Short version: For the website, we collect the minimum we need to respond to school enquiries and send the newsletter. For the Cloak Check browser extension, we collect nothing at all — every check runs locally in your browser and no data is transmitted anywhere. We don't sell data, we don't use trackers, and you can ask us to delete anything we hold about you at any time.
1. Who we are
Cloak is a cyber safety education brand for teenagers. It's a product of Solid Code Solutions Ltd, an IT consultancy based in Leamington Spa, UK.
For the purposes of UK GDPR and the Data Protection Act 2018, the data controller for this website is:
- Solid Code Solutions Ltd
- Registered address: 20 - 22 Wenlock Road, London, England, N1 7GU
- Company number: 08750436
- ICO registration: ZC141966
- Privacy contact: matt@solidcodesolutions.co.uk
2. What we collect
We only collect personal data when you choose to give it to us.
| When | What we collect | Why |
|---|---|---|
| You register interest as a parent or school | Your name, email, school or organisation, role, and anything you choose to write in the optional "what would be most useful?" field | To follow up about Cloak's school programme as it takes shape |
| You subscribe to the newsletter | Your email address | To notify you when we publish new content |
| You email us directly | Your email address and anything you choose to put in the message | To reply to you |
| You visit any page | Standard server logs (IP address, browser type, pages viewed, timestamp) held by our hosting provider | Security, abuse prevention, basic operational diagnostics |
We do not currently use website analytics (e.g. Google Analytics), advertising trackers, or social media pixels. If we add any of these in future, we'll update this policy and add a cookie consent banner first.
The table above covers the website only. The Cloak Check browser extension is covered separately in section 10 — it transmits no data of any kind and is not represented in any row above because there is nothing to collect.
3. Why we use it (lawful basis)
- School enquiries — legitimate interest. You've contacted us about a service for your school, and replying is the obvious thing to do.
- Newsletter — consent. You've opted in by submitting the form, and you can unsubscribe at any time using the link in every email.
- Server logs — legitimate interest in keeping the site secure and operational.
4. If you're under 18
Cloak is aimed at teenagers aged 13–18. We're aware that many of our visitors are minors, and we follow the ICO's Age Appropriate Design Code (the "Children's Code").
What that means in practice:
- We don't ask for personal information from anyone under 13. The "register interest" form is intended for parents and school staff, not students.
- If you're under 18 and want to subscribe to the newsletter, we ask that you check with a parent or carer first.
- We don't profile you, target advertising at you, or share your data with anyone for marketing purposes.
- If a parent or guardian is concerned about data we hold about a young person, they can contact us at the address in section 12 and we'll act on it promptly.
5. Who we share data with
We don't sell your data. We share it only with the providers we use to actually run the site and respond to you:
- Netlify — hosts this website and processes form submissions on our behalf. See Netlify's privacy policy.
- Google Fonts — serves the typefaces used on this site. Loading the page sends your IP address to Google so the fonts can be delivered. See Google's privacy policy.
- Our email provider — Microsoft 365 handles the inboxes we use to reply to you.
- Our newsletter platform — Mailchimp will store your email address to send drop notifications and occasional updates.
We may also disclose data where we're legally required to (for example, in response to a court order, or to protect someone from serious harm).
6. Cookies and tracking
This website does not currently set any cookies on your device, and we don't use analytics or advertising trackers.
Third-party services we link to or embed (TikTok, YouTube, Instagram) will set their own cookies once you click through to them. Their cookie policies apply on their own sites.
7. How long we keep data
- School enquiries — kept for up to 3 years from last contact, then deleted, unless you become a paying customer (in which case standard business records apply).
- Newsletter subscribers — kept until you unsubscribe, then promptly removed.
- Email correspondence — kept for up to 2 years for reference, unless there's a reason to keep it longer (e.g. an ongoing project).
- Server logs — typically rotated and deleted by our host within 30 days.
8. International transfers
Some of our service providers (notably Netlify and Google) are based in the United States and may process your data there. Where this happens, transfers are protected by the EU–US / UK Data Privacy Framework or by Standard Contractual Clauses, in line with UK GDPR requirements.
