Privacy Policy

Last updated: March 2026

1. Introduction

This Privacy Policy explains how StoryStarlings, operated by StarlingCloud Ltd, collects, uses, and protects personal information when you use our school library management platform.

We are committed to protecting the privacy of all users, particularly the children whose information may be stored in the system.

2. Data Controller and Processor

Under UK GDPR:

  • Data Controller: Your school or organisation is the data controller for student and borrower information
  • Data Processor: StarlingCloud Ltd acts as the data processor, processing data on behalf of your organisation

Our Details:

  • Company: StarlingCloud Ltd
  • Company Number: 14619898
  • Registered Address: 32 Hinton Road, Easton, Bristol, BS5 6HB
  • Privacy Contact: privacy@storystarlings.com

3. Information We Collect

3.1 Account Information

When you register for StoryStarlings, we collect:

  • School/organisation name and address
  • Staff names and email addresses
  • Account credentials (passwords are encrypted)
  • Billing information (processed by Stripe)

3.2 Student Information

Your organisation may store the following student data:

  • Student names
  • Year group/class
  • Student ID or library card number
  • Borrowing history
  • Reading progress and assessments (where used)

3.3 Book and Library Data

  • Book catalogue information (titles, authors, ISBNs)
  • Loan records and due dates
  • Book condition and location data

3.4 Technical Information

  • IP addresses and browser information
  • Usage data and access logs
  • Device information

4. How We Use Information

We use the collected information to:

  • Provide and maintain the library management service
  • Process book loans and returns
  • Send overdue notifications (to school staff)
  • Generate reports and analytics for your organisation
  • Provide customer support
  • Improve and develop the Service
  • Comply with legal obligations

5. Legal Basis for Processing

We process personal data based on:

  • Contract: To provide the services you have requested
  • Legitimate Interests: To improve our services and maintain security
  • Legal Obligation: To comply with applicable laws
  • Consent: Where specifically required

6. Children's Data

We take special care with children's information:

  • Student data is only accessible to authorised staff within your organisation
  • Children's information is encrypted at rest and in transit
  • We never use children's data for marketing purposes
  • We never share children's data with third parties for their own purposes
  • The public catalogue feature does not display any personal student information

Your organisation is responsible for obtaining appropriate consent from parents/guardians for processing student data.

7. Data Sharing

We only share data with:

  • Service Providers: Essential third parties who help us operate the Service (hosting, payment processing)
  • Legal Requirements: When required by law or to protect our rights

We do not sell personal information to third parties.

7.1 Third-Party Services

  • Hosting: UK-based cloud infrastructure
  • Payment Processing: Stripe (PCI DSS compliant)
  • Book Data: Google Books API, Open Library (for ISBN lookups - no personal data shared)

8. Data Security

We implement robust security measures:

  • All data encrypted in transit (TLS 1.2+) and at rest
  • Regular security audits and updates
  • Access controls and authentication
  • Secure UK-based data centres
  • Regular backups with encryption
  • Staff security training

9. Data Retention

  • Active Accounts: Data retained while your subscription is active
  • After Cancellation: Data available for export for 90 days, then securely deleted
  • Student Records: Retained according to your organisation's instructions (typically aligned with your school's retention policy)
  • Financial Records: 7 years as required by law
  • Backup Data: Removed within 30 days of deletion request

10. Your Rights

Under UK GDPR, individuals have the right to:

  • Access: Request a copy of personal data we hold
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of personal data
  • Portability: Request data in a portable format
  • Objection: Object to certain processing activities
  • Restriction: Request limited processing in certain circumstances

For student data, requests should be directed to your school as the data controller. For account holder data, contact us directly.

We will respond to requests within 30 days.

11. International Transfers

All data is stored and processed within the United Kingdom. We do not transfer personal data outside the UK unless:

  • Required for essential service provision
  • Appropriate safeguards are in place (Standard Contractual Clauses)
  • You have been informed

12. Cookies

We use essential cookies to:

  • Maintain your login session
  • Remember your preferences
  • Ensure security

We do not use advertising or tracking cookies.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by:

  • Email notification to account holders
  • Notice within the Service
  • Updating the "Last updated" date

14. Complaints

If you have concerns about how we handle personal data, please contact us first at privacy@storystarlings.com.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

15. Contact Us

For privacy-related enquiries:

  • Email: privacy@storystarlings.com
  • General: hello@storystarlings.com
  • Address: StarlingCloud Ltd, 32 Hinton Road, Easton, Bristol, BS5 6HB