Privacy Policy
Last updated: 1 December 2024
1. Introduction
Early Tree ("we", "us", or "our") is committed to protecting your privacy and handling your personal data responsibly, transparently, and in compliance with all applicable laws. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you use any of our services, including:
- Our websites (including earlytree.co.uk and associated subdomains)
- Our web applications (including the Early Tree Nursery Management System, Inspector Who, and the Early Years Funding Portal)
- Our mobile applications for iOS and Android devices
- Any APIs, integrations, or third-party connections we provide
- Any related support, communications, or administrative services
Collectively, all of the above are referred to in this policy as the "Services". Please read this policy carefully. If you do not agree with any part of it, please do not use our Services.
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where we process personal data about children, parents, or staff members on your behalf, we do so as a data processor, and you (the nursery, early years setting, or local authority) remain the data controller responsible for that data.
2. Data Controller
For personal data that we collect directly from you (such as account information, contact details, and usage data), Early Tree acts as the data controller. Our contact details are:
Early Tree
Email: hello@earlytree.co.uk
Where we process Customer Data (data about children, families, or staff that you upload or input into our Services), we act as a data processor and you act as the data controller. In those cases, our processing activities are governed by a separate Data Processing Agreement.
3. What Personal Data We Collect
3.1 Information You Provide Directly
We collect personal data that you voluntarily provide to us, including:
- Account registration: Name, email address, phone number, job title, and organisation name
- Profile information: Profile photo, role, and preferences you set in your account
- Contact and enquiry data: Information submitted through our contact forms, demo requests, and sales enquiries
- Payment and billing information: Billing address, invoicing details, and payment card information (payment card data is processed directly by our PCI-DSS-compliant payment provider and is not stored on our systems)
- Communications: The content of emails, support tickets, live chat messages, feedback submissions, and other communications you send to us
- Survey and research data: Responses to surveys, feedback forms, and user research activities
3.2 Information We Collect Automatically
When you use our websites, web applications, or mobile applications, we automatically collect certain technical and usage information, including:
- Device information: IP address, browser type and version, operating system, device type (desktop, mobile, tablet), device model, and manufacturer
- Mobile device identifiers: When using our mobile apps, we may collect your device's unique advertising identifier (IDFA on iOS, GAID on Android) if you consent, your device's hardware identifiers, and push notification tokens
- Network information: Mobile network operator, Wi-Fi network information, and connection type (Wi-Fi, 4G, 5G)
- Usage data: Pages and screens visited, features used, time spent on pages and screens, actions taken within the app, button clicks, and navigation paths
- Performance data: App crashes, error logs, latency metrics, and other diagnostic data to help us maintain and improve service quality
- Location data: We do not collect precise GPS location data unless you explicitly grant permission. If you grant permission, this may be used for features such as identifying nearby settings or mapping
- Cookies and similar technologies: We use cookies, local storage, and session storage on our websites and web apps. Our mobile apps may use equivalent SDK-based tracking mechanisms. See our Cookie Policy for full details
- Referral data: The URL of the page or app store listing that referred you to our website or app
3.3 Permissions Requested by Our Mobile Applications
Our mobile applications may request access to certain device features. We only request permissions that are genuinely necessary for the functionality of the app. Permissions we may request include:
- Camera: To allow staff to capture photos of children's activities, observations, or documents directly within the app
- Photo library / media storage: To allow you to upload images from your device's photo library
- Push notifications: To send you in-app alerts about important updates, tasks, or communications
- Biometric authentication: Face ID, Touch ID, or equivalent Android biometric authentication, used solely to secure access to the app on your device. Biometric data is processed entirely by your device's operating system and is never transmitted to or stored by Early Tree
- Local storage: To store data locally on your device for offline access and improved performance
You can manage app permissions at any time through your device's operating system settings. Revoking a permission may limit certain features of the app.
3.4 Customer Data
When you use our Services (such as the Early Tree Nursery Management System or Early Years Funding Portal), you may upload or input data about children, parents, guardians, and staff members ("Customer Data"). Customer Data may include sensitive categories of personal data such as health information, special educational needs (SEN) records, and safeguarding notes. This data remains entirely under your control as the data controller. We process Customer Data only as your data processor, solely to provide the Services to you and as described in our Data Processing Agreement.
