Privacy Policy
Last updated: May 2026
1. Introduction
The Safeguard Hub ("we", "us", or "our") is committed to protecting your privacy and ensuring the security of any personal information you provide to us. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our website (safeguard-hub.org) and services.
We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.
2. Data Controller
The Safeguard Hub is the data controller responsible for your personal data. If you have any questions about this Privacy Policy or our data practices, please contact us at:
Email: privacy@safeguard-hub.org
Website: safeguard-hub.org
3. Information We Collect
We may collect and process the following types of personal data:
3.1 Information You Provide
- Contact information (name, email address) when you contact us
- Professional information (organisation, role) for portal access requests
- Any information you provide in correspondence with us
- Newsletter subscriptions: If you subscribe to our newsletter, we collect your name and email address. These are stored securely in our database and used solely to send you safeguarding updates. You may unsubscribe at any time by contacting privacy@safeguard-hub.org.
- AI Policy Generator: When you use our Policy Generator tool, you provide school or organisational details (school name, DSL name, headteacher name, school type, local authority, and academic year). These details are sent to our AI provider (Anthropic, via Replit's managed infrastructure) solely to generate your customised document. We do not store this information after the document is generated. No pupil data, safeguarding case information, or personal data of children should be entered into this tool.
- Site Supporter payment portal: When you sign up as a Site Supporter via our payment portal (/payments/), we collect your full name, company name, email address, telephone number, and invoice number. This information is stored securely in our database and used solely to administer your sponsorship arrangement and contact you regarding your listing. Card payment details are processed directly by our payment processor, Square, and are never stored on our systems.
3.2 Automatically Collected Information
- Technical data: IP address, browser type and version, operating system
- Usage data: pages visited, time spent on pages, navigation paths
- Cookie data: as described in our Cookie Policy
- Approximate location data: On our Site Supporters page, we use your IP address to determine your approximate county or town. This allows us to show you supporters who are local to you. Your IP address is passed to a third-party geolocation service (ip-api.com) solely for this purpose. It is processed in real time, is not stored on our systems, and is not linked to any other personal information.
4. How We Use Your Information
We use your personal data for the following purposes:
- Service delivery: To provide access to our safeguarding resources and professional portal
- Payment processing: To process Site Supporter advertising payments, administer sponsorship arrangements, publish your business listing, and contact you about your account
- Local supporter matching: To show you Site Supporters relevant to your county or town, using your IP address for approximate geolocation. This lookup is transient — no location data is retained.
- Communication: To respond to your enquiries and provide support
- Website improvement: To analyse usage patterns and improve our services
- Legal compliance: To comply with our legal and financial record-keeping obligations
- Security: To protect our website and users from fraud and abuse
5. Legal Basis for Processing
We process your personal data on the following legal bases under UK GDPR:
- Consent (Article 6(1)(a)): Where you have given clear consent for us to process your data for a specific purpose, such as newsletter subscriptions
- Performance of a contract (Article 6(1)(b)): Where processing is necessary to perform a contract with you — including processing your payment details and administering your Site Supporter sponsorship arrangement
- Legal obligation (Article 6(1)(c)): Where we need to comply with a legal obligation, including financial record-keeping requirements under the Companies Act 2006 and HMRC rules
- Legitimate interests (Article 6(1)(f)): Where processing is necessary for our legitimate interests, such as improving our services and protecting our website
6. Data Sharing
We do not sell your personal data. We may share your data with:
- Service providers: Third-party companies who assist in operating our website (hosting, analytics)
- Payment processor (Square): When you make a payment via our Site Supporter portal, your card details and billing information are transmitted to and processed by Square (Block, Inc.), our payment processor. Square acts as a data processor on our behalf. Your card details are processed and stored solely by Square — we do not receive or store your card number, expiry date, or CVV. Square's privacy policy is available at squareup.com/gb/legal/privacy. Square may transfer data outside the UK; they operate under appropriate international transfer safeguards.
- AI provider (Anthropic): When you use our Policy Generator, the school details you enter are transmitted to Anthropic's API (via Replit's managed AI infrastructure) to generate your document. Anthropic processes this data as a data processor on our behalf. This data is not retained by us after generation. Please do not enter personal data about children or vulnerable individuals into the Policy Generator.
- Geolocation provider (ip-api.com): Your IP address is shared in real time to determine your approximate location for supporter matching. It is not retained.
- Legal authorities: When required by law or to protect our rights
- Safeguarding partners: Where necessary to protect children or vulnerable adults at risk (in accordance with statutory safeguarding duties)
All third parties are contractually obligated to protect your data in accordance with UK GDPR.
7. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specifically:
- Contact enquiries: 2 years from last contact
- Portal access records: Duration of access plus 1 year
- Analytics data: 26 months (anonymised)
- Site Supporter payment records (name, company, email, telephone, invoice number, payment reference): 7 years from the date of payment, in accordance with HMRC requirements and the Companies Act 2006
- Newsletter subscriptions: Until you unsubscribe, and then deleted within 30 days
8. Your Rights
Under UK GDPR, you have the following rights:
- Right of access: Request a copy of your personal data
- Right to rectification: Request correction of inaccurate data
- Right to erasure: Request deletion of your data ("right to be forgotten")
- Right to restrict processing: Request limitation of how we use your data
- Right to data portability: Receive your data in a portable format
- Right to object: Object to processing based on legitimate interests
- Right to withdraw consent: Withdraw consent at any time where processing is based on consent
To exercise any of these rights, please contact us at privacy@safeguard-hub.org. We will respond within one month.
9. Data Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction. These measures include encryption, secure hosting, access controls, and regular security assessments.
10. International Transfers
We primarily store and process your data within the United Kingdom. If we transfer data outside the UK, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by the ICO.
11. Children's Privacy
Our website provides safeguarding resources that may be accessed by young people. We do not knowingly collect personal data from children under 13 without parental consent. If you believe a child has provided us with personal data, please contact us immediately.
12. Complaints
If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113
13. Changes to This Policy
We may update this Privacy Policy from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically.