Privacy notice
The plain-English version.
This notice explains how Earn Your Stripes handles personal data — what we collect, why, where it lives, how long we keep it, and the rights you have. We’ve written it for schools and families to read, not for lawyers.
Last updated: May 2026.
Who we are
Earn Your Stripes is operated by Stuart Ridout, a sole trader based in England (“we”, “us”, “our”). We are registered with the UK Information Commissioner’s Office under reference ZC130961.
For pupil data, the school is the data controller (they decide the purpose and means); we act as data processor under the school’s instructions. For our own operational data (school admins, billing contacts) we are the controller. Contact: hello@stripesquest.com.
What we collect
- Pupil identity — first name and last initial, year group, form group. No address, no NHS number, no UPN unless the school chooses to import one.
- Photo and video evidence — uploaded by parents (under-13) or pupils (13+) to record activities. EXIF data is stripped on processing.
- Captions and notes — short written context for each piece of evidence.
- Parent contact — name and email, for under-13 mediation. A magic link is used in place of a password.
- Staff identity — name and email, when the school enrols staff. Sign-in is via magic link today; Microsoft 365 / Google Workspace SSO is on our roadmap.
- Third-party verifier contact — name and email of the coach or instructor invited to sign off a single submission. Held only for the life of the link (≤ 14 days).
- Audit records — every state-changing action (sign-ins, edits, approvals, sign-offs, uploads, exports) and every sensitive view (evidence access, DSL view-as), with timestamp and actor.
- Payment metadata — when a family or school orders a certificate or badge, Stripe handles the card and we receive a reference, amount and outcome only.
- Technical data — sign-in codes, session tokens, standard server logs (IP, browser, request timestamps). Logs are retained for up to 30 days.
We don’t use tracking cookies, advertising networks, or third-party analytics. We don’t sell or share personal data for anyone else’s marketing.
Children’s data
Earn Your Stripes is designed for use in UK schools with pupils aged 5–14. We take the privacy of children seriously and comply with the UK Children’s Code (Age Appropriate Design Code).
- Under-13s are not authentication subjects — they don’t hold an account or a password. Their record sits against a parent account verified by magic link.
- Photo and video evidence is only visible to the pupil’s parent, their form tutor, and (if flagged) the school’s DSL.
- School admins see no evidence artefacts — only aggregate dashboards.
- Third-party verifiers see only the single submission they were invited to sign.
- No advertising, no profiling, no AI training on children’s content.
If you are a parent and want content featuring your child removed, contact the school in the first instance. You can also email us at hello@stripesquest.com.
Lawful basis
We process personal data under UK GDPR on the following bases:
- Public task (Article 6(1)(e)) — the school’s statutory educational function covers pupil processing. The school is the controller.
- Contract (Article 6(1)(b)) — staff and admin accounts, to provide the service the school signed up for.
- Legitimate interests — security logging, abuse prevention, content moderation to protect users including children.
- Consent — verifiable parental involvement for under-13 evidence, and any optional features the school or family chooses to enable.
- Article 9(2)(g) (substantial public interest) — the lawful basis for any incidental special-category data in photos (e.g. religious dress), grounded in safeguarding of children and individuals at risk.
How we use your data
- Operate and deliver the Earn Your Stripes / Tiger Stripes service
- Authenticate parents and staff via passwordless email magic link
- Display a pupil’s progress to their parent and form tutor
- Send transactional emails (sign-in codes, attestation invites, award notifications)
- Run content moderation on every photo and caption before another user sees it
- Investigate safeguarding flags raised by any user
- Process the school’s Active Pupil Pack purchase through Stripe, and fulfil printed certificates and premium pin badges through our print partner
We don’t sell, rent, or share your personal data with third parties for their own marketing purposes.
Automated content moderation
Every image and caption uploaded to Earn Your Stripes is automatically scored by Microsoft Azure AI Content Safety. The scanner returns a severity rating in four categories — hate, sexual, violent and self-harm material — and we act on that rating as follows:
- Content scored below the flag threshold publishes immediately.
- Content scored at medium severity (2–3) is held and routed to the school’s DSL for manual review before another user sees it.
- Content scored at high severity (≥ 4) is blocked outright. A system-generated audit entry records the decision.
- If the moderation service is unreachable, uploads fail closed to manual review — never an unscanned pass.
A human always makes the final call on whether flagged content publishes, is hidden, or is removed. You have the right to object to processing based solely on automated decision-making — our process is always human-in-the-loop for any outcome that affects publication. Moderation results (severity scores, decision, timestamp) are retained alongside the audit record and are deleted when the underlying record is deleted.
Sub-processors
We use two sub-processors. Each processes data only on our instructions and is bound by a data processing agreement.
| Sub-processor | What they do | Location |
|---|---|---|
| Microsoft Azure | Storage (Cosmos DB + Blob), hosting (Container Apps), AI Content Safety moderation, transactional email delivery (Azure Communication Services — sign-in links, attestation requests, award notifications). | UK South |
| Stripe | Payment processing for school Active Pupil Pack purchases. Card data handled directly by Stripe — schools only, never families. | Ireland / United States — covered by SCCs + UK IDTA |
Microsoft does not retain content after scoring and does not use it to train models. Transactional email is delivered within the UK via Azure Communication Services. The only transfer to the United States is card payment processing (Stripe), protected by Standard Contractual Clauses and the UK International Data Transfer Addendum. Opt-in push notifications are delivered through device push gateways (Apple / Google / Mozilla / Expo) and carry only a generic, PII-free alert and an in-app link — never pupil data; Web Push payloads are encrypted to the device.
Retention
- Default pupil retention: until the child leaves the school, plus 2 years. Schools can override this with a shorter period.
- Account close: data deleted within 30 days.
- Residual backup copies: purged within 30 days of deletion.
- Server logs: retained for up to 30 days.
- Audit records: retained beyond the data they reference, to preserve a tamper-evident trail.
Your rights
Under UK GDPR, you (or your child, where you act on their behalf) have the right to:
- Access the personal data we hold
- Correct anything inaccurate
- Delete your data — at submission level or by closing the account
- Restrict or object to certain processing
- Portability — request a full export of the child’s record
- Withdraw consent where processing is based on consent
For pupil data, contact your school first — they are the data controller. For any other queries, or if your school has been unable to help, email us at hello@stripesquest.com. We respond within one calendar month. If you are unhappy with how we have handled your request, you have the right to complain to the Information Commissioner’s Office at ico.org.uk.
Security
- All data is transmitted over HTTPS
- Media files are stored in private Azure Blob containers and served only via short-lived signed URLs
- Magic-link sign-in for parents and staff: single-use codes that expire in 15 minutes and lock out after 5 attempts
- Role-based access — every action funnels through an authorisation guard, with a 48-case automated test suite
- Tenant isolation enforced at the data layer — no cross-school code path
Discovered a security vulnerability? Please report it to hello@stripesquest.com.
Changes to this notice
We may update this notice from time to time. When we do, we update the date at the top. If we make changes that materially affect how we handle personal data, we’ll notify schools and account holders by email.
