Privacy policy

Policy for Shopify website:

Last updated: March 31, 2026

Here it is:

PRIVACY POLICY Safe & Snappy Ltd Last updated: March 2026 | Company No. 16909758 | ICO Registered

1. Who We Are

Safe & Snappy Ltd is a UK registered company (Company No. 16909758) providing QR code and NFC-enabled emergency identification products and a supporting digital platform. We are registered with the Information Commissioner's Office (ICO) as a data controller for our own processing activities.

This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and your rights in relation to it. It applies to all of our products and services including our website, the Safe & Snappy registration platform, the school portal, and our Shopify online store.

Company: Safe & Snappy Ltd Company Number: 16909758 Registered Address: 508 Manchester Road, Paddington, Warrington, Cheshire, WA1 3TZ Email: info@safeandsnappy.com Website: www.safeandsnappy.com ICO Registration: Registered with the Information Commissioner's Office

2. Who This Policy Covers

This policy applies to everyone whose personal data we handle, including:

Individual consumers (D2C): Parents, guardians, carers, and individuals who purchase and register Safe & Snappy products directly through our Shopify store or registration platform.

Schools (B2B): Schools and academies that subscribe to our school portal and purchase bands for school trips.

Website visitors: Anyone who visits www.safeandsnappy.com.

Staff on school trips: Teachers and staff whose contact details are entered into the school portal by schools.

People who scan a band: Members of the public who scan a Safe & Snappy QR code or tap an NFC band in an emergency.

3. Individual Consumers: What Data We Collect

When you register a Safe & Snappy product, the data we collect depends on the product type.

Lost and Emergency Bands (P-)

  • Wearer's name (private, never shown on scan page)
  • Wearer's photo (optional, public when band is scanned)
  • Parent or guardian contact details (public when band is scanned)
  • Additional emergency contacts (public when band is scanned)
  • Any important notes such as allergies (public when band is scanned)

Medical Bands (M-)

  • Wearer's name and age (optional, hidden by default, public only if you enable Show name on scan)
  • Wearer's photo (optional, public when band is scanned)
  • NHS number (optional, public when band is scanned, to assist medical professionals)
  • Medical conditions, medications, and allergies (public when band is scanned)
  • Behavioural notes (public when band is scanned)
  • Emergency contact details (public when band is scanned)
  • Doctor or medical provider name and phone number (optional, public when band is scanned)
  • Medical instructions (public when band is scanned)

Allergy Tags (A-)

  • Wearer's name (hidden by default, public only if you enable Show name on scan)
  • Allergen information and severity levels (public when band is scanned)
  • EpiPen or medication requirements (public when band is scanned)
  • Emergency contact details (public when band is scanned)
  • Additional medical notes (public when band is scanned)

Account Information (All Products)

  • Email address (for account access and notifications)
  • First and last name
  • Password (stored encrypted, never visible to us)

4. Individual Consumers: Purchase Data

When you buy products through our Shopify store, the following data is collected as part of checkout:

  • Name and email address
  • Shipping and billing address
  • Payment details (processed securely by Shopify)
  • Order history

Safe & Snappy does not receive or store your full payment card details. Payment is processed by Shopify, which is PCI DSS Level 1 compliant. Shopify's own Privacy Policy applies to how they handle your checkout data and is available at shopify.com/legal/privacy.

5. Schools: What Data We Collect and Our Role

Data Controller Relationship

For all personal data entered via the School Portal, the school is the data controller. Safe & Snappy Ltd acts as the data processor, processing this data on the school's behalf to deliver the emergency identification service. This relationship is governed by our Data Processing Agreement, which forms part of every school subscription.

Safe & Snappy Ltd is the data controller only in respect of data we collect about schools for our own business purposes, such as account management and billing.

School Account Data

  • School name and address
  • Contact person name and email address
  • School phone number
  • School logo (optional, displayed on scan pages)
  • Account password (stored encrypted)

Trip and Staff Data

  • Trip name, date, destination, and notes
  • Staff names and mobile phone numbers for staff on duty
  • Medical instructions relevant to the trip
  • Band URN assignments per trip

Important: Staff names and mobile numbers entered for a trip are publicly visible when someone scans a school trip band. This is the core purpose of the product: so that a member of the public who finds a pupil can immediately contact the supervising teacher. When a trip is ended by the school, bands are reset and no longer display any staff or trip information when scanned.

