Draft — pending legal review. This document is a template. It has not yet been reviewed by a UK-qualified solicitor. Do not rely on it for binding agreements until the final version is published.

Privacy Policy

Last updated: 16 May 2026

1. Who we are

This Privacy Policy explains how Nine Pebbles (“we”, “us”, “our”) handles personal data when you use our platform at app.ninepebbles.com (the “Service”).

For staff and parent users of education businesses that use the Service (“Customers”), the Customer is the data controller of your personal data and we act as a data processor on their behalf. For visitors to our marketing pages, for people who use our sign-up flows, and for the billing administrators of Customer accounts, we act as a controller. This Policy covers both roles.

2. Data we collect

2.1 Account data (controller role)

  • Names, email addresses, phone numbers, organisation name and role of administrators who sign up.
  • Billing details (last four digits of payment card, billing address), processed by Stripe on our behalf.
  • Login activity (IP address, browser type, timestamps).

2.2 Customer Data (processor role)

Customers upload data about their students, parents, staff, and operations. This typically includes:

  • Student details: name, date of birth, year group, attendance, lesson notes, progress reports.
  • Parent/guardian details: name, contact information, relationship to student, billing arrangements.
  • Staff details: name, role, employment data, timesheets.
  • Financial data: invoices, payments, refunds.
  • Safeguarding and incident records, where relevant.

We process this data on the Customer’s documented instructions, in accordance with our Data Processing Agreement.

2.3 Technical and usage data

  • Server logs (IP address, request path, response code, timestamps).
  • Device information (browser, operating system, screen size).
  • Cookies and similar technologies, as described in our Cookies Policy.

3. Lawful bases (UK GDPR)

We rely on the following lawful bases under Article 6 UK GDPR:

  • Contract — for processing necessary to provide the Service to a Customer (account management, billing, support).
  • Legitimate interests — for service operation, security, fraud prevention, product analytics, and direct marketing to existing business contacts, in each case only where our interests are balanced against your rights.
  • Legal obligation — for tax, accounting, regulatory records, and responding to lawful requests.
  • Consent — for non-essential cookies and for marketing emails to new prospects. Where we process special-category data on a Customer’s instructions, the Customer, as controller, is responsible for its own lawful basis and Article 9 condition (including consent, where it relies on consent); see section 4.

4. Special category and children’s data

When Customers use the Service to manage nurseries and schools, they may upload data relating to children, and that data may include special-category data relating to health, disability, religion, or ethnicity (for example, dietary requirements, medical conditions, safeguarding notes). We process this only on the Customer’s instructions and apply additional access controls to safeguarding records. Customers are responsible for ensuring they have an appropriate Article 6 lawful basis and Article 9 condition for such processing.

5. How we use data

  • To deliver, maintain and improve the Service.
  • To process payments and send transactional emails (invoices, receipts, password resets, security alerts).
  • To provide customer support and resolve issues.
  • To detect, prevent and address fraud, security incidents and abuse.
  • To comply with legal obligations.
  • To send marketing communications about Nine Pebbles, with your separate consent or, for existing business contacts, under the legitimate-interests basis described in section 3.

6. Sharing data

We share personal data with:

  • Sub-processors we use to operate the Service. Current sub-processors:
    • Supabase (database and authentication hosting, EU region)
    • Vercel (application hosting)
    • Stripe (card payment processing)
    • GoCardless (Direct Debit processing)
    • Resend (transactional email)
    • Anthropic (AI features — only when AI features are explicitly invoked)
  • Professional advisers (lawyers, accountants, auditors) under confidentiality.
  • Authorities when required by law, court order, or in response to a valid request from law enforcement.
  • An acquirer if Nine Pebbles is sold or merges — subject to equivalent privacy protections.

We do not sell personal data.

7. International transfers

Our primary infrastructure is hosted within the EEA and UK. Some sub-processors (e.g. Stripe, Vercel, Anthropic) may process data in the United States. Where this occurs, we rely on Standard Contractual Clauses, the UK International Data Transfer Agreement, or equivalent safeguards to ensure your data is protected.

8. Retention

We retain personal data for as long as needed to provide the Service or comply with legal obligations. Typical periods:

  • Active account data — for the life of the subscription.
  • Customer Data after termination — 30 days export window, then deleted from active systems within a further 60 days.
  • Backups — up to 12 months. Data deleted from active systems may remain in backups until those backups expire.
  • Financial records (UK tax requirement) — 6 years.
  • Audit logs — 7 years for security and compliance reasons.

Customers can configure shorter retention periods for some data types within their Service settings.

9. Security

We use industry-standard measures to protect your data: encryption in transit (TLS 1.2+) and at rest (AES-256), Row-Level Security on all tenant tables so that each Customer’s data is isolated at the database layer, role-based access controls, multi-factor authentication for our staff, audit logging, automated vulnerability scanning, and least-privilege access for our team. No system is perfectly secure. If a personal data breach occurs, then where we act as processor we will notify the affected Customer without undue delay so that they can meet their own notification duties as controller, and where we act as controller we will notify the ICO and affected individuals in line with our legal obligations.

10. Your rights (UK GDPR)

You have the right to:

  • Access the personal data we hold about you.
  • Have inaccurate data corrected.
  • Have your data erased in certain circumstances.
  • Restrict or object to processing.
  • Data portability.
  • Withdraw consent at any time, where we rely on consent.
  • Lodge a complaint with the UK Information Commissioner’s Office (ico.org.uk).

If you are a staff or parent user of a Customer’s Service instance, please direct rights requests to your Customer first — they are the controller of your personal data and have the in-app tools to fulfil requests. If you cannot reach them, contact us and we will assist.

11. Children

The Service is not designed for direct use by children under 13. We process children’s data only on behalf of our Customers (i.e. education businesses) in the ordinary course of their operations.

12. Marketing

We may send service-related transactional emails (these are required for the Service to function and cannot be opted out of while you have an account). With your consent, we may also send marketing emails about new features and best practices. You can opt out of marketing at any time via the link in any marketing email or in your account preferences.

13. Changes to this Policy

We may update this Policy from time to time. Material changes will be notified by email and in-app banner at least 30 days before they take effect. The “Last updated” date at the top of this page reflects the latest revision.

14. Contact us

For data protection enquiries: [email protected].
For complaints to the UK regulator: the Information Commissioner’s Office at ico.org.uk (telephone 0303 123 1113).


This Privacy Policy is a template intended as a starting point. It has not been reviewed by a UK-qualified solicitor or Data Protection Officer and may not reflect the specific processing activities, sub-processor list, or international transfer arrangements that apply to your Nine Pebbles deployment. Please obtain independent legal advice and complete an up-to-date Record of Processing Activities (ROPA) before relying on it.