Privacy Policy
Last updated: February 2026
This privacy policy explains how Sproggo ("we", "us", "our") collects and uses your personal data when you use our website at sproggo.co.uk and any associated services (together, "the Service"). We are committed to protecting your privacy and handling your data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who We Are
Sproggo is the data controller for the personal data we collect through the Service. This means we decide how and why your data is processed.
- Website: sproggo.co.uk
- Contact email: hello@sproggo.co.uk
- Data protection: privacy@sproggo.co.uk
What Personal Data We Collect
The data we collect depends on how you use the Service:
If you create an account
- Email address and name to identify your account. Account sign-in is handled by a third-party authentication provider on our behalf.
- Children's first names and dates of birth so we can recommend age-appropriate activities as they grow. Each child's name and date of birth is individually encrypted using a dedicated encryption key before being stored. Only the birth month and year are kept in a form we can use, so we can match activities to your child's age. We do not collect surnames, photos, or any other identifying information about your children. You can delete any child from your account at any time.
- Postcode if you choose to provide one. We convert your postcode into approximate coordinates (latitude and longitude) so we can find activities near you. The original postcode and its coordinates are stored on your account and can be changed or removed at any time from your account settings.
If you make a booking
- Booking details including the activity, date, time, and number of places
- Payment information processed securely through Stripe. Your payment goes directly to the activity provider. We do not hold your funds or store your full card number. Stripe provides us with a partial card number and transaction reference for our records.
- Star ratings if you choose to rate an activity after a completed booking. Ratings contribute to an aggregate score shown on the activity page. Individual ratings are not displayed publicly and are not linked to your name.
If you use the site without an account
- Location data (coordinates from your browser's geolocation API, or a postcode you enter manually) stored locally on your device to show nearby activities. This is never sent to our servers automatically.
- Cookie preferences stored locally on your device.
If you are an activity provider
- Business name, contact details, and activity listings which you provide when creating or managing your listings. This information is published on the Service and is visible to parents.
- Payment and subscription details processed through Stripe Connect, including bank account information required for payouts.
- Booking and attendance data for participants in your activities, including which children attended a given session.
- AI-assisted content: if you use our listing tools, the details you provide may be sent to a third-party AI service to help create activity descriptions. You review and approve the result before it is published.
Automatically collected data
- Standard server logs (IP address, browser type, pages visited) collected by our hosting provider for security and operational purposes.
- Analytics data (pages viewed, interactions) collected via Google Analytics, only if you consent to analytics cookies.
- Error reports and performance data collected by our error monitoring service to help us find and fix problems. This may include the page you were viewing, your browser type, and technical details about the error. No payment data or children's data is included in error reports.
Why We Process Your Data (Legal Basis)
Under UK GDPR, we need a lawful basis to process your personal data. Here is the basis for each purpose:
| Purpose | Legal basis |
|---|---|
| Creating and managing your account | Contract: necessary to provide the service you signed up for |
| Processing bookings and payments | Contract: necessary to fulfil the booking you made |
| Sending transactional emails (booking confirmations, account notifications) | Contract: necessary to operate the service |
| Sending marketing emails about Sproggo | Consent: you can opt out at any time |
| Sending activity suggestion emails based on your children's ages and your location | Consent (Article 6(1)(a)): you must explicitly opt in, and can opt out at any time from your email preferences or via the unsubscribe link in any email |
| Analytics and improving the Service | Consent: only with your cookie consent |
| Operating and securing the website | Legitimate interest: keeping the service running and safe |
| Monitoring errors and maintaining the Service | Legitimate interest: keeping the service running and identifying technical problems |
| Publishing provider listings | Contract: necessary to provide the listing service providers signed up for |
Where we rely on consent, you can withdraw it at any time by visiting your email preferences, clicking the unsubscribe link in any email, or emailing privacy@sproggo.co.uk. Withdrawing consent does not affect the lawfulness of processing that happened before you withdrew it.
How We Store Your Data
Your data is stored in a secure, encrypted database hosted in the EU/EEA. All connections are encrypted in transit using TLS/SSL.
Children's names and dates of birth receive an extra layer of protection. Each value is individually encrypted using a dedicated encryption key managed by Amazon Web Services before it is written to the database. This means that even in the unlikely event of a database breach, these details cannot be read without separate access to the encryption key.
Your data may be processed in the EU/EEA, which is covered by a UK adequacy decision, meaning it is considered to provide an adequate level of data protection.
Account authentication is handled by a specialist third-party provider. We do not store your password. We take reasonable steps to protect your personal data from unauthorised access, loss, or misuse. However, no method of transmission or storage is 100% secure.
