Privacy Policy
Last updated: 27 February 2026
1. Who we are
JKRSP LTD, trading as Rafyo ("Rafyo", "we", "us"), provides school management software to small UK independent schools. We are the data processor for personal data processed on behalf of schools (data controllers). For data we collect directly (e.g. when you contact us or register for a school account), we act as the data controller.
Contact: privacy@rafyo.com
2. What data we collect
2.1 School administrators and staff
- Name and email address
- Password (stored as a one-way hash; we cannot read it)
- Role and permissions within the school
- IP address and browser user-agent (for session security and audit logging)
2.2 Parents and guardians
- Name and email address
- Password (stored as a one-way hash)
- Links to children within the school
- Canteen orders and payment records
- IP address and browser user-agent (for session security)
2.3 Children (pupils)
- First name and last name
- Class or year group
- Dietary notes (e.g. allergies, dietary preferences)
- Parent/guardian links
- Canteen order history
We do not collect children's dates of birth, photographs, or any data beyond what is necessary for the school management features the school has chosen to use. Children do not have accounts on Rafyo and do not interact with the platform directly.
2.4 Contact form enquiries
- Name, email address, school name (optional), and message content
2.5 Automatically collected data
- Session cookies (strictly necessary for authentication — see our Cookie Policy)
- Audit log entries recording actions taken within the platform (for regulatory compliance)
3. How we use your data
| Purpose | Lawful basis |
|---|---|
| Providing and operating the platform | Performance of contract (UK GDPR Art. 6(1)(b)) |
| Account authentication and session security | Performance of contract |
| Processing canteen orders and payments | Performance of contract |
| Audit logging for regulatory compliance | Legitimate interest (UK GDPR Art. 6(1)(f)) |
| Responding to contact form enquiries | Legitimate interest |
| Sending transactional emails (verification, password reset) | Performance of contract |
4. Children's data
Rafyo processes children's personal data on behalf of schools (data controllers) to enable canteen ordering, dietary management, and related school operations. We apply additional safeguards in line with the ICO's Children's Code (Age Appropriate Design Code):
- Data minimisation — we collect only the data necessary for school operations
- No profiling or automated decision-making — children's data is not used for profiling, marketing, or behavioural analysis
- No third-party data sharing — children's data is not shared with any third parties except as necessary to process payments
- No direct access — children do not have accounts and do not interact with the platform directly
- Default privacy — all settings default to the most privacy-protective option
- Best interests — the best interests of the child are a primary consideration in all processing decisions
5. Who we share data with
| Third party | Purpose | Data shared |
|---|---|---|
| Amazon Web Services (AWS) | Infrastructure hosting | All platform data (encrypted at rest and in transit, hosted in London, UK) |
| Stripe | Payment processing | Order amounts, payment references. Each school connects their own Stripe account. |
We do not sell personal data. We do not use any analytics, advertising, or tracking services.
6. International transfers
All data is stored and processed in the United Kingdom (AWS London, eu-west-2). We do not transfer personal data outside the UK. Stripe processes payment data within its own infrastructure; please refer to Stripe's privacy policy for details.
7. How long we keep data
| Data type | Retention period |
|---|---|
| Active user accounts | Duration of account |
| Children's records | Duration of school's use of platform, or until deleted by school |
| Canteen orders and payments | Duration of school's use of platform |
| Audit logs | 7 years (Ofsted inspection window) |
| Session data | 7 days (auto-expires) |
| Contact form enquiries | 12 months |
When a school terminates their account, all associated data (users, children, orders, payments, audit logs) is permanently deleted within 30 days.
8. How we protect your data
- All data is encrypted in transit (TLS 1.2+) and at rest
- Hosted on AWS in London, UK (eu-west-2)
- Passwords are stored as one-way hashes (bcrypt)
- Invite and verification tokens are hashed before storage (SHA-256)
- Role-based access control limits data access to authorised users
- Tamper-evident audit logs record all significant actions
- Public access to storage is blocked at the infrastructure level
9. Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your personal data ("right to be forgotten")
- Data portability — receive your data in a structured, machine-readable format
- Restriction — ask us to restrict processing of your data
- Objection — object to processing based on legitimate interest
To exercise any of these rights, please contact privacy@rafyo.com. We will respond within one month.
For parents: if you wish to access, correct, or delete your child's data, please contact your school in the first instance, as they are the data controller for pupil data. You may also contact us directly.
10. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
11. Changes to this policy
We may update this policy from time to time. We will notify registered users by email of any material changes. The "last updated" date at the top of this page indicates when it was most recently revised.