Privacy Policy

Sprig is a project management tool built for Irish primary schools. It is operated by Sprig Schools, a sole trader based in Ireland.

This policy explains what personal data we collect, how we use it, and your rights in relation to it. If you have questions, contact us at [email protected].

Under GDPR, there is an important distinction between a data controller (who decides why and how personal data is processed) and a data processor(who processes data on the controller's behalf).

When a school subscribes to Sprig and enters their staff and project data into the platform, the school is the data controller. Sprig acts as the data processor — we only handle that data as instructed by the school and in accordance with this policy and our Data Processing Agreement (DPA), which forms part of our Terms of Service.

We collect a small amount of personal data from website visitors and prospective customers directly — for this data, Sprig is the controller.

School staff accounts

When a school administrator creates an account and invites colleagues, we collect:

• Name and email address — to create and identify your account
• Role (e.g. Principal, Deputy, AP1) — to determine what you can see and do
• Password (stored as a one-way hash — we never store plaintext passwords)
• Usage activity — which pages you visit, actions you take, so we can operate the service and investigate support issues

Project and task data

Content you create in Sprig — project names, task descriptions, comments, attachments, due dates, and assignees — is stored and processed to deliver the service. This content belongs to your school.

Billing data

Payment card details are handled entirely by Stripe, our payment processor. We never see or store your card number. We do store your subscription status, plan, and billing history.

Website visitors

We do not currently use any analytics or tracking cookies on sprig.ie. No personal data is collected when you browse this website.

We rely on the following lawful bases under GDPR Article 6:

• Contract — processing necessary to provide the service you have subscribed to
• Legitimate interests — operating and improving the service, fraud prevention, and security
• Legal obligation — complying with applicable Irish and EU law

Sprig is designed for use by school staff, not by children. Staff may enter pupil names in task descriptions or project notes, but Sprig does not create accounts for children, and children do not directly interact with the platform.

Schools are responsible for ensuring that any pupil information entered into Sprig is done so in accordance with their own data protection policies and applicable law.

All Sprig data is stored in data centres located within the European Union. We do not transfer personal data outside the EEA.

We take the following steps to protect your data:

• Encryption in transit (TLS) and at rest
• Access controls limiting who within Sprig can access school data
• Regular security reviews

In the event of a personal data breach that is likely to affect your rights and freedoms, we will notify you and the Data Protection Commission without undue delay, and in any case within 72 hours of becoming aware.

• Active accounts: for as long as your subscription is active
• After cancellation: your school data is retained for 90 days, during which you can export it or request deletion. After 90 days it is permanently deleted.
• Billing records: retained for 7 years as required by Irish tax law
• Security and audit logs: retained for 12 months

We do not sell or rent personal data. We share data only with the following sub-processors, under contractual obligations that protect your data to the same standard as this policy:

• Amazon Web Services (AWS) — hosting and infrastructure (EU region)
• Stripe — payment processing

We may disclose personal data if required to do so by law or a competent authority.

Under GDPR, you have the right to:

• Access — request a copy of personal data we hold about you
• Rectification — correct inaccurate data
• Erasure — ask us to delete your data (subject to legal retention obligations)
• Portability — receive your data in a structured, machine-readable format
• Restriction — ask us to pause processing in certain circumstances
• Object — object to processing based on legitimate interests

To exercise any of these rights, email [email protected]. We will respond within 30 days.

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Data Protection Commission (dataprotection.ie).

The Sprig landing page (sprig.ie) does not use any tracking or advertising cookies. The Sprig application (app.sprig.ie) uses strictly necessary session cookies to keep you logged in. No consent is required for strictly necessary cookies.

If we introduce any non-essential cookies in future, we will update this policy and provide a cookie consent mechanism.

We may update this policy from time to time. When we make material changes, we will notify school administrators by email at least 14 days before the change takes effect. The current version is always available at sprig.ie/privacy.

For any privacy-related questions, contact us at: