Privacy notice
A plain-English summary of what we collect, why, and how to stay in control of it. The detail below follows UK GDPR Articles 13 and 14.
What this means in plain English. We try to collect as little as possible. The marketing site is mostly anonymous browsing. When you do hand us something, like an email for a printable, we keep it for as long as we need it for that purpose, then we delete it.
Who we are
This notice covers the Willowfolio marketing site at willowfolio.com and any printable, newsletter, or knowledge-base feature reached from it. You can reach us at [email protected].
The Willowfolio app, available separately, has its own privacy notice covering signed-in product use. This notice applies only to the marketing site and its public features.
The data controller is Anam & Choudhury Limited (trading as A&C), a company registered in England & Wales (company number 07781134) at Kemp House, 124 City Road, London EC1V 2NX. We are registered with the Information Commissioner’s Office (registration Z3038897). Privacy questions go to [email protected]; we do not currently appoint a separate Data Protection Officer.
What we collect
What this means. Different pages collect different things. The list below is exhaustive: if it isn’t here, we don’t store it.
Browsing the marketing site
- Standard server logs (truncated IP via Cloudflare, user-agent string, requested path, timestamp) for security and abuse prevention.
- Self-hosted, cookieless aggregate page-view analytics (page views, referrer, country at country-level only, no cross-site identifier). Runs on our own infrastructure, not a third-party processor.
- If you accept analytics cookies in the consent banner: Google Analytics 4 page-view events with GA4’s standard cookies, and Microsoft Clarity heatmaps and session recording with Clarity’s standard cookies. Both are listed in the cookies notice.
Voting on a knowledge-base article
- The article slug and pillar you voted on, the value (-1, 0, or 1), and a 32-character random fingerprint stored in the kb-fingerprint cookie.
- Country code derived from the Cloudflare edge header (two letters).
- Timestamp.
The fingerprint is a pseudonymous identifier created the first time you interact with a vote or suggest-edit form. It is not your name, email, IP address, or device fingerprint. Clearing the cookie wipes the link; we have no way to recover it.
Suggesting an edit on a knowledge-base article
- The article slug and pillar.
- The text of your suggestion (up to 4,000 characters).
- Your fingerprint (same cookie as above).
- An optional contact email if you choose to add one.
- Country code from the Cloudflare edge header.
- Moderation status, moderator note, and timestamps.
Requesting a printable
- The email address you provide.
- The printable slug you requested.
- Your fingerprint cookie.
- Country code from the Cloudflare edge header.
- A signed token identifier (JTI), download counter, last-downloaded timestamp, and a one-shot consumed marker.
- A waitlist flag if the printable was still in production at the time.
Newsletter subscription
We do not run our own newsletter list. When you submit the newsletter form on the homepage, the footer, or the optional opt-in checkbox on a printable request, your email and first name are forwarded to Brevo (Sendinblue SAS, France). Brevo immediately sends you a confirmation email; only after you click the confirmation link are you added to the list. Until you click that link, you are not a subscriber.
We mirror four lifecycle events from Brevo back into our own records: confirmation (so we know you completed the double-opt-in), unsubscribe, hard bounce, and spam complaint. We do not mirror open or click events - Brevo holds those. The mirror is so we can show accurate state and honour unsubscribes locally without a Brevo round trip on every page render.
Contact form
The public contact form at /contact sends your name, email address, and message straight to our support inbox via email. We do not store the submission in any database. Your email provider and ours retain it as part of normal email delivery; once we reply (or close the conversation), it sits in the support inbox until manually deleted in line with our retention practice.
Signing up to the Willowfolio app
Account creation happens on the Willowfolio app. This marketing site does not store app credentials. The categories of data the app holds are listed below.
Using the Willowfolio app account
What this means in plain English. If you sign in to the Willowfolio app, the account holds the records you choose to put in it: your child profiles, the activities and observations you log, photo attachments, and the council reports you generate. We process this data on your instruction, to provide the service you asked for. The marketing site itself does not see any of it; the list below covers what the app stores when you sign in.
- Child profiles: name, date of birth, an optional photo, and any optional notes you add about the child.
- Activity logs and observations: free-text records you enter against a child or a session. Because these are free-text, they may incidentally include special-category data, for example health information when you record SEND adjustments, religion or philosophy when you record curriculum choices, or ethnicity when you log cultural-heritage activities. Where the app captures this kind of detail, it does so only because you typed it in for the purpose of recording your home-education activity, and the lawful basis for the special-category element is your explicit consent at the point of entry.
- Photo attachments: up to 200MB of attachments are included on UK-hosted Appwrite storage. If you choose the bring-your-own-Dropbox option, those attachments sit on your own Dropbox under your contract with Dropbox (App Folder scope only) and are never on our servers, except transiently while we generate a council-report PDF that includes them.
- Council report PDFs: generated from the records on your account, stored on your account, and re-generable at any time. Each PDF carries the local authority’s name on the cover.
- Co-parent records: when the bill-payer invites a second adult, we store that adult’s email address, display name, and the access scope you grant them.
- Billing records via Stripe: cardholder name, billing address, the last four digits of your card, and VAT receipts. We do not store your full card number; Stripe holds it.
- Session and authentication state: the Appwrite session token issued when you sign in, and a last-active timestamp.
- App error monitoring: events sent from the app to Sentry, kept for 90 days. Once production Sentry is fully provisioned at M5, our PII-redaction policy will apply to outgoing events; until then, error monitoring is wired but not yet receiving production traffic.
How and why we use it
- To run the site, deliver pages, and protect against abuse (server logs, Cloudflare).
- To count helpful and unhelpful votes on knowledge-base articles so we can prioritise improvements.
- To receive and moderate suggested edits, and to write back to you if you provided an email and asked us to.
- To deliver the printable you requested.
- To understand aggregate site usage (cookieless self-hosted page-view analytics always; Google Analytics 4 and Microsoft Clarity only with consent).
- To investigate and fix errors (Sentry; PII-redaction policy will apply once production Sentry is fully provisioned at M5).
Lawful basis matrix
What this means. UK GDPR requires a lawful basis for each processing purpose. Ours are listed below in one place.
| Purpose | Data | Lawful basis (Art. 6) | Retention |
|---|---|---|---|
| Serving pages and protecting the site from abuse | Server logs, truncated IP, user-agent | Legitimate interests (Art. 6(1)(f)): operating a secure website | Up to 18 months (network and server logs) |
| Anonymous KB voting and suggest-edit dedupe | Fingerprint cookie, article slug, vote value, country code | Legitimate interests (Art. 6(1)(f)): preventing repeat votes and spam without identifying you | Vote rows kept for the lifetime of the article; deleting the cookie unlinks future activity |
| Moderating suggested edits | Suggestion body, optional contact email, fingerprint | Consent (Art. 6(1)(a)) for the optional contact email; legitimate interests for the suggestion itself | Optional contact emails are deleted within 90 days of moderation by an automated daily purge. Suggestion body is kept for editorial audit. |
| Delivering a requested printable | Email, printable slug, signed token identifier | Performance of a request you made (Art. 6(1)(b)) | Download token expires after 7 days; request row deleted within 30 days of token expiry |
| Newsletter subscription | Email and first name forwarded to Brevo; we mirror back confirmation, unsubscribe, bounce, and spam-complaint status | Consent (Art. 6(1)(a)), via Brevo’s double opt-in | Until you unsubscribe; address then held on a suppression list so we don’t accidentally email you again |
| Aggregate analytics (self-hosted, cookieless) | Page view counts, referrer, country | Legitimate interests (Art. 6(1)(f)): understanding which pages help readers | Up to 18 months (aggregate, no personal identifiers) |
| Google Analytics 4 (consent-gated) | GA4 standard cookies and event payload | Consent (Art. 6(1)(a)) | Up to 18 months (GA4 data-retention setting) |
| Microsoft Clarity (consent-gated) | Clarity standard cookies, heatmap interactions, and session recording with input masking applied to form fields by default | Consent (Art. 6(1)(a)) | Up to 13 months (Clarity default retention) |
