Privacy policy

This website and app are operated by EDUCAKE LTD.

We take your privacy very seriously and we ask that you read this privacy policy carefully as it contains important information on:

  • the personal information we collect about you
  • what we do with your information, and
  • who your information might be shared with.

We may change this privacy policy from time to time. You should check this policy occasionally to ensure you are aware of the most recent version that will apply each time you access our website and app.

Who are we?

EDUCAKE LTD (‘we’ or ‘us’) are a ‘data controller’ for the purposes of the Data Protection Act 2018, the UK General Data Protection Regulation and any subsequent UK data protection legislation and we are responsible for, and control the processing of, your personal information.

Who does this privacy policy apply to?

This privacy policy applies to any individuals whose personal information we process during the course of business, which includes:

  • Our customers, meaning someone who uses our services for or on behalf of a school, LA or similar organisation (‘School’) to administer a quiz and retrieve results – e.g. a school’s staff;
  • Our prospective customers and recipients of our marketing communications;
  • Visitors to our website;
  • Our suppliers, service providers, agents, and subcontractors.

Whilst we also process personal data of students who engage with our website, app and services, we do this as a processor on behalf of that student’s School. This means that the School is the controller and as such this policy does not apply to students who use our app and services. Please see ‘How do we use Students’ Personal Data’ below.

If you are unsure how this policy applies to you, please contact us (see ‘How to contact us’ below) and we will be happy to help.

How do we use students’ personal data?

We process personal data of students who engage with our app and services. We do this as a processor on behalf of that student’s School. This means that the School is the controller and we only process students’ personal data in accordance with the School’s instructions.

As such, should a student (or their parent on their behalf) wish to enforce their rights in respect of how we process their data, this should be directed to their School who will instruct us accordingly. Still, we understand that it is important for you to understand how and why we process students’ personal data. We have a ‘Student Privacy FAQs’ which provides you with further information about how we process students’ personal data and why.

What information do we collect and process?

Personal information provided by you

During the course of accessing our website, app, using our products and services, contacting us, providing services to us, or otherwise dealing with us, you may provide us with a range of personal data which we will use in the course of our business. This personal information may include:

  • Your name or another unique identifier;
  • Your address;
  • Your age and/or date of birth;
  • Your contact details (which may include your landline telephone number, mobile number, and/or email address);
  • Payment or other financial details (e.g. payment card information, bank information);
  • Professional information (e.g. job title and/or type, subject specialism, professional qualifications, industry); and
  • Other related information.

Information we collect automatically

Our website, app and services may collect certain information about you automatically (such as your IP address, MAC address and IMEI number, browser type and version, operating system, geo-location data based on your IP address).

Personal information provided by third parties

Occasionally we may receive information about you from other sources (such as our suppliers, customers, or group companies), which we will add to the information we already hold about you in order to help us operate our business effectively.

Personal information about other individuals

If you give us information on behalf of someone else, you confirm that the other person has appointed you to act on his/her behalf and has agreed that you can:

  • transfer the personal data and give consent on his/her behalf to the processing of his/her personal data;
  • receive on his/her behalf any data protection notices;
  • give consent to the transfer of his/her personal data abroad; and
  • give consent to the processing of his/her sensitive personal data (if applicable).

In addition to the data collected through standard registration processes, Educake may also collect and update personal data directly from a school’s Management Information System (MIS) via our integration with Wonde. This data may include, but is not limited to:

  • Student names
  • Year groups
  • Class lists

This data is collected for the specific purpose of facilitating accurate management of student and teacher accounts, efficient class enrolment, timely quiz assignments and correct allocation of students to groups, reflecting changes in school records.

How we use your data and our legal basis for processing your data

We may process your data for a variety of reasons, including because:

  • we are legally obliged to e.g. to confirm your identity;
  • the processing is necessary for the performance of the contract with you to provide our Services; or
  • it is in our legitimate business interests to do so.

In some instances, we will rely on your consent to process personal data and where we do this, it will be flagged to you at the time.

Through the integration with Wonde, Educake uses data synchronised from the school’s MIS to automatically update student and teacher accounts, ensuring all class and group information is current and reflects real-time changes made within the school’s internal systems. Schools may also opt to integrate additional data sets, such as school eligibility data. These optional integrations can enhance the ability to monitor student engagement and performance. 

The legal basis for processing this data is:

  • Legitimate interest 
  • Performance of Contract 

If any data processing requires explicit consent (e.g., optional integrations like attendance or behaviour data), Educake will ensure the school collects and provides that consent in accordance with GDPR.

Our main processing activities for personal data, and the legal basis on which we perform those activities are:

Prospective customers/marketing recipients:

We will process your personal data in order to contact you in relation to our products and services and keep a record of our communications (e.g. sales telephone calls, quotations and offers).

Our legal basis for doing so is our legitimate interests, which allows us to market our products and services to individuals provided there is a business case for doing so and our interests do not override the rights of the individuals in question. If you wish to object to direct marketing, you may do so by contacting us.

Customer/users:

We will process your personal data in order to provide our products/services to you and to provide you with information and updates regarding the same. Our legal basis for doing so is that the processing is necessary for the performance of a contract. We will also keep a record of your data and use it for related purposes, including account management, customer support, and audit purposes, on the basis that we have a legitimate interest in doing so.

We may also contact you in relation to our other products and services. Our legal basis for doing so will be the same as for prospective customers, as set out above.

Suppliers, service providers etc.:

We will process your personal data in order to receive goods and/or services from you and to manage our relationship, including making payments to you, dealing with accounts issues, placing orders etc. Our legal basis for doing so is that the processing is necessary for the performance of a contract.

Other processing activities

Monitoring and recording communications

We may monitor and record communications with you (such as telephone conversations and emails) for the purpose of preventing unauthorised access and modifications to our services, training, fraud prevention, and/or quality assurance. We may also retain copies of communications and details provided to us by you, for example support requests, account queries, complaints, for internal account management and auditing purposes. This is done on the basis of legitimate interests and to comply with our legal and regulatory obligations.

Storage of your information and who your information might be shared with

We store your personal data on servers in data centres in the UK, provided by Amazon Web Services (AWS). AWS datacentres are compliant with the international information security standard, ISO 27001.

For more information about AWS’s ISO 27001 certification, please visit this webpage:
https://aws.amazon.com/compliance/iso-27001-faqs/

We may disclose your personal data to:

  • other companies within our group (including Twinkl Ltd) to the extent that there is a legitimate interest in doing so to support our business aims;
  • law enforcement agencies in connection with any investigation to help prevent unlawful activity; and
  • a third party purchaser if we sell our business, in which case, customer and user information will be a transferred asset.

We may also disclose your personal data to our agents and service providers, to the extent that they require access to the data in order to provide goods/services to us, in which case they will be bound by a contract requiring them to process personal data in accordance with the requirements prescribed by data protection law. Some of these agents and service providers may be based outside of the UK (or require the transfer of your personal data outside of the UK). In such cases, we only work with suppliers that transfer to territories which the UK has determined provide an adequate level of protection or otherwise ensure appropriate safeguards are in place to protect your personal data. In particular:

  • we share limited data with our customer support software, Intercom, including teachers’ names, school names and teacher email addresses. This allows us to help teachers with any technical problems quickly and easily, via email, or by an online chat system. Intercom is based in the USA. Following the ICO guidance that the EU-US Privacy Shield is no longer valid, we have signed a standard customer data processing addendum with Intercom so that Standard Contractual Clauses (SCC) are incorporated – https://www.intercom.com/legal/privacy
  • we use Twilio for the password recovery system (via text messages) to allow users to reset their passwords. Twilio is ISO 27001 registered and we have Standard Contractual Clause (SCC) in place as part of our agreement with Twilio – https://www.twilio.com/legal/data-protection-addendum
  • we use Xero for our accountancy system which stores School addresses and the name and email of our School contacts, e.g. finance officer. We have entered into a data processing addendum with Xero – https://www.xero.com/uk/about/legal/terms/data-processing-terms/
  • we use Google Firebase (which is based in the USA) for the purposes of usage analytics, crash reporting, provisioning push notifications to devices. We have signed a standard customer data processing addendum with Intercom so that Standard Contractual Clauses (SCC) are incorporated – https://firebase.google.com/support/privacy
  • we use the Dropbox file sharing system which may transfer personal data outside of the UK – https://aem.dropbox.com/cms/content/dam/dropbox/www/en-us/business/solutions/solutions/dfb_security_whitepaper.pdf
  • We also use Campus (provided by Sprint Education) for our email marketing to you which may transfer personal data outside of the UK. We have entered into their processing agreement – https://sprint-education.co.uk/legal/data-processing-agreement
  • We share pseudo-anonymised data with Twinkl Ltd for the purposes of data analytics. We have entered into a data processing agreement with Twinkl Ltd to ensure that data is processed in accordance with all relevant data protection laws.

Keeping your data secure

We will use technical and organisational measures to safeguard your personal data, for example:

  • Access to your account is controlled by a password and username that are unique to you
  • We encrypt your data both when it’s stored (at rest) and when transferring it (in transit)
  • All Educake employees and contractors with access to the servers or who may visit schools are DBS checked
  • All Educake staff use password protected computers that are locked when not in use
  • The Educake office is locked at all times, and protected by an alarm
  • Staff are trained regularly on security
  • All Educake employee accounts are password protected
  • When teachers and school staff create accounts, we verify their position with the school before giving them access to Educake
  • Our data backups are deleted after 7 days and until then are stored on secure AWS servers in the UK
  • The database is only accessible by Educake employees who need access

While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that are transferred from you or to you via the internet. If you have any particular concerns about your information, please contact us (see ‘How to contact us’ below).

Educake employs stringent security measures to protect personal data transferred via Wonde, including:

  • Encryption of data in transit and at rest
  • Regular security audits and assessments based on risk to ensure ongoing compliance with GDPR and other data protection regulations
  • Immediate measures to address any identified vulnerabilities and ensure data protection

In the event of a data breach that poses a risk to personal data, Educake will follow GDPR’s data breach notification requirements, informing both the school and the affected data subjects in a timely manner.