9. Your rights
Under UK GDPR, you have the right to:
- Access the personal data we hold about you
- Correct anything that's inaccurate or out of date
- Delete your data ("right to be forgotten") in most circumstances
- Object to us processing your data, or restrict how we use it
- Take your data with you in a portable format
- Withdraw consent at any time (e.g. unsubscribe from the newsletter)
To exercise any of these, email us using the address in section 12. We'll respond within one month.
If you're unhappy with how we've handled your data, you have the right to complain to the Information Commissioner's Office (ICO), the UK's data protection regulator. We'd appreciate the chance to put things right first, but it's your call.
10. The Cloak Check browser extension
Cloak Check is a free, open-source browser extension we publish on the Chrome Web Store. It scans the page you're currently looking at for cyber security signals (HTTPS use, lookalike domain tricks, missing security headers, phishing patterns, and so on) and shows you a traffic-light verdict in plain English.
The extension is built around one promise: nothing about your browsing leaves your browser.
What the extension reads
To produce a verdict for the page you're on, the extension reads:
- The page's URL and the response headers Chrome received when loading it
- The page's HTML, the scripts it references, and any iframes embedded in it
- Cookie attributes (the Secure flag and similar metadata) for the current page — never the cookie values themselves
- The page's favicon URL
This inspection happens locally inside your browser. The extension does not record what you read, what you type, what you click, or which pages you visit over time.
What the extension stores
Scan results are written to chrome.storage.session, a per-session RAM-only area provided by Chrome that is wiped automatically when you close the browser. The extension does not use chrome.storage.local, IndexedDB, or any other persistent storage, and writes nothing about your browsing to disk.
What the extension transmits
Nothing. The extension makes no network requests to our servers or to anyone else's, because there is no server. Cloak Check has no backend, no telemetry, no analytics, no error reporting, no remote configuration, and no update channel beyond the Chrome Web Store's standard distribution. The source ships unminified, so any of this can be verified by inspecting the unpacked extension.
Permissions, in plain English
Chrome asks you to approve the following permissions when you install the extension. Each one is used for the specific purpose described below and nothing else:
- activeTab — lets the popup talk to the page currently in focus when you click the icon.
- storage — used only for the RAM-only chrome.storage.session area described above.
- webRequest — read-only access to the response headers (CSP, X-Frame-Options, HSTS, and so on) of pages as they load. The extension never blocks, redirects, or modifies any request.
- cookies — read-only inspection of cookie attributes (Secure flag, SameSite, and so on) on the current page. Cookie values are not read.
- webNavigation — lets the extension re-run its checks automatically when a tab finishes loading, so the verdict is ready by the time you click.
- host_permissions: <all_urls> — required so the above can happen on whichever page you're visiting. The permission is broad by necessity but the use is narrow: read-only inspection, with no transmission of data anywhere.
Children and the extension
Because the extension transmits no data of any kind, it does not collect personal information from anyone, including under-18s. Nothing about the analysis or the storage changes based on who's using it. A parent or guardian who wants to verify the extension's behaviour can inspect the source or contact us at the address in section 12.
If this ever changes
If a future version of the extension changes any of the above — for example, if we were ever to add an opt-in feature that transmitted data — we would update this policy first, update the Chrome Web Store listing, and ask for explicit consent within the extension before any new data flow began.
Reporting an issue
Bugs, wrong verdicts, or anything else about the extension can be reported on the Cloak Check support page.
11. Changes to this policy
If we change this policy in a way that materially affects you (for example, if we add analytics or change who processes your data), we'll update the "last updated" date at the top of this page and, where appropriate, notify you by email or with a banner on the site.
12. Contact us
For anything privacy-related — data requests, questions, complaints, or concerns about a young person's data — get in touch:
- Email: matt@solidcodesolutions.co.uk
- Post: Solid Code Solutions Ltd, 20 - 22 Wenlock Road, London, England, N1 7GU