Privacy Policy

Last updated: 11 April 2026

This Privacy Policy explains how School IQ Labs Ltd ("we", "us", "our"), the company behind StaffIQ, collects, uses, stores, and protects personal data when you use our platform. School IQ Labs Ltd is a company registered in England and Wales and acts as a data processor on behalf of the schools and trusts ("Customers") that use StaffIQ.

1. Who We Are

School IQ Labs Ltd is the developer and operator of StaffIQ, a cloud-based platform for school compliance (Single Central Record) and HR management. For the purposes of data protection law, our Customers (schools, academy trusts, and educational organisations) are the data controllers, and we act as their data processor.

2. Data We Collect

We collect and process the following categories of personal data:

2.1 Customer Account Data

  • Name, email address, and job title of account administrators and users
  • Organisation name, address, and billing information
  • Authentication credentials (passwords are hashed and never stored in plain text)

2.2 Staff Record Data (processed on behalf of Customers)

  • Personal details: name, date of birth, address, contact information
  • Employment details: job title, role type, contract type, start and end dates, salary information
  • Identity and compliance documents: DBS certificate numbers, right-to-work evidence, qualifications, references, safeguarding training records
  • Demographic data: gender, nationality, ethnicity (where provided by the Customer for workforce reporting)
  • Document uploads: scanned certificates, ID documents, and other files uploaded by Customer users

2.3 Usage and Technical Data

  • IP addresses, browser type, device information
  • Pages visited, features used, and session duration
  • Error logs and performance data

3. How We Use Your Data

We process personal data for the following purposes:

  • Service delivery: To provide, maintain, and improve the StaffIQ platform
  • Compliance management: To enable Customers to manage their Single Central Record and staff compliance checks
  • Alerts and notifications: To send expiry reminders, compliance alerts, and system notifications
  • Audit logging: To maintain a record of actions taken within the platform for accountability and regulatory purposes
  • Support: To respond to Customer queries and provide technical support
  • Analytics: To generate aggregated, anonymised insights about platform usage (individual-level data is never shared externally)
  • Legal obligations: To comply with applicable laws, regulations, and legal processes

4. Legal Basis for Processing

We process personal data on the following legal bases under UK GDPR:

  • Contract performance: Processing necessary to deliver the StaffIQ service to our Customers
  • Legitimate interests: Platform security, fraud prevention, and service improvement
  • Legal obligation: Where required by law (e.g. financial record-keeping)
  • Consent: Where applicable, such as for marketing communications (which you can opt out of at any time)

For staff record data, our Customers are the data controllers and are responsible for establishing the appropriate legal basis for their processing activities.

5. Data Sharing

We do not sell personal data. We share data only in the following circumstances:

  • Sub-processors: We use carefully selected third-party services to operate our platform (see section 9). All sub-processors are bound by data processing agreements.
  • Inspector access: Customers may generate time-limited, read-only links to share compliance data with inspectors (e.g. Ofsted, KHDA). This is initiated and controlled by the Customer.
  • Legal requirements: Where required by law, regulation, or valid legal process

6. Data Retention

We retain personal data for as long as the Customer account is active and as required to fulfil our contractual obligations. Customers can configure data retention policies within StaffIQ for staff records. Upon account termination:

  • Staff record data is deleted within 90 days of account closure
  • Audit logs are retained for 12 months after account closure for regulatory compliance, then permanently deleted
  • Backups containing personal data are purged within 30 days of deletion from the live system

7. Data Security

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit (TLS 1.2+) and at rest (AES-256)
  • Strict tenant isolation ensuring each organisation's data is logically separated
  • Role-based access controls within the platform
  • Regular security assessments and penetration testing
  • Comprehensive audit logging of all data access and modifications
  • Secure, hashed password storage

8. International Data Transfers

Our primary infrastructure is hosted within the United Kingdom. Where data is transferred outside the UK (for example, to sub-processors), we ensure appropriate safeguards are in place, such as UK International Data Transfer Agreements or adequacy decisions.

9. Sub-Processors

We use the following categories of sub-processor:

  • Cloud hosting: Infrastructure and database hosting (UK/EEA data centres)
  • File storage: Encrypted document and attachment storage
  • Email delivery: Transactional emails (alerts, invitations, password resets)
  • Payment processing: Subscription billing (we do not store card details)

A current list of named sub-processors is available upon request by contacting us at the address below.

10. Your Rights

If you are an end user whose data is held within StaffIQ, your data controller is the school or trust that employs you. Please direct data subject requests to your employer in the first instance. We will assist our Customers in responding to such requests.

Under UK GDPR, individuals have the right to:

  • Access their personal data
  • Rectify inaccurate data
  • Request erasure ("right to be forgotten")
  • Restrict processing
  • Request data portability
  • Object to processing

11. Cookies

StaffIQ uses essential cookies required for the platform to function (session management, authentication). We do not use advertising or tracking cookies. Analytics cookies, if used, are anonymised and can be declined.

12. Children's Data

StaffIQ is designed for use by school staff and administrators. We do not knowingly collect personal data from children. If you believe a child's data has been submitted to the platform in error, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated to Customers via email and an in-app notification. The "Last updated" date at the top of this page reflects the most recent revision.

14. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact:

School IQ Labs Ltd
Suite RA01, 195-197 Wood Street
London, E17 3NU
United Kingdom
Email: privacy@staffiq.app

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.