How we handle your data.
Last updated: June 2026. You can use GrammarBound's map without an account, and the postcodes you search stay in your browser except to be geocoded. If you create a free or Pro account, we store the details you save — your addresses, tracked schools, commute settings and child profile — so they're there next time you sign in.
Data controller
Joseph Spence, operating as GrammarBound. Contact: privacy@grammarbound.co.uk
What data we collect
What we process depends on whether you use the map anonymously or sign in to an account.
Used anonymously (no account)
- Postcodes — entered by you in the search box, sent to the postcodes.io API to obtain coordinates. Not stored on our servers.
- Pin coordinates — latitude/longitude of map pins you place, held transiently in your browser URL and session only. Not stored on our servers.
- Browser local storage — outcome tracker data (e.g. "Applied", "Offered") and any Admissions Index Report you generate are stored in your browser's
localStorageonly and are not transmitted to us.
When you create an account
Accounts (free or Pro) are provided through Supabase Auth. When you register or sign in we store the following in our database:
- Account details — your email address and an encrypted (hashed) password, managed by Supabase Auth. We never store your password in plain text.
- Tracked schools — the schools you add to your watchlist.
- Saved addresses (Pro) — postcodes and optional labels you choose to save.
- Commute preferences (Pro) — your travel mode (walk, drive or public transport) and maximum journey time.
- Child profile (optional, free for signed-in users) — to personalise eligibility and tier analysis we save only non-sensitive admissions facts about your child or children: an optional nickname, a home postcode, service-family (service premium) status, and links to schools where they have a sibling or a parent on the staff. We do not collect your child's name, date of birth or test scores, and we do not store sensitive criteria (see Children's data below).
- Billing record — your subscription tier, its expiry, subscription status and the Stripe customer/subscription identifiers needed to manage your plan. We never see or store your full card details.
All of this account data is optional beyond your email address — you choose what to save, you can edit or clear each item at any time from your account, and deleting your account removes it.
Children's data
The saved child profile is provided by you, the parent, carer or guardian, to tailor the eligibility and tier indications to your circumstances, and holds only the non-sensitive admissions facts listed above. Providing it is optional, every field can be left blank or cleared, and it is only ever used to personalise what you see — never for advertising, and never shared with third parties.
Sensitive circumstances are not stored. The more sensitive admissions criteria — Pupil Premium eligibility, looked-after or previously-looked-after status, an Education, Health and Care Plan (EHCP), and exceptional medical or social need — are entered as on/off toggles under Tier analysis on the map. These are held only in your browser for the current session (they clear when you close the tab or sign out) and are never sent to or stored on our servers. You can delete the saved profile, or your whole account, at any time.
How we use your data
- To provide the map, eligibility indications and personalised tier analysis you request.
- To create and secure your account and keep you signed in.
- To process Pro payments and manage your subscription.
- To understand aggregate usage and improve performance.
Under UK GDPR our lawful bases are: performance of a contract (running your account and subscription), your consent (the optional child profile and other saved details), and our legitimate interests (keeping the service secure and improving it).
Where your data is stored and who processes it
We use the following service providers (processors), some of which may receive personal data:
- Supabase — hosts our database and authentication, storing your account, saved details and child profile. Your data is held in Supabase's London (UK / West Europe) region.
- Vercel — hosts the website and serverless functions, and provides privacy-friendly, cookie-less Web Analytics and Speed Insights (aggregated usage and performance data).
- Stripe — processes payments and manages subscriptions. Card details are entered with and held by Stripe, not us.
- OpenRouteService — receives map coordinates (not your identity) to calculate walking and driving commute times for the Pro commute overlay.
- Google Maps Platform (Routes API) — when you choose the public-transport commute mode, receives the pin and school map coordinates (not your identity) to calculate public-transport journey times. Google processes this data outside the UK under appropriate safeguards.
- postcodes.io — receives postcodes, and the coordinates of a pin you drop on the map, for geocoding. See their privacy policy at postcodes.io.
- CartoDB / CARTO and ESRI — provide map tiles. Your IP address may be visible to these services.
- jsDelivr / unpkg — CDN delivering the Leaflet and Turf.js libraries.
Your account data and child profile are stored in the United Kingdom (Supabase's London region). Some of the other providers above (for example Stripe, Google and our other map and analytics providers) may process data outside the UK; where they do, they are bound by appropriate safeguards such as the UK's International Data Transfer Agreement or equivalent.
Cookies
GrammarBound does not use advertising or tracking cookies. When you sign in we set a single essential cookie, grammarbound_session — an HttpOnly cookie that keeps you signed in and expires after about seven days (or when you sign out). Outcome tracker data and generated reports are stored in your browser's localStorage, not in cookies. Our Vercel analytics are cookie-less.
Data retention
We keep your account data for as long as your account is open. If you delete your account, your record and saved details are removed from our database and your authentication record is deleted. Stripe retains payment and invoice records as required by law. Data held only in your browser (tracker, reports) is removed when you clear your browser's localStorage.
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data — you can edit your saved details and child profile directly in your account.
- Erasure (right to be forgotten) — you can delete your account and all the data it holds at any time using the Delete account option in your account settings. Data held only in your browser can be erased by clearing your browser's
localStorage. For any other request, contact privacy@grammarbound.co.uk. - Portability of, and objection to, our processing — contact us using the address below.
You also have the right to complain to the UK's Information Commissioner's Office (ICO).
Payments and subscriptions
Payments for Pro plans are processed by Stripe, our payment processor — we never see or store your full card details. The Pro Monthly plan is a recurring subscription billed at £10 per month until you cancel it; the Pro Pass is a one-off payment. You can manage or cancel your subscription at any time through the Stripe Customer Portal, reached from the Manage subscription button in your account drawer. On cancellation your Pro access continues until the end of the current billing period.
Contact
Privacy enquiries: privacy@grammarbound.co.uk