Structured governance assurance for UK school governing boards.

The School Governance Assurance Framework (SGAF) is a professional service used by school governors, clerks, and governance professionals. We provide 15 governance tools across free and membership tiers. We collect only the data necessary to operate these tools and respond to enquiries. We do not sell data, serve advertising, or share data with third parties for marketing purposes.

This policy covers all SGAF tools, including the free tools (Quality Standard, Website Check, AI Readiness Audit, Faith Inspection Readiness, School Data Check) and the membership tools (Website Compliance, Board Intelligence Report, Meeting Agendas, School Improvement, Statutory & Core, Headteacher Report, CES Assurance, SIAMS Assurance, Trust Dashboard, Agenda Builder), delivered through the School Portal at portal.governanceassurance.co.uk. Where processing differs between services, this is noted.

1 Who we are

The School Governance Assurance Framework is operated by Joshua Mangas ("we", "us", "our"). For the purposes of UK data protection law, Joshua Mangas is the Data Controller for all personal data collected through:

  • The SGAF governance tools platform at portal.governanceassurance.co.uk
  • The School Portal at portal.governanceassurance.co.uk
  • The SGAF marketing website at governanceassurance.co.uk
  • Any contact forms on the above sites

For the governance and assessment data your school enters into the platform, your school is the Data Controller and we act as Data Processor on its behalf. See our Client Privacy notice and Data Processing Agreement for how that data is handled.

Contact: Use the website contact form

2 What data we collect and why

2.1 School Portal (portal.governanceassurance.co.uk)

When you register and use the SGAF governance tools (Quality Standard, Website Check, AI Readiness Audit, Faith Inspection Readiness, School Data Check, Website Compliance, Board Intelligence Report, Meeting Agendas, School Improvement, Statutory & Core, Headteacher Report, CES Assurance, SIAMS Assurance, Trust Dashboard, and Agenda Builder), we collect:

Data | Why we collect it
Email address | Used for passwordless authentication via email one-time codes, or OAuth sign-in through Google or Microsoft (for the School Portal at portal.governanceassurance.co.uk). Required to access the platform.
School / trust name | Identifies the school or trust completing the assessment. Appears on your report.
Town and postcode | Distinguishes organisations with similar names. Appears on your report.
Headteacher / CEO name | Included in the Quality Standard report for governance records.
Chair of Governors / Trustees name | Included in the Quality Standard report for governance records.
Your name and role | Identifies the person completing the assessment. Appears on your report.
Assessment responses | The status (Not Started / Developing / Secure) and optional evidence notes you enter for each of the framework elements.
Invoice and payment references | Invoice references and payment records for bank transfer and payment-link transactions. We do not store bank details. Invoice references are retained for billing and HMRC compliance.
Website crawl data | URLs, page content, and compliance findings collected when the Website Check or Website Compliance tool scans your school website. Used to generate compliance reports and auto-populate Quality Standard evidence.
GIAS governor data | Governor names, roles, and appointment dates retrieved from the DfE Get Information About Schools (GIAS) register. Used to populate the Board Intelligence Report and governor profiles.
Ofsted, DfE, and Companies House data | Publicly available inspection history, school performance data, and trust filing records. Used to generate the Board Intelligence Report.
SIP document uploads | School Improvement Plan documents uploaded for AI-assisted priority extraction within School Improvement. Documents are processed transiently by our AI provider and stored in the database for your school's use. They are never used to train AI models.
Governor names and assignments | Governor names assigned to statutory monitoring roles and SIP visit reports within Statutory & Core and School Improvement. Used to generate downloadable visit report documents.
Headteacher termly data | Attendance, exclusions, staffing, budget, SIP progress, and safeguarding data entered via the Headteacher Report tool. Feeds into the Board Intelligence Report.
Faith readiness assessment responses | CES and SIAMS module responses, self-assessment answers, and generated action plans within the faith governance tools.
Trust dashboard aggregated data | Aggregated governance data across schools within a multi-academy trust, displayed on the Trust Dashboard.
School Data Check lookups | School URN submitted for lookup. Published DfE data (attendance, behaviour, performance, staffing) is retrieved and displayed. No personal data is collected beyond the URN.
Agenda Builder selections | Meeting type selections and framework element mappings used to generate structured agenda documents.
Submission timestamp | Records when your assessment was completed.

