Privacy notice
A plain-English summary of what we collect, why, and how to stay in control of it. The detail below follows UK GDPR Articles 13 and 14.
What this means in plain English. We try to collect as little as possible. The marketing site is mostly anonymous browsing. When you do hand us something, like an email for a printable, we keep it for as long as we need it for that purpose, then we delete it.
Who we are
This notice covers the Willowfolio marketing site at willowfolio.com and any printable, newsletter, or knowledge-base feature reached from it. Our contact details are at the bottom of this notice.
The Willowfolio app, available separately, has its own privacy notice covering signed-in product use. This notice applies only to the marketing site and its public features.
The data controller is Anam & Choudhury Limited (trading as A&C), a company registered in England & Wales (company number 07781134) at Kemp House, 124 City Road, London EC1V 2NX. We are registered with the Information Commissioner’s Office (registration Z3038897). Privacy questions are answered through the contact at the bottom of this notice; we do not currently appoint a separate Data Protection Officer.
What we collect
What this means. Different pages collect different things. The list below is exhaustive: if it isn’t here, we don’t store it.
Browsing the marketing site
- Standard server logs (truncated IP via Cloudflare, user-agent string, requested path, timestamp) for security and abuse prevention.
- Self-hosted, cookieless aggregate page-view analytics (page views, referrer, country at country-level only, no cross-site identifier). Runs on our own infrastructure, not a third-party processor.
- If you accept analytics cookies in the consent banner: Google Analytics 4 page-view events with GA4’s standard cookies, and Microsoft Clarity heatmaps and session recording with Clarity’s standard cookies. Both are listed in the cookies notice.
Voting on a knowledge-base article
- The article slug and pillar you voted on, the value (-1, 0, or 1), and a 32-character random fingerprint stored in the kb-fingerprint cookie.
- Country code derived from the Cloudflare edge header (two letters).
- Timestamp.
The fingerprint is a pseudonymous identifier created the first time you interact with a vote or suggest-edit form. It is not your name, email, IP address, or device fingerprint. Clearing the cookie wipes the link; we have no way to recover it.
Suggesting an edit on a knowledge-base article
- The article slug and pillar.
- The text of your suggestion (up to 4,000 characters).
- Your fingerprint (same cookie as above).
- An optional contact email if you choose to add one.
- Country code from the Cloudflare edge header.
- Moderation status, moderator note, and timestamps.
Requesting a printable
- The email address you provide.
- The printable slug you requested.
- Your fingerprint cookie.
- Country code from the Cloudflare edge header.
- A signed token identifier (JTI), download counter, last-downloaded timestamp, and a one-shot consumed marker.
- A waitlist flag if the printable was still in production at the time.
For printable requests specifically, your email and the device fingerprint are stored on the same record so we can deliver the download link to that email and prevent abuse of the rate limit by clearing the cookie. In that record the fingerprint is linked to you, even though it remains pseudonymous on every other surface across the site. The record is purged 30 days after the download token expires.
Newsletter subscription
We do not run our own newsletter list. When you submit the newsletter form on the homepage, the footer, or the optional opt-in checkbox on a printable request, your email and first name are forwarded to Brevo (Sendinblue SAS, France). Brevo immediately sends you a confirmation email; only after you click the confirmation link are you added to the list. Until you click that link, you are not a subscriber.
We mirror four lifecycle events from Brevo back into our own records: confirmation (so we know you completed the double-opt-in), unsubscribe, hard bounce, and spam complaint. We do not mirror open or click events - Brevo holds those. The mirror is so we can show accurate state and honour unsubscribes locally without a Brevo round trip on every page render.
Contact form
The public contact form at /contact sends your name, email address, and message straight to our support inbox via email. We do not store the submission in any database. Your email provider and ours retain it as part of normal email delivery; once we reply (or close the conversation), it sits in the support inbox until manually deleted in line with our retention practice.
Signing up to the Willowfolio app
Account creation happens on the Willowfolio app. This marketing site does not store app credentials. The categories of data the app holds are listed below.
Using the Willowfolio app account
What this means in plain English. If you sign in to the Willowfolio app, the account holds the records you choose to put in it: your child profiles, the activities and observations you log, photo attachments, and the council reports you generate. We process this data on your instruction, to provide the service you asked for. The marketing site itself does not see any of it; the list below covers what the app stores when you sign in.
- Child profiles: child’s name and birth month + year only (we don’t collect the day). Photos and notes are recorded against activity logs and observations, not the child profile itself.
