Educake Data and Privacy Policy

We take the privacy and data of our users very seriously. We only collect information we need to run the Educake service.

We require schools to share only students’ names, school years and classes. No other personally identifiable information, such as home addresses or email addresses, is required to use Educake.

Educake is fully compliant with the General Data Protection Regulation, also known as the GDPR, a European Union regulation, also adopted by the UK.

Educake Ltd is registered as a data controller with the ICO.

You can read our full policy below:

Educake Data and Privacy Policy

This privacy statement covers your use of the website and related services provided by Educake Ltd ("Educake").

Updated 21st Feb 2019

What information do you require schools to share with Educake?

We require schools to share only students’ names, school years and classes. We do not require email addresses or home addresses of students.

Teachers who wish to use Educake are required to share their names and email addresses.

We also store the address of the school.

How is this information gathered by Educake?

This information is shared either by uploading it to our secure servers by SSL 3.3 / TLS 1.2 encryption, or by email.

What is the lawful basis for storing this information?

This information is required for teachers and students to be able to use the Educake platform for online homework and revision, for the fulfilment of performance of the contract with the school.

How is this information stored?

The information is stored on Educake's servers in data centres in Ireland, provided by Amazon Web Services (AWS). AWS datacentres are compliant with the international information security standard, ISO 27001.

For more information about AWS's ISO 27001 certification, please visit this webpage:

https://aws.amazon.com/compliance/iso-27001-faqs/

For more information about AWS security, please visit this webpage:

https://aws.amazon.com/security/

Can you provide details of any backup data centre and frequency of backups?

Data is backed up in each day AWS Ireland data centres and are stored for 30 days. All backups are encrypted.

Is Educake registered as a data controller with the ICO?

Yes, Educake Ltd is registered as a data controller with the ICO under registration ZA155224.

Can you please provide details of the level of encryption provided between the clients and your servers and which versions of SSL/TLS and other encryption you support?

SSL 3.3 / TLS 1.2 encryption is used between clients and our servers.

Are your employees police or DBS checked (both those who may visit for consultancy or those with access to the datacentres)?

Yes, all employees and contractors with access to the servers or who may visit schools are DBS checked.

Do you require any extra information to be shared by teachers or students?

We may collect some information automatically about devices that access our website, such as the device used, IP address, MAC address and IMEI number. This automatically gathered information is used to enable us to provide you with a better service by helping us to understand how our website is used and by reporting any technical problems to us (anonymously). We do not collect precise real-time location information about devices.

In addition we have an optional two-factor authentication system to allow users to reset their passwords.
To do this, users can add their email address and/or their phone number to our system. To ensure absolute security, all phone numbers are stored with irreversible one-way encryption on our