Phonics Check.Open app

Privacy

Last updated: 7 May 2026

Who we are

PhonicsCheck.co.uk is a small UK-based tool built by a parent, for parents preparing children for the Year 1 Phonics Screening Check. If you have any question at all about how we handle your data, please email support@phonicscheck.co.uk. A real person reads it.

What we collect

We collect three things, and only these three things:

  • Your email address. This is your sign-in identity. We use it to send you a one-time magic link when you want to access your account, and to send your purchase receipt.
  • Your child’s first name.This is shown in the app as a label — for example, “Lily’s progress”. We never use it for marketing. We never send your child anything. You can clear it at any time, and you can leave it blank from the start if you prefer.
  • Your child’s practice results. Which words they read correctly, which sounds they find tricky, which alien characters they collected, and their daily streak. This is what powers the Progress and Practice screens.

We do not collect any contact details for your child, and we never will. No address, no phone number, no school, no date of birth, no photo, no second email. The child does not have an account with us — you do.

Why we collect it (lawful basis)

For paid users, we collect what we need to fulfil our contract with you (UK GDPR Article 6(1)(b)) — we have to know who has paid in order to unlock the app for them, and we have to send a magic link to verify that it’s you when you sign back in.

For practice diagnostics — which letter-sound pairs your child finds tricky — we rely on legitimate interests (Article 6(1)(f)). Showing you that detail is the core of the product; without it the app is just a word-list. We have considered the impact on your child and consider it to be minimal: the data is shown only to you, never shared, never sold, never used for advertising.

We do not rely on consent for anything beyond strictly-necessary cookies (see below), because we don’t need to.

Each piece of data is voluntary. If you don’t give us your email, we can’t sign you in or unlock the season pass; if you leave the child’s name blank, the app shows a generic label; if your child doesn’t complete sessions, the Progress and Practice screens have nothing to show. The only consequence of not providing a piece of data is a feature that can’t operate.

Automated decisions

We don’t make any automated decisions about you or your child that have a legal or similarly significant effect. The Progress and Practice screens surface patterns from your child’s session results so you can see what to drill next, but the app doesn’t score, rank, grade, or profile anyone, and nothing it does is binding on you.

Who we share it with

We use a small set of trusted suppliers (“data processors”) to actually run the service. Each one only sees the slice of data they need:

  • Neon hosts our database in the EU. They see your email, your child’s first name, and the practice results.
  • Resend sends our transactional email (sign-in links, receipts). They see your email and the email contents.
  • Stripe processes payments. They see your email and your card details. We never see your card details — Stripe handles them directly.
  • Vercel hosts the website and provides cookieless aggregate analytics (page views, no individual tracking).

We do not sell your data, share it with advertisers, or use it to build a profile of your child. We do not use any third-party advertising or tracking tools.

How long we keep it

We keep your account and your child’s session history for as long as you have an account with us. There’s no rolling delete — parents tell us they like seeing how their child has progressed over the practice season, and across seasons if they return for a younger sibling.

If you’d like everything deleted, email support@phonicscheck.co.uk and we’ll erase it within 30 days. We’ll send you a confirmation when it’s done.

Children’s data (the Children’s Code)

The UK’s Age Appropriate Design Code (the “Children’s Code”) sets a high bar for online services that process children’s personal data. This is how we’ve designed PhonicsCheck.co.uk against it:

  • The service is operated by you, the parent. The child sits next to you and reads words aloud; they don’t have an account, a password, a profile, or any way to sign in.
  • The only piece of personal data we hold about your child is their first name, and only if you choose to enter it. We use it as a label in the interface and nothing else.
  • We do not build a profile of your child for advertising, nudging, or external sharing. We do not use behavioural advertising. We do not have in-app messaging that targets your child.
  • Default settings are privacy-preserving. There are no public profiles, no leaderboards visible to other users, no social features.
  • The service is presented to the parent. We don’t consider this a service “directed at children” in the sense the Code uses — but we’ve applied its protections anyway, because a child uses it next to you.

Cookies

We set one cookie: pc_session. It’s a signed, httpOnly, Secure, SameSite=Lax cookie that holds your sign-in state. Without it, you would have to sign in every time you reload the page. It is strictly necessary, so we don’t need to ask your permission to set it.

We set no advertising cookies. We set no analytics cookies. Vercel Web Analytics, our analytics provider, is cookieless — it counts page views without identifying individual visitors.

Because the only cookie we set is strictly necessary, we don’t show a cookie banner.

Your rights

Under UK GDPR you have the right to:

  • access the data we hold about you;
  • correct it if it’s wrong;
  • have it erased;
  • have it sent to you in a portable format;
  • restrict how we use it;
  • object to how we use it.

To exercise any of these, email support@phonicscheck.co.uk. We’ll respond within 30 days, usually much sooner. There is no charge.

If you’re unhappy with how we’ve handled your data, you have the right to complain to the Information Commissioner’s Office at ico.org.uk/concerns. We’d much rather hear from you first so we can put it right.

How we protect it

Everything you send us travels over HTTPS. The database is encrypted at rest by our hosting provider, and access to it is limited to the maintainer and the provider’s standard infrastructure. If we ever have a personal-data breach that is likely to put you at risk, we’ll notify the Information Commissioner’s Office within 72 hours and email any affected user without delay.

International transfers

Stripe, our payment processor, is based in the United States. Card and payment data flows to them under the UK International Data Transfer Agreement and Stripe’s standard contractual clauses. Everything else — your email, your child’s first name, the practice results — stays in the UK or the EEA.

Changes to this policy

If we make a material change to how we handle your data, we’ll update the “Last updated” date at the top of this page, and we’ll email you. Smaller wording fixes won’t trigger an email.