Scan Event Data

Each time a school trip band is scanned, the following data is automatically recorded as part of the safeguarding audit trail:

  • Timestamp of the scan
  • Band URN code
  • IP address of the scanning device
  • Device and browser information (user agent)
  • GPS coordinates and resolved location address, if the scanner grants location permission on their device

This data is retained for the duration of the school's subscription plus six years, in line with safeguarding record-keeping guidance.

What We Do Not Collect

Safe & Snappy school bands do not store or display individual pupil names, dates of birth, home addresses, or any pupil-specific personal data. Bands display school and staff contact information only.

6. How We Use Your Data

  • Emergency identification: Displaying the right information when a band or tag is scanned by someone who finds your child, vulnerable adult, or the person wearing the product
  • Scan alert notifications: Sending you an email when your QR code is scanned so you know your emergency information has been accessed
  • Account management: Allowing you to view, edit, and manage your registrations
  • Order fulfilment: Processing and delivering your purchase (D2C customers)
  • Safeguarding audit trail: Maintaining permanent trip history records for schools to demonstrate compliance with Ofsted and KCSIE requirements
  • Service communications: Contacting you about your account, service updates, or changes to our terms
  • Billing and invoicing: Managing subscription payments and invoicing (school and B2B customers)
  • Security and fraud prevention: Protecting our platform and users from unauthorised access or misuse

7. Public Visibility: What Is Visible When a Band Is Scanned

The core purpose of Safe & Snappy is to make emergency contact and safety information available to anyone who finds a person wearing one of our products. Most information you enter is intentionally public when a band is scanned. Please only enter information you are comfortable being visible to a member of the public or emergency responder.

What stays private (never shown on scan page)

  • Lost/Emergency Bands: Wearer's name
  • Medical Bands and Allergy Tags: Wearer's name and age (hidden by default, you can choose to display via Show name on scan toggle)
  • All products: Your account login email and password

What becomes public when a band is scanned

  • All products: Contact phone numbers, emergency instructions, wearer's photo (if uploaded)
  • Medical Bands: Medical conditions, medications, allergies, NHS number, doctor details, behavioural notes
  • Allergy Tags: Allergen information, severity, EpiPen requirements, additional medical notes
  • School trip bands: School name, trip name, staff names and mobile numbers for staff on duty

You have full control and can edit or delete any information at any time through your account.

8. Lawful Basis for Processing

  • Consent: Special category data including medical conditions, allergies, and health information on Medical Bands and Allergy Tags. You provide explicit consent when registering these products and can withdraw consent at any time by deleting your registration.
  • Contract: To provide the service you have purchased, including displaying emergency information when bands are scanned and fulfilling product orders.
  • Legitimate interests: Scan alert notifications, essential service communications, and security and fraud prevention.
  • Legitimate interests (safeguarding): Retaining school trip history as a safeguarding audit trail, in line with schools' statutory duties under the Education Act 2002 and Ofsted requirements.
  • Legal obligation: Complying with applicable UK law, regulatory requirements, and responding to lawful requests from authorities.

9. Children and Vulnerable Adults

Our products are specifically designed to help protect children, vulnerable adults, and individuals who may need assistance in an emergency. We process personal data about children and vulnerable adults only with the consent of a parent, guardian, or carer, for the legitimate purpose of safety and emergency identification.

Parents, guardians, and carers have full control over this data at all times and can view, edit, or delete it through their account. We collect only the minimum information necessary to provide an effective emergency identification service.

For school trip bands, the school is the data controller for all trip and staff data. Safe & Snappy does not collect individual pupil names or pupil-specific personal data through the school trip system.

10. Data Storage and Security

All Safe & Snappy platform data is stored on Supabase, hosted on AWS eu-west-2 (London, United Kingdom). All data is stored within the UK.

  • Data location: United Kingdom (AWS eu-west-2, London region)
  • Encryption at rest: AES-256 encryption
  • Encryption in transit: TLS (Transport Layer Security)
  • Access controls: MFA enforced on Safe & Snappy internal admin accounts. Platform accounts use encrypted credentials.
  • Backups: Automatic daily backups retained within the UK region
  • Breach notification: Schools notified within 72 hours of any confirmed breach affecting their data

No system is 100% secure. We use reasonable and appropriate technical and organisational measures to protect your data, but we cannot guarantee absolute security.

11. Third Party Services

We use the following third party services to operate Safe & Snappy. Each acts as a data processor on our behalf and is subject to appropriate data processing agreements.

Supabase | Database, authentication, and file storage | All platform registration and account data

Shopify | Online store, order processing, and payments | Name, email, shipping address, payment details (PCI DSS compliant)

Resend | Transactional email notifications | Email address only

Google Maps API | Resolving GPS location on scan alert emails | Scan GPS coordinates (only when scanner grants location permission). Data transferred to USA under Standard Contractual Clauses.

12. Scan Alert Notifications

When someone scans a Safe & Snappy QR code or taps an NFC band, we automatically send an email alert to the registered account holder containing:

  • The date and time of the scan
  • Which product or band was scanned
  • The location of the scan, if the scanner chose to share their location, including a map link

Scan alerts cannot be opted out of as they are a core safety feature of the service. Location data is only included if the person scanning actively grants location permission on their device. Location sharing is never required.

13. Cookies and Analytics

Our registration platform uses essential cookies only, to keep you logged into your account and maintain your session. We do not use advertising cookies or third party tracking on our registration platform.

Our Shopify store may use additional cookies for shopping cart functionality and analytics. Please refer to Shopify's cookie policy for full details.

We may use basic, privacy-respecting analytics to understand how our platform is used and to improve our service.

14. Data Retention

Individual consumer data

  • Active accounts: Retained for as long as your account is active and products are registered
  • Deleted registrations: Associated data permanently removed within 30 days of deletion
  • Deleted accounts: All data permanently removed within 30 days
  • Inactive accounts: Accounts with no registered products inactive for 3 years may be deleted after we attempt to contact you

School and trip data

  • Active school accounts: Retained for the duration of the school's subscription
  • Staff contact details: Retained for the duration of the subscription and deleted within 30 days of subscription end
  • Trip history records: Retained indefinitely by default as a safeguarding audit trail. Schools can request deletion by contacting info@safeandsnappy.com.
  • Scan event logs: Retained for the duration of the subscription plus 6 years, in line with safeguarding record-keeping guidance
  • End of subscription: All school account data deleted within 30 days of subscription end, unless a data export has been requested first

Purchase data

  • Shopify order data: Retained by Shopify in accordance with their data retention policy and applicable tax and accounting requirements

15. Your Rights Under UK GDPR

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Ask us to correct inaccurate or incomplete data
  • Right to erasure: Ask us to delete your data, subject to any legal retention obligations
  • Right to portability: Request your data in a portable, machine-readable format
  • Right to withdraw consent: Withdraw consent for special category data at any time by deleting your registration
  • Right to object: Object to processing based on legitimate interests
  • Right to restrict processing: Ask us to restrict how we use your data in certain circumstances

To exercise any of these rights, contact us at info@safeandsnappy.com. We will respond within 30 days. We may need to verify your identity before acting on your request.

16. Special Category Data

Medical conditions, allergies, health information, and behavioural notes are classified as special category data under UK GDPR and receive additional protection. We only collect this data:

  • With your explicit consent
  • For the specific purpose of emergency medical identification
  • When you choose to register a Medical Band or Allergy Tag

Photos of the wearer, if uploaded, are also personal data and are processed on the basis of your explicit consent. They are displayed publicly when the QR code is scanned to help identify the wearer in an emergency.

You can withdraw consent and permanently delete this data at any time by deleting your registration through your account.

17. International Data Transfers

Safe & Snappy stores all platform data within the United Kingdom. The only transfer of data outside the UK occurs when Google Maps API resolves GPS location coordinates from scan events. This transfer is made to Google LLC in the USA and is covered by Standard Contractual Clauses (SCCs) approved for use under UK GDPR.

Shopify may process data in various locations as part of their global infrastructure. Please refer to Shopify's Privacy Policy at shopify.com/legal/privacy for details of their international transfer arrangements.

18. Complaints

If you have concerns about how we handle your personal data, please contact us first at info@safeandsnappy.com and we will do our best to resolve the matter promptly.

If you remain unhappy after contacting us, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's data protection regulator.

ICO website: www.ico.org.uk ICO helpline: 0303 123 1113

19. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal requirements. If we make significant changes we will notify you by email or through a notice on our website. The latest version will always be available at www.safeandsnappy.com with an updated date at the top.

20. Contact Us

For any questions about this Privacy Policy or to exercise your data rights:

Email: info@safeandsnappy.com Address: 508 Manchester Road, Paddington, Warrington, Cheshire, WA1 3TZ Response time: We will respond to all privacy requests within 30 days

Safe & Snappy Ltd · Company No. 16909758 · Registered in England & Wales · ICO Registered · GDPR Compliant