Privacy

Privacy Notice

Bright Steps is committed to protecting your privacy and handling personal information safely, fairly and transparently. This Privacy Notice explains how we collect, use, store and protect information when you use our website, resources, online tools, forms, community features or subscription services.

This notice is written in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Bright Steps provides general SEND-related information, tools and resources for parents, carers, families and professionals. We are not a medical, legal, educational psychology or diagnostic service. Any information provided through Bright Steps is for general guidance and support only.

1. Who we are

Bright Steps is a UK-based SEND support platform created to help families access practical information, activities, templates, routines, reward tools and support resources.

For privacy questions, data requests or concerns, please get in touch via our contact page.

2. What personal information we may collect

Depending on how you use the website, we may collect:

  • Names
  • Email addresses
  • Account login details
  • Subscription/payment status
  • Messages sent through contact forms
  • Community posts, comments or questions
  • Child profile information that you choose to enter
  • SEND-related notes, preferences, routines or tracker information that you choose to add
  • Website usage information
  • Device, browser and IP information
  • Cookie and analytics data
  • Marketing preferences
  • Customer support messages

We only ask for information that is needed to provide the service, improve the website, respond to you, manage subscriptions, keep users safe, or meet legal responsibilities.

3. Information about children

Bright Steps may allow parents or carers to create child profiles, routines, reward charts, trackers or support records.

Where information about a child is entered, this should only be done by a parent, carer or responsible adult with the right to provide that information.

We do not knowingly collect personal information directly from children without appropriate adult involvement. If we become aware that information has been provided by a child without permission, we will take reasonable steps to remove it.

Users should avoid adding unnecessary sensitive details, medical documents, school reports or highly private information unless the feature specifically asks for it and it is genuinely needed.

4. Special category data

Some SEND-related information may be classed as special category data under UK GDPR. This may include information about health, disability, neurodivergence, behaviour, development, support needs or medical conditions.

We only process this type of information when you choose to provide it and where it is needed to deliver the service or support feature you are using.

We treat this information with extra care and do not sell it to third parties.

5. How we use your information

We may use personal information to:

  • Create and manage user accounts
  • Provide website features and subscription services
  • Allow users to save activities, trackers, routines and reward charts
  • Respond to contact forms or support requests
  • Send account, service or payment-related messages
  • Send newsletters or updates where consent has been given
  • Improve website content, tools and user experience
  • Maintain safety and moderation in community areas
  • Prevent misuse, spam, fraud or security issues
  • Keep appropriate records for legal, accounting or tax purposes
  • Comply with legal obligations

6. Our lawful bases for using data

Under UK GDPR, we must have a lawful reason for using personal information. Depending on the situation, we may rely on:

Consent — for example, when you sign up to receive newsletters or agree to optional cookies.

Contract — for example, when we provide a paid subscription, account access, downloads or digital tools.

Legitimate interests — for example, improving the website, keeping the service secure, responding to enquiries and preventing misuse.

Legal obligation — for example, keeping payment, tax or accounting records where required.

Explicit consent — where special category data is entered voluntarily into certain tools or features.

7. Payments and subscriptions

If Bright Steps offers paid subscriptions, payments may be handled by a third-party payment provider such as Stripe, PayPal or another secure payment platform.

Bright Steps does not store full card details on its own website unless clearly stated. Payment providers may process payment information according to their own privacy notices and security standards.

We may store subscription status, billing history, payment confirmation, plan type and renewal/cancellation information.

8. Emails and marketing

We may send you service-related emails about your account, subscription, password changes, important website updates or safety notices.

We will only send marketing emails, newsletters or promotional updates where you have given consent or where the law allows us to do so.

You can unsubscribe from marketing emails at any time by using the unsubscribe link or contacting us.

9. Cookies and analytics

Bright Steps may use cookies or similar technologies to:

  • Keep the website working properly
  • Remember user preferences
  • Understand how visitors use the site
  • Improve website performance
  • Support login and account features
  • Measure content and feature usage
  • Support security and fraud prevention

Where required, we will ask for your consent before using non-essential cookies.

You can usually control or delete cookies through your browser settings.

10. Community areas

If the website includes community features, comments, forums or parent discussion spaces, information you post may be visible to other users depending on the feature.

Please do not post private information about yourself, your child, another child, school staff, medical professionals or other families.

Bright Steps may moderate, remove or restrict content that is unsafe, harmful, abusive, discriminatory, misleading or inappropriate.

11. AI tools and automated support

Bright Steps may include AI-assisted tools to help explain SEND information, suggest activities, create routines, draft templates or provide general guidance.

AI tools should not be used as a replacement for professional medical, legal, safeguarding, educational or diagnostic advice.

Users should avoid entering highly sensitive personal information into AI tools unless clearly necessary. Outputs should always be checked by a responsible adult before being used.

12. Who we may share information with

We may share limited information with trusted service providers who help us operate the website, including:

  • Website hosting providers
  • Email providers
  • Payment processors
  • Analytics providers
  • Security and spam-prevention tools
  • Customer support tools
  • Database or cloud storage providers
  • Professional advisers, where necessary
  • Legal or regulatory authorities, where required

We do not sell personal information.

We only share information where necessary and where appropriate safeguards are in place.

13. International data transfers

Some service providers may store or process data outside the UK.

Where this happens, we will take reasonable steps to make sure appropriate safeguards are in place, such as adequacy decisions, standard contractual clauses or other lawful transfer mechanisms.

14. How long we keep information

We only keep personal information for as long as needed.

This may depend on:

  • How long you have an account with us
  • Whether you have an active subscription
  • Whether we need records for tax, legal or accounting reasons
  • Whether information is needed to resolve a complaint or dispute
  • Whether you ask us to delete your data
  • Whether safeguarding, legal or security concerns apply

If you delete your account, we will remove or anonymise personal information where possible, unless we need to keep certain records for legal, safety or legitimate business reasons.

15. How we protect your information

We take reasonable steps to protect personal information against loss, misuse, unauthorised access, alteration or disclosure.

This may include secure hosting, password protection, restricted access, encryption where appropriate, monitoring, backups and regular review of systems.

No online service can be guaranteed to be completely secure, so users should also take care with passwords and avoid sharing sensitive information unnecessarily.

16. Your data protection rights

Under UK GDPR, you may have rights including:

  • The right to be informed about how your data is used
  • The right to access your personal data
  • The right to correct inaccurate data
  • The right to ask for data to be erased
  • The right to restrict processing
  • The right to object to certain processing
  • The right to data portability
  • The right to withdraw consent where consent is used
  • The right to complain to the Information Commissioner's Office

17. Your right to object

You have the right to object to certain uses of your personal information.

You have an absolute right to object to your personal data being used for direct marketing.

To object, get in touch via our contact page.

18. How to make a data request

To make a data protection request, get in touch via our contact page.

We may need to confirm your identity before responding.

We aim to respond within the required legal timeframe.

19. Complaints

Please contact us first so we can try to resolve any privacy concern.

You also have the right to complain to the UK data protection regulator:

Information Commissioner's Office
Website: ico.org.uk

20. Changes to this Privacy Notice

We may update this Privacy Notice from time to time.

Significant changes may be highlighted on the website or sent by email where appropriate.