
How we collect, use, and protect your information at Myharambee.
Grain Rain Holdings Ltd. ("Myharambee", "we", "us", "our") operates the Myharambee community childcare exchange platform, available at myharambee.com and through our iOS and Android applications. We are the data controller for personal data processed through the Service, registered with the UK Information Commissioner's Office under registration number ZB987100. Our registered office is at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ.
This Privacy Policy explains what personal data we collect about you, why we collect it, how we use and share it, and the rights you have over your data. It applies to everyone who uses Myharambee. For questions, write to privacy@myharambee.com. For matters specifically requiring our Data Protection Officer, write to dpo@myharambee.com.
Name, email address, telephone number, postal address, date of birth, profile photograph, emergency contact information, and the user type you registered as (parent, solo provider, or partnered provider).
Government-issued identification documents and a biometric selfie used for liveness and face match. This data is collected and processed by Stripe Identity (Stripe Payments UK Ltd. and its affiliates) on our behalf. We receive only a verification outcome and minimal verification metadata; we do not store the original identity document images on our servers.
For users acting as childcare providers, we process Disclosure and Barring Service (DBS) certificate numbers and Update Service subscription details supplied by the provider. We do not generate or hold the underlying criminal record information.
Your progress and completion status for required and supplementary training courses provided through the platform.
Help requests you create or accept, the time and location of agreed sessions, session check-in and check-out events, points balances, point transactions, escrow movements, reliability scores, ratings, and reviews.
When a provider checks in to a confirmed session, we activate location-based safeguards to verify the provider remains with the children for the duration of care. This includes:
This processing is active only while a session is in progress. It begins at provider check-in and ends at provider check-out. We do not collect background location at any other time. Providers consent to this processing per session through an in-app prompt; refusing the prompt ends the session. The lawful basis for this processing is our legitimate interest in protecting the safety and wellbeing of children placed in the care of providers, balanced against the privacy of the provider, with vital interests as an additional basis during a live incident. A Legitimate Interest Assessment is available on request.
Messages exchanged with other users through the in-app messaging system, support tickets, community posts and comments, and notifications.
Device model and operating system, device push notification token, IP address, app version, language and locale, and crash diagnostics. We do not use third-party SDKs to track you across other apps or websites.
We use strictly necessary cookies to keep you signed in and remember preferences. We do not use advertising or cross-site tracking cookies. You can manage cookies in your browser settings; disabling strictly necessary cookies will prevent the website from working.
We rely on the following lawful bases under UK GDPR Article 6:
| Processing | Lawful basis |
|---|---|
| Creating and managing your account | Performance of a contract (Art. 6(1)(b)) |
| Identity verification (KYC) and DBS verification | Legal obligation and legitimate interest in keeping children safe (Art. 6(1)(c) and (f)) |
| Facilitating bookings and the points exchange | Performance of a contract (Art. 6(1)(b)) |
| Session location monitoring | Legitimate interest in child safety (Art. 6(1)(f)); vital interests during a live incident (Art. 6(1)(d)) |
| Sending service notifications | Performance of a contract (Art. 6(1)(b)) |
| Fraud prevention, abuse moderation, audit logging | Legitimate interest (Art. 6(1)(f)) |
| Marketing communications (where applicable) | Consent (Art. 6(1)(a)), withdrawable at any time |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
For special category data (biometric data used for KYC), we rely on your explicit consent under Art. 9(2)(a), captured before the verification flow begins.
We use the data above to:
We do not subject you to solely automated decision-making that produces legal or similarly significant effects on you without human review.
We do not sell, rent, or trade your personal data. We share it only as described below.