| Error monitoring | Stack traces, request metadata, route tags | Legitimate interests (Art. 6(1)(f)): keeping the site working | 90 days (error events and stack traces) |
| Operating your Willowfolio app account | Child profiles, activity logs and observations, photo attachments, council report PDFs | Performance of contract (Art. 6(1)(b)) | For the life of the account, plus the cancellation grace period (length to be confirmed) |
| Special-category data within observations | Health notes (SEND adjustments), religion or philosophy (curriculum choices), ethnicity (cultural-heritage activities) | Explicit consent (Art. 9(2)(a)) recorded at the point of entry, alongside the Art. 6 basis above | Same as the parent record (consent-capture mechanism to be confirmed) |
| Billing and tax records (Stripe) | Cardholder name, billing address, last four digits of the card, VAT receipts | Performance of contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) under HMRC retention rules | Six years from the end of the relevant accounting period |
| Co-parent invitation and access management | Invited adult’s email, display name, and access scope | Performance of contract (Art. 6(1)(b)) | For the life of the account |
| App error monitoring (Sentry, app-side) | Request metadata, stack traces, an anonymous user identifier (PII-redaction policy to be applied at M5 production rollout) | Legitimate interests (Art. 6(1)(f)): running a stable service | 90 days |
Where we rely on legitimate interests, we have weighed our need against your rights and freedoms. You can object at any time using the contact details below.
Who we share it with
What this means. We use a small number of vendors who process data on our behalf. We do not sell your data and we do not share it for advertising.
About our infrastructure. Our analytics, error reporting, search index, and database all run on our own infrastructure in the UK / EEA. Your data is not sent to a third-party analytics, error-monitoring, or search vendor for those surfaces.
- Cloudflare: content delivery, the public tunnel in front of our hosting, and Turnstile bot challenges on forms.
- OVH (France): the underlying VPS hosting on which our application servers, database, analytics, and search index run.
- Mailgun for transactional email (printable delivery, contact replies).
- Brevo (Sendinblue SAS, France) for newsletter email and double-opt-in confirmation. EU data residency option selected.
- Google: Google Analytics 4 (only when you accept analytics cookies) and Google Sign-In / OAuth on the Willowfolio app. Both routed onward to Google infrastructure in the United States under Standard Contractual Clauses and the UK International Data Transfer Agreement.
- Microsoft: Microsoft Clarity for heatmaps and session recording on the marketing site (only when you accept analytics cookies). Routed to Microsoft infrastructure in the United States under Standard Contractual Clauses and the UK International Data Transfer Agreement. Clarity’s default masking hides text input from session recordings.
- Stripe for payment processing on the Willowfolio app. Stripe Payments Europe Ltd (Ireland) acts as the EEA controller for UK customers. Card and billing data are routed onward to Stripe’s United States infrastructure under Standard Contractual Clauses and the UK International Data Transfer Agreement. Stripe’s privacy notice is published at stripe.com/privacy.
International transfers
Most processing happens in the European Economic Area. Where vendors transfer data outside the UK or EEA, we rely on the UK Addendum to the EU Standard Contractual Clauses or an equivalent transfer tool. Google Analytics 4 and Microsoft Clarity in particular involve transfers to the United States covered by SCCs and the UK Extension. Payment processing through Stripe also involves transfers to the United States: Stripe Payments Europe Ltd is the EEA-side controller for UK customers, and onward transfers to Stripe’s US infrastructure are covered by Standard Contractual Clauses with the UK Addendum (the UK International Data Transfer Agreement).
How long we keep it
The short version. Personal data you give us (contact emails, printable request emails, contact-form submissions) is deleted within 30 days of the purpose ending. Aggregate analytics and network logs (Cloudflare, server, Umami, GA4) are kept for up to 18 months. Sentry error events are kept for 90 days.
- Optional contact email on a suggested edit: deleted within 90 days of moderation by an automated daily purge.
- Printable download token: 7 days from issue, single use; the request row is deleted within 30 days of token expiry.
- Contact-form email and message: retained in our support inbox while we reply, then deleted within 30 days of the conversation closing.
