The School Governance Assurance Framework (GAF) is a professional service used by school governors, clerks, and governance professionals. We provide eight governance tools: Board Assurance Audit, Website Check, Website Assurance, Board Intelligence Report, Meeting Agendas, School Progress Assurance, Statutory Assurance, and Headteacher Report. We collect only the data necessary to operate these tools and respond to enquiries. We do not sell data, serve advertising, or share data with third parties for marketing purposes.
This policy covers all GAF tools — including the free Board Assurance Audit and Website Check, and the membership tools (Website Assurance, Board Intelligence Report, Meeting Agendas, School Progress Assurance, Statutory Assurance, and Headteacher Report) — delivered through the School Portal at portal.governanceassurance.co.uk. Where processing differs between services, this is noted.
1 Who we are
The School Governance Assurance Framework is operated by Joshua Mangas ("we", "us", "our"). For the purposes of UK data protection law, Joshua Mangas is the Data Controller for all personal data collected through:
- The GAF governance tools platform at portal.governanceassurance.co.uk
- The School Portal at portal.governanceassurance.co.uk
- The GAF marketing website at governanceassurance.co.uk
- Any contact forms on the above sites
Contact: Use the website contact form
2 What data we collect and why
2.1 School Portal (portal.governanceassurance.co.uk)
When you register and use the GAF governance tools (Board Assurance Audit, Website Check, Website Assurance, Board Intelligence Report, Meeting Agendas, School Progress Assurance, Statutory Assurance, and Headteacher Report), we collect:
| Data | Why we collect it |
|---|---|
| Email address | Used for passwordless authentication via email one-time codes, or OAuth sign-in through Google or Microsoft (for the School Portal at portal.governanceassurance.co.uk). Required to access the platform. |
| School / trust name | Identifies the school or trust completing the assessment. Appears on your report. |
| Town and postcode | Distinguishes organisations with similar names. Appears on your report. |
| Headteacher / CEO name | Included in the board audit report for governance records. |
| Chair of Governors / Trustees name | Included in the board audit report for governance records. |
| Your name and role | Identifies the person completing the assessment. Appears on your report. |
| Assessment responses | The status (Not Started / Developing / Secure) and optional evidence notes you enter for each of the framework elements. |
| Payment transaction references | Payment transaction records (amount, currency, payment status) are processed by Stripe. We store transaction references for billing and HMRC compliance. We do not store card numbers or bank details — these are held solely by Stripe. |
| Website crawl data | URLs, page content, and compliance findings collected when the Website Check or Website Assurance tool scans your school website. Used to generate compliance reports and auto-populate Board Audit evidence. |
| GIAS governor data | Governor names, roles, and appointment dates retrieved from the DfE Get Information About Schools (GIAS) register. Used to populate the Board Intelligence Report and governor profiles. |
| Ofsted, DfE, and Companies House data | Publicly available inspection history, school performance data, and trust filing records. Used to generate the Board Intelligence Report. |
| SIP document uploads | School Improvement Plan documents uploaded for AI-assisted priority extraction within School Progress Assurance. Documents are processed transiently by Anthropic and stored in the database for your school's use. |
| Governor names and assignments | Governor names assigned to statutory monitoring roles and SIP visit reports within Statutory Assurance and School Progress Assurance. Used to generate downloadable visit report documents. |
| Headteacher termly data | Attendance, exclusions, staffing, budget, SIP progress, and safeguarding data entered via the Headteacher Report tool. Feeds into the Board Intelligence Report. |
| Submission timestamp | Records when your assessment was completed. |
We do not collect data about individual pupils, staff, or parents. The assessment relates to board-level governance processes only. Do not enter sensitive personal data about individuals in the evidence notes fields.
2.2 Contact form (marketing website)
When you submit the contact form, we collect:
- Your name and role
- Your school or organisation name
- Your email address
- Your reason for enquiry and message
This data is used solely to respond to your enquiry and provide relevant service information.
2.3 Data we do not collect
- Passwords (we use passwordless authentication)
- Card numbers or bank details (payments are processed by Stripe; we store only transaction references)
- Device fingerprints or behavioural advertising profiles for marketing
- Data relating to individual pupils, staff, or parents as intended service input
3 Legal basis for processing
Under UK GDPR, we rely on the following legal bases:
| Processing activity | Legal basis |
|---|---|
| Operating the board audit platform and storing your responses | Legitimate interests — providing the governance board audit service you have registered for. Our legitimate interests do not override your rights; you may request deletion of your data at any time (see section 7). |
| Sending authentication emails (one-time codes or sign-in links) | Contractual necessity — required to provide access to the platform you have requested. |
| Processing payments via Stripe | Contractual necessity — required to complete the transaction you have initiated and for HMRC compliance. |
| Responding to contact form enquiries | Legitimate interests — responding to a direct professional enquiry. |
| Notifying operational inboxes when a school submits an assessment | Legitimate interests — operational administration of the service. |
4 How we store and protect your data
4.1 Supabase (board audit platform and School Portal)
Board audit and School Portal data is stored in a Supabase PostgreSQL database. Data in transit is encrypted via TLS. Access controls and row-level policies are applied so users can only access data relevant to their own school account.
Access controls are designed so that:
- Each school can only read and write its own data
- Only separately authenticated administrative access can view broader service data
- User-facing deletion is restricted and handled by request workflow
4.2 Cloudflare and Vercel (website hosting and delivery)
The board audit platform and marketing website are hosted and delivered through Cloudflare infrastructure. The School Portal at portal.governanceassurance.co.uk is hosted on Vercel (EU, London region). Both providers may log access requests including IP addresses as part of standard secure server operation.
4.3 Email (authentication and notifications)
Authentication emails containing one-time sign-in codes or sign-in links, together with notification emails, are sent through configured email infrastructure. Email in transit is encrypted where supported by receiving systems.
4.4 Contact form routing
Website contact-form submissions are processed by the configured form/email provider and used only to route and respond to enquiries.
5 How long we keep your data
| Data | Retention period |
|---|---|
| Board audit profile and responses | Retained for the duration of active service use plus 2 years following your last active session, after which data is deleted unless you request deletion sooner. |
| Authentication emails (sign-in codes or links) | Sign-in codes or links expire after a short period (approximately 1 hour). Transmission metadata follows provider retention settings. |
| Contact form enquiries | Retained for up to 2 years, or until the enquiry has been resolved and correspondence is no longer needed. |
| Admin logs and session tokens | Session tokens expire on platform-defined intervals. Access logs are retained in line with provider security defaults. |
6 Who we share your data with
We do not sell, rent, or trade personal data. We share data only with the infrastructure providers listed below, which are necessary to operate the service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication infrastructure for the board audit platform and School Portal | EU-hosted region |
| Cloudflare | Website and platform hosting/delivery | Global network |
| Vercel | Application hosting (School Portal) | EU (London) |
| Stripe | Payment processing | EU/UK |
| Resend | Transactional email delivery | US (EU data processing) |
| Google | OAuth identity provider | US |
| Microsoft | OAuth identity provider | EU |
| Anthropic | AI document processing (SIP extraction, School Portal only) | US |
| EmailJS | Contact form email delivery | EU/US |
| Google Fonts | Serving web fonts — your IP address may be transmitted as part of the request | Global |
We may disclose personal data to a third party if required to do so by law, court order, or lawful authority.
International transfers
Cloudflare and email providers may operate infrastructure globally. Where data is transferred outside the UK or EU, this is handled under UK GDPR Chapter V transfer mechanisms, including adequacy decisions or Standard Contractual Clauses where applicable.
7 Your rights under UK GDPR
As a data subject under UK GDPR, you have the following rights. To exercise any of them, contact us via the website contact form. We will respond within 30 days.
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you and your school. |
| Rectification | Request correction of inaccurate or incomplete data. |
| Erasure | Request deletion of your data. We will delete your profile and all assessment responses from the database within 30 days of a valid request. |
| Restriction | Request that we restrict processing of your data while a dispute is resolved. |
| Data portability | Request your assessment data in a machine-readable format (JSON or CSV). |
| Object | Object to processing based on legitimate interests. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds. |
| Withdraw consent | Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing. |
There is no charge for exercising your rights. We may ask you to verify your identity before fulfilling a request.
Automated decision-making (Article 22)
The platform uses AI to generate governance reports, extract SIP priorities, and analyse website compliance. These outputs are advisory and support governance decision-making but do not constitute automated decisions with legal or significant effects. No decisions about individuals are made solely by automated means.
8 Cookies
The GAF board audit platform uses browser localStorage to maintain your session state between pages. This is not a cookie and does not transmit data to external servers, but it does store a session token in your browser.
We do not use tracking cookies, advertising cookies, or analytics cookies.
Google Fonts, loaded on both sites, may set technical cookies or log IP address data as part of serving font files. If blocked, the site falls back to system fonts. The School Governance Assurance Framework uses passwordless authentication — no passwords are stored in cookies or session storage.
9 Children's privacy
The GAF platform is a professional governance tool intended for adults in governance roles (governors, trustees, clerks, headteachers, and governance professionals). It is not directed at or intended for use by children under the age of 18.
We do not knowingly collect personal data from anyone under 18. If you believe a child has submitted data through the School Governance Assurance Framework, please contact us via the website contact form and we will delete it promptly.
The platform must not be used to collect, enter, or store personal data about pupils. Assessment responses should relate to board-level governance processes, not to individual children or staff.
10 Changes to this policy
We may update this privacy policy from time to time. Where changes are material, we will notify registered users by service communication or site notice before the changes take effect where practicable.
The date at the top of this page will always reflect the most recent version.
11 Contact and complaints
If you have any questions about this privacy policy, how we handle your data, or wish to exercise your rights, contact us using the website contact form.
If you are not satisfied with our response, or believe we are processing your data unlawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Questions about this policy?
Use the contact form on the main site and mark your message as a privacy request.