Rainbow Curriculum Rainbow Curriculum Planning tool for CfW
Estyn Report
Pricing
Join the waitlist Log in

Privacy Policy

The privacy of your data is a big deal to us. It is your data, not ours. In this policy, we lay out what data we collect and why, how your data is handled, and your rights with respect to your data. We promise we never sell your data: never have, never will.

What we collect and why

Our guiding principle is to collect only what we need. Here's what that means in practice:

Identity & access

When you sign up for Rainbow Curriculum, we ask for identifying information such as your name, email address, and school details. That's so you can personalise your account, and we can send you updates and other essential information. We may also send you optional surveys from time to time to help us understand how you use our product and to make improvements. With your consent, we will send you our newsletter and other updates. You can opt out of non-essential communications at any time.

We'll never sell your personal information to third parties, and we won't use your name or school in marketing statements without your permission.

Billing information

If you sign up for a paid Rainbow Curriculum account, you will be asked to provide payment information. We use secure third-party payment processors (Stripe) who comply with PCI standards. We store a record of the payment transaction, including the last 4 digits of the card number, for purposes of account history, invoicing, and billing support. We store your billing address to calculate any VAT due, to detect fraudulent transactions, and to print on your invoices.

Product interactions

We store curriculum plans, learning objectives, and other content you create in Rainbow Curriculum. We keep this data for as long as your account is active. If you delete content, we'll delete it from our active servers within 30 days and from our backups within 90 days.

Geolocation data

We log the IP address you use when you sign in to the service. We use this information to detect fraudulent account usage and to ensure the security of your account.

Website interactions

We collect information about your browsing activity for analytics and statistical purposes. This helps us understand how people use our product so we can make improvements. We use our own analytics tools and do not use third-party analytics services.

Cookies

We use cookies to keep you logged in and remember your preferences. A cookie is a piece of text stored by your browser. You can adjust cookie retention settings and accept or block individual cookies in your browser settings, although our service won't work properly if you block essential cookies.

Voluntary correspondence

When you email us with a question or to ask for help, we keep that correspondence, including your email address, so that we have a history of past correspondence to reference if you reach out in the future.

When we access or disclose your information

To provide products or services you've requested. We use some third-party subprocessors to help run our service. You can view the list below.

To help you troubleshoot or fix a problem. If at any point we need to access your content to help you with a support case, we will ask for your explicit permission before proceeding.

To investigate, prevent, or take action regarding restricted uses. Accessing your account when investigating potential abuse is a measure of last resort. We want to protect the privacy and safety of everyone using Rainbow Curriculum, and we also want to protect our rights and the rights of our employees. We'll only do this when we have reasonable suspicion that an account is being used for unlawful purposes.

When required under applicable law. If we receive a valid court order, warrant, or subpoena from UK law enforcement, we may be required to disclose certain information. We will only comply with such requests when required by law in England and Wales.

Your rights with respect to your information

Under UK GDPR, you have several important rights. These include:

  • Right of access: You have the right to know what personal data we hold about you.
  • Right to correction: You have the right to correct any inaccurate or incomplete personal data.
  • Right to erasure: You have the right to request deletion of your personal data.
  • Right to restrict processing: You have the right to ask us to restrict how we use your data.
  • Right to data portability: You have the right to receive your data in a structured, commonly used format.
  • Right to object: You have the right to object to processing of your personal data.
  • Rights related to automated decision-making: We do not use automated decision-making or profiling.

To exercise any of these rights, please contact us at [email protected]. We will respond within one month.

How we secure your data

All data is encrypted in transit via SSL/TLS. Database backups are encrypted. We hold Cyber Essentials certification, demonstrating our commitment to maintaining strong cybersecurity practices.

We run regular security audits and updates. Our staff receive regular security training. Access to customer data is restricted to authorised personnel only, on a need-to-know basis.

What happens when you delete content or your account

If you choose to cancel your Rainbow Curriculum account, we'll retain your data for 30 days in case you change your mind. After 30 days, we'll delete all your content from our active servers. The data will be purged from our backups within 90 days.

We keep minimal information (email address and billing records) for tax and legal compliance purposes. This data is retained for 7 years as required by HMRC.

Data retention

We keep your information for as long as your account is active or as needed to provide you services. If you close your account, we will delete your personal data as described above, except where we need to retain it to comply with legal obligations (such as tax records).

Location of data

Rainbow Curriculum is built for schools in the United Kingdom. Our application and database infrastructure is located in the European Union (EU) via our hosting provider. This means your data is stored within the EU and subject to UK GDPR protections.

Some of our third-party subprocessors may process data outside the UK and EU. In such cases, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the UK Information Commissioner's Office (ICO).

Third-party subprocessors

We use the following third-party services to help us provide Rainbow Curriculum:

  • Heroku: Cloud application platform for hosting our service (data stored in EU region)
  • Amazon Web Services (AWS): Cloud infrastructure for file storage and backups (data stored in EU region)
  • Sentry: Error tracking and monitoring to help us fix bugs quickly
  • Postmark: Transactional email delivery for account notifications and essential communications

All subprocessors are required to meet our data protection standards and comply with UK GDPR requirements.

Changes to this policy

We may update this policy from time to time. If we make significant changes, we will notify you by email or by posting a notice on rainbowcurriculum.co.uk prior to the change becoming effective. Your continued use of Rainbow Curriculum after any changes indicates your acceptance of the updated policy.

Questions and complaints

If you have questions about this privacy policy or how we handle your data, please contact us at:

Email: [email protected]
Post: MIKE GLAVIN CATALYST LIMITED, Hillview Cottage, Llangybi, Usk, Gwent, United Kingdom, NP15 1NN

We are registered in England and Wales (Company number 12880359).

If you are not satisfied with our response to any complaint or believe our processing of your information does not comply with data protection law, you can make a complaint to the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk

Governing law

This privacy policy is governed by the laws of England and Wales. Any disputes relating to this policy or our privacy practices will be subject to the exclusive jurisdiction of the courts of England and Wales.