How Long We Keep Your Data
- Account data: kept for as long as your account is active. If you delete your account, we will erase your personal data within 30 days.
- Booking records: kept for 6 years after the booking date to comply with financial record-keeping requirements.
- Marketing preferences and consent records: kept until you delete your account. We retain a record of when you opted in or out to demonstrate lawful consent.
- Activity suggestion log: a record of which sessions we have suggested to you, kept to avoid sending duplicates. Deleted when you delete your account.
- Ratings: kept for as long as the activity exists on the Service. If you delete your account, your rating is removed.
- Error reports: kept for up to 90 days.
- Notifications: automatically deleted after expiry (typically 30 days).
- Server logs: kept for up to 90 days for security and debugging purposes.
Who We Share Your Data With
We do not sell your personal data to anyone. We share it only with the following service providers who help us run the Service:
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services | Application hosting (eu-west-2, London) | UK/EU |
| Clerk | Authentication and account management | US/EU |
| Neon | Database hosting | EU |
| Vercel | Website hosting and CDN | Global (with EU regions) |
| Stripe | Payment processing | EU/US |
| Analytics (only with your consent) | Global | |
| Resend | Transactional email delivery | US/EU |
| Sentry | Error monitoring and performance tracking | EU |
| Anthropic | AI-assisted activity content generation (provider data only) | US |
| CARTO / OpenStreetMap | Map tiles and location display | EU/Global |
These providers only process your data on our behalf and under our instructions. Where data is transferred outside the UK, we ensure appropriate safeguards are in place (such as Standard Contractual Clauses or UK adequacy decisions).
When you make a booking, the activity provider will receive the details necessary to fulfil that booking (your name and the booking details). Providers are responsible for their own use of that data.
Your Rights
Under UK GDPR, you have the following rights:
- Right of access: you can ask for a copy of the personal data we hold about you
- Right to rectification: you can ask us to correct any data that is wrong or incomplete
- Right to erasure: you can ask us to delete your personal data
- Right to restrict processing: you can ask us to limit how we use your data
- Right to data portability: you can ask for your data in a structured, machine-readable format
- Right to object: you can object to us processing your data, including for direct marketing
- Right to withdraw consent: where we rely on your consent, you can withdraw it at any time
To exercise any of these rights, email us at privacy@sproggo.co.uk. We will respond within one month. If your request is particularly complex, we may extend this by up to two further months, but we will let you know.
Right to Complain
If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator.
- Website: ico.org.uk
- Phone: 0303 123 1113
We would appreciate the chance to address your concerns first, so please contact us at privacy@sproggo.co.uk before raising a complaint with the ICO.
Children's Privacy
Sproggo is a service for parents and activity providers. We do not knowingly collect personal data directly from anyone under the age of 16. Accounts are intended for adults only.
We collect limited data about children (first name and date of birth) from their parent or carer, solely to recommend age-appropriate activities. Each child's name and date of birth is individually encrypted using a dedicated encryption key before being stored. Only the birth month and year are kept in a readable form so we can match activities to your child's age. This data can be permanently deleted at any time from your account settings. We do not collect surnames, photos, or any other identifying information about children.
When your child attends a booked activity, the provider may record their attendance for that session. This is limited to a record that the child attended on a given date.
If you believe a child under 16 has given us their personal data, please contact us at privacy@sproggo.co.uk and we will delete it promptly.
Activity Suggestion Emails
If you opt in, we will send you occasional emails about upcoming sessions near you with spots available. To do this, we use:
- Your children's ages (calculated from the birth month and year you provided) to find sessions that are age-appropriate
- Your postcode (converted to approximate coordinates) to find sessions within roughly 15 kilometres of you
We only send these emails to parents who have explicitly opted in. We record when you gave consent and how (for example, during onboarding or from your account settings) so we can demonstrate that consent was freely given, as required by PECR and UK GDPR Article 6(1)(a).
Each email includes a direct link to your email preferences page where you can turn off activity suggestions at any time. We keep a log of which sessions we have suggested to you so we do not send you the same suggestion twice. This log is deleted when you delete your account.
These emails are sent through Resend, our email delivery provider (listed in the "Who We Share Your Data With" section above). Resend processes your email address on our behalf to deliver the message. No other personal data is shared with Resend.
Changes to This Policy
We may update this privacy policy from time to time. If we make significant changes, we will let you know by email (if you have an account) or by placing a notice on the website. The "Last updated" date at the top of this page shows when the policy was last changed.
Contact Us
If you have any questions about this privacy policy or how we handle your data, get in touch:
- General enquiries: hello@sproggo.co.uk
- Data protection: privacy@sproggo.co.uk
See also: Cookie Policy | Terms of Service