Privacy Policy
Last updated: 9 July 2026
1. Who we are
JKRSP LTD, trading as Rafyo ("Rafyo", "we", "us"), provides school management software to small UK independent schools. We are the data processor for personal data processed on behalf of schools (data controllers). For data we collect directly (e.g. when you contact us or register for a school account), we act as the data controller.
Contact: privacy@rafyo.com
2. What data we collect
2.1 School administrators and staff
- Name and email address
- Password (stored as a one-way hash; we cannot read it)
- Role and permissions within the school
- IP address and browser user-agent (for session security and audit logging)
2.2 Parents and guardians
- Name and email address
- Password (stored as a one-way hash)
- Links to children within the school
- Canteen orders and payment records
- IP address and browser user-agent (for session security)
2.3 Children (pupils)
- First name and last name
- Class or year group
- Dietary notes (e.g. allergies, dietary preferences)
- Parent/guardian links
- Canteen order history
We do not collect children's dates of birth, photographs, or any data beyond what is necessary for the school management features the school has chosen to use. Children do not have accounts on Rafyo and do not interact with the platform directly.
2.4 Contact form enquiries
- Name, email address, school name (optional), and message content
2.5 Automatically collected data
- Session cookies (strictly necessary for authentication — see our Cookie Policy)
- Audit log entries recording actions taken within the platform (for regulatory compliance)
3. How we use your data
| Purpose | Lawful basis |
|---|---|
| Providing and operating the platform | Performance of contract (UK GDPR Art. 6(1)(b)) |
| Account authentication and session security | Performance of contract |
| Processing canteen orders and payments | Performance of contract |
| Audit logging for regulatory compliance | Legitimate interest (UK GDPR Art. 6(1)(f)) |
| Responding to contact form enquiries | Legitimate interest |
| Sending transactional emails (verification, password reset) | Performance of contract |
4. Children's data
Rafyo processes children's personal data on behalf of schools (data controllers) to enable canteen ordering, dietary management, and related school operations. We apply additional safeguards in line with the ICO's Children's Code (Age Appropriate Design Code):
- Data minimisation — we collect only the data necessary for school operations
- No profiling or automated decision-making — children's data is not used for profiling, marketing, or behavioural analysis
- No third-party data sharing — children's data is not shared with any third parties except as necessary to process payments
- No direct access — children do not have accounts and do not interact with the platform directly
- Default privacy — all settings default to the most privacy-protective option
- Best interests — the best interests of the child are a primary consideration in all processing decisions
5. Who we share data with
| Third party | Purpose | Data shared |
|---|---|---|
| Neon (Neon, LLC, part of Databricks, Inc.) | Managed database — the primary store for all platform data | Everything the platform holds: accounts, children's records including dietary and allergy information, orders and payments. Stored in London, UK. |
| Amazon Web Services (AWS) | Application hosting, file storage, content delivery, operational logs | All platform data in transit; request logs. Hosted in London, UK. |
| Postmark (ActiveCampaign, LLC) | Transactional email delivery (verification, password reset, notifications) | The full content of the emails we send you. An order confirmation includes your children's names and any ingredients you have asked us to leave out of their meals. Postmark retains this content for 45 days. |
| Stripe, Inc. | Payment processing | The payer's email address, the amount, the school's name, and the school's own billing reference for your family. No pupil names, and no dietary or health information. Each school connects their own Stripe account. |
We do not sell personal data. We do not use any analytics, advertising, or tracking services.
6. International transfers
All platform data is stored in the United Kingdom (AWS London, eu-west-2).
Some of the companies we rely on are based in the United States, and their staff may access data from there in order to operate, support and secure the service. Under UK GDPR that access is an international transfer even though the data itself stays in London, so we tell you about it.
Every one of these transfers is covered by the UK Extension to the EU-U.S. Data Privacy Framework — the UK Government's "data bridge", which provides the same legal protection as keeping the data here. Each company below has certified to the U.S. Department of Commerce and appears as active on the Data Privacy Framework list:
| Recipient | Certified as | Covers |
|---|---|---|
| Neon, LLC | Databricks, Inc. | Our database, hosted in London and operated from the US |
| Stripe, Inc. | Stripe, Inc. | Payment processing |
| Postmark | AC PM (ActiveCampaign, LLC) | Transactional email |
We do not rely on Standard Contractual Clauses for any of these transfers, and no transfer risk assessment is required, because the data bridge is an adequacy decision.
We are moving transactional email to Amazon SES in London, after which the content of our emails will no longer leave the UK. This page will be updated when that happens.
7. How long we keep data
| Data type | Retention period |
|---|---|
| Active user accounts | Duration of account |
| Children's records | Duration of school's use of platform, or until deleted by school |
| Canteen orders and payments | Duration of school's use of platform |
| Audit logs | 7 years (Ofsted inspection window) |
| Session data | 7 days (auto-expires) |
| Contact form enquiries | 12 months |
| Operational logs (which pages were requested, and when) | 90 days |
| Email content held by Postmark | 45 days |
| Database restore history | 6 hours |
When a school terminates their account, all associated data (users, children, orders, payments, audit logs) is permanently deleted within 30 days.
8. How we protect your data
- All data is encrypted in transit (TLS 1.2+) and at rest
- Hosted in London, UK (eu-west-2) — application on AWS, database on Neon
- Passwords are stored as one-way hashes (scrypt)
- Invite and verification tokens are hashed before storage (SHA-256)
- Role-based access control limits data access to authorised users
- Tamper-evident audit logs record all significant actions
- Public access to storage is blocked at the infrastructure level
9. Your rights
Under UK GDPR, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — ask us to delete your personal data ("right to be forgotten")
- Data portability — receive your data in a structured, machine-readable format
- Restriction — ask us to restrict processing of your data
- Objection — object to processing based on legitimate interest
To exercise any of these rights, please contact privacy@rafyo.com. We will respond within one month.
For parents: if you wish to access, correct, or delete your child's data, please contact your school in the first instance, as they are the data controller for pupil data. You may also contact us directly.
10. Complaints
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
- Website: ico.org.uk/make-a-complaint
- Telephone: 0303 123 1113
11. Changes to this policy
We may update this policy from time to time. We will notify registered users by email of any material changes. The "last updated" date at the top of this page indicates when it was most recently revised.