Privacy Policy

Spellcast is a spelling practice application for UK primary school children, operated by Made Good Software ("we", "us", "our"). Spellcast is accessible at spellcast.academy.

We are the data controller for personal data collected through this service. Made Good Software is registered with the Information Commissioner's Office (ICO) under registration number C1918648. For any data protection queries, contact us at: support@spellcast.academy

Parent / Guardian Accounts

• Email address — used to identify your account and send service communications
• Name — used to personalise your experience
• Password — stored as a one-way bcrypt hash; we cannot read it
• Subscription and billing data — subscription status and billing is handled by Stripe; we store only a Stripe customer reference ID

Child Accounts

• Display name and username — used to identify the child within your family account
• Year group — used to select age-appropriate word lists
• Character preferences — witch/wizard choice, hair colour, cloak colour, skin tone, familiar — used for in-app personalisation only
• Spelling session data — words attempted, correct/incorrect answers, scores, timestamps — used to power adaptive learning and progress reports

Technical Data

• We do not use cookies for tracking or advertising
• We process the IP address of visitors to our marketing site to derive a daily-rotating session hash — this lets us count unique visitors and group their page views without identifying anyone. We do not store raw IP addresses; only the hash. Hashes rotate every 24 hours and cannot be reversed.
• Session authentication uses a JWT token stored in your browser's local storage

We use a small amount of anonymous data to understand how people find and use SpellCast before they sign up, so we can make it better. We do not use cookies. We do not share this data with anyone.

What we record

• Which pages people visit, and in what order
• Where they came from (the referring website and any UTM tags on the link)
• Whether they clicked a sign-up or get-started button — and which one (not who clicked it)
• Clicks on links that take you to other websites — we record only the destination domain (e.g. "bbc.co.uk"), not your identity
• How far down a page you scrolled (50% and 100% milestones only)
• Roughly how long you spent on a page
• Whether you moved to leave the page quickly ("exit intent")

All of the above is anonymous. We do not know your name, email address, or any other identifying detail from this data.

What we do not do

• No cookies — none, for any purpose
• No tracking pixels or third-party scripts — no Google Analytics, no Facebook Pixel, no Hotjar, no Plausible, nothing of that kind
• No selling of data to anyone, ever
• No advertising — we do not show ads, and we do not help others target ads at you
• No tracking once you sign in — this analytics only runs on the public marketing pages, before you log in. Authenticated app pages (lessons, progress, class management) do not fire any of these events.

Lawful basis

We rely on legitimate interests under Article 6(1)(f) of UK GDPR. Our interest is understanding how our marketing site performs so we can improve it. This falls within the ICO's recognised analytics exception: the data is anonymous, used for statistical purposes only, and never shared with third parties. It does not result in any profiling or decision-making about individuals.

How long we keep it

Marketing-site analytics data is deleted automatically after 13 months.

How to opt out

Most browsers include privacy settings that let you block or limit site analytics — feel free to use them. You can also email support@spellcast.academy and we will disable tracking for your visits.

When you use the SpellCast app, our server keeps a short-lived log of each API request. We use this purely for performance monitoring — finding slow or failing endpoints so we can fix them quickly.

What we record

• Which endpoint was called — the route pattern only (e.g. /api/sessions/start), never the actual data IDs in the path
• HTTP method and response status code
• How long the server took to respond (in milliseconds)
• A randomly generated request ID (UUID) — used to correlate entries, not to track you
• For signed-in users: your internal account ID and account type (parent, child, teacher, admin)
• A daily-rotating hash of your IP address — the same approach described in §2 above; no raw IP is stored

What we do NOT record

• The contents of any request or response body — your spelling answers, messages, or any other payload
• The pages your browser visits (that is §2b territory — marketing-site only)
• Your name, email address, or any other identifying detail beyond your account ID

This log is stored in a separate analytics database with no link to your main account record. Only SpellCast admins can query it.

Retention

Request log entries are deleted automatically after 7 days.

Lawful basis

Legitimate interests under Article 6(1)(f) of UK GDPR. Monitoring the performance and reliability of the service is necessary to keep it working correctly for all users, and does not override your rights or interests.

We never sell your data, use it for advertising, or share it with third parties for their own marketing purposes.

Home accounts (parent-managed)

Spellcast home accounts are designed for use by children under parental supervision. Child accounts can only be created by a parent or guardian who holds the parent account.

We do not knowingly collect data directly from children. All account creation and data management for children is performed by the parent or guardian. The child account contains only the minimum data necessary to deliver the spelling practice service.