- Activity logs and observations: free-text records you enter against a child or a session. Because these are free-text, they may incidentally include special-category data, for example health information when you record SEND adjustments, religion or philosophy when you record curriculum choices, or ethnicity when you log cultural-heritage activities. Where the app captures this kind of detail, it does so only because you typed it in for the purpose of recording your home-education activity, and the lawful basis for the special-category element is the substantial-public-interest condition for educational purposes (Article 9(2)(g) UK GDPR; DPA 2018 Schedule 1 Part 2 §18). The "About special-category data inside observations" paragraph below the retention table sets out the position in full.
- Photo attachments: up to 200MB of attachments are included with your account. If you choose the bring-your-own-Dropbox option, those attachments sit on your own Dropbox under your contract with Dropbox (App Folder scope only) and are never on our servers, except transiently while we generate a council-report PDF that includes them.
- Council report PDFs: generated from the records on your account, stored on your account, and re-generable at any time. Each PDF carries the local authority’s name on the cover.
- Co-parent records: when the bill-payer invites a second adult, we store that adult’s email address, display name, and the access scope you grant them.
- Billing records via Stripe: cardholder name, billing address, the last four digits of your card, and VAT receipts. We do not store your full card number; Stripe holds it.
- Session and authentication state: the session token issued when you sign in, and a last-active timestamp.
- App error monitoring: events sent from the app to our self-hosted error-monitoring tool, retained for 90 days. The tool runs on our own UK / EU infrastructure and is not a third-party SaaS, so error events are not transferred outside the UK / EU. Our PII-redaction policy applies to outgoing events.
How and why we use it
- To run the site, deliver pages, and protect against abuse (server logs, Cloudflare).
- To count helpful and unhelpful votes on knowledge-base articles so we can prioritise improvements.
- To receive and moderate suggested edits, and to write back to you if you provided an email and asked us to.
- To deliver the printable you requested.
- To understand aggregate site usage (cookieless self-hosted page-view analytics always; Google Analytics 4 and Microsoft Clarity only with consent).
- To investigate and fix errors (via our self-hosted error-monitoring tool; PII-redaction policy applies).
Lawful basis matrix
What this means. UK GDPR requires a lawful basis for each processing purpose. Ours are listed below in one place.
| Purpose | Data | Lawful basis (Art. 6) | Retention |
|---|---|---|---|
| Serving pages and protecting the site from abuse | Server logs, truncated IP, user-agent | Legitimate interests (Art. 6(1)(f)): operating a secure website | Up to 18 months (network and server logs) |
| Anonymous KB voting and suggest-edit dedupe | Fingerprint cookie, article slug, vote value, country code | Legitimate interests (Art. 6(1)(f)): preventing repeat votes and spam without identifying you | Vote rows kept for the lifetime of the article; deleting the cookie unlinks future activity |
| Moderating suggested edits | Suggestion body, optional contact email, fingerprint | Consent (Art. 6(1)(a)) for the optional contact email; legitimate interests for the suggestion itself | Optional contact emails are deleted within 90 days of moderation by an automated daily purge. Suggestion body is kept for editorial audit. |
| Delivering a requested printable | Email, printable slug, signed token identifier | Performance of a request you made (Art. 6(1)(b)) | Download token expires after 48 hours; email and token identifier scrubbed 90 days after the request was made |
| Newsletter subscription | Email and first name forwarded to Brevo; we mirror back confirmation, unsubscribe, bounce, and spam-complaint status | Consent (Art. 6(1)(a)), via Brevo’s double opt-in | Until you unsubscribe; address then held on a suppression list so we don’t accidentally email you again |
| Aggregate analytics (self-hosted, cookieless) | Page view counts, referrer, country | Legitimate interests (Art. 6(1)(f)): understanding which pages help readers | Up to 18 months (aggregate, no personal identifiers) |
| Google Analytics 4 (consent-gated) | GA4 standard cookies and event payload | Consent (Art. 6(1)(a)) | Up to 18 months (GA4 data-retention setting) |
| Microsoft Clarity (consent-gated) | Clarity standard cookies, heatmap interactions, and session recording with input masking applied to form fields by default | Consent (Art. 6(1)(a)) | Up to 13 months (Clarity default retention) |
| Error monitoring | Stack traces, request metadata, route tags | Legitimate interests (Art. 6(1)(f)): keeping the site working | 90 days (error events and stack traces) |
