S
Sound Read Spell← Back

Privacy Policy

Last updated: 12 June 2026

This Privacy Policy explains how Sound Read Spell (“we”, “us”, “our”) collects, uses and protects personal data when you use our website and learning service (the “Service”). We are the data controller for the personal data we collect about you.

1. Who we are

Sound Read Spell is operated by Matthew Stanbury, a qualified teacher based in the United Kingdom. If you have any questions about this policy or how we handle your data, please contact us at soundreadspell@gmail.com. Schools using the Service can also raise queries through their usual data protection channels, and we will co-operate fully with any school or trust Data Protection Officer.

2. What data we collect

We collect and process the following personal data:

  • Account details— email address, password (stored as a one-way hash), and the date your account was created.
  • Subscription and trial state— whether your free trial is active, when it started, and whether you are on a paid subscription.
  • Progress data— which sounds, words, sentences and passages have been practised. This is stored in your browser’s local storage on your own device and is not transmitted to our servers.
  • Anonymous classroom accounts— when a class joins via a teacher’s classroom code, each device is signed in anonymously. These accounts contain no name, no email address, and no information about the child — only a random identifier and a link to the teacher’s session. See section 5.
  • Technical data— standard server logs (request URL, timestamp, IP address, browser type) retained for security and debugging purposes.

3. How we use your data

  • To create and run your account and deliver the Service.
  • To remember your progress between sessions and devices.
  • To manage trials, subscriptions and access rights.
  • To send essential service emails (confirmation, password reset, account notices).
  • To keep the Service secure and detect misuse.
  • To comply with our legal obligations.

4. Lawful basis

Under UK GDPR, we process your personal data on the following bases:

  • Contract— processing that is necessary to provide the Service you have signed up for.
  • Legitimate interests— keeping the Service secure, preventing fraud, and improving the product. We will always balance these interests against your rights.
  • Consent— where we ask you to opt in (for example, any future marketing emails). You can withdraw consent at any time.
  • Legal obligation— where we have to process data to meet a legal requirement.

5. Children’s data

The Service is designed for young children to use with a parent, carer or teacher, and has been built to follow the principles of the ICO’s Age Appropriate Design Code. Accounts can only be created by an adult aged 18 or over. We do not knowingly collect personal data directly from children: there are no free-text fields, forms or prompts asking a child for any information about themselves, no advertising, no profiling, and no behavioural tracking.

Classroom use in schools. When a teacher starts a classroom session, the Service shows a short-lived join code (valid for 15 minutes) as a QR code. Children join on a class device and are signed in anonymously:

  • No child is asked for their name, email address, or any other personal information at any point.
  • The anonymous account stores only a random identifier and a link to the teacher’s session, so the device stays signed in for the lesson.
  • Teachers can see only how many devices joined their session — never which child used which device, and never any per-child data.
  • Practice progress on a class device is stored only in that device’s browser, not on our servers.
  • Anonymous classroom accounts are automatically deleted from our systems within 30 days, and classroom session records within 90 days.
  • Classroom accounts are technically blocked from every adult-facing part of the Service (account settings, sign-up forms, teacher and admin areas).

If you believe a child has submitted personal data without your consent, please contact us and we will delete it.

6. How we share data

We do not sell your personal data. We share data only with service providers who help us run the Service, under contracts that require them to protect your data:

  • Supabase— authentication and database hosting.
  • Google / Firebase— application hosting.
  • Email delivery providers— for confirmation and password-reset emails.
  • Payment processor— if and when we take payments, via a regulated provider such as Stripe. We do not store your card details.

Some of these providers are based outside the UK (for example in the United States). Where that is the case, we rely on appropriate safeguards such as the UK International Data Transfer Addendum or Standard Contractual Clauses.

7. Cookies and local storage

We use strictly necessary cookies to keep you signed in and to preserve your session. We also store small amounts of data in your browser’s local storage to remember your in-progress practice position. We do not use advertising or tracking cookies.

8. How long we keep data

We keep your account data for as long as your account is active, plus a reasonable period afterwards so that you can reactivate, and to meet tax and legal obligations. If you delete your account, we will delete or anonymise your personal data within a reasonable time, except where we are required to keep it by law.

  • Anonymous classroom accounts are deleted automatically within 30 days of being created.
  • Classroom session records are deleted automatically within 90 days.
  • Server logs are short-lived technical records retained by our hosting providers for security and reliability purposes only.

9. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased in certain circumstances.
  • Restrict or object to how we use your data.
  • Receive a copy of your data in a portable format.
  • Withdraw consent where we rely on consent.

To exercise any of these rights, email us at soundreadspell@gmail.com. You also have the right to complain to the UK’s Information Commissioner’s Office (ico.org.uk).

10. Security

We take reasonable technical and organisational measures to protect your data, including encrypted connections (HTTPS), hashed passwords, and strict access controls. No system is perfectly secure, so we cannot guarantee absolute security — please keep your password safe and contact us immediately if you suspect any unauthorised access.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the updated version on this page and change the “Last updated” date at the top. Material changes will be notified to you by email.

12. Contact us

If you have any questions about this Privacy Policy, email soundreadspell@gmail.com.