ReadingFluency.co.uk Logo
ReadingFluency.co.uk

Legal

Privacy policy

Effective date: 7 June 2026

Nectarwood Ltd ("we," "our," or "us") provides Reading Fluency, a reading fluency assessment and progress tracking tool for primary schools (the "Service"). This Privacy Policy explains how we collect, use, disclose and protect personal information when you use Reading Fluency.

1. Information we collect

1.1 Information you provide directly

Account information:

  • Name (teachers)
  • Email address
  • Password (stored encrypted)
  • School or organisation name
  • Year group or role (optional)

Pupil information (provided by teachers):

  • Full name
  • Gender
  • Year group
  • Class
  • SEN (special educational needs) status
  • Pupil Premium status
  • EAL (English as an additional language) status
  • Assessment results and reading progress data

Payment information:

  • Card payments are processed securely through Stripe. We do not store card details.
  • We also accept payment by Bacs bank transfer for schools. Where you pay by Bacs, we hold the billing contact and transaction record only.
  • Billing address and transaction history

1.2 Information collected automatically

Usage data:

  • Assessment activity
  • Time spent in the Service
  • Features used
  • Login timestamps

Technical data:

  • IP address
  • Browser type and version
  • Device type
  • Operating system
  • Cookies and similar technologies

Cookie usage:

  • Reading Fluency marketing site: essential cookies plus optional Google Analytics (with consent)
  • Reading Fluency application: essential cookies only (authentication, security, preferences)

Essential cookies (always active): authentication (keeps you logged in), security (CSRF protection), preferences, cookie consent choice.

Optional cookies (marketing site only, requires consent): Google Analytics for usage analytics. Google Analytics is not used inside the application where pupil data is present.

2. How we use your information

2.1 Legal basis for processing (UK GDPR)

  • Contract: to provide the Service you subscribed to
  • Consent: for marketing communications and optional features
  • Legitimate interest: for service improvement, security and fraud prevention
  • Legal obligation: to comply with applicable laws

2.2 Purposes of processing

  • Provide the Service: create accounts, run assessments, track progress, generate reports
  • Process payments: handle subscriptions and billing
  • Improve the Service: analyse usage patterns and feedback
  • Communicate with you: service updates, support responses, educational tips
  • Ensure security: prevent fraud and malicious activity
  • Comply with legal obligations

3. Your rights and choices

3.1 Your UK GDPR rights

You have the right to: access, rectification, erasure, restriction, portability, objection, and to withdraw consent.

3.2 Exercising your rights

  • Email: support@readingfluency.co.uk
  • Include your name, email and specific request
  • Response time: within 30 days
  • We may request identity verification

4. Data security

We implement appropriate technical and organisational measures:

  • Encryption: data encrypted in transit (TLS 1.2 or higher) and at rest (AES-256)
  • Access controls: role-based access, limited on a need-to-know basis, row-level security at the database level
  • Authentication: secure password requirements, hashed storage (bcrypt via Supabase Auth)
  • Regular security reviews
  • Secure hosting: UK-based managed infrastructure

4.1 Data breach response

  • We will notify the ICO within 72 hours where required
  • We will notify affected users without undue delay
  • We will provide clear information and take immediate action to contain and remediate

4.2 Administrator access

To maintain and support the Service, a small number of authorised administrators at Nectarwood Ltd can access system data where strictly necessary for technical maintenance, security monitoring, support and resolving issues. This access is limited to those purposes, is logged and audited, and is never used to view pupil data for any other reason. Your school's data remains yours, processed only on your instructions as set out in our Data Processing Agreement.

5. Children's privacy

5.1 Our approach

Reading Fluency is used by teachers in primary schools. Teachers create and manage pupil records; children do not create their own accounts. We collect the minimum pupil data needed to assess and track reading fluency.

5.2 Pupil data protection

  • We comply with the UK Data Protection Act 2018 and UK GDPR
  • Pupil data is used only for educational purposes
  • Schools and teachers can request pupil data deletion
  • We do not show advertising to children
  • We do not sell or share pupil data for marketing

6. Data retention

Active accounts:

  • Account data: retained while the account is active
  • Assessment data: retained while the account is active
  • Usage logs: retained for 12 months

Deleted accounts:

  • Personal data deleted within 30 days
  • Some data retained for legal compliance (for example, payment records for tax purposes: 7 years)
  • Anonymised usage statistics may be retained

7. International data transfers

7.1 Data storage location

Your core data (pupil records, assessment records, staff records) is stored and processed in the United Kingdom (London, AWS eu-west-2 region). We use a small number of ancillary sub-processors located in the EU and the US, listed below.

7.2 Sub-processors

  • Supabase (database and authentication): UK (London). GDPR compliant.
  • Vercel (hosting and CDN): US. ISO 27001, SOC 2 Type II, GDPR compliant.
  • Stripe (card payment processing): US. PCI DSS Level 1, covered by the EU-US Data Privacy Framework and UK Extension.
  • Resend (transactional email, e.g. confirmation and password reset): US. Covered by the EU-US Data Privacy Framework and UK Extension.
  • Brevo (marketing and onboarding email): EU (France). GDPR compliant, ISO 27001.
  • Google Analytics (marketing site only, with consent): US. Covered by the EU-US Data Privacy Framework.

A current list of sub-processors is maintained at readingfluency.co.uk/sub-processors.

8. Communications and marketing

Essential service communications (cannot opt out): account security alerts, payment and billing notices, critical service updates, legal and policy changes, support responses.

Optional marketing communications (you can opt out): educational tips and strategies, new feature announcements, product updates, educational resources, special offers.

How to opt out: click "unsubscribe" in any marketing email, update preferences in your account settings, or email support@readingfluency.co.uk.

9. Automated decision making

We do not use automated decision-making or profiling that produces legal or similarly significant effects. Data analysis is used only to generate educational reports, track pupil progress, and improve the Service.

10. Contact information

10.1 Data controller for our own records

  • Name: Nectarwood Ltd
  • Email: support@readingfluency.co.uk
  • Address: Suite A, 82 James Carter Road, Mildenhall, IP28 7DE
  • ICO Registration: ZC112415

10.2 Response times

  • General inquiries: 5 working days
  • UK GDPR rights requests: 30 days
  • Data breach notifications: 72 hours

10.3 Complaints

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO): ico.org.uk, telephone 0303 123 1113.

11. Changes to this policy

We may update this Privacy Policy periodically. Material changes will be communicated via email or prominent website notice at least 30 days before they take effect. Continued use of the Service after changes constitutes acceptance of the new policy.

This Privacy Policy is effective from 7 June 2026 and replaces all previous versions.