The Headteacher’s Report Limited
The Headteacher’s Report Limited (“we”, “us”, “our”) is a company registered in England and Wales (Company No. 222374336).
Registered Office:
3000 Aviator Way
Manchester Business Park
Manchester
M22 5TG
We are registered with the Information Commissioner’s Office (ICO).
For all data protection enquiries:
📧 [email protected]
Depending on the context, we act as either:
When processing:
Website visitor information
Account registration details
Direct enquiries
Marketing subscriptions
Billing and administrative records
When providing our platform services to schools.
In these cases:
The school is the Data Controller
We act as Data Processor under Article 28 UK GDPR
We process data only on the documented instructions of the school
We provide an online platform that assists schools with:
Headteacher reporting
Self-evaluation documentation
Policy documentation
Compliance-related drafting
AI-assisted content generation
We may process:
Name
Email address
School name and address
Telephone number
Login credentials
Communication history
Where schools use our platform, we may process:
Aggregated pupil population data
Attendance statistics
Demographic breakdowns (non-identifiable)
School-level performance summaries
Staff role information (non-sensitive)
Self-evaluation responses
Policy documentation
Via our integration with the Wonde API:
We do not request or require directly identifiable pupil data (such as names, addresses, dates of birth, UPNs).
We do not intentionally process identifiable pupil-level records within report outputs.
Data is used in aggregated and statistical form.
Schools remain responsible for ensuring that only necessary and proportionate data is entered into the system.
We rely on:
Article 6(1)(b) Contract – To provide account access and services
Article 6(1)(f) Legitimate Interests – To operate and improve our services
Article 6(1)(c) Legal Obligation – For compliance with applicable laws
Article 6(1)(a) Consent – For marketing communications where required
Schools determine the lawful basis for the data they provide.
This will typically be:
Article 6(1)(e) Public Task
Article 6(1)(c) Legal Obligation
Where any special category data is processed, the school remains responsible for identifying the appropriate Article 9 condition.
Our platform uses a commercial version of the ChatGPT API provided by OpenAI to generate suggested draft text.
Schools enter contextual and statistical information into our secure portal.
Our system transmits relevant content securely via API to the AI provider.
Schools do not submit data directly to the AI provider.
AI-generated outputs are draft suggestions only.
All AI outputs require human review and approval before use.
We use a paid commercial API service.
Data submitted via API is not used to train public AI models.
We instruct schools not to enter directly identifiable pupil data.
The system does not make automated decisions about individuals.
The AI functionality is an assistive drafting tool only.
We use carefully selected third-party service providers who act as Sub-Processors when we act as Data Processor.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Wonde | MIS integration | UK |
| Linode | Cloud hosting | UK |
| Google Workspace | Business operations & backups | UK/EU/US |
| MailChimp | Email communications | US |
| OpenAI | AI text generation | US |
All Sub-Processors are subject to contractual data protection obligations.
Some of our service providers operate internationally.
Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:
UK International Data Transfer Agreements (IDTA)
UK Addendum to Standard Contractual Clauses
Adequacy decisions where applicable
We implement appropriate technical and organisational measures, including:
HTTPS secured with TLS encryption
Encrypted database backups
Encrypted inter-server communications
Role-based access controls
Secure API authentication
Firewall protection
Restricted administrative access
Access to personal data is limited to authorised personnel only.
We retain personal data only for as long as necessary to provide our services and fulfil our contractual and legal obligations.
Account data is retained while an active relationship exists between the school and The Headteacher’s Report Limited.
Where a school subscription ends or an account is cancelled, associated data may be retained for a limited period to allow for account reactivation or retrieval of information if required. After this period, data will be permanently deleted from our active systems.
Schools remain the Data Controller for any personal data entered into the platform and may request the deletion of their data at any time in accordance with contractual and legal requirements.
Where deletion is requested, we will remove the relevant data from our active systems so that it is no longer accessible through the platform.
Encrypted system backups are maintained for operational resilience and disaster recovery purposes. Backup copies are retained only for a limited period and are automatically overwritten in accordance with our backup rotation policies.
Where data has been deleted from active systems, any residual copies contained within backup archives will be removed automatically as part of the normal backup lifecycle.
In the event of a personal data breach affecting school data:
We will notify the relevant Data Controller (the school) without undue delay.
We will cooperate fully in any required investigation or regulatory notification.
Individuals have the right to:
Access their personal data
Rectify inaccurate data
Request erasure
Restrict processing
Object to processing
Data portability
Lodge a complaint
Complaints may be made to:
Information Commissioner’s Office
www.ico.org.uk
If required personal data is not provided, we may be unable to:
Create user accounts
Provide access to the platform
Deliver contracted services
We may update this policy periodically to reflect legal, technical or operational changes. The latest version will always be available on our website.
In providing our services to schools, we act as a Data Processor in accordance with Article 28 UK GDPR.
The school remains the Data Controller and is responsible for determining the lawful basis and purpose for processing personal data entered into our platform.
We process data solely in accordance with the school’s instructions and our contractual agreement.
Our platform uses a commercial Artificial Intelligence (AI) service accessed via the ChatGPT API to generate suggested draft text for documents such as:
Headteacher reports
Self-evaluation documents
Policy summaries
Compliance documentation
Users enter relevant contextual and statistical information into our secure portal. Our system then submits appropriate data to the AI service via secure API in order to generate draft content.
Schools do not submit data directly to the AI provider.
All AI-generated content is subject to human review and approval before use.
Data submitted to the AI service may include:
Aggregated pupil population data
Attendance statistics
Assessment summaries
Policy information
Contextual school information
Self-evaluation responses
We do not require directly identifiable pupil data (such as names, dates of birth, addresses or unique identifiers) to be entered into the system.
Schools are responsible for ensuring that only necessary and proportionate personal data is entered into the platform.
We use a paid commercial version of the ChatGPT API provided by OpenAI as a Sub-Processor.
Where personal data is transferred outside the United Kingdom, appropriate safeguards are in place in accordance with Chapter V of the UK GDPR. These safeguards may include:
UK International Data Transfer Agreements (IDTA), or
The UK Addendum to EU Standard Contractual Clauses.
Details of our Sub-Processors are available upon request.
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:
Encrypted transmission (HTTPS/TLS)
Secure API authentication
Access controls
Role-based permissions
Commercial terms with the AI provider that limit data use beyond service provision
The AI system generates draft text only. It does not:
Make automated decisions about individuals
Produce legally binding outcomes
Replace professional judgement
All outputs require human review.