How Kensington Square Therapy Ltd handles personal data
Privacy Policy.
Effective 31 May 2026 · v3.0 (Parent Book subscription tier added)
v3.0 supersedes v2.0 (February 2026) and folds in the additions required for the individual subscriber tier at theparentbook.com/parents. Statutory references appear in italics throughout.
1. Who the data controller is
| Legal name | Kensington Square Therapy Ltd (KST) |
| Company number | 16707111 (England and Wales) |
| Registered office (statutory) | Flat 408, 2 Macfarlane Place, London W12 7RS |
| Trading address (correspondence) | 23 Kensington Square, London W8 5HN |
| ICO Registration | ZC022097 |
| Data Protection Lead | Sam McManus, Sole Director |
| Subscriber-tier customer contact | hello@theparentbook.com |
| Clinical and corporate contact | contact@kst.ltd |
KST is the data controller for all the personal data described in this policy. We do not have a Data Protection Officer; the person responsible for data protection is the company's sole director.
2. What this policy covers
This policy covers personal data processed in connection with: (a) visits to theparentbook.com and kst.ltd; (b) the "introduce your school" form on theparentbook.com; (c) the individual Parent Book subscription at theparentbook.com/parents (added in v3.0); and (d) the clinical services and school-based provision offered by KST (covered in the existing structure carried over from v2.0).
3. Data subject categories
3.1 Website visitors and enquirers (existing)
If you visit our sites we use Cloudflare Web Analytics, which is cookieless and does not set tracking identifiers. We see aggregate page-view counts and country-level geolocation. We do not see individual visitor IPs in any usable form. If you submit the "introduce your school" form we collect your name, email, your school's name and website, and (optionally) a contact at the school's Senior Leadership Team. We use this only to write back to you about partnering your school.
3.2 Individual subscribers (new in v3.0)
Where you take out an individual subscription to The Parent Book at theparentbook.com/parents, KST collects:
- Your subscriber email address. The account is keyed to this address. It is used to sign you in (via magic link), to email you about renewals, and to reach you about anything to do with the subscription.
- Your name, if you choose to give it. Name is optional. If you do not give us a name, we will address you by the first part of your email address in renewal reminders.
- Payment identifiers. Your bank details are held by GoCardless Ltd, our payment processor, under the rules of the UK Direct Debit Scheme. KST does not see or store your bank details. KST stores only the GoCardless customer ID, mandate ID and subscription ID that link your account to your subscription.
- Reading activity. Which editions and articles you have opened, and when. This is used by KST for internal product analytics only (understanding which editions land, which signposting resources are used, which back-catalogue articles are still earning their keep). It is not used for advertising, not used to build a profile of you for sale, and not shared with any third-party analytics service.
- Operational metadata. Magic-link request timestamps, sign-in timestamps, device user-agent strings (for session security and abuse detection), and IP address (kept in server logs for 30 days then rotated). No precise location tracking.
- Consent records. The state and timestamp of (a) your immediate-access waiver at checkout (per CCRs 2013 reg 37) and (b) your marketing-email opt-in if you have given one. These records are kept to evidence the lawful basis for processing under Article 7(1) UK GDPR.
What KST does not collect about subscribers. KST does not collect or process special category data about subscribers in connection with the subscription. KST does not intentionally collect any personal data about a subscriber's child or any other family member through the subscription. If you choose to write to hello@theparentbook.com about your situation and share information about your family, KST treats that correspondence under section 7 (Sub-processors and sharing) and the email correspondence retention rules.
3.3 Children's data
The individual subscriber tier is a service for adult parents and carers. KST does not knowingly process personal data about a specific named child through the subscription, does not link reading activity to any individual child, and does not profile any child based on the parent's account. The signposting library is a directory of organisations available to subscribers and their families; it is not personalised to any individual child. The Children's Code (Age Appropriate Design Code) is engaged for KST's clinical services to children but is not engaged for the subscriber tier in the absence of any child-user processing.