What can I do to keep my information safe?

If you want detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.

Transfers of your information out of the UK

We may transfer your personal data outside of the UK. We will only do this if appropriate safeguards are in place in accordance with data protection legislation. For example, where relevant, we have entered into Standard Contractual Clauses (SCC) that will safeguard your privacy rights and give you remedies in the unlikely event of a security breach.

How long do we keep your personal information?

We will keep user data as long as it is evident to us the user may still need it to use Educake. Educake uses a 2-step process for deleting user data: deactivation and then anonymisation.

Deactivation is flagging a user as inactive in the database. When this happens, the user can no longer log in and use the website, and staff at the user’s school can no longer see the user or their activity. The data is still associated with the user’s name and username. It is possible to reverse a deactivation, for example when teachers want to reactivate a student account.

An individual’s data is deactivated in these situations, whichever comes first:

  • When a staff member at the user’s school deletes the user’s account
  • When a staff member at the user’s school asks us to delete the user’s account
  • When all of a school’s trials and subscriptions with Educake have been expired for 180 days, we will delete all the users within the school
  • Other related situations

Anonymising a user’s data involves removing any identifying information. We keep information such as the user’s activity in Educake, whether they were a student or a teacher, and their school, but we permanently delete their name, username, password, email address, mobile number, and UPN. This is not reversible. We retain the anonymised data in order to learn about and improve our service.

We will anonymise a user’s data in these situations, whichever comes first:

  • When the user has been deleted for 90 days
  • When a staff member at the user’s school asks us to anonymise the user
  • Other related situations

Schools often provide Educake with spreadsheets containing students’ information in order for us to set up their accounts. We delete these spreadsheets after 6 months.

On request, we can anonymise an individual’s or school’s data in 48 hours.

With the integration of Wonde, Educake relies on the school’s instructions to delete students’/teachers’ data. The schools will also have the capacity to delete students’/teachers’ accounts themselves. Data retention follows our broader policy, which aligns with GDPR’s storage limitation principle. Specifically:

  • Data is retained only for as long as necessary to fulfil the purposes for which it was collected
  • Once required, the school can delete (or request that Educake delete) personal data.

The exact retention period may vary depending on the nature of the data, but all data is managed in compliance with GDPR’s requirements for data minimisation and retention limitations.

What rights do you have?

You are responsible for ensuring that information you provide to us is accurate, complete and up-to-date. You can review and change your information by contacting us.

You have a number of rights in relation to your personal data. These include the right to:

  • find out how we process your data;
  • request that your personal data is corrected if you believe it is incorrect or inaccurate;
  • obtain restriction on our, or object to, processing of your personal data;
  • if we are relying on consent, you can withdraw your consent to our processing of your personal data (including any direct marketing);
  • if we are relying on legitimate interests for direct marketing, you can object to receiving such direct marketing;
  • obtain a copy of the personal data we process concerning you. We will take steps to verify your identity before responding to your request. Once we have verified your identity we will respond as soon as possible and in any event within one month.
  • lodge a complaint with the UK supervisory body, the Information Commissioner’s Office (the ICO) here https://ico.org.uk/. If you have a concern or complaint about the way we handle your data, we ask that you contact us in the first instance to allow us to investigate and resolve the matter as appropriate.

If you would like to exercise any of your rights or find out more, please visit our Data, Privacy and GDPR Help Page (here: https://help.educake.co.uk/en/collections/102774-data-privacy-and-gdpr) for details of how you can manage your data through your account or contact us.

Schools retain control over the specific data shared with Educake via Wonde. If you wish to exercise your GDPR rights, you should first contact your school, as they serve as the data controller for the data integrated via Wonde. Schools have the authority to manage these requests, but Educake will assist where necessary.

Personal Data Breach Policy

We collect the minimum personal information necessary to offer our service, and we have taken every reasonable precaution to prevent personal data breaches and to regularly monitor for signs of security events. However, if a personal data breach does occur, our policy is to take the following steps:

1. Escalate

At the first indication that there may have been a personal data breach, the incident will be immediately escalated to the Educake management team.

2. Assess

The Educake management team will assess the consequences of the data breach and take action to contain it if needed.

3. Notify the affected party

The Educake management team will notify the affected party of the data breach within 48 hours. For schools, this is the relevant staff member. For individual subscribers, this is the person who purchased the subscription.

4. Mitigate

Educake will then work with the affected school or person who purchased the subscription to mitigate any consequences of the personal data breach.

5. Document

Educake will internally document all data breaches, including the causes, consequences, and actions taken.

6. Report to the ICO

If the data breach was likely to result in a high risk to a user’s rights and freedoms, Educake will report it to the Information Commissioner’s Office within 72 hours of discovering it.

How to contact us

Please contact us if you have any questions about this privacy policy or the information we hold about you. If you wish to contact us, please send an email to support@educake.co.uk or write to us at FAO: Educake Ltd, 30 St. Giles, Oxford, England, OX1 3LE or call us on 01865 800 808.

Use of cookies

For information on the cookies we use and how to control your cookie settings, please visit our Cookie Policy www.educake.co.uk/aboutus/cookiepolicy.