Home child accounts contain no email address and no contact information. The username chosen by the parent need not reflect the child's real name.

School accounts (teacher-managed)

Where Spellcast is used in a school context, pupil accounts are created and managed by the school (the Data Controller). We act as a Data Processor on the school's behalf under a signed Data Processing Agreement. Pupil data collected includes: first name, surname, username, year group, class, and spelling session history.

School pupils do not have email addresses within Spellcast. Password management is handled entirely by the teacher.

Children's Code compliance

We comply with the UK GDPR, the ICO's Age Appropriate Design Code (Children's Code), and applicable guidance on processing children's personal data. Specifically:

• We do not use children's data for profiling or targeted advertising
• We do not share children's data with third parties for their own purposes
• Privacy settings are set to high by default — leaderboards are class-only, no cross-school visibility
• We do not use nudge techniques or dark patterns to encourage children to share more data
• Geolocation data is not collected from child accounts
• There is no child-to-child messaging or communication of any kind

• Active home accounts: Data is retained for as long as your account is active.
• Deleted child accounts (home): All data including session history and attempts is permanently deleted immediately upon removal.
• Closed parent accounts: Account data and all associated child data is deleted within 30 days of account closure.
• School pupil accounts: Retained for the duration of the school's subscription plus 12 months, then deleted. The school can request earlier deletion at any time.
• Teacher/admin accounts: Retained until removed by the school admin or the school subscription ends.
• Billing records: Stripe retains billing records per their own retention policy for legal and tax compliance. We retain subscription status records for 7 years as required by UK financial regulations.
• Infrastructure server logs: 30 days (web server access logs).
• API request performance log: 7 days (see §2c).
• Error logs: 90 days (anonymised).

Google Text-to-Speech

We use Google's text-to-speech service to pronounce spelling words aloud. Only the word text itself (e.g. "elephant") is sent — no personal data, usernames, or identifiers are transmitted to Google. Google's privacy policy applies: policies.google.com/privacy

Brevo (email delivery)

We use Brevo (formerly Sendinblue) to send transactional emails — account verification, password resets, and teacher welcome emails. Brevo receives the recipient's name and email address only. No child data is sent to Brevo (children have no email addresses in Spellcast). Brevo's privacy policy: brevo.com/legal/privacypolicy

Stripe

Subscription payments are processed by Stripe, Inc. When you subscribe, you are directed to Stripe's hosted checkout. We receive only a customer reference ID and subscription status — no card details are stored on our servers. Stripe's privacy policy: stripe.com/gb/privacy

IONOS (hosting)

Spellcast is hosted on an IONOS VPS in the United Kingdom. All data remains in the UK. IONOS privacy policy: ionos.co.uk/terms-gtc/privacy-policy

As a data subject, you have the following rights. To exercise any of them, email support@spellcast.academy:

• Right of access — request a copy of the personal data we hold about you
• Right to rectification — ask us to correct inaccurate data
• Right to erasure ("right to be forgotten") — ask us to delete your data
• Right to restriction — ask us to limit how we use your data
• Right to data portability — receive your data in a structured, machine-readable format. Parent accounts can export data directly from account settings. Schools can export all pupil data via the teacher dashboard.
• Right to object — object to processing based on legitimate interests

We will respond to all requests within 30 days.

For school pupils: Rights are typically exercised through the school (as Data Controller) or by a parent or guardian contacting the school.

Automated decision-making: Spellcast does not make any automated decisions that produce legal or similarly significant effects. Adaptive word difficulty adjusts which spelling words are shown — this is a product feature with no consequences beyond the practice session.

Right to complain: If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner's Office (ICO) — the UK's data protection regulator. You can contact the ICO at ico.org.uk/make-a-complaint or by calling 0303 123 1113. We would appreciate the opportunity to address any concern before you contact the ICO.

We take appropriate technical and organisational measures to protect your data:

• Passwords are hashed using bcrypt (cost factor 10) — they cannot be reversed
• All data in transit is encrypted via TLS (HTTPS)
• Authentication tokens expire after 90 days for parents and 30 days for children
• Database access is restricted to the application server only

No method of transmission over the internet is 100% secure. In the event of a data breach affecting your account, we will notify affected users without undue delay.

We may update this privacy policy from time to time. We will notify you of significant changes by email (for parent accounts) and by posting a notice in the application. The "last updated" date at the top of this page will always reflect the most recent version.

For any privacy-related queries, requests, or complaints:

Email: support@spellcast.academy

Website: spellcast.academy