Last updated: June 2025
Privacy Policy
Pathlight is built in the UK and designed from the ground up to handle children's personal data responsibly. This policy explains what we collect, why, how long we keep it, and your rights under UK GDPR.
1. Who we are
Pathlight is operated as a sole trader business in the United Kingdom. We are registered with the Information Commissioner's Office (ICO) under the UK Data Protection Act 2018.
Contact us at: privacy@pathlight.app
2. Who is the data controller?
For data about leaders (your name, email address, account details): Pathlight is the data controller.
For data about children stored in Pathlight (names, dates of birth, award records, safety information): the group leader who added that child is the data controller. Pathlight acts as a data processor on their behalf. This means the leader is responsible for ensuring they have appropriate consent from parents or guardians before storing a child's data in Pathlight.
3. What data we collect
About leaders (account holders)
- Name and email address
- Encrypted password (we never see your password in plain text)
- Role title within your group
- Login timestamps and activity logs
- Payment information (processed by Stripe — we never store card details)
About children (stored by leaders)
- First name and last name initial
- Date of birth
- Section or sub-group name
- Award completion dates
- Whether they have made their Promise
- Allergy and dietary information (if the leader records this)
- Medication details (if the leader records this)
- Photo consent status
- Notes added by leaders
Technical data
- Session cookies (essential for keeping you logged in)
- Server logs (IP address, request timestamps — retained for 30 days)
4. Our lawful basis
For leader account data: Contract performance — you have agreed to our Terms of Service and we need your data to provide the service.
For children's data: Legitimate interests — group leaders have a legitimate interest in maintaining accurate records for the children in their care, including safety information. Leaders must additionally ensure they hold appropriate parental or guardian consent.
For marketing communications: We only contact you about your account and service updates. We will ask for explicit consent before any other marketing.
5. Children's data — special considerations
Pathlight handles information about children under 18. We take this responsibility extremely seriously.
- We collect only the minimum data necessary to provide the service
- We never sell, share, or use children's data for advertising or analytics
- All data is stored in encrypted form in secure UK/EU infrastructure
- Only leaders with verified accounts can access their group's data
- Leaders can delete any individual child's record at any time
- Parents or guardians can request deletion by contacting their group leader, who can action this directly in Pathlight
6. How long we keep data
- Active accounts: Data is retained for as long as your account is active
- Cancelled accounts: All data is permanently deleted within 30 days of account cancellation
- Individual child records: Deleted immediately when a leader removes them
- Payment records: Retained for 7 years as required by UK financial regulations (held by Stripe)
- Server logs: Deleted after 30 days
7. Who we share data with
We use a small number of trusted sub-processors to operate the service:
Supabase (database and authentication)
EU West (London) data centre. ISO 27001 and SOC 2 Type 2 certified. Supabase's own privacy policy covers their processing.
Stripe (payment processing)
PCI DSS Level 1 certified. We share only the minimum information required to process your subscription. Card details go directly to Stripe — we never see them. Stripe's own privacy policy covers their processing.
Resend (transactional email)
Used to send account confirmation and password reset emails. We share only your email address for this purpose. Resend's own privacy policy covers their processing.
We do not share your data with any other third parties. We do not sell data. We do not use data for advertising.
8. Your rights under UK GDPR
- Right of access: Request a copy of all data we hold about you
- Right to erasure: Request deletion of your data (subject to legal retention requirements)
- Right to portability: Request your data in a machine-readable format (CSV export available in Settings)
- Right to rectification: Correct any inaccurate data we hold
- Right to restrict processing: Ask us to pause processing of your data
- Right to object: Object to processing based on legitimate interests
To exercise any of these rights, email privacy@pathlight.app. We will respond within 30 days.
If you are not satisfied with our response, you have the right to complain to the ICO at ico.org.uk.
9. Cookies
Pathlight uses only essential cookies required to keep you logged in. We do not use advertising cookies, analytics cookies, or any form of tracking across other websites. See our Cookie Policy for full details.
10. Security
- All data encrypted in transit (TLS 1.3) and at rest
- Row-level security — leaders can only access their own group's data
- Two-factor authentication available for all accounts
- Access tokens expire after a short period of inactivity
- Invite codes required to join a group
11. Changes to this policy
We will notify you by email of any material changes to this policy. The date at the top of this page shows when it was last updated.
Questions about this policy? Email privacy@pathlight.app