SimmaSend

Privacy Policy

How we collect, use and protect your data.

Last updated: April 2026

This privacy policy is served by SimmaSend under the websites simmasend.com and app.simmasend.com. The purpose of this policy is to explain how we control, process, handle and protect your personal information when you use our service. If you do not agree to this policy, you may wish to stop using the website.

Policy key definitions

  • “We”, “us”, “our” refer to SimmaSend.
  • “You”, “the user” refer to the person or organisation using SimmaSend.
  • “School” refers to the educational establishment that has subscribed to SimmaSend.
  • “Teacher” refers to a member of staff at a school who records feedback.
  • “Student” refers to a pupil at a school who receives feedback.
  • GDPR means the UK General Data Protection Regulation.
  • ICO means the Information Commissioner's Office.

Key principles of GDPR

Our privacy policy is built on the following principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.

Who is the data controller?

For the purposes of GDPR, the school is the data controller. SimmaSend acts as the data processor, processing personal data on behalf of the school under a Data Processing Agreement. SimmaSend does not independently decide how or why personal data is processed — those decisions are made by the school.

What personal data we collect

School administrators

  • Email address (used for magic link sign-in and account identification)
  • Name (used for display within the admin dashboard)

Teachers

  • Name and subject (entered once on first use, stored in a browser cookie and in our database)
  • Email address (optional — may be provided by a school administrator for invitations and communications)
  • No password or login is required for teachers

Students

  • First name and last name (entered by a school administrator)
  • Email address (optional — may be provided by a school administrator to enable email notifications when new feedback is available)
  • No login, password or account is created for students
  • Students access their feedback via a unique URL (UUID) embedded in a QR code. This URL acts as the access token — anyone with the link can view that student's feedback.

Feedback data

  • Audio recordings, video recordings, photographs and text feedback uploaded by teachers
  • AI-generated transcripts, summaries, titles, subject classifications and action points produced by processing the above
  • Student responses to feedback (text)

Marketing site

  • Email addresses submitted via the “Get notified when we launch” form on simmasend.com. These are stored solely for the purpose of sending launch updates and are not shared with any third party.

How we use your data

All personal data is processed for the legitimate interest of providing the SimmaSend feedback service to schools. Specifically:

  • Administrator email addresses are used to send magic link sign-in emails and to identify the admin within the system.
  • Teacher names and subjects are displayed alongside feedback so students know who left the feedback and in which subject.
  • Teacher email addresses, where provided, are used by school administrators to send invitations and communications.
  • Student names are displayed on their feedback dashboard and in the admin panel.
  • Student email addresses, where provided, are used solely to send notification emails when new feedback is available. These emails do not contain any feedback content — they simply prompt the student to check their dashboard.
  • Audio and video recordings are transcribed and summarised using OpenAI's Whisper and GPT-4o-mini APIs. The audio/video content is sent to OpenAI for processing and is not retained by OpenAI beyond the processing request (see OpenAI's API data usage policy).
  • Feedback data (recordings, transcripts, summaries) is stored so that students and teachers can retrieve it.

Third-party processors

We use the following third-party services to operate SimmaSend:

ServicePurposeData accessed
SupabaseDatabase and file storageAll application data
VercelWebsite hostingRequest logs, IP addresses
OpenAIAudio transcription (Whisper) and text summarisation (GPT-4o-mini)Audio/video recordings, generated transcripts
ResendTransactional email (magic links, feedback notifications)Administrator and student email addresses

We do not sell, rent or share personal data with any other third parties.

Data storage and security

  • All data is stored in Supabase (hosted on AWS infrastructure in the EU/UK region).
  • Audio and media files are stored in a private Supabase Storage bucket. Access requires a time-limited signed URL generated server-side.
  • The database uses Row Level Security (RLS) to ensure that users can only access data they are authorised to see.
  • Admin sessions are secured via magic links (single-use, 15-minute expiry) with 24-hour session duration.
  • Teacher identity is stored in an HTTP-only browser cookie with a 365-day expiry.
  • All connections use HTTPS/TLS encryption in transit.

Data retention

  • Feedback data is retained for as long as the school's SimmaSend account is active.
  • When a school requests account deletion, all associated data (students, teachers, feedback, audio files) is permanently deleted.
  • Marketing email addresses are retained until the individual unsubscribes or requests removal.

Children's data

SimmaSend is designed for use in schools and will process data relating to children (students). We recognise the importance of protecting children's data. Student data is limited to first name, last name, optionally an email address (provided by a school administrator, not the student), and feedback content. Students do not have accounts and do not log in. Where a student email is provided, it is used only to send a notification when new feedback is available — the notification does not contain any feedback content. Access to a student's feedback requires knowledge of their unique QR code URL.

Your rights under GDPR

You have the right to: be informed; access your data; rectification; erasure; restrict processing; data portability; object to processing; and not be subject to automated decision-making. To exercise any of these rights, contact your school (as the data controller) or email us at hello@simmasend.com. We handle subject access requests in accordance with the GDPR.

You also have the right to complain to the ICO (www.ico.org.uk) if you believe there is a problem with how your data is being handled.

Cookies

We use cookies on this site. For full details, please see our Cookie Policy.

Contact

If you have any questions about this privacy policy, please contact us at hello@simmasend.com.