Who we are
We are IntelComms Ltd, a company registered in England and Wales. IntelComms provides an AI-powered WhatsApp communication service for UK primary schools, enabling schools to answer parent queries automatically, log absences, and escalate safeguarding concerns.
Company name: IntelComms Ltd
Company number: [To be confirmed upon registration]
ICO registration: [To be obtained — register at ico.org.uk]
Registered address: [To be confirmed]
Data protection contact: contact@intelcomms.co.uk
Website: intelcomms.co.uk
Our data protection philosophy
Schools entrust IntelComms with some of their most sensitive data — parent contact details, pupil absence records, and safeguarding conversations. We take that responsibility seriously.
Our principles are straightforward:
- Your data is yours. We process it only to deliver the service. We never sell it, share it without your permission, or use it to train AI models.
- We store data in the EU only. All data is held in Supabase's EU West (Ireland) region. It never leaves the European Economic Area.
- We use the minimum data necessary. We only collect what is needed to make the service work safely and accurately.
- We are transparent. This notice tells you exactly what we collect, why, and how long we keep it.
- We take security seriously. All data is encrypted in transit and at rest. Access is strictly controlled and logged.
About this notice
This Privacy Notice, together with our Terms of Service, sets out how IntelComms handles personal data. It applies to:
- Visitors to intelcomms.co.uk
- School staff who enquire about or sign up for IntelComms
- School staff who use the IntelComms dashboards
- Parents and guardians who message their school via the IntelComms WhatsApp number
- Pupils whose information is held by the school and processed as part of absence logging and safeguarding
We will update this notice when we change how we process data. We will notify schools of material changes with at least 30 days' notice.
Data controller vs data processor
Understanding this distinction is important, particularly for schools' own GDPR compliance.
IntelComms as Data Controller
IntelComms acts as a Data Controller for information we collect directly to operate our business — for example, the contact details of headteachers and school business managers who sign up for a trial or subscription.
IntelComms as Data Processor
When a school uses the IntelComms platform, the school is the Data Controller for all personal data processed through the service — including parent messages, pupil absence records, and safeguarding logs. IntelComms acts as the school's Data Processor, processing data only on the school's instructions and in accordance with our Data Processing Agreement (DPA). Schools may request a copy of our Data Processing Agreement by emailing contact@intelcomms.co.uk.
Our Terms of Service constitute the written contract required under UK GDPR to legitimise this processing relationship. Schools should ensure parents are informed that an AI-powered WhatsApp messaging service is in operation via their school's own privacy notice.
What we collect as Data Controller
When you contact us or sign up
When a school enquires about IntelComms, requests a free trial, or becomes a subscriber, we collect:
- Name and job title
- School email address and telephone number
- School name, address, and DfE number
- Any information provided in correspondence with us
Purpose: To manage enquiries, set up and administer accounts, provide onboarding support, and deliver the service.
Lawful basis: Contract — this processing is necessary to fulfil or prepare to fulfil our agreement with the school.
Retention: We retain this information for the duration of the subscription and for up to 12 months following closure of an account, unless a longer period is required by law.
When you visit our website
We may use analytics tools to collect anonymised information about how visitors use intelcomms.co.uk. This does not identify individuals and is used solely to improve the website.
Lawful basis: Legitimate interests — understanding how schools find and use our website helps us improve it.
Parent, guardian & pupil data
This is the most sensitive data processed through IntelComms and we handle it with the highest level of care.
What is processed
- Parent/guardian mobile number — used to identify who is messaging the school and to route the reply to the correct number via WhatsApp
- Parent/guardian name — used to personalise responses where provided by the school
- Pupil name, year group, and date of birth — used to verify the relationship between the parent and the pupil before the AI responds, and to log absences correctly
- Message content — the content of WhatsApp messages sent by parents to the school number, used to generate an AI response and logged for the school's records
- Absence reasons and return dates — collected during the absence reporting conversation and logged to the school's dashboard
- Safeguarding flags — where a message contains content that may indicate a welfare concern, it is flagged, logged in full, and an alert is sent to the school's Designated Safeguarding Lead
How messages are processed
When a parent sends a WhatsApp message to the school's IntelComms number, the message is received by our backend, passed to Anthropic's Claude AI to generate a response using only the school's approved documents, and the response is sent back to the parent via Meta's WhatsApp Cloud API. The message and response are logged in the school's secure dashboard.
Important for schools: Schools must inform parents that their WhatsApp messages to the school number will be processed by an AI system. This should be included in the school's own privacy notice and communicated to parents when the service is introduced.
Lawful basis for processing parent and pupil data
IntelComms processes parent and pupil data as a Data Processor, on behalf of the school as Data Controller. The school is responsible for establishing and documenting the lawful basis for this processing. We recommend schools rely on one or more of the following:
- Public task — processing is necessary for the school to perform its statutory functions, including maintaining communication with parents and recording absences
- Vital interests — for safeguarding processing where there is a risk to a child's life or safety
- Legal obligation — for safeguarding logging, which supports schools' statutory duties under the Children Act 1989 and Keeping Children Safe in Education
Note for academies and independent schools: The Public Task basis applies to maintained schools exercising statutory functions. Academies and independent schools are independent legal entities and may need to rely on Legitimate Interests or Consent as the lawful basis for some processing. Schools are encouraged to seek advice from their DPO to confirm the appropriate basis for their specific circumstances.
In our capacity as Data Controller (for school staff contact details), our lawful basis is Contract for account management and Legitimate Interests for website analytics.
Sub-processors
We use the following carefully selected sub-processors to deliver the IntelComms service. All have been assessed for GDPR compliance and we have entered into data processing agreements with each.
| Sub-processor | Purpose | Data location |
|---|---|---|
| Supabase | Database — stores all school data, parent messages, absence records, and safeguarding logs | EU West (Ireland) |
| Anthropic (Claude AI) | AI response generation — message content is passed to the Claude API to generate replies based on school documents | United States (Standard Contractual Clauses apply) |
| Meta (WhatsApp Cloud API) | Message delivery — sends and receives WhatsApp messages between parents and the school number | United States (Standard Contractual Clauses apply) |
| OpenAI | Embeddings — used to index school documents for accurate AI retrieval (no personal data passed) | United States (Standard Contractual Clauses apply) |
| Railway | Backend hosting — runs the IntelComms API that connects all components | EU West (Ireland) |
| Resend | Email — sends safeguarding alerts and system notifications to school staff | EU (Standard Contractual Clauses apply) |
Where sub-processors are located outside the UK or EEA, we rely on Standard Contractual Clauses (SCCs) approved by the ICO to safeguard the transfer.
We will notify schools in writing before adding any new sub-processor that processes personal data.
Sharing and access to personal information
School authorised users
School staff designated as Authorised Users by the school will have access to parent messages, absence records, and safeguarding logs through the IntelComms dashboard. The school is responsible for managing who has access and for removing access when staff leave.
IntelComms employees
Authorised IntelComms employees may access school data solely for the purpose of providing support, investigating technical issues, or fulfilling legal obligations. All such access is logged. Employees sign confidentiality agreements and are trained in data protection.
Legal requirements
We may disclose personal information to third parties where required to comply with a legal obligation, prevent fraud, protect the safety of individuals, or enforce our Terms of Service.
Sale or transfer of business
If IntelComms Ltd or substantially all of its assets are sold or transferred, schools will be notified in advance and personal data may be transferred to the acquiring organisation subject to the same protections as this notice.
Security
We take the security of personal data seriously. Our technical and organisational measures include:
- Encryption in transit: All data is transmitted over HTTPS. All API communications are encrypted using TLS.
- Encryption at rest: All data stored in Supabase is encrypted at rest.
- EU-only storage: All personal data is stored in Supabase's EU West (Ireland) region and does not leave the EEA except where necessary to use the sub-processors listed above (subject to SCCs).
- Access controls: Access to production systems is limited to authorised IntelComms personnel. All access is logged.
- Message deduplication: Each inbound WhatsApp message has a unique ID that prevents it from being processed more than once.
- Webhook signature validation: All inbound messages from Meta are validated using HMAC-SHA256 to confirm authenticity before processing.
We will notify affected schools as soon as reasonably practicable in the event of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. We will also report such breaches to the ICO within 72 hours as required by UK GDPR.