3.5 Data from Third Parties
We may also receive personal data about you from third parties, including:
- App stores: When you download our mobile app, Apple App Store or Google Play Store may share limited information such as your country and download date with us for analytics purposes
- Payment processors: Our payment provider may share transaction status and fraud signals with us
- Integration partners: If you connect third-party tools or services to your Early Tree account, those services may share relevant data with us
- Marketing and analytics platforms: We may receive aggregated or pseudonymised audience data from advertising platforms to measure the effectiveness of our marketing
4. How We Use Your Personal Data
We use the personal data we collect for the following purposes:
- Account creation and management: To register your account, verify your identity, and manage your access to our Services
- Service delivery: To provide, operate, and maintain the features and functionality of our Services across web and mobile platforms
- Mobile app functionality: To enable push notifications, offline mode, biometric login, and other mobile-specific features you have enabled
- Customer support: To respond to your enquiries, resolve technical issues, and provide assistance
- Billing and payments: To process subscription fees, issue invoices, and manage your billing account
- Communications: To send you service-related notifications (such as password resets, subscription renewals, and feature updates) and, where you have consented or we have a legitimate interest, marketing communications about our products
- Product improvement: To analyse usage patterns, conduct A/B testing, and undertake research and development to improve our Services
- Security and fraud prevention: To detect, investigate, and prevent unauthorised access, fraud, abuse, and other harmful activity on our Services
- Legal compliance: To comply with applicable laws, respond to regulatory requests, and enforce our legal rights and obligations
- Analytics and performance: To measure app performance, identify bugs and crashes, and monitor service reliability
5. Legal Bases for Processing
Under the UK GDPR, we are required to have a lawful basis for each processing activity. We process your personal data on the following bases:
- Performance of a contract (Article 6(1)(b)): Processing that is necessary to create and manage your account, deliver the Services you subscribe to, process payments, and respond to pre-contractual enquiries.
- Legitimate interests (Article 6(1)(f)): Processing that is necessary for our legitimate business interests, including improving our products, preventing fraud, securing our systems, sending direct marketing to existing customers about similar products, and understanding how our Services are used — provided these interests are not overridden by your rights and interests.
- Legal obligation (Article 6(1)(c)): Processing that is necessary for us to comply with legal and regulatory obligations, including financial record-keeping, responding to court orders, and cooperating with regulatory investigations.
- Consent (Article 6(1)(a)): Where we rely on your consent, such as for the placement of non-essential cookies, sending marketing emails to non-customers, or collecting precise location data. You may withdraw your consent at any time without affecting the lawfulness of processing before withdrawal.
- Special category data (Article 9(2)): Where Customer Data includes special category personal data (such as health or SEN information relating to children), we process this data as a data processor on your instruction. You, as the data controller, are responsible for identifying and documenting the appropriate Article 9 basis, which is typically explicit consent (Article 9(2)(a)) or the provision of health or social care (Article 9(2)(h)).
6. Data Sharing and Disclosure
We do not sell your personal data or share it with third parties for their own marketing purposes. We may share your data in the following circumstances:
- Service providers and sub-processors: We share data with carefully selected third-party companies who help us deliver our Services. These include cloud hosting providers, database and storage services, payment processors, email delivery services, customer support platforms, analytics providers, mobile push notification services, and crash reporting tools. All sub-processors are required to process data only on our instructions and to implement appropriate security measures.
- App platform providers: When you use our mobile apps, Apple (iOS) and Google (Android) may collect certain data as part of operating their app distribution platforms, governed by their own privacy policies.
- Professional advisers: Solicitors, accountants, auditors, and insurers who require access to data as part of providing their professional services to us, subject to binding duties of confidentiality.
- Legal and regulatory authorities: We may disclose personal data to courts, regulators, law enforcement agencies, or other public authorities where required by law, court order, or where we believe disclosure is necessary to protect the rights, property, or safety of Early Tree, our customers, or others.
- Business transfers: If Early Tree undergoes a merger, acquisition, restructuring, or sale of all or part of its assets, your personal data may be transferred to the relevant acquirer or successor entity. We will notify affected users before any such transfer occurs.
- With your consent: We may share data with other third parties where you have given explicit consent for us to do so.
7. International Data Transfers
Our Services are primarily hosted within the United Kingdom and the European Economic Area. However, some of our third-party service providers may process data outside these territories, including in the United States and other countries. Where we transfer personal data outside the UK, we ensure that an appropriate safeguard is in place, using one or more of the following mechanisms:
- An adequacy decision by the UK Secretary of State in respect of the recipient country
- UK International Data Transfer Agreements (IDTAs) or addenda to EU Standard Contractual Clauses as approved by the UK Information Commissioner's Office
- Binding corporate rules, or other approved transfer mechanisms under UK GDPR
You may request further information about the specific safeguards applicable to any international transfer by contacting us at hello@earlytree.co.uk.
8. Data Retention
We retain personal data only for as long as is necessary for the purposes set out in this policy, and as required by applicable law. The following table sets out our general retention approach:
| Category of Data | Retention Period | Basis |
|---|---|---|
| Account information | Duration of account plus 2 years | Contract / Legal obligation |
| Customer Data (uploaded by you) | Duration of subscription, then deleted or anonymised within 90 days of termination | Contract / Data processor obligation |
| Financial and billing records | 7 years | Legal obligation (Companies Act / HMRC) |
| Communications and support records | 3 years from last interaction | Legitimate interest |
| Usage and analytics data | 26 months (anonymised after this period) | Legitimate interest |
| Security and access logs | 12 months | Legitimate interest / Legal obligation |
| Marketing consent records | Until consent is withdrawn, plus 3 years | Legal obligation (PECR / UK GDPR) |
| Mobile app crash and performance logs | 90 days | Legitimate interest |
When your personal data is no longer required, we will securely delete or anonymise it. Where full deletion is not immediately practicable (e.g. due to backup systems), the data will be isolated and protected from further use until deletion is complete.
