Educake Data and Privacy Policy

We take the privacy and data of our users very seriously. We only collect information we need to run the Educake service.

We require schools to share only the minimum personally identifying data of teachers and students needed to allow them to access, and us to effectively run, the Educake service. Collectively the staff and students at a school who hold Educake accounts are our ‘Users’.

Educake is compliant with the General Data Protection Regulation, also known as the GDPR, a European Union regulation, also adopted by the UK. The data controller is Educake Ltd. Our registered address is The Old Chapel, Union Way, Witney, Oxfordshire, OX28 6HD, and our office address is Unit 3 The Gallery, 54 Marston Street, Oxford, OX4 1LF. Our DPO is Claire Gilbert, clairegilbert@educake.co.uk. The legal basis for our processing of Users’ personal data is, as applicable, where it is necessary for the performance of a contract, in order to comply with our legal obligations and/or with Users’ consent.

Educake Ltd is registered as a data controller with the ICO. Our registration number is ZA155224.

You can read our full policy below, and refer to our Terms and Conditions (available at: www.educake.co.uk/aboutus/terms).

Educake Data and Privacy Policy

This privacy statement covers your use of the website and related services provided by Educake Ltd ("Educake").

Updated 11th January 2021

What information do you require schools to share with Educake?

We require schools to share only students’ names, school years, classes and subject. We recommend Unique Pupil Numbers (UPNs) are shared to manage accounts effectively. We recommend email addresses are attached to student accounts to help them log in to the platform. Additionally, students can add their mobile phone numbers, which are hashed when they enter our system, to help them log in. No other personally identifiable information, such as home addresses, is required to use Educake. We also collect names, email addresses and subject specialism of teachers and other school staff, to enable them to use the service.

How is this information gathered by Educake?

This information is shared either by uploading it to our secure servers using TLS 1.0-1.4 encryption, or by email.

What is the lawful basis for storing this information?

This information is required for teachers and students to be able to use the Educake platform for online homework and revision, for the performance of the contract with the school.

How is this information stored?

The information is stored on Educake's servers in data centres in Ireland, provided by Amazon Web Services (AWS). AWS datacentres are compliant with the international information security standard, ISO 27001.

For more information about AWS's ISO 27001 certification, please visit this webpage:

https://aws.amazon.com/compliance/iso-27001-faqs/

For more information about AWS security, please visit this webpage:

https://aws.amazon.com/compliance/data-privacy-faq/

From 01/01/21 data is transferred between the EEA and the UK under a Standard Contractual Clause (SCC) which is part of the AWS service agreement. See:

https://aws.amazon.com/compliance/gdpr-center/brexit/

Can you provide details of any backup data centre and frequency of backups?

Data is backed up each day at AWS Ireland data centres and is stored for 7 days.

Is Educake registered as a data controller with the ICO?

Yes, Educake Ltd is registered as a data controller with the ICO under registration ZA155224.

Can you please provide details of the level of encryption provided between the clients and your servers and which versions of SSL/TLS and other encryption you support?

TLS 1.0-1.4 encryption is used between clients and our servers.

Are your employees police or DBS checked (both those who may visit for consultancy or those with access to user data)?

Yes, all employees and contractors with access to the servers or who may visit schools are DBS checked.

Do you require any extra information to be shared by teachers or students?

We may collect some information automatically about devices that access our website, such as the device used, IP address, MAC address and IMEI number. This automatically gathered information is used to enable us to provide you with a better service by helping us to understand how our website is used and by reporting any technical problems to us (anonymously). We do not collect precise real-time location information about devices.

In addition we have an optional password recovery system to allow users to reset their passwords. To do this, users can add their email address and/or their phone number to our system. To ensure absolute security, all phone numbers are stored with irreversible one-way encryption on our database. This means we never know the phone numbers.

