How we look after your data.

Class Prayer is a prayer-planning tool for Catholic schools in the United Kingdom. We take the privacy of pupils, teachers, and school leaders seriously. This statement explains what personal data we collect, why we collect it, how we keep it safe, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Who is the data controller?

Class Prayer is operated by All Saints Catholic Academy Trust. For questions about your personal data, or to exercise any of the rights set out below, please contact us at info@classprayer.app.

Where Class Prayer is used inside a school, the school is the data controller for pupil and staff records relating to its classes; Class Prayer acts as a data processor on the school's behalf in line with our Data Processing Agreement.

What we collect

• Account data — name, email, role (teacher, school leader, pupil), and the school you belong to.
• School data — school name, address, motto, crest, and brand colours, supplied by your school leader.
• Class & pupil data — class names, year group, pupil first names and login codes. We do not collect pupil surnames, dates of birth, or contact details.
• Prayer content — prayers you create, the questions you answer in the builder, and chat-style refinements.
• Safeguarding flags — where pupil input raises concern, the relevant excerpt and surrounding chat are stored so the school's Designated Safeguarding Lead can review and act.
• Technical data — minimal logs needed to keep the service running and secure (e.g. error logs, authentication events).

Why we collect it (lawful basis)

• Contract — to provide the service to teachers and schools that have signed up.
• Legitimate interests — to keep the service secure, prevent abuse, and improve features. We balance this against your rights and freedoms.
• Legal obligation & vital interests — for safeguarding alerts, where processing is necessary to protect a child.
• Consent — for any optional communications. You can withdraw consent at any time.

Children's data

Pupils sign in with a first name and a class login code provided by their teacher. We deliberately collect the minimum needed to operate a class. Pupil chat content is stored only so it can be displayed back to the pupil and reviewed where a safeguarding concern is raised. We never use pupil data for advertising or to train third-party AI models.

How we use AI

Prayer drafts are generated by AI models hosted by trusted providers. Inputs are sent over encrypted connections, are not used to train the underlying models, and are not retained by the model provider beyond the time needed to return a response. A safeguarding classifier reviews pupil input on-the-fly and creates a flag for the school if it detects a potential concern.

Where data is stored

Personal data is stored in our managed backend (Lovable Cloud, powered by Supabase) in data centres located in the European Union or the United Kingdom. Where any processing involves a transfer outside the UK/EEA, we rely on UK International Data Transfer Agreements or the EU Standard Contractual Clauses with appropriate safeguards.

How long we keep it

• Account & school data: for as long as the account is active.
• Prayers: until you or your school deletes them.
• Safeguarding flags: for the period required by your school's safeguarding policy, and at most 7 years.
• On account closure, personal data is deleted or anonymised within 30 days, except where law requires us to retain it.

Your rights

Under the UK GDPR you have the right to:

• Access the personal data we hold about you.
• Ask us to correct data that is inaccurate or incomplete.
• Ask us to delete your data ("right to be forgotten").
• Restrict or object to certain processing.
• Receive a copy of your data in a portable format.
• Withdraw consent at any time, where consent is the lawful basis.
• Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, email info@classprayer.app. We will respond within one calendar month.

How we keep data safe

All traffic is encrypted in transit (TLS) and data at rest is encrypted by our backend provider. Access is protected by row-level security so users can only see data they are entitled to. Staff access to production systems is logged and limited to those who need it. We review our security posture regularly.

Cookies

We use a small number of strictly necessary cookies (and equivalent local storage) to keep you signed in and to remember your preferences. We do not use advertising or cross-site tracking cookies.

Changes to this statement

We will update this page when our practices change. Material changes will be communicated to school leaders by email.