in isolated environments.

Stripe

Payment processing

Handles all subscription payments. We never see or store your card number. Stripe is PCI-DSS Level 1 certified.

Resend

Email delivery

Sends your morning briefing and weekly summary emails. Receives your forwarded school emails for processing.

OneSignal

Push notifications

Delivers push notifications to your device if you opt in. You can disable notifications at any time from your profile settings.

Your rights

Under UK GDPR you have clear rights over your personal data. Here is how we honour them.

Access your data

View all your data at any time through your profile and family hub. Want a full export? Email us and we will provide it promptly.

Delete your data

Delete your account and all associated data from your profile settings. Deletion is permanent and immediate. No soft deletes, no hidden backups, no data lingering in some archive.

Request data deletion →

Correct your data

All your data is editable directly in the app. Child names, events, timetables, notes -- if something is wrong, you can fix it yourself.

Take your data with you

Want to move your data elsewhere? We will provide it in a standard format. No lock-in, no exit fees, no awkward conversations.

The fine print

Cookies

We use essential cookies only -- the ones required to keep you logged in and remember your preferences. We do not use tracking cookies, advertising cookies, or any third-party analytics cookies. No cookie banner needed because we do not do anything that requires your consent beyond the essentials.

Security

All data is encrypted in transit (TLS) and at rest. Authentication is handled through Supabase Auth with bcrypt password hashing. Database access is controlled by row-level security policies, meaning even if there were a bug in our code, the database itself enforces that you can only see your own data. We do not store passwords in plain text and we never will.

Children's data

My School Agent is a tool for parents, not for children. We store child names and year groups to organise family calendars, but children do not have accounts and cannot access the service directly. We take the responsibility of holding any child-related data seriously and keep it to the absolute minimum needed.

Data location

Our database and authentication services are hosted by Supabase. AI processing is handled by Google's enterprise infrastructure. Payment processing is handled by Stripe. All providers maintain robust data protection agreements and comply with applicable data protection regulations.

Changes to this policy

If we make meaningful changes to how we handle your data, we will notify you by email before the changes take effect. Minor clarifications or formatting changes will be updated here with a new "last updated" date.