4. Lawful bases for processing
| Processing activity | Lawful basis (Art. 6) |
|---|---|
| Delivering the individual subscription (access provision, magic-link sign-in, renewal reminders) | Contract (Art. 6(1)(b)) |
| Taking subscription payments and reconciling against accounts | Contract (Art. 6(1)(b)) and Legal obligation (Art. 6(1)(c)) for HMRC and Companies Act 2006 record-keeping |
| Subscriber product analytics (reading activity, in-house only) | Legitimate interests (Art. 6(1)(f)), balanced through (i) in-house processing only, (ii) no third-party analytics, (iii) no profiling for advertising, (iv) 12-month anonymisation. Subscribers can object via hello@theparentbook.com. |
| Operational security and abuse detection (sign-in metadata, IP logs) | Legitimate interests (Art. 6(1)(f)). Balanced through short retention (30 days for IP logs) and minimum-necessary processing. |
| Service-related transactional emails (renewal reminders, magic-link emails, account notices) | Contract (Art. 6(1)(b)). Not marketing communications. PECR consent rules for marketing email do not apply because these are service emails. |
| Marketing emails about new editions, seasonal companions and resources | Consent (Art. 6(1)(a)) and PECR 2003 reg 22. Captured via a separate, unticked-by-default opt-in checkbox at signup, and toggleable on the account page. Withdrawal: one-click unsubscribe link in every marketing email, plus the account-page toggle. Withdrawal is effective immediately. Marketing consent has no effect on access to the subscription. |
5. Storage and security
Subscriber records (email, name where given, GoCardless identifiers, reading activity, account state) are stored in Cloudflare KV in the UK/EU region. Access is restricted to the Director and to deployment automation; no other subcontractor has access. Subscriber data in Cloudflare KV is encrypted at rest and in transit. Subscriber correspondence and accounting records continue to sit in Google Workspace and Xero respectively, in line with the existing arrangements carried over from v2.0. The subscriber tier does not store personal data on local devices or unencrypted removable media.
6. Cookies on the subscriber tier
The /parents pages use one first-party cookie only:
| Cookie | Purpose and properties |
|---|---|
| tpb_sess | Keeps you signed in after you click a magic link. First-party, strictly necessary. HttpOnly; Secure; SameSite=Lax; expires 90 days from last sign-in. Lawful basis: PECR 2003 reg 6(4)(b) "strictly necessary" exemption from consent. |
No analytics cookies, advertising cookies, or third-party trackers are set on the subscriber tier. The subscriber tier does not embed third-party scripts, pixels, tags or beacons. The cookie banner on the rest of the KST site does not apply because no consent-required cookies are set on the /parents pages.
7. Sub-processors and sharing
KST uses the following sub-processors to operate the individual subscriber tier and certain related services. Each acts as a "processor" under UK GDPR, processes personal data only on KST's documented instructions, and is bound by a written data processing agreement consistent with Article 28 UK GDPR.
| Sub-processor | Purpose, data, location and transfer mechanism |
|---|---|
| GoCardless Ltd (UK, FCA FRN 597190) | Purpose: direct debit mandate setup, recurring payment collection, payment reconciliation. Data: subscriber name (optional), subscriber email, bank account details, GoCardless customer/mandate/subscription IDs. Location: UK. Transfer: UK-based controller, no international transfer engaged. |
| Cloudflare, Inc. | Purpose: site hosting, edge delivery, KV storage for subscriber records, DDoS and bot mitigation. Data: subscriber email, account state, reading activity, IP address (transient, in edge logs). Location: Cloudflare's UK/EU region for KV storage; global edge for delivery. Transfer: UK IDTA and EU SCCs in place for any onward transfer outside the UK or EU; Cloudflare is a UK GDPR Article 28 processor under its Customer DPA. |
| Resend Inc. | Purpose: transactional email delivery (magic-link sign-in emails, renewal reminders, welcome and receipt emails, payment-failure notices, account notices). Data: subscriber email, content of transactional emails. Location: Resend EU region (eu-west-1, Ireland). Transfer: Resend operates EU-hosted infrastructure for theparentbook.com; UK IDTA in place via Resend's standard DPA where any onward transfer applies. |
| Google LLC (carried from v2.0) | Purpose: Google Workspace for administrative and financial records, including subscriber correspondence and accounting records. Data: subscriber email, correspondence, invoice records. Location: US (Google Workspace with EU/UK data residency configured where supported). Transfer: UK IDTA and Google Workspace UK Addendum. |
| Xero (carried from v2.0) | Purpose: accounting records for subscription income. Data: subscriber email, invoice metadata, payment amounts. Location: UK, EU and Australia. Transfer: UK IDTA and EU SCCs as per Xero DPA. |
KST does not use the following classes of sub-processor for the subscriber tier: third-party advertising networks; third-party analytics platforms (such as Google Analytics, Mixpanel, Amplitude or similar); customer data platforms; marketing automation platforms (other than as covered by the optional marketing-email opt-in, which uses Resend only). KST will not add a new sub-processor with access to subscriber personal data without first updating this list and giving subscribers at least 30 days' notice. Sub-processor changes that are functional substitutions (for example, a hosting region change with the same Article 28 protections) may be made with shorter notice; KST will explain the reason and the data-protection assessment in the notice.
