The Governance Assurance Framework (GAF) is a professional service used by school governors, clerks, and governance professionals. We collect only the data necessary to provide the self-assessment tool and respond to enquiries. We do not sell data, serve advertising, or share data with third parties for marketing purposes.
1 Who we are
The Governance Assurance Framework is operated by Joshua Mangas ("we", "us", "our"). For the purposes of UK data protection law, Joshua Mangas is the Data Controller for all personal data collected through:
- The GAF self-assessment platform at app.governanceassurance.co.uk
- The GAF marketing website at www.governanceassurance.co.uk
- Any contact forms on the above sites
Contact: Use the website contact form
2 What data we collect and why
2.1 Self-assessment platform (app.governanceassurance.co.uk)
When you register and use the GAF self-assessment tool, we collect:
| Data | Why we collect it |
|---|---|
| Email address | Used for magic-link authentication. Required to access the platform. |
| School name | Identifies the school completing the assessment. Appears on your report. |
| Town and postcode | Distinguishes schools with similar names. Appears on your report. |
| Headteacher name | Included in the self-assessment report for governance records. |
| Chair of Governors name | Included in the self-assessment report for governance records. |
| Your name and role | Identifies the person completing the assessment. Appears on your report. |
| Assessment responses | The status (Not Started / Developing / Secure) and optional evidence notes you enter for each of the framework elements. |
| Submission timestamp | Records when your assessment was completed. |
We do not collect data about individual pupils, staff, or parents. The assessment relates to board-level governance processes only. Do not enter sensitive personal data about individuals in the evidence notes fields.
2.2 Contact form (marketing website)
When you submit the contact form, we collect:
- Your name and role
- Your school or organisation name
- Your email address
- Your reason for enquiry and message
This data is used solely to respond to your enquiry and provide relevant service information.
2.3 Data we do not collect
- Payment or financial information
- Passwords (we use passwordless magic-link authentication)
- Device fingerprints or behavioural advertising profiles for marketing
- Data relating to individual pupils, staff, or parents as intended service input
3 Legal basis for processing
Under UK GDPR, we rely on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Operating the self-assessment platform and storing your responses | Legitimate interests — providing the governance self-assessment service you have registered for. Our legitimate interests do not override your rights; you may request deletion of your data at any time (see section 7). |
| Sending a magic-link authentication email | Contractual necessity — required to provide access to the platform you have requested. |
| Responding to contact form enquiries | Legitimate interests — responding to a direct professional enquiry. |
| Notifying operational inboxes when a school submits an assessment | Legitimate interests — operational administration of the service. |
4 How we store and protect your data
4.1 Supabase (self-assessment platform)
Self-assessment data is stored in a Supabase PostgreSQL database. Data in transit is encrypted via TLS. Access controls and row-level policies are applied so users can only access data relevant to their own school account.
Access controls are designed so that:
- Each school can only read and write its own data
- Only separately authenticated administrative access can view broader service data
- User-facing deletion is restricted and handled by request workflow
4.2 Cloudflare (website hosting and delivery)
The self-assessment platform and marketing website are hosted and delivered through Cloudflare infrastructure. Cloudflare may log access requests including IP addresses as part of standard secure server operation.
4.3 Email (authentication and notifications)
Authentication magic links and notification emails are sent through configured email infrastructure. Email in transit is encrypted where supported by receiving systems.
4.4 Contact form routing
Website contact-form submissions are processed by the configured form/email provider and used only to route and respond to enquiries.
5 How long we keep your data
| Data | Retention period |
|---|---|
| Self-assessment profile and responses | Retained for the duration of active service use and for a period of up to 3 years following your last active session, after which data is deleted unless you request deletion sooner. |
| Authentication emails (magic links) | Magic links expire after a short period (typically around 1 hour). Transmission metadata follows provider retention settings. |
| Contact form enquiries | Retained for up to 2 years, or until the enquiry has been resolved and correspondence is no longer needed. |
| Admin logs and session tokens | Session tokens expire on platform-defined intervals. Access logs are retained in line with provider security defaults. |
6 Who we share your data with
We do not sell, rent, or trade personal data. We share data only with the infrastructure providers listed below, which are necessary to operate the service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication infrastructure for the self-assessment platform | EU-hosted region |
| Cloudflare | Website and platform hosting/delivery | Global network |
| Email provider(s) | Email transmission for authentication and notifications | Global |
| Contact form provider | Contact form submission transmission | Provider-managed regions |
| Google Fonts | Serving web fonts — your IP address may be transmitted as part of the request | Global |
We may disclose personal data to a third party if required to do so by law, court order, or lawful authority.
International transfers
Cloudflare and email providers may operate infrastructure globally. Where data is transferred outside the UK or EU, this is handled under UK GDPR Chapter V transfer mechanisms, including adequacy decisions or Standard Contractual Clauses where applicable.
7 Your rights under UK GDPR
As a data subject under UK GDPR, you have the following rights. To exercise any of them, contact us via the website contact form. We will respond within 30 days.
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you and your school. |
| Rectification | Request correction of inaccurate or incomplete data. |
| Erasure | Request deletion of your data. We will delete your profile and all assessment responses from the database within 30 days of a valid request. |
| Restriction | Request that we restrict processing of your data while a dispute is resolved. |
| Data portability | Request your assessment data in a machine-readable format (JSON or CSV). |
| Object | Object to processing based on legitimate interests. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds. |
| Withdraw consent | Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing. |
There is no charge for exercising your rights. We may ask you to verify your identity before fulfilling a request.
8 Cookies
The GAF self-assessment platform uses browser localStorage to maintain your session state between pages. This is not a cookie and does not transmit data to external servers, but it does store a session token in your browser.
We do not use tracking cookies, advertising cookies, or analytics cookies.
Google Fonts, loaded on both sites, may set technical cookies or log IP address data as part of serving font files. If blocked, the site falls back to system fonts.
9 Children's privacy
The GAF platform is a professional governance tool intended for adults in governance roles (governors, trustees, clerks, headteachers, and governance professionals). It is not directed at or intended for use by children under the age of 18.
We do not knowingly collect personal data from anyone under 18. If you believe a child has submitted data through the platform, please contact us via the website contact form and we will delete it promptly.
The platform must not be used to collect, enter, or store personal data about pupils. Assessment responses should relate to board-level governance processes, not to individual children or staff.
10 Changes to this policy
We may update this privacy policy from time to time. Where changes are material, we will notify registered users by service communication or site notice before the changes take effect where practicable.
The date at the top of this page will always reflect the most recent version.
11 Contact and complaints
If you have any questions about this privacy policy, how we handle your data, or wish to exercise your rights, contact us using the website contact form.
If you are not satisfied with our response, or believe we are processing your data unlawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Questions about this policy?
Use the contact form on the main site and mark your message as a privacy request.