This policy may be updated from time to time, and any changes will be reflected on this page. This policy was last updated on 15th May 2018.
What data do we process?
- Data from visitors to our public websites.
Examples include IP addresses, browser versions, operating systems or pages visited.
- Data that individuals provide in online forms.
Examples include the contact or sign up forms.
- Data that individuals provide via other means.
Examples include when a parent emails us to ask a question about logging in, when a student leaves a note for us on social media about a problem or when a teacher calls us to find out how a certain feature works.
- Data within the epraise platform, which may be provided via forms, files or using an automatic link such as our MIS link
Examples include student names, teacher emails and parental phone numbers. In this instance, the school is the data 'controller' and has full control over what data we process. If you are a school and would like more detail, please see the Data Protection and Security Policy available via the Admin > Contracts and Compliance page.
What is the data used for?
- The data we process is used to provide, maintain and improve the service we offer to our customers and visitors.
Outside of the epraise platform, examples include monitoring page loading times in order to identify pages that are not running efficiently, or seeing how long users spend on certain pages in order to identify possible improvements to the user's experience of the site.
- We may also use data such as visitor logs to help improve the safety and reliability of our services.
For example, we may block visitors if they attempt to circumvent our security systems.
- We may also use any contact information you provide, to provide you with details about epraise and keep you up to date with changes and improvements to our online platforms.
As in the section below, this applies only to individuals who have a school/business email address we have verified.
What is the lawful basis for processing under the General Data Protection Regulation (GDPR)?
Within the epraise platform
Within the epraise platform, schools are the data controllers and we are the processors. Whilst it is up to schools to define the lawful basis for this processing, we recommend schools use the following:
- The processing is necessary because of a legal obligation that applies to you.
Schools have a legal obligation to provide students with an education. Epraise are working on behalf of schools to help them support them in providing this.
- The processing is necessary for administering justice, or for exercising statutory,
governmental, or other public functions.
Schools provide a public function and epraise are working on behalf of those schools.
- The processing is in accordance with the 'legitimate interests' condition.
Schools have asked epraise to process this data and there is no "prejudicial effect on the rights and freedoms, or legitimate interests, of the individual".
Outside of the epraise platform, including the public website and welcome areas, Epraise Limited are the data controllers. We will process all data outside the epraise platform under at least one of the following:
- The processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
In order to ensure we are complying with both the GDPR and Privacy and Electronic Communications Regulations (PECR) as well as ensuring a limited privacy impact on the individual, we will only send marketing communication to business/school addresses based on that individual's preferences. We will ensure that the individual has access to a process whereby they can change their communication preferences or request deletion of their details from our system.
- The processing is necessary for us to comply with the law.
There are limited circumstances where this applies and any requests from law enforcement agencies will be vetted to ensure they are both legal and genuine before complying with the request.
Is the data ever disclosed?
- Students, parents and staff in the epraise platform may see data based around other users of the system when relevant.
Examples include a teacher viewing a student's points or a parent viewing their children's attendance.
- We do not disclose personal data to any other third parties that are not working for us (defined as 'processors' or 'sub-processors' in law), unless required to do so by law.
Examples of third parties that work for us are Rackspace, AWS, Wonde, GroupCall, Apple, Microsoft, Google, Mailgun and Mailchimp.
What if the data is incorrect?
- Where data is held within the epraise platform, it is the responsibility of the relevant school to keep up to date.
If you believe that any information we are holding on you is incorrect or incomplete, please notify the relevant school.
- If you would like us to make changes to any other data belonging to you, because it is incorrect or incomplete, you will need to contact us directly.
Please use the contact form to tell us if you would like us to amend data we hold about you.
How long is the data kept?
Within the epraise platform
- Schools may delete their data on students, parents and staff at any time using the tools we have made available to them.
- Where a school ceases to use epraise and they have not deleted the data themselves, we will ensure that all student, parent and staff data is deleted or anonymised within 30 days.
Within the welcome area and new customer enquiries
- We will keep a history of all communication for a period of up to 5 years from your last action or communication. Individuals with access to our welcome area can request the deletion of their data from the epraise site via the 'request deletion' link.
- We may keep a history of all emails, phone calls and other forms of communication for up to 5 years, after which we will delete or anonymise these.
I would like to view the data you process about me
Within the epraise platform
- Each school has an epraise administrator who should be asked to fulfil this request.
Epraise administrators can find the Subject Access Request feature in the Admin > Contracts and Compliance area
- You may ask us to provide you with a list of information we have related to you.
Please detail your request on the contact form.
I would like to you to delete the data you process about me
Within the epraise platform
- Schools will not generally delete student or staff records when asked as they are required to process these as per the lawful basis' detailed above. If you are a parent, please ask the school directly to remove you from epraise.
- You may ask us to delete personally identifiable information we have related to you, provided that the request is reasonable and legal, via our contact form.
Tell me about your cookies
- Cookies are used to allow users to log in to the system and stay logged in for a period of time.
- Cookies may also be to set defaults, such as the visitor's school, to make using the system easier for them to use.
- Our service will not work without cookies enabled, as these are required in order to allow users to log in.
- You are however free to browse our public website without cookies - simply switch them off in your browser.
- For more information about cookies, please visit allaboutcookies.org.
Tell me about your security
- We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
- Epraise Limited is registered with the Information Commissioner's Office and is fully compliant with the Data Protection act and the GDPR.
- If you have access to our welcome area or subscribe to epraise, you can see more details about how we process your data securely in our Data Protection and Security Policy.
- Our website may occasionally contain links to other websites. Please note that these websites are outside our control, and we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites.