AttendTrack

Privacy Policy

How AttendTrack collects, uses, and protects your data

Last Updated: 6 March 2026

Version 1.0

1. Introduction

This Privacy Policy explains how AttendTrack ('we', 'our', 'us'), operated by Vince James, collects, uses, stores, and protects personal data when schools and educational settings ('you', 'the school') use our AI-powered attendance management platform available at attendtrack.co.uk.

We are committed to handling all personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (DPA 2018), and all other applicable UK data protection legislation.

Please read this policy carefully. By using AttendTrack, you confirm you have read and understood how we process personal data.

2. Who We Are

AttendTrack is operated by Vince James, a sole trader based in Essex, United Kingdom.

3. Our Role Under UK GDPR

AttendTrack acts as a Data Processor on behalf of schools. The school using our platform is the Data Controller and determines the purposes for which personal data is processed. We process data strictly on the documented instructions of the school.

Our full Data Processing Agreement (DPA), which sets out each party's responsibilities, is available as a separate document and must be signed before the school begins using AttendTrack.

4. What Personal Data We Collect

4.1 Data About School Staff

  • Full name and job title
  • Work email address
  • Login credentials (encrypted)
  • Usage logs and activity within the platform

4.2 Data About Pupils

  • Pupil name
  • Year group and class
  • Attendance records (present, absent, late, reason codes)
  • Absence reason information (where provided by the school)

We do not collect or store sensitive special category data about pupils (such as medical information, ethnicity, or SEND status) unless explicitly provided by the school as part of an attendance note or voicemail transcription, in which case the school remains responsible for that data as Data Controller.

4.3 Data Processed via Voicemail (Twilio)

AttendTrack uses Twilio to receive and process voicemail messages left by parents or guardians reporting pupil absences. The following data is processed as part of this feature:

  • Audio recordings of parent/guardian voicemail messages (voice data)
  • Parent/guardian name and phone number (where provided or identifiable from the recording)
  • Pupil name as mentioned in the voicemail
  • Reason for absence as stated by the caller — this may include medical or health information, which constitutes Special Category Data under UK GDPR
  • Transcribed text of the voicemail, generated by AI and displayed on the AttendTrack dashboard

Important: Voice recordings are stored by Twilio on US-based servers by default until explicitly deleted. AttendTrack will seek to delete recordings from Twilio promptly after transcription. However, schools should be aware that a residual period of up to 30 days may apply before recordings are fully purged from Twilio's systems following a deletion request.

4.4 Technical Data

  • IP addresses and device information
  • Browser type and version
  • Usage analytics and session data
  • Error logs

5. How We Use Personal Data

We process personal data solely for the purposes of providing and improving the AttendTrack service, including:

  • Enabling schools to record, monitor, and report on pupil attendance
  • Receiving and transcribing parent/guardian voicemail messages reporting pupil absences
  • Matching transcribed voicemail content against uploaded absence records on the dashboard
  • Generating automated alerts and reports for school staff
  • Providing AI-powered analysis of attendance patterns
  • Sending automated notifications to parents/guardians where the school has configured this
  • Maintaining the security and integrity of the platform
  • Providing customer support

We do not use personal data for marketing, advertising, or any purpose other than providing the service.

6. Legal Basis for Processing

As a Data Processor, we process data under the lawful basis established by the school as Data Controller. Schools typically rely on:

  • Legal obligation — schools are legally required to maintain attendance registers under the Education (Pupil Registration) (England) Regulations 2006
  • Public task — schools acting in their official capacity to fulfil their statutory functions

We process staff account data under the lawful basis of contractual necessity (to provide the service the school has purchased).

7. Data Storage and International Transfers

AttendTrack uses third-party infrastructure providers whose servers are located in the United States of America. Personal data may therefore be transferred to and stored in the US, which is outside the United Kingdom and the European Economic Area (EEA).

7.1 Abacus.AI

AttendTrack is built and hosted on infrastructure provided by Abacus.AI. Pupil attendance records, staff account data, and dashboard content are stored on Abacus.AI servers in the United States.

7.2 Twilio

AttendTrack uses Twilio for voicemail reception and transcription. Parent/guardian voice recordings and transcriptions are processed and stored by Twilio on US-based servers.

7.3 Safeguards

Where personal data is transferred to the United States, we rely on the following safeguards to ensure an adequate level of protection:

  • Standard Contractual Clauses (SCCs) as approved by the UK Information Commissioner's Office (ICO)
  • The UK International Data Transfer Agreement (IDTA) where applicable

8. Data Retention

We retain personal data only for as long as necessary to provide the service and meet our legal obligations:

  • Active account data — retained for the duration of the subscription
  • Attendance records — retained for a maximum of 7 years in line with standard UK education record-keeping guidance, unless the school requests earlier deletion
  • Staff account data — deleted within 30 days of account closure
  • Technical and usage logs — retained for up to 12 months
  • Voicemail audio recordings (Twilio) — deleted promptly following successful transcription; up to 30 days residual retention on Twilio's systems post-deletion request
  • Voicemail transcriptions — retained as part of the attendance record for the duration of the subscription, then deleted within 30 days of account closure

Schools can request deletion of their data at any time by contacting us at the address below.

9. Data Sharing

We do not sell, trade, or rent personal data to any third party.

We may share data with the following categories of third parties solely to deliver the service:

  • Abacus.AI — our platform infrastructure and AI processing provider (sub-processor, US-based)
  • Twilio — our telephony and voicemail transcription provider (sub-processor, US-based)
  • Payment processors — for subscription billing only (no pupil data is shared with payment processors)
  • Legal and regulatory authorities — where required by law

10. Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, loss, alteration, or disclosure, including:

  • Encrypted data transmission using HTTPS/TLS
  • Access controls and authentication requirements
  • Regular review of security practices
  • Staff (where applicable) trained in data protection obligations

In the event of a personal data breach, we will notify affected schools without undue delay and in any event within 72 hours of becoming aware, in accordance with our Incident Response Policy.

11. Your Rights

As a Data Controller, the school (and by extension its staff and the parents/guardians of pupils) may exercise the following rights under UK GDPR:

  • Right of access — to obtain a copy of personal data held
  • Right to rectification — to correct inaccurate data
  • Right to erasure — to request deletion of data (subject to legal retention obligations)
  • Right to restriction — to limit how data is processed
  • Right to data portability — to receive data in a machine-readable format
  • Right to object — to object to certain types of processing

To exercise any of these rights, please contact us at [email protected]. We will respond within one calendar month.

12. Complaints

If you have concerns about how we handle personal data, please contact us in the first instance. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Website: ico.org.uk

Telephone: 0303 123 1113

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify schools of any material changes by email or via in-platform notification. The date at the top of this document reflects when it was last updated.

14. Contact Us

For any questions about this Privacy Policy or our data practices, please contact:

AttendTrack

Operated by Vince James

07533 183823