Last updated: June 2025

GDPR Statement

Pathlight is designed around UK GDPR compliance from the ground up, with particular care for the handling of children's personal data.

Our ICO registration

Pathlight is registered with the Information Commissioner's Office (ICO) as required under the UK Data Protection Act 2018. We process personal data commercially and maintain this registration annually.

Data controller vs data processor

For leader account data

Pathlight is the data controller. We decide what data to collect from leaders (name, email, role) and why. Our lawful basis is contract performance.

For children's data

The group leader is the data controller. Pathlight is a data processor acting on their instructions. Leaders are responsible for consent.

Lawful basis for processing

Leader account data

Lawful basis: Contract performance. We need your name and email to provide the service you have signed up for.

Children's data (stored by leaders)

Lawful basis: Legitimate interests. Group leaders have a legitimate interest in maintaining accurate records for the children in their care, including safety-critical information such as allergies and medication. Leaders must additionally hold parental or guardian consent.

Payment data

Lawful basis: Contract performance + legal obligation. Payment records are retained for 7 years as required by UK financial regulations. Card details are never stored by Pathlight — they are handled entirely by Stripe.

Children's data — Article 8 and special categories

Pathlight stores health-related information (allergies, medication) about children. Under UK GDPR, health data is a special category of personal data requiring additional protections. We handle this by:

  • Requiring leaders to confirm they hold parental consent before using the service
  • Using row-level security so only authorised leaders can access their group's data
  • Encrypting all data in transit and at rest
  • Storing the minimum data necessary
  • Enabling leaders to delete individual children's records immediately on request

Data Processing Agreement

By accepting our Terms of Service, you enter into a Data Processing Agreement (DPA) with Pathlight. This agreement sets out:

  • That we will process children's data only on your instructions
  • That we will implement appropriate technical and organisational security measures
  • That we will not sell or share the data with third parties for any other purpose
  • That we will notify you of any data breach within 72 hours of becoming aware of it
  • That we will delete all data within 30 days of account cancellation
  • That we will assist you in responding to data subject requests

We have equivalent DPAs in place with our sub-processors: Supabase, Stripe, and Resend.

Data transfers

All data is stored within the UK/EU. Our primary data centre is Supabase's EU West (London) region. No personal data is transferred to countries outside the UK/EU.

Breach notification

In the event of a personal data breach, Pathlight will:

  • Notify affected customers within 72 hours of becoming aware of the breach
  • Report to the ICO where required under UK GDPR
  • Take immediate steps to contain and assess the breach
  • Provide full details of what happened, what data was affected, and what steps have been taken

Contact for data matters

For all GDPR and data protection enquiries: privacy@pathlight.app

We will respond within 30 days. For urgent matters, please state this in your subject line.

If you are not satisfied with our response, you have the right to complain to the ICO at ico.org.uk/make-a-complaint.