Retention
We retain personal data only for as long as necessary for the purposes for which it was collected:
- Parent messages and AI responses: Retained for the duration of the subscription and deleted within 30 days of account closure, unless the school requests earlier deletion
- Absence records: Retained for the duration of the subscription. Schools may export records at any time from the dashboard
- Safeguarding logs: Retained for a minimum of 7 years in line with statutory guidance (Keeping Children Safe in Education / Information Management: IRMS Toolkit for Schools). Schools are responsible for ensuring their own retention policies align with statutory requirements
- School staff contact details: Retained for the duration of the subscription and up to 12 months following account closure
- Website analytics: Anonymised — no personal data retained
On termination of a subscription, we will delete or return all Customer Data within 30 days of written request, except where retention is required by law.
Automated processing and decision-making
IntelComms uses AI to generate responses to parent messages automatically, without a human reviewing each message before it is sent. We want to be transparent about how this works and what safeguards are in place.
What is automated
- Reading inbound WhatsApp messages from parents
- Generating a response using the school's approved documents
- Logging absence reasons and return dates to the school dashboard
- Scanning messages for safeguarding indicators and sending alerts to the DSL
What is not automated
IntelComms does not make automated decisions with legal or similarly significant effects on data subjects within the meaning of Article 22 UK GDPR. Specifically:
- The AI does not make safeguarding decisions — it flags concerns and escalates to a human DSL
- The AI does not take disciplinary or attendance action — it logs information for staff to act on
- No automated profiling of parents or pupils takes place
Your right to human review
Any parent who receives an AI-generated response and wishes to speak with a member of school staff directly may request this at any time. Schools can configure IntelComms to direct parents to the office for any query type. Parents can also request that the school review any AI response they believe was inaccurate.
Your rights
Under UK GDPR, individuals have the following rights in relation to their personal data:
- Right of access — you can request a copy of the personal data we hold about you
- Right to rectification — you can ask us to correct inaccurate data
- Right to erasure — you can ask us to delete your data in certain circumstances
- Right to restriction — you can ask us to restrict how we use your data
- Right to portability — you can ask for your data in a machine-readable format
- Right to object — you can object to processing based on legitimate interests
For parents and pupils: Because IntelComms acts as a Data Processor on behalf of your school, requests relating to data processed through the service (messages, absence records, safeguarding logs) should in the first instance be directed to your school as the Data Controller. The school will then instruct us accordingly.
For school staff: Requests relating to your contact details held by IntelComms as Data Controller should be sent to contact@intelcomms.co.uk.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data has been handled unlawfully.
Children's data
IntelComms processes information about pupils as part of absence logging and safeguarding alerting. This processing is carried out on behalf of the school as Data Controller. Pupils' data processed through IntelComms includes names, year groups, and dates of birth — used solely to verify the parent-pupil relationship and to attribute absence records correctly.
IntelComms is not directed at children. The service is designed exclusively for use by parents, guardians, and school staff. Children do not interact with IntelComms directly. The ICO's Children's Code (Age Appropriate Design Code) does not apply to IntelComms as it is not an online service likely to be accessed by children.
Schools should ensure that their own privacy notices and parent communications make clear that IntelComms processes pupil reference data (name, year group, date of birth) solely for the purposes described above.
Safeguarding data
IntelComms scans every inbound parent message for content that may indicate a welfare concern — including references to harm, abuse, neglect, or distress. Where such content is detected:
- The message is flagged and logged in full with a timestamp
- An immediate alert is sent to the school's designated DSL email address
- The full conversation thread is preserved in a searchable, timestamped audit trail
- The AI does not attempt to handle the conversation — it acknowledges the message and directs the parent to the school office
Safeguarding logs are retained for a minimum of 7 years. This data is treated with the highest level of access control — it is visible only to Authorised Users with DSL-level access and to authorised IntelComms personnel for support purposes.
For schools: IntelComms is a communication tool, not a safeguarding case management system. Schools remain responsible for all safeguarding decisions and actions following an alert. The IntelComms audit trail supports, but does not replace, the school's own safeguarding records and processes.
Changes to this notice
We will update this notice from time to time as we develop new features, in response to legal changes, or when we change how we process data. Schools will be notified of material changes with at least 30 days' written notice.
Contact us
If you have any questions about this Privacy Notice, want to exercise your rights, or have concerns about how your data is handled, please contact us:
Email: contact@intelcomms.co.uk
Website: intelcomms.co.uk
Post: IntelComms Ltd, [Registered Address]
We aim to respond to all data protection enquiries within 5 business days. For formal subject access requests, we will respond within 30 days as required by UK GDPR.