We do not collect data about individual pupils, staff, or parents. The assessment relates to board-level governance processes only. Do not enter sensitive personal data about individuals in the evidence notes fields.

2.2 Contact form (marketing website)

When you submit the contact form, we collect:

  • Your name and role
  • Your school or organisation name
  • Your email address
  • Your reason for enquiry and message

This data is used solely to respond to your enquiry and provide relevant service information.

2.3 Data we do not collect

  • Passwords (we use passwordless authentication)
  • Card numbers or bank details (we do not store bank details; we retain only invoice references)
  • Device fingerprints or behavioural advertising profiles for marketing
  • Data relating to individual pupils, staff, or parents as intended service input

3 Legal basis for processing

Under UK GDPR, we rely on the following legal bases:

Processing activity | Legal basis
Operating the Quality Standard platform and storing your responses | Legitimate interests, providing the governance Quality Standard service you have registered for. Our legitimate interests do not override your rights; you may request deletion of your data at any time (see section 7).
Sending authentication emails (one-time codes or sign-in links) | Contractual necessity, required to provide access to the platform you have requested.
Processing payments via invoice and bank transfer | Contractual necessity, required to complete the transaction you have initiated and for HMRC compliance.
Responding to contact form enquiries | Legitimate interests, responding to a direct professional enquiry.
Operating free tools (AI Readiness Audit, Faith Inspection Readiness, School Data Check) | Legitimate interests, providing the free governance tools you have chosen to use. You may request deletion of your data at any time.
Notifying operational inboxes when a school submits an assessment | Legitimate interests, operational administration of the service.

4 How we store and protect your data

4.1 Database and authentication (Quality Standard platform and School Portal)

Quality Standard and School Portal data is stored in a managed PostgreSQL database hosted in the EU. Data in transit is encrypted via TLS. Access controls and row-level policies are applied so users can only access data relevant to their own school account.

Access controls are designed so that:

  • Each school can only read and write its own data
  • Only separately authenticated administrative access can view broader service data
  • User-facing deletion is restricted and handled by request workflow

4.2 Website and application hosting

The marketing website is hosted and delivered through a global content delivery network. The School Portal at portal.governanceassurance.co.uk is hosted in the EU (London region). Hosting providers may log access requests including IP addresses as part of standard secure server operation.

4.3 Email (authentication and notifications)

Authentication emails containing one-time sign-in codes or sign-in links, together with notification emails, are sent through configured email infrastructure. Email in transit is encrypted where supported by receiving systems.

4.4 Contact form routing

Website contact-form submissions are processed by the configured form/email provider and used only to route and respond to enquiries.

5 How long we keep your data

Data | Retention period
Quality Standard profile and responses | Retained for the duration of active service use plus 2 years following your last active session, after which data is deleted unless you request deletion sooner.
Authentication emails (sign-in codes or links) | Sign-in codes or links expire after a short period (approximately 1 hour). Transmission metadata follows provider retention settings.
Contact form enquiries | Retained for up to 2 years, or until the enquiry has been resolved and correspondence is no longer needed.
Admin logs and session tokens | Session tokens expire on platform-defined intervals. Access logs are retained in line with provider security defaults.

6 Who we share your data with

We do not sell, rent, or trade personal data. We share data only with the sub-processors necessary to operate the service. We use a small number, in the following categories:

Category | Purpose | Location
Cloud database and authentication | Stores Quality Standard and School Portal data and handles sign-in | EU-hosted
Application and website hosting / CDN | Serves the School Portal and the marketing website | EU (London) / global CDN
AI processing | Document analysis, compliance assessment, scoring, and report and content generation | Outside UK/EU, under SCCs
Transactional email delivery | Sign-in codes and account notifications | Outside UK/EU, under SCCs
Payment link processing | Invoice payment (you are redirected to the provider's hosted page; we do not store bank details) | UK/EU
Identity providers (OAuth) | Optional sign-in with a Google or Microsoft account | Global
Marketing-site services | Contact-form delivery (website only; fonts are self-hosted) | Global

A current, named list of our sub-processors, their roles and data-processing locations is provided to schools and trusts in our Data Processing Agreement and is available to anyone on request from info@governanceassurance.co.uk. We notify customers of any intended change and give an opportunity to object. We may disclose personal data to a third party if required to do so by law, court order, or lawful authority.