We share the minimum data necessary with vetted processors operating under written data processing agreements:
Stripe Identity (Identity Verification)
Stripe Payments UK Ltd. and its affiliates collect and process government-issued ID information and biometric data (selfie for liveness and face match) on our behalf to confirm your identity. Privacy Policy: https://stripe.com/privacy
Mailgun (Email Services)
Mailgun (Sinch Email) handles transactional and notification email. Mailgun does not use your data for marketing. https://www.mailgun.com/privacy-policy
Google Cloud Services
Maps API for location services, Vision API for OCR, Perspective API for content moderation. Content sent to Perspective API is not stored by Google. https://policies.google.com/privacy
Digital Ocean (Cloud Infrastructure)
Hosts our servers and stores data in encrypted format. https://www.digitalocean.com/legal/privacy-policy
Apple Push Notification service / Firebase Cloud Messaging
Push notification delivery to your device.
Our internal admin and customer support team can access account, verification, session, message, and incident data on a need-to-know basis to operate the Service, investigate reports, and resolve disputes. All admin access is logged.
We may disclose data to comply with legal obligations, court orders, regulatory requests, or lawful subpoenas; to enforce our Terms or investigate violations; to protect the rights, property, safety, or wellbeing of users (especially children), Myharambee, or others, including reporting safeguarding concerns to relevant authorities; and in connection with a corporate transaction subject to confidentiality and to this Privacy Policy continuing to apply.
Our primary servers are located in the United Kingdom and European Economic Area. Some of our processors are based outside the UK/EEA. Where personal data leaves the UK we rely on UK adequacy decisions where applicable, the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, or other appropriate safeguards required by UK GDPR Chapter V. You can request a copy of the relevant transfer mechanism by writing to privacy@myharambee.com.
We retain personal data only as long as needed for the purposes set out above and the periods set by law. Our standard schedule:
| Category | Retention |
|---|---|
| Account and profile data | While your account is active, plus 12 months after closure |
| KYC verification outcome and metadata | 6 years after account closure |
| DBS certificate references | 6 years after account closure |
| Booking, escrow, and points history | 7 years after the booking (UK accounting records) |
| Messages and community posts | While account is active, plus 12 months after closure (longer if subject to a live moderation case) |
| Session location traces (heartbeats and geofence events) | 30 days after the session ends, then automatically deleted |
| Incident records (where session monitoring triggered an alert) | 7 years after the incident (safeguarding) |
| Support tickets and appeal correspondence | 6 years after closure |
| Marketing consent records | While consent is active, plus 3 years after withdrawal |
| Server access logs and security audit logs | 12 months |
When the retention period ends, data is deleted or irreversibly anonymised, except where we are required by law to keep it longer.
Under UK GDPR you have the following rights:
To exercise any right, write to privacy@myharambee.com. We will respond within one calendar month, extendable to three months for complex requests.
You also have the right to lodge a complaint with the UK Information Commissioner's Office (ICO):
We would appreciate the chance to address any concern with us first.
Myharambee is for adults (18+) acting as parents/guardians or as childcare providers. We do not provide services directly to children, and children may not register accounts.
Information about a child placed in care (such as first name, age, dietary or medical notes, or a photograph chosen by the parent) is provided to us by the parent in the booking context and shared only with the assigned provider for the purpose of that booking. We follow the principles of the ICO Age Appropriate Design Code (Children's Code) when handling any data relating to people under 18, including data minimisation, retention limits, and refraining from any profiling.
If you believe we have inadvertently collected data directly from a child without parental authorisation, contact privacy@myharambee.com and we will delete it promptly.
We implement technical and organisational measures appropriate to the risk:
In the event of a personal data breach posing a risk to your rights, we will notify the ICO within 72 hours and you without undue delay where required by Art. 34. No system is perfectly secure, but we work to make ours strong, and we expect the same of our processors.
We may update this policy as the platform evolves or as the law changes. When we make a material change we will post the revised policy on the website and in the app, and where the change materially affects how we use your data, give you advance notice by email or in-app banner so you have a chance to review before the change takes effect. Continued use of the Service after a change becomes effective indicates acceptance.
Data controller: Grain Rain Holdings Ltd. trading as Myharambee.
Registered office: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ
ICO registration: ZB987100
General enquiries: support@myharambee.com
Privacy and data rights: privacy@myharambee.com
Data Protection Officer: dpo@myharambee.com