| Operating your Willowfolio app account | Child profiles, activity logs and observations, photo attachments, council report PDFs | Performance of contract (Art. 6(1)(b)) | For the life of the account, plus a 30-day cancellation grace period |
| Abuse-detection signals (One family per account enforcement) | IP-address clusters, billing-address comparisons across accounts, child-record overlap markers, sign-in pattern aggregates | Legitimate interests (Art. 6(1)(f)): protecting the per-account price cap from cross-family pooling. LIA reviewed annually. | 12 months from collection, or for the lifetime of an open enforcement matter, whichever is longer |
| Special-category data within observations | Health notes (SEND adjustments), religion or philosophy (curriculum choices), ethnicity (cultural-heritage activities) | Substantial public interest, educational purposes (Art. 9(2)(g) UK GDPR; DPA 2018 Schedule 1 Part 2 §18), alongside the Art. 6(1)(b) performance-of-contract basis above | Same as the parent record |
| Billing and tax records (Stripe) | Cardholder name, billing address, last four digits of the card, VAT receipts | Performance of contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) under HMRC retention rules | Six years from the end of the relevant accounting period |
| Co-parent invitation and access management | Invited adult’s email, display name, and access scope | Performance of contract (Art. 6(1)(b)) | For the life of the account |
| App error monitoring (self-hosted, app-side) | Request metadata, stack traces, a pseudonymous user identifier (still personal data under Recital 26 UK GDPR; PII-redaction policy applied to outgoing events) | Legitimate interests (Art. 6(1)(f)): running a stable service | 90 days |
Where we rely on legitimate interests, we have weighed our need against your rights and freedoms. You can object at any time using the contact details below.
Decisions to suspend or terminate an account under the One family per account clause are reviewed by a human. We do not make solely automated decisions of legal or similarly significant effect within the meaning of Article 22 UK GDPR.
About special-category data inside observations. Home-education records sometimes touch on a child’s health (an SEND adjustment that shaped what you tried that day), religion or philosophy (a text or holiday at the centre of a week’s plan), or ethnicity (a cultural-heritage activity you logged). You decide what records you add. We do not read, share, or otherwise process the content of these notes except as needed to run the app for you: showing you your own records, generating your council reports, running your progress views, and the other things the app does. We handle that content under the substantial-public-interest condition for educational purposes at Article 9(2)(g) UK GDPR, read with paragraph 18 of Schedule 1 Part 2 of the Data Protection Act 2018. This is the same condition a school relies on when it keeps the same kinds of records about its pupils.
Who we share it with
What this means. We use a small number of vendors who process data on our behalf. We do not sell your data and we do not share it for advertising.
About our infrastructure. Our analytics, error reporting, search index, and database all run on our own infrastructure in the UK / EU. Your data is not sent to a third-party analytics, error-monitoring, or search vendor for those surfaces. If you open your browser’s developer tools while using the site you may see traffic to subdomains of dontwaffle.me (e.g. umami.dontwaffle.me, glitchtip.dontwaffle.me, typesense.dontwaffle.me); those are our own infrastructure domain, not third-party vendors.
- Cloudflare: content delivery, the public tunnel in front of our hosting, and Turnstile bot challenges on forms.
- OVH (France) and Hetzner (Germany) for VPS hosting (primary infrastructure on OVH; encrypted offsite backups on Hetzner).
- Mailgun for transactional email (printable delivery, contact replies, magic-link logins, password resets, and other system emails).
- Brevo (Sendinblue SAS, France) for newsletter email and double-opt-in confirmation. EU data residency option selected.
- Google: Google Analytics 4 (only when you accept analytics cookies) and Google Sign-In / OAuth on the Willowfolio app. Both routed onward to Google infrastructure in the United States under Standard Contractual Clauses and the UK International Data Transfer Agreement.
- Microsoft: Microsoft Clarity for heatmaps and session recording on the marketing site (only when you accept analytics cookies). Routed to Microsoft infrastructure in the United States under Standard Contractual Clauses and the UK International Data Transfer Agreement. Clarity’s default masking hides text input from session recordings.
- Stripe for payment processing on the Willowfolio app. Stripe Payments Europe Ltd (Ireland) acts as the EEA controller for UK customers. Card and billing data are routed onward to Stripe’s United States infrastructure under Standard Contractual Clauses and the UK International Data Transfer Agreement. Stripe’s privacy notice is published at stripe.com/privacy.