We never use your data to train AI models. Your governance data, uploaded documents, and assessment responses are never used to train any AI model. AI processing is carried out by our AI provider through a private API on a transient basis: inputs and outputs are not used for model training, are retained only briefly for trust-and-safety purposes (typically no more than 30 days) and are then deleted. Our AI provider holds recognised independent security certification (currently SOC 2 Type II) and is bound by appropriate UK transfer safeguards (the IDTA or the EU SCCs with the UK Addendum). AI outputs are decision-support aids and do not constitute legal or regulatory advice.

International transfers

Some sub-processors operate infrastructure outside the UK or EU. Where data is transferred outside the UK or EU, this is handled under UK GDPR Chapter V transfer mechanisms, including adequacy decisions, the UK International Data Transfer Agreement (IDTA), or Standard Contractual Clauses where applicable.

7 Your rights under UK GDPR

As a data subject under UK GDPR, you have the following rights. To exercise any of them, contact us via the website contact form. We will respond within 30 days.

Right | What it means
Access | Request a copy of the personal data we hold about you and your school.
Rectification | Request correction of inaccurate or incomplete data.
Erasure | Request deletion of your data. We will delete your profile and all assessment responses from the database within 30 days of a valid request.
Restriction | Request that we restrict processing of your data while a dispute is resolved.
Data portability | Request your assessment data in a machine-readable format (JSON or CSV).
Object | Object to processing based on legitimate interests. If you object, we will cease processing unless we can demonstrate compelling legitimate grounds.
Withdraw consent | Where processing is based on consent, you may withdraw at any time without affecting the lawfulness of prior processing.

There is no charge for exercising your rights. We may ask you to verify your identity before fulfilling a request.

How to make a data subject request

  1. Email info@governanceassurance.co.uk with the subject line "Data Subject Request"
  2. State which right you are exercising (access, rectification, erasure, portability, restriction, or objection)
  3. Include your school name and the email address associated with your account
  4. We will verify your identity and respond within 30 calendar days
  5. There is no charge for exercising your rights

Automated decision-making (Article 22)

The platform uses AI to generate governance reports, extract SIP priorities, and analyse website compliance. These outputs are advisory and support governance decision-making but do not constitute automated decisions with legal or significant effects. No decisions about individuals are made solely by automated means.

Data Protection Impact Assessment

We have conducted a Data Protection Impact Assessment (DPIA) covering the processing activities described in this policy, including AI inference. A copy of the DPIA is available on request from info@governanceassurance.co.uk.

Special category data

The faith governance tools (CES Assurance, SIAMS Assurance, Faith Inspection Readiness) process data about a school's readiness for faith-based inspections. This data relates to institutional governance arrangements, not to the religious beliefs of individual data subjects. We do not process special category data as defined by UK GDPR Article 9. If you believe any data you have entered constitutes special category data, please contact us at info@governanceassurance.co.uk.

8 Cookies

The SGAF Quality Standard platform uses browser localStorage to maintain your session state between pages. This is not a cookie and does not transmit data to external servers, but it does store a session token in your browser.

We do not use tracking cookies, advertising cookies, or analytics cookies.

Web fonts loaded on the site may set technical cookies or log IP address data as part of serving font files. If blocked, the site falls back to system fonts. The School Governance Assurance Framework uses passwordless authentication; no passwords are stored in cookies or session storage.

9 Children's privacy

The SGAF platform is a professional governance tool intended for adults in governance roles (governors, trustees, clerks, headteachers, and governance professionals). It is not directed at or intended for use by children under the age of 18. We do not process pupil-identifiable data.

We do not knowingly collect personal data from anyone under 18. If you believe a child has submitted data through the School Governance Assurance Framework, please contact us via the website contact form and we will delete it promptly.

The platform must not be used to collect, enter, or store personal data about pupils. Assessment responses should relate to board-level governance processes, not to individual children or staff.

10 Changes to this policy

We may update this privacy policy from time to time. Where changes are material, we will notify registered users by service communication or site notice before the changes take effect where practicable.

The date at the top of this page will always reflect the most recent version.

11 Contact and complaints

If you have any questions about this privacy policy, how we handle your data, or wish to exercise your rights, contact us using the website contact form.

If you are not satisfied with our response, or believe we are processing your data unlawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Questions about this policy?

Use the contact form on the main site and mark your message as a privacy request.
