Privacy Policy

Last updated: 9 July 2026

1. Who we are

JKRSP LTD, trading as Rafyo ("Rafyo", "we", "us"), provides school management software to small UK independent schools. We are the data processor for personal data processed on behalf of schools (data controllers). For data we collect directly (e.g. when you contact us or register for a school account), we act as the data controller.

Contact: privacy@rafyo.com

2. What data we collect

2.1 School administrators and staff

  • Name and email address
  • Password (stored as a one-way hash; we cannot read it)
  • Role and permissions within the school
  • IP address and browser user-agent (for session security and audit logging)

2.2 Parents and guardians

  • Name and email address
  • Password (stored as a one-way hash)
  • Links to children within the school
  • Canteen orders and payment records
  • IP address and browser user-agent (for session security)

2.3 Children (pupils)

  • First name and last name
  • Class or year group
  • Dietary notes (e.g. allergies, dietary preferences)
  • Parent/guardian links
  • Canteen order history

We do not collect children's dates of birth, photographs, or any data beyond what is necessary for the school management features the school has chosen to use. Children do not have accounts on Rafyo and do not interact with the platform directly.

2.4 Contact form enquiries

  • Name, email address, school name (optional), and message content

2.5 Automatically collected data

  • Session cookies (strictly necessary for authentication — see our Cookie Policy)
  • Audit log entries recording actions taken within the platform (for regulatory compliance)

3. How we use your data

Purpose Lawful basis
Providing and operating the platform Performance of contract (UK GDPR Art. 6(1)(b))
Account authentication and session security Performance of contract
Processing canteen orders and payments Performance of contract
Audit logging for regulatory compliance Legitimate interest (UK GDPR Art. 6(1)(f))
Responding to contact form enquiries Legitimate interest
Sending transactional emails (verification, password reset) Performance of contract

4. Children's data

Rafyo processes children's personal data on behalf of schools (data controllers) to enable canteen ordering, dietary management, and related school operations. We apply additional safeguards in line with the ICO's Children's Code (Age Appropriate Design Code):

  • Data minimisation — we collect only the data necessary for school operations
  • No profiling or automated decision-making — children's data is not used for profiling, marketing, or behavioural analysis
  • No third-party data sharing — children's data is not shared with any third parties except as necessary to process payments
  • No direct access — children do not have accounts and do not interact with the platform directly
  • Default privacy — all settings default to the most privacy-protective option
  • Best interests — the best interests of the child are a primary consideration in all processing decisions

5. Who we share data with

Third party Purpose Data shared
Neon (Neon, LLC, part of Databricks, Inc.) Managed database — the primary store for all platform data Everything the platform holds: accounts, children's records including dietary and allergy information, orders and payments. Stored in London, UK.
Amazon Web Services (AWS) Application hosting, file storage, content delivery, operational logs All platform data in transit; request logs. Hosted in London, UK.
Postmark (ActiveCampaign, LLC) Transactional email delivery (verification, password reset, notifications) The full content of the emails we send you. An order confirmation includes your children's names and any ingredients you have asked us to leave out of their meals. Postmark retains this content for 45 days.
Stripe, Inc. Payment processing The payer's email address, the amount, the school's name, and the school's own billing reference for your family. No pupil names, and no dietary or health information. Each school connects their own Stripe account.

We do not sell personal data. We do not use any analytics, advertising, or tracking services.

6. International transfers

All platform data is stored in the United Kingdom (AWS London, eu-west-2).

Some of the companies we rely on are based in the United States, and their staff may access data from there in order to operate, support and secure the service. Under UK GDPR that access is an international transfer even though the data itself stays in London, so we tell you about it.

Every one of these transfers is covered by the UK Extension to the EU-U.S. Data Privacy Framework — the UK Government's "data bridge", which provides the same legal protection as keeping the data here. Each company below has certified to the U.S. Department of Commerce and appears as active on the Data Privacy Framework list:

Recipient Certified as Covers
Neon, LLC Databricks, Inc. Our database, hosted in London and operated from the US
Stripe, Inc. Stripe, Inc. Payment processing
Postmark AC PM (ActiveCampaign, LLC) Transactional email

We do not rely on Standard Contractual Clauses for any of these transfers, and no transfer risk assessment is required, because the data bridge is an adequacy decision.

We are moving transactional email to Amazon SES in London, after which the content of our emails will no longer leave the UK. This page will be updated when that happens.

7. How long we keep data

Data type Retention period
Active user accounts Duration of account
Children's records Duration of school's use of platform, or until deleted by school
Canteen orders and payments Duration of school's use of platform
Audit logs 7 years (Ofsted inspection window)
Session data 7 days (auto-expires)
Contact form enquiries 12 months
Operational logs (which pages were requested, and when) 90 days
Email content held by Postmark 45 days
Database restore history 6 hours

When a school terminates their account, all associated data (users, children, orders, payments, audit logs) is permanently deleted within 30 days.

8. How we protect your data

  • All data is encrypted in transit (TLS 1.2+) and at rest
  • Hosted in London, UK (eu-west-2) — application on AWS, database on Neon
  • Passwords are stored as one-way hashes (scrypt)
  • Invite and verification tokens are hashed before storage (SHA-256)
  • Role-based access control limits data access to authorised users
  • Tamper-evident audit logs record all significant actions
  • Public access to storage is blocked at the infrastructure level

9. Your rights

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your personal data ("right to be forgotten")
  • Data portability — receive your data in a structured, machine-readable format
  • Restriction — ask us to restrict processing of your data
  • Objection — object to processing based on legitimate interest

To exercise any of these rights, please contact privacy@rafyo.com. We will respond within one month.

For parents: if you wish to access, correct, or delete your child's data, please contact your school in the first instance, as they are the data controller for pupil data. You may also contact us directly.

10. Complaints

If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

11. Changes to this policy

We may update this policy from time to time. We will notify registered users by email of any material changes. The "last updated" date at the top of this page indicates when it was most recently revised.