What we collect
This policy covers both the Flybrite website at flybrite.co.uk and the Flybrite iOS app. Where a particular type of data only applies to one of those, we say so.
The personal data we hold falls into the following categories:
- Account details: your name (first, last, and the display name shown in the app), email address, and a hashed password. Phone number and postal address (house number, city, county, postcode) are optional, but are required if you want Flybrite to generate a correctly addressed Local Authority report.
- Children you add: the child’s display name, age or birth date, interests, and an optional profile photo. You enter this; we do not gather it from any other source.
- What you record: diary entries, learning notes, observations, photos and videos you attach to moments, and any voice recordings you choose to log. Voice recordings are transcribed to text on our server and the resulting transcript is stored; the original audio is not retained.
- AI categorisation output: when you log a moment, we send the text (and any photo URL) to OpenAI for categorisation and short narrative generation. The output (learning areas, categories, a written summary) is stored alongside the moment.
- Conversations: messages you send and receive in the in-app chat, including any attachments.
- Subscription state: if you subscribe to Flybrite we store your plan, status, and trial dates. We do not store your card number — that lives with Stripe (web) or Apple (iOS in-app purchase).
- Customer support: emails, in-app feedback, and any attachments you send when you contact us.
- Technical identifiers: your Flybrite user ID, your session tokens, and an Expo push-notification token tied to your device. We do not collect your device’s advertising identifier (IDFA).
We do not collect: your location, your contacts, browsing history outside Flybrite, health or fitness data, biometric data, or any data about people other than you, your children, and people you choose to chat with. We do not run third-party analytics, advertising pixels, or tracking SDKs in the app or on the website.
How we use it
We use your data only to run the service you signed up for:
- Provide the product. Show you your own diary, your children, your moments, your reports, and your messages.
- Authenticate you. Email and hashed password let you sign in; session tokens keep you signed in.
- Generate Local Authority reports. Your name and address appear on the report header; your moments become the report’s evidence.
- Categorise what you log. The text and any photo URL you attach to a moment are sent to OpenAI to identify learning areas and write a short summary, so your diary becomes useful evidence rather than a pile of notes.
- Take payment. Your subscription status comes from Stripe (web) or Apple (iOS). We never see your card.
- Send push notifications. If you grant the iOS permission, your push token is used to remind you about logged moments and weekly summaries. You can turn this off in iOS Settings.
- Service email. Important account messages (password reset, subscription changes). We do not send marketing email unless you explicitly opt in.
We do not use your data to train any AI model. The OpenAI calls we make are per-moment and stateless — OpenAI’s API does not retain your prompts for model training (this is a contractual commitment under their API terms, separate from ChatGPT consumer behaviour).
Who we share with
Flybrite is run by a small UK team. To deliver the service we use a handful of named sub-processors. We share only the data each one needs to do its job. None of them use your data to advertise to you.
- DigitalOcean — hosting (UK region) for our application servers and database. Receives everything you store with Flybrite, encrypted at rest and in transit.
- DigitalOcean Spaces — encrypted object storage (UK region) for photos and other attachments.
- OpenAI — runs the categorisation, narration, and Local Authority report-drafting calls. Receives the text and image URLs you log, plus child age. Bound by OpenAI’s API terms which prohibit training on your data.
- Stripe — processes web subscriptions and stores card details. Receives your email and subscription preferences; we receive a Stripe customer ID back.
- Apple — processes iOS in-app subscriptions via StoreKit. Receives the data Apple requires for IAP; we receive a transaction receipt.
- Mapbox — powers the address autocomplete inside the iOS app (typing your address into the profile or the LA-report builder). Receives only the partial address string you type as you search.
- Expo — relays push notifications from our server to Apple’s push service. Receives your push token and the notification payload.
We will only disclose your data outside this list if we are legally required to, for example by a UK court order or a valid request under the Data Protection Act 2018. We do not sell your personal data to any third party, ever.
Where it lives
Your account, diary, and attachments are stored on DigitalOcean servers in the London (LON1) region. They are encrypted at rest by our infrastructure provider and travel between your device and our servers over HTTPS.
Two narrow exceptions cross UK borders:
- OpenAI processes the categorisation and narration calls on US infrastructure. We send the minimum needed (text, image URL, child age) per call. OpenAI is bound by EU/UK data-transfer Standard Contractual Clauses.
- Stripe and Apple process payments on their own infrastructure (Stripe: EU/US; Apple: US). Both are bound by the same SCCs.
We retain your data for as long as your Flybrite account is active. When you delete your account, all of your personal data is removed from our systems within 30 days, except where we are legally required to retain it (e.g. financial records for HMRC, which are retained for the statutory 6 years).
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you.
- Correct inaccurate or incomplete data. Most fields are editable directly in the app under Me → Settings.
- Delete your data. You can delete your account from Me → Settings; this removes your profile, children, moments, photos, reports, and messages within 30 days. Email [email protected] if you’d rather we handle it.
- Object to or restrict certain processing.
- Take your data with you. Email [email protected] and we’ll send you a structured JSON export of everything tied to your account, free, within 30 days.
- Withdraw consent at any time without affecting prior lawful processing.
- Complain to the ICO. See “Contact us” below.
To exercise any of these rights, email [email protected]. We will respond within 30 days.
Children's data
Flybrite is designed for use by parents and guardians of home-educated children. Children do not create accounts or interact with the platform directly. Profile data about a child — name, age, interests, photos — is entered and managed by the parent or guardian who holds the account.
Under UK GDPR you are responsible for the lawful basis for entering your child’s data. In most home-education contexts that lawful basis is parental responsibility combined with the child’s vital interests in having an educational record. We are the data processor for the child’s data and you are the data controller; we process it only as instructed by you, the parent.
The child is the subject of the record. One day they will also be its reader. You can export or delete the full record at any time.
Changes to this policy
We will update this policy when our practices change — for example if we add a new sub-processor, change where data is stored, or start collecting a new type of data. We will:
- Update the “Last updated” date at the top of this page.
- Email you in advance if the change materially affects your rights or how your data is used.
Continued use of Flybrite after a change implies you accept the updated policy. If you don’t accept, you can export your data and close your account at any time (see “Your rights”).
Contact us
Flybrite is operated by Zanzero Investments Ltd, a company registered in England & Wales. To exercise any of the rights described above, or to ask any privacy question, email [email protected].
If we don’t resolve your concern, you have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.