International transfers
Most processing happens in the European Economic Area. Where vendors transfer data outside the UK or EEA, we rely on the UK Addendum to the EU Standard Contractual Clauses or an equivalent transfer tool. Google Analytics 4 and Microsoft Clarity in particular involve transfers to the United States covered by SCCs and the UK Extension. Payment processing through Stripe also involves transfers to the United States: Stripe Payments Europe Ltd is the EEA-side controller for UK customers, and onward transfers to Stripe’s US infrastructure are covered by Standard Contractual Clauses with the UK Addendum (the UK International Data Transfer Agreement).
How long we keep it
The short version. Personal data you give us (contact emails, printable request emails, contact-form submissions) is deleted within 30 days of the purpose ending. Aggregate analytics and network logs (Cloudflare, server, Umami, GA4) are kept for up to 18 months. Error-monitoring events are kept for 90 days.
- Optional contact email on a suggested edit: deleted within 90 days of moderation by an automated daily purge.
- Printable download token: 48 hours from issue, single use; the email and token identifier on the request row are scrubbed 90 days after the request was made.
- Contact-form email and message: retained in our support inbox while we reply, then deleted within 30 days of the conversation closing.
- Newsletter subscription: Brevo keeps your address until you unsubscribe through the link in any newsletter email. We keep our local mirror row (status, confirmation timestamp, unsubscribe timestamp) for the same period; once you unsubscribe in Brevo, our local row also flips to unsubscribed. We retain unsubscribed addresses on a suppression list for three years to prevent accidentally re-adding you. After that we delete the row, and if you sign up again you will receive a fresh confirmation email.
- Vote rows: kept for the lifetime of the article so that aggregate counts remain accurate. Clearing your fingerprint cookie unlinks future activity.
- Network and server logs (Cloudflare, hosting): up to 18 months, then automatically rotated out.
- Self-hosted aggregate analytics and GA4: up to 18 months (aggregate; GA4’s data-retention setting is configured to 18 months).
- Microsoft Clarity: up to 13 months (Clarity’s default retention).
- Error-monitoring events (self-hosted): 90 days.
Using the Willowfolio app account
- Cancellation grace period: we retain your data for 30 days after your subscription ends, in case you reactivate. Reads and exports remain available throughout. After 30 days, we delete your account records permanently, except for billing and tax records held under HMRC rules (see below). This mirrors the cancellation paragraph in the terms of use.
- Public contributions you submitted while using the app: suggestions you posted to the public suggestions board and entries you contributed to community catalogues (for example, shared activities or shared reading lists). These rows stay published after your account is deleted, but we anonymise them: your name is removed and the link between the row and your family record is severed. The content itself stays useful to other families. This is the same public-by-design model that applies while your account is active. If you want a specific contribution removed before the account deletion runs, contact us using the details at the bottom of this page and we will remove it (right of erasure under Art. 17).
- Billing and tax records: retained for six years from the end of the accounting period, in line with HMRC retention rules (Companies Act 2006 s.386 for company records and VAT Notice 700/21 for VAT records), even after the account itself is deleted.
- Photo attachments on bring-your-own-Dropbox: records on your own Dropbox are governed by your contract with Dropbox, not by us. Uploads go directly from your browser to Dropbox using OAuth permissions you grant; Dropbox acts as your independent controller for those files, not our Article 28 processor. We delete copies from our hosted store at deletion time, but we cannot reach into your Dropbox to delete anything there; you control that directly.
Cookies and similar technologies
The marketing site sets a single first-party cookie by default (kb-fingerprint) to dedupe anonymous votes and edit suggestions. Google Analytics and Microsoft Clarity cookies only run if you accept them in the consent banner. Our self-hosted aggregate analytics uses no cookies. The full list, with purpose and duration, lives in the cookies notice.
Your rights
What this means. You have a set of rights over your personal data under UK GDPR. You can use any of them at no charge.
- Access (Art. 15): ask us what we hold about you.
- Rectification (Art. 16): correct anything that is wrong.
- Erasure (Art. 17): ask us to delete it.
- Restriction (Art. 18): ask us to pause processing.
- Portability (Art. 20): get a copy in a portable format.
- Objection (Art. 21): object to processing based on legitimate interests, including direct marketing.
- Rights related to automated decision-making (Art. 22). We do not carry out solely automated decisions with legal or similarly significant effects.
- Withdraw consent at any time, where we relied on consent.
Two limits on erasure to be aware of. First, where law requires us to keep certain data, we keep it: this applies to billing and tax records under HMRC retention rules (six years from the end of the relevant accounting period). An erasure request will not delete those records before that period ends; once it ends, they are deleted. Second, Stripe holds its own copy of your billing data as a separate controller under its own privacy notice; we can ask Stripe to delete on our request, but Stripe applies its own legal-retention rules (typically the same HMRC six years), so the practical position is the same on their side.