Here is how the password reset function works:

  1. The user enters their username or email address
  2. If they have stored their phone number with us they are asked to enter the number
  3. We encrypt the number they have entered and check this code matches the encryption code stored on our database for that user
  4. If the encrypted codes match, an automatic text message is sent to the number the user has just entered, containing the access code to allow them to change their password
  5. Alternatively, if the user has stored their email address with us, they can request an email to be sent containing a password reset link which allows them to change their password

Schools can disable this system for all users.

From time to time we may ask users to take part in a competition. To benefit from these services users may be required to provide us with personal information such as their name and email address. Full terms and conditions of these competitions are shared with the competition information and are available on our help desk.

Do you share information about our school with any third-party organisations?

We share limited data with our customer support software, Intercom, including teachers’ names, school names and teacher email addresses. This allows us to help teachers with any technical problems quickly and easily, via email, or by an online chat system.

We do not share any student data with Intercom, unless a student emails us directly, in which case we store their email address.

Intercom is based in the USA. Following the ICO guidance that the EU-US Privacy Shield is no longer valid we have signed a standard customer data processing addendum with Intercom so that Standard Contractual Clauses (SCCs) are incorporated.

For the text messages for the password recovery system to allow users to reset their passwords we use Twilio. Twilio is ISO 27001 registered and has updated their data protection addendum here:

https://www.twilio.com/legal/data-protection-addendum

For more information about Twilio’s data policy relating to GDPR please visit this page:

https://www.twilio.com/gdpr

Phone numbers are removed from Twilio as soon as the message has been sent.

For our accountancy system we use Xero and store school addresses and the name and email of our contacts, e.g. finance officer. Xero’s data policy can be found here:

https://www.xero.com/uk/about/legal/terms/data-processing-terms/

When using the Educake app, we may also collect and share certain anonymous data with Google Firebase (which is based in the USA), for the purposes of usage analytics, crash reporting and provisioning push notifications to devices. Data transferred between Educake and Google Firebase is covered by Standard Contractual Clauses (SCCs). For more information about Privacy and Security in Google Firebase, please visit this webpage:

https://firebase.google.com/support/privacy

Educake stores data using the Dropbox file system and the file data is stored within the European Union.

How long will the information be kept?

If a school has had zero active subscriptions for the previous 180 days it is deemed to have lapsed and all the Users are flagged as deleted. This process happens weekly.

All User accounts which have been flagged as deleted for 90 days are then anonymised. This process happens daily, and removes all personally identifying information permanently.

On request, we can destroy a school’s data within 48 hours.

What other information do you store about users once they use Educake?

We store information about their use of Educake. For example, for students we store all their answers to questions, the tests they have created and the time they last logged in, and other activity on the website.

For teachers, we store the tests they have created, comments on questions, and other activity on the website.

We use information about student tests to inform our content creation. We use information about teacher activity to understand how best to support our customers.

What is your policy for serious incidents such as data breaches?

Should any school suffer a serious incident we will notify the school as soon as reasonably possible and work closely with them to ensure it is resolved and to minimise its impact.

Any user experiencing problems with Educake should contact the support team at support@educake.co.uk or 01865 800808. Support is available from 8am to 5pm weekdays.

What are cookies and how do you use them?

Cookies are small text files, which are set by a website or app operator so that your browser or device may be recognised. They typically contain anonymous information such as a unique, randomly generated ID. We may use cookies in our website to provide certain functionality to you, such as saving settings that you have chosen, or to learn about your use of our website.

How do we delete members of staff?

Heads of department can delete members of staff to prevent them having access to Educake. This can be done within the Educake system; for more information see https://help.educake.co.uk/en/articles/1763157-can-we-delete-members-of-staff-and-students-from-educake-when-they-leave-the-school

How do we delete student data when they leave the school?

Teachers can delete student accounts using the Manage Students page of Educake, which prevents those students accessing Educake. Their data is then anonymised, as described above in ‘How long will the information be kept?’.

Can we transfer data between staff if someone leaves?

Yes, we can do this for you on request.

How do I get access to our data?

On request we can provide all data we hold on any individual or organisation, in a spreadsheet, within 7 days. Please submit your request by email to support@educake.co.uk.