Privacy Policy · SchemeMap

Who we are

SchemeMap is a service provided by D4N LTD, a company registered in England and Wales. For the purpose of the UK GDPR and the Data Protection Act 2018, D4N LTD is the data controller for your account data.

Our ICO registration reference is available on our cookies page. If you need to contact us about your data, email privacy@d4n.uk.

What we collect

Your email address and a display name (required for sign-in).
Your school name if you choose to enter one.
Timetable photos you upload for import. Deleted within 30 days of upload.
Your scheme-of-work structure, class names, year groups, and lesson log entries.
Optional homework notes, partial-lesson notes, and missed-reason codes.
Device/browser metadata sent with every HTTP request (standard web logs).

What we do not collect

We never collect pupil data. There is no pupil name, SEND code, photo, grade, or identifier anywhere in our data model. If you find yourself typing a pupil’s name into a notes field, please don’t — use initials or a seating-plan code instead. SchemeMap is designed as a scheme-tracking tool for teachers, not an MIS.

Why we hold it

The lawful basis under UK GDPR Article 6(1)(b) — processing is necessary to provide the service you’ve signed up to. For billing we rely on Article 6(1)(b) contract + Article 6(1)(c) legal obligation (VAT record retention).

Retention

Timetable photos: removed from our storage bucket within 30 days of the import (sooner if you dismiss the import).
Account data: retained while your account is active. Deleted within 30 days of account deletion, except where we’re legally required to keep billing records longer (usually 6 tax years for HMRC).
Web server logs: 30 days.

Your rights (GDPR)

You can exercise these any time via email to privacy@d4n.uk, or directly through settings (export / delete account).

Access — via the Export feature in Settings (JSON + CSV).
Rectification — edit anything in the app, or email us.
Erasure — Settings → Delete account (permanent, cascades).
Portability — the JSON export is designed to be portable.
Objection / restriction — email us, we’ll action within 30 days.
Lodge a complaint with the ICO — ico.org.uk.

Sub-processors

We use the following processors. Each is bound by a DPA and GDPR-compliant.

Supabase Inc. — database, auth, object storage (EU region).
Anthropic PBC — timetable photo analysis via Claude (photo only sent on user upload; not used for training).
Stripe, Inc. — billing and subscription management.
Vercel Inc. — web hosting.
Plausible Insights OÜ — aggregated, cookie-free analytics.

Department tier

If you’re a Head of Department using the Department tier, D4N LTD acts as a processor for the school in respect of the shared SOWs, learning walks, and appraisal notes scoped to your department. Ask us for a DPA — we’ll sign one tailored to your school.

Changes

If we materially change this policy we’ll email you at the address on your account at least 14 days before the change takes effect.