- Newsletter subscription: Brevo keeps your address until you unsubscribe through the link in any newsletter email. We keep our local mirror row (status, confirmation timestamp, unsubscribe timestamp) for the same period; once you unsubscribe in Brevo, our local row also flips to unsubscribed.
- Vote rows: kept for the lifetime of the article so that aggregate counts remain accurate. Clearing your fingerprint cookie unlinks future activity.
- Network and server logs (Cloudflare, hosting): up to 18 months, then automatically rotated out.
- Self-hosted aggregate analytics and GA4: up to 18 months (aggregate; GA4’s data-retention setting is configured to 18 months).
- Microsoft Clarity: up to 13 months (Clarity’s default retention).
- Sentry error events: 90 days.
Using the Willowfolio app account
- Cancellation grace period: if you cancel, you keep read and export access for a grace period (length to be confirmed before launch), mirroring the terms of use. After that window, account records are deleted from our hosted store.
- Billing and tax records: retained for six years from the end of the accounting period, in line with HMRC requirements, even after the account itself is deleted.
- Photo attachments on bring-your-own-Dropbox: records on your own Dropbox are governed by your contract with Dropbox, not by us. We delete copies from our hosted store at deletion time, but we cannot reach into your Dropbox to delete anything there; you control that directly.
Cookies and similar technologies
The marketing site sets a single first-party cookie by default (kb-fingerprint) to dedupe anonymous votes and edit suggestions. Google Analytics and Microsoft Clarity cookies only run if you accept them in the consent banner. Our self-hosted aggregate analytics uses no cookies. The full list, with purpose and duration, lives in the cookies notice.
Your rights
What this means. You have a set of rights over your personal data under UK GDPR. You can use any of them at no charge.
- Access (Art. 15): ask us what we hold about you.
- Rectification (Art. 16): correct anything that is wrong.
- Erasure (Art. 17): ask us to delete it.
- Restriction (Art. 18): ask us to pause processing.
- Portability (Art. 20): get a copy in a portable format.
- Objection (Art. 21): object to processing based on legitimate interests, including direct marketing.
- Rights related to automated decision-making (Art. 22). We do not carry out solely automated decisions with legal or similarly significant effects.
- Withdraw consent at any time, where we relied on consent.
To exercise any of these, email [email protected]. We respond within one calendar month per Article 12(3); we will tell you if we need an extension.
Children
What this means in plain English. The marketing site is for parents and carers. The app is built for parents and carers too, but the records inside an account are about children. We treat those two situations differently, and explain both below.
Children visiting the marketing site
The marketing site is for parents and carers researching home education. The Willowfolio app is not directed at children under 13 and we do not knowingly process children’s personal data through this site. If you believe a child has submitted information, contact [email protected] and we will delete it.
Children whose data is recorded in the app
When a parent or carer uses the Willowfolio app to record home-education activity, the records are about a child but the person providing the input is the parent. The parent acts on the child’s behalf and provides the data for the practical purpose of running their family’s home-education programme, with Anam & Choudhury Limited as the controller of that data. Article 8 UK GDPR concerns information-society services offered directly to a child; that is not the position here, because the service is offered to the parent.
When a child reaches an age and capacity to exercise data-protection rights in their own name, we will handle requests from that child directly. (The exact handover process is being confirmed before launch.) If you are a parent and want to discuss this in advance of a formal request, email [email protected].
Changes to this notice
We update this notice when our data flows or vendors change. The Last updated date below shows the most recent revision. Material changes (new categories of data, new purposes, or new recipients) will be flagged at the top of the page for at least 30 days.
Contact
Email [email protected] for any privacy question, rights request, or concern. Postal address: Anam & Choudhury Limited, Kemp House, 124 City Road, London EC1V 2NX.
Complaints to the ICO
If you are not satisfied with our response, you can complain to the Information Commissioner’s Office at ico.org.uk, by phone on 0303 123 1113, or by post to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would always rather hear from you first so we have a chance to put things right.
Last updated: 7 May 2026 (newsletter section flipped to live Brevo flow).