To exercise any of these, contact us using the details at the bottom of this notice. We respond within one calendar month per Article 12(3); we will tell you if we need an extension.
If you’ve been invited as a co-parent
Where someone has invited you into a Willowfolio app account as a co-parent or other responsible adult, we received your email address, display name, and the access scope they granted you from the bill-payer, not from you directly. Article 14 UK GDPR requires us to tell you about that collection.
The invitation email is our first contact with you. It tells you what data we hold (email address, display name, access scope), why we hold it (so the bill-payer can grant you shared access to the account), the lawful basis we rely on (performance of contract under Article 6(1)(b), with the bill-payer as the contract counterparty), how long we hold it (for the life of the account), and how to exercise your rights. The same rights listed in the Your rights section above apply to you, and you can exercise them with the same effect as the bill-payer would for their own data.
If you do not want to accept the invitation, the invitation email also gives you a one-click way to decline and delete the data we hold about you. Declining removes your row from the invitation list and stops any further contact from us about that account. You can also contact us at any time (see Contact below) to ask us to delete your data, correct it, or restrict its use.
Children
What this means in plain English. The marketing site is for parents and carers. The app is built for parents and carers too, but the records inside an account are about children. We treat those two situations differently, and explain both below.
Children visiting the marketing site
The marketing site is for parents and carers researching home education. The Willowfolio app is not directed at children under 13 and we do not knowingly process children’s personal data through this site. If you believe a child has submitted information, contact us using the details below and we will delete it.
Children whose data is recorded in the app
When a parent or carer uses the Willowfolio app to record home-education activity, the records are about a child but the person providing the input is the parent. The parent acts on the child’s behalf and provides the data for the practical purpose of running their family’s home-education programme, with Anam & Choudhury Limited as the controller of that data. Article 8 UK GDPR concerns information-society services offered directly to a child; that is not the position here, because the service is offered to the parent.
We do not consider the parent to be a joint controller with us under Article 26 UK GDPR for the records they create in the app. The parent decides what to log about their own family’s education as part of running their household, which is a personal-administration activity rather than an independent controllership; we decide how that data is stored, retained, secured, and made available, which is what makes us the controller. Where a parent later asks us to act on a record (for example, to export it, correct it, or delete it), we treat that as the parent exercising rights and instructing us as the controller, not as a joint-controller decision.
Where two adults associated with the account disagree about a rights request, we approach it in three layers. (1) For decisions about the account itself (billing, access scope, who is invited), the bill-payer’s position controls under the Terms of Use. (2) For rights requests over an adult’s own personal data (an invited co-parent’s email address, their access logs), each adult can exercise their own rights without the other’s agreement. (3) For rights requests over a child’s records, we treat the bill-payer as the child’s representative by default. If a second adult with parental responsibility lodges a competing request, we pause and ask both adults to confirm a shared position in writing; where no shared position can be reached we may decline to act unilaterally and signpost both adults to family-law advice. Where the request is about a record’s factual accuracy (a rectification right under Article 16), we will normally act on a request from either adult to correct an evidently wrong fact, on the basis that an accurate record is in the child’s interest regardless of which adult notices the error.
When a child reaches an age and capacity to exercise data-protection rights in their own name (typically from age 12 in the UK, though we assess this case-by-case), we will handle requests from that child directly. We verify the child’s identity through a parent-account-linked email confirmation or, where the child contacts us independently, by other reasonable means. We will normally notify the bill-paying parent that a request has been made, except where doing so would put the child at risk or where the child specifically asks us not to. If a parent and child disagree about a record, we will pause the request, explain the position to both, and act in line with the child’s wishes where they have capacity to decide. If you are a parent and want to discuss this in advance of a formal request, contact us using the details below.
Changes to this notice
We update this notice when our data flows or vendors change. The Last updated date below shows the most recent revision. Material changes (new categories of data, new purposes, or new recipients) will be flagged at the top of the page for at least 30 days.
Contact
Email [email protected] for any privacy question, rights request, or concern. Postal address: Anam & Choudhury Limited, Kemp House, 124 City Road, London EC1V 2NX.
Complaints to the ICO
If you are not satisfied with our response, you can complain to the Information Commissioner’s Office at ico.org.uk, by phone on 0303 123 1113, or by post to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would always rather hear from you first so we have a chance to put things right.
Last updated: 7 May 2026 (newsletter section flipped to live Brevo flow).