Parent Inbox
← Back to home

Legal

Privacy Policy

Effective date: 11 June 2026  ·  Last updated: 11 June 2026

This Privacy Policy explains how H&N Oriental Trading Ltd("we", "us", "our") collects, uses, and protects your personal data when you use Parent Inbox. We are committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this policy carefully. By using the service, you acknowledge that you have read and understood it.

1. Who we are

H&N ORIENTAL TRADING LTD is the data controller for personal data processed through Parent Inbox.

  • Registered company name: H&N ORIENTAL TRADING LTD
  • Company number: 16800132
  • Registered in: England and Wales
  • Registered office: 20 Broad Street, Wokingham, RG40 1AH
  • Trading name: Parent Inbox
  • Contact email: info@shinta.tech

For any questions about this policy or to exercise your rights, contact us at info@shinta.tech.

2. What data we collect

Account data

  • Your name and email address (provided when you sign up with Google)
  • Your Google account identifier
  • Your subscription status and billing history (managed via Stripe)

School configuration data

  • The names of your children (first name only, as you enter them)
  • The names of their schools and the email addresses or domains you configure as school senders

Processed email data

When you connect your Gmail account, we access your inbox solely to identify emails from the school senders you configure. For each matching email, we extract:

  • Dates and deadlines mentioned in the email
  • Action items (e.g., "return consent form", "make payment")
  • Event names and descriptions

We do not store the full text of your emails. Email content is processed and immediately discarded after extraction. Only the extracted action items and events are saved to your account.

Usage data

  • Log data: IP address, browser type, pages visited, timestamps
  • Feature usage (e.g., which actions you mark as done)

3. Legal basis for processing

We process your data on the following legal bases under UK GDPR:

  • Contract performance (Art. 6(1)(b)): Most processing is necessary to provide the service you have signed up for — scanning emails, extracting action items, sending reminders, and syncing to your calendar.
  • Legitimate interests (Art. 6(1)(f)): We process usage data to improve the service, prevent fraud, and ensure security. We have assessed that this does not override your rights and interests.
  • Legal obligation (Art. 6(1)(c)): We retain billing records as required by applicable financial and tax law.
  • Consent (Art. 6(1)(a)): Where we ask for your consent specifically (e.g., for optional communications), you can withdraw it at any time.

4. How we use your data

  • Scanning your school emails and extracting action items and events
  • Displaying action items and upcoming activity in your dashboard
  • Sending WhatsApp reminders when deadlines are approaching
  • Creating events in your Google Calendar
  • Processing payments and managing your subscription
  • Sending service-related notifications (account alerts, policy updates)
  • Improving and debugging the service

We never sell your data to third parties. We do not use your data for advertising.

5. Third-party processors

We use the following trusted third-party services to deliver the product. Each acts as a data processor on our behalf and is bound by appropriate data processing agreements:

  • Google (Gmail API, Google Calendar API):To access your school emails and create calendar events. Governed by Google's API Services User Data Policy.
  • Twilio: To send WhatsApp notification messages on our behalf. We share your phone number and message content with Twilio, which routes the messages through the WhatsApp platform (operated by Meta). Twilio acts as our data processor and is bound by a data processing agreement. Messages are subject to Twilio's Privacy Policy and WhatsApp's terms of service.
  • Stripe: To process payments. We never see or store your full card details. Stripe is PCI-DSS compliant.
  • Cloud infrastructure provider: To host the application and database. All data is stored within the UK or EU.

6. Data retention

  • Active account: Your data is retained for as long as your account is active.
  • After deletion: When you delete your account, your personal data and extracted action items are deleted within 30 days. Anonymised usage statistics may be retained.
  • Billing records: We retain transaction records for 7 years as required by UK tax law.
  • Email content: Never retained — processed in memory and discarded immediately.

7. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Right of access (Art. 15): Request a copy of the data we hold about you.
  • Right to rectification (Art. 16): Ask us to correct inaccurate data.
  • Right to erasure (Art. 17):Ask us to delete your data ("right to be forgotten"), subject to legal retention obligations.
  • Right to restrict processing (Art. 18): Ask us to limit how we use your data in certain circumstances.
  • Right to data portability (Art. 20): Receive your data in a structured, machine-readable format.
  • Right to object (Art. 21): Object to processing based on legitimate interests.
  • Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email us at info@shinta.tech. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.

8. Google API scopes and data access

Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

We request read-only access to your Gmail inbox. We use this access exclusively to identify and extract school-related emails based on the sender addresses you configure. We do not read, store, or share any other emails.

You can revoke our access to your Google account at any time via your Google Account permissions page. Revoking access will disable email scanning until you reconnect.

9. Cookies

We use a minimal set of cookies:

  • Session cookie: A secure, HTTP-only cookie that keeps you signed in. It is deleted when you log out or after a period of inactivity.
  • CSRF token: A security cookie used to protect against cross-site request forgery attacks.

We do not use analytics cookies, advertising cookies, or any third-party tracking scripts.

10. Children's data

Parent Inboxis intended for parents and guardians aged 18 and over. We do not knowingly collect data directly from children. The children's names you enter are held as part of your account to label your action items — this data is processed only on your behalf and under your control.

11. Security

We take the security of your data seriously. We use encryption in transit (TLS) and at rest, access controls, and regular security reviews. However, no system is completely secure, and we cannot guarantee absolute security.

If you believe your account has been compromised, contact us immediately at info@shinta.tech.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or via an in-app notice at least 14 days before the change takes effect. The updated policy will always be available at this URL. Continued use of the service after the effective date constitutes acceptance of the updated policy.

13. Contact and data controller details

For any privacy-related questions, requests, or concerns, contact us at:

  • Email: info@shinta.tech
  • Company: H&N ORIENTAL TRADING LTD
  • Company number: 16800132
  • Registered in: England and Wales
  • Registered office: 20 Broad Street, Wokingham, RG40 1AH