9. Your Rights Under UK GDPR
Subject to certain exemptions, you have the following rights in respect of your personal data:
- Right of access (Subject Access Request): You have the right to request a copy of the personal data we hold about you, information about how we use it, and who we share it with.
- Right to rectification: You have the right to ask us to correct inaccurate or incomplete personal data about you.
- Right to erasure ("right to be forgotten"): You may ask us to delete your personal data in certain circumstances, for example where the data is no longer necessary, where you withdraw consent, or where you object to processing on grounds of legitimate interests.
- Right to restriction of processing: You may ask us to restrict how we use your data in certain circumstances, for example while a dispute about accuracy is resolved.
- Right to data portability: Where we process your data based on contract or consent, and processing is carried out by automated means, you may request that we provide your data in a structured, commonly used, machine-readable format.
- Right to object: You have the right to object to processing based on our legitimate interests. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or where the processing is necessary for legal claims.
- Right to withdraw consent: Where we rely on your consent as the basis for processing, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of any processing carried out before withdrawal.
- Rights in relation to automated decision-making: You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you. We do not currently carry out such automated decision-making, but if we introduce it in future, we will update this policy and provide appropriate safeguards.
To exercise any of these rights, please submit a written request to hello@earlytree.co.uk. We will respond within one calendar month. We may extend this period by a further two months for complex or numerous requests, in which case we will notify you within the first month. We may need to verify your identity before processing your request. We will not charge a fee for reasonable requests.
10. Electronic Marketing (PECR)
In addition to the UK GDPR, the Privacy and Electronic Communications Regulations 2003 (PECR) govern how we may send marketing communications electronically.
- We will only send you marketing emails if you have consented, or if you are an existing customer and we are contacting you about similar products or services (the "soft opt-in"), and you have not opted out
- Every marketing email we send includes a clear and easy way to unsubscribe
- Push notifications via our mobile apps are only sent if you have granted notification permission on your device. You may withdraw this permission at any time through your device settings
- We do not send marketing SMS messages without your explicit prior consent
11. Security
We implement appropriate technical and organisational measures proportionate to the risks of our processing activities. Our security measures include:
- Encryption in transit: All data transmitted between your browser or mobile app and our servers is encrypted using TLS 1.2 or above
- Encryption at rest: Sensitive data stored in our databases and backups is encrypted at rest
- Access controls: Access to personal data is restricted on a need-to-know basis, with role-based access controls and multi-factor authentication for staff accessing production systems
- Mobile app security: Our mobile apps implement platform-recommended security practices, including certificate pinning, secure local storage, and biometric authentication options
- Regular security assessments: We conduct periodic vulnerability assessments and penetration tests of our systems
- Incident response: We maintain a data breach response procedure and will notify the ICO within 72 hours and affected individuals without undue delay where a breach is likely to result in a high risk to their rights and freedoms
- Staff training: All staff receive data protection and information security training
- Sub-processor due diligence: We assess the security practices of all sub-processors before engaging them
Despite these measures, no method of transmission over the internet or method of electronic storage is completely secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security.
12. Children's Privacy
Our marketing websites and account registration process are not directed at children under the age of 16. We do not knowingly collect personal data directly from children under 16. If you believe we have inadvertently collected such data, please contact us immediately and we will take prompt steps to delete it.
For our Services that are used by nurseries and early years settings to manage child records, you, as the data controller, are responsible for obtaining appropriate consents from parents or guardians and for complying with all applicable laws relating to the processing of children's personal data, including any requirements under the EYFS statutory framework and local authority guidance.
13. Third-Party Links and Integrations
Our Services may contain links to third-party websites, and our mobile apps may include integrations with third-party services (such as accounting software or local authority portals). This Privacy Policy does not apply to those third parties. We encourage you to review the privacy policies of any third-party service you access through our Services, as we are not responsible for their privacy practices.
14. Complaints
If you have concerns about how we handle your personal data, please contact us in the first instance and we will endeavour to resolve your concerns promptly. You also have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Telephone: 0303 123 1113
Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
If you are located in another jurisdiction, you may also have the right to lodge a complaint with your local data protection supervisory authority.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Services. We will notify you of material changes by posting the updated policy on this page, updating the "Last updated" date, and, where appropriate, sending you a notification by email or within the app. We encourage you to review this policy periodically. Your continued use of the Services after any changes constitutes your acceptance of the updated policy.
16. Contact Us
If you have any questions about this Privacy Policy, wish to exercise your data subject rights, or have concerns about our privacy practices, please contact us:
Email: hello@earlytree.co.uk
Contact form: earlytree.co.uk/contact