KST does not sell, rent or trade subscriber personal data. KST does not share subscriber personal data for marketing purposes.
8. International transfers
For the individual subscriber tier, the principal international-transfer considerations are Google Workspace (US) and Xero (UK, EU and Australia). KST relies on the UK International Data Transfer Agreement (IDTA) for these transfers, supplemented by each provider's standard data processing agreement. Resend is EU-hosted (eu-west-1) and does not engage an onward international transfer for the subscriber tier in routine operation.
9. Retention
| Record type | Retention period and legal basis |
|---|---|
| Subscriber account records (email, name, GoCardless IDs, subscription status) | While the account is active, and for 6 years after the final payment date. Basis: Companies Act 2006 record-keeping; HMRC accounting and tax requirements; Limitation Act 1980 contractual claim window. |
| Subscriber reading activity (in identifiable form) | 12 months, then anonymised. Anonymised aggregates may be retained indefinitely as non-personal data. Basis: legitimate interests with retention limited to the period necessary for product analytics. |
| Subscriber transactional email logs (magic-link send, renewal reminders) | 12 months, then deleted. Basis: legitimate interests (operational audit trail). |
| Subscriber IP address logs (edge and sign-in) | 30 days, then rotated. Basis: legitimate interests (security and abuse detection). |
| Subscriber correspondence at hello@theparentbook.com | Up to 3 years from resolution of the enquiry, or longer if the matter is a complaint or DSAR. Basis: legitimate interests; complaints retention; DSAR accountability. |
| Consent records (immediate-access waiver, marketing opt-in state and timestamp) | Kept for as long as the consent is being relied upon, and for 6 years after withdrawal or end of subscription. Basis: Article 7(1) UK GDPR accountability; Limitation Act 1980. |
| "Introduce your school" submissions | 2 years from submission, then deleted. |
| Webhook event records | 7 days (deduplication only), then deleted. |
10. Your rights as an individual subscriber
Under UK GDPR you have the rights set out below. To exercise any of them, email hello@theparentbook.com from your subscriber email address. KST will respond within one calendar month (per Article 12(3) UK GDPR).
- Subject Access. Ask for a copy of the personal data we hold about you.
- Rectification. Ask us to correct any incorrect data.
- Erasure. On request, KST will erase the personal data held about you for the subscriber tier. KST is required by the Companies Act 2006 and HMRC rules to retain a limited record of the financial transaction (date, amount, payee identifier) for 6 years from your final payment. KST will explain what has been retained and why if you ask.
- Portability. KST can supply your subscriber record (account metadata and reading activity) in a structured, common format on request.
- Objection to product analytics. You may object to reading-activity processing under Article 21 UK GDPR. KST will stop linking reading activity to your account within 14 days of your objection and anonymise the historical record for your account within 30 days, retaining only aggregated and unidentifiable counts.
- Withdrawing marketing consent. If you have opted in to marketing emails, you can withdraw consent at any time using the one-click unsubscribe link in any marketing email, or the toggle on your account page at theparentbook.com/parents/me. Withdrawal takes effect immediately and has no effect on your subscription.
- Restriction of processing. In specific circumstances, ask us to restrict processing.
- Complaint to the ICO. See section 11.
11. Complaints and the ICO
If you wish to complain about how KST has handled your personal data, please follow the Parent Book complaints procedure set out in the Terms of Subscription (section 16): email hello@theparentbook.com with the heading "Complaint". KST will acknowledge within 5 working days and respond substantively within 20 working days. If you remain unhappy, you may complain to the Information Commissioner's Office at ico.org.uk or on 0303 123 1113.
12. Changes to this policy
If we make a material change, we will email all active subscribers at least 14 days before it takes effect. We will publish the previous version in our archive on request. The current version number and effective date are shown at the top of this page.
13. Related policies
14. Contact
For anything in this policy: hello@theparentbook.com. For complaints we cannot resolve, please contact the Information Commissioner's Office.
Document version 3.0 · Effective from 31 May 2026 · Review date: February 2027 · Owner: Sam McManus, Sole Director and Data Protection Lead, Kensington Square Therapy Ltd.