For schools, DPOs, and data protection leads
Our approach to data protection is simple: the safest way to protect data is not to hold it in the first place. So we only ever store the small amount of information the game actually needs to work, and we deliberately avoid collecting anything that would let a pupil be identified by the wider world. No email addresses, no contact details, and no pupil’s name on any screen another pupil can see.
Last updated: 14/05/2026 Version: 1.0
This document is intended for school Data Protection Officers, business managers, and IT leads evaluating Animal Bonds for use with pupils. It accompanies our Privacy Policy and Data Processing Agreement and provides the technical and procedural detail your compliance review will need.
If you require additional documentation (DPIA, DPA template, security questionnaire response), please email hello@animalbonds.co.uk.
1. Controller and processor relationships
When pupils use Animal Bonds via a school account:
- The school is the data controller for pupil personal data.
- Animal Bonds (operated by Franklin Works) is the data processor, acting on the school’s documented instructions per UK GDPR Article 28.
A signed Data Processing Agreement is required before any pupil data is processed. Our template is published at /privacy/dpa and is also available on request.
2. Data we process on behalf of schools
| Category | Examples | Purpose |
|---|---|---|
| Pupil real name | Set by school admin; recommended format is first name plus surname initial (e.g. “Alex S.”) | Identifying pupils on teacher and parent dashboards |
| Pupil display name | Auto-generated animal-noun combination (e.g. “OtterRiver”); set at pupil’s first sign-in | Pupil-to-pupil identity in multiplayer; protects pupil identity from other pupils |
| Class or year group | E.g. Year 3 | Organising pupils into their class |
| Player ID | Randomly generated internal identifier | Internal only |
| Educational performance | Number bond questions answered, response times, accuracy, mastery levels | Adaptive learning; teacher dashboard |
| Technical | Browser type, device type, session timestamps | Service delivery, debugging |
| Adult accounts (parents, teachers, school admin) | Name; role; class or pupil assignments | Account access, dashboard |
Visibility of names within the Service
| Whose name | Real name visible to | Display name visible to |
|---|---|---|
| The pupil themselves | No-one, including the pupil | Themselves |
| Other pupils (via multiplayer) | No-one | All pupils in the same class or school during multiplayer |
| Teachers (own class/school) | Teachers within the same school | Same |
| School administrator | Themselves and other admins at the same school | Same |
| Linked parents | Linked parents (own child only) | Same |
A pupil never sees their own real name on the Service. Other pupils never see a pupil’s real name. The display name is the only pupil-to-pupil identity exposed by the Service.
No email addresses are collected from parents, teachers, or pupils. Adult access to the Service is provided through login credentials issued by the school administrator. Where the school needs to communicate with parents, the school does so using its existing communication channels.
We do not process:
- Email addresses, postal addresses, or phone numbers from any user
- Pupil parental contact details
- Pupil photographs, videos, or voice recordings
- Special category data (Article 9): no health, religious, ethnic, biometric, or similar data
- Free-text input from pupils (the game uses tap/touch interactions only; no chat or messaging)
3. Lawful basis
For pupil data processed on the school’s instructions, the school determines the lawful basis (typically public task under Article 6(1)(e) for state schools, or legitimate interests for independent schools). Animal Bonds, acting as processor, processes only on the school’s documented instructions.
4. Sub-processors
We use the following sub-processors. Schools will be notified at least 30 days before any change.
| Sub-processor | Service | Data location | Transfer mechanism |
|---|---|---|---|
| Vercel Inc. (USA) | Web hosting and edge delivery | USA primary; UK/EU edge cache | UK Addendum to EU SCCs |
| Supabase Inc. (USA, with EU infrastructure) | PostgreSQL database, authentication | London (eu-west-2) or Dublin (eu-west-1) | UK Addendum to EU SCCs; data resident in UK/EU |
| Stripe Payments UK Ltd | Payment processing (school invoicing only) | UK/EU | UK GDPR-compliant; UK-regulated entity |
5. International transfers
Pupil data is held in the UK or EU. All transfers outside the UK are protected by the International Data Transfer Addendum (UK Addendum to EU SCCs) for transfers to the United States.
6. Retention
| Data | Retention while school subscribes | Retention after school ends use |
|---|---|---|
| Pupil profile and gameplay data | Duration of subscription | Returned or deleted within 30 days, at school’s choice |
| Teacher accounts | Duration of subscription | Deleted within 30 days |
| Aggregated, non-identifying analytics | Indefinitely | Indefinitely (no longer personal data) |
| Audit logs (security) | 12 months rolling | Retained per legal obligation, then deleted |
7. Security measures
7.1 Organisational
- Production database access is limited to Andrew Franklin.
- No personal data on local devices; all access via cloud admin consoles.
- Annual review of this document.
7.2 Technical
- TLS 1.2+ for all connections; HSTS enforced on all subdomains.
- Database encryption at rest (AES-256, managed by Supabase).
- Row-level security on the database: pupils can only ever read their own row; teachers can only read pupils linked to their school.
- Pupil data is held on managed, encrypted PostgreSQL infrastructure (Supabase) with provider-level durability and redundancy.
- Dependency vulnerability scanning (npm audit) prior to deployment.
- Web Application Firewall and DDoS mitigation provided by Vercel.
8. Data subject rights
Schools, parents, and pupils may exercise their rights under UK GDPR Articles 15 to 22 by contacting hello@animalbonds.co.uk. Standard response time: 30 days, with a written interim response within 5 working days.
9. Breach notification
In the event of a personal data breach affecting school pupil data:
- We will notify the affected school’s DPO within 24 hours of becoming aware of the breach.
- We will provide all information needed for the school to assess its own ICO notification obligation.
10. ICO Children’s Code
A separate Children’s Code compliance statement is available at /privacy/childrens-code. The Service is designed with the best interests of the child as the primary consideration. Default settings are the most privacy-protective available. No advertising. Minimal data collection.
11. Data Protection Impact Assessment
A Data Protection Impact Assessment has been undertaken for the Service and is being finalised ahead of pilot deployment. It will be reviewed annually or following any significant change.
12. Contact
Franklin Works, Walkford. BH23 5LS hello@animalbonds.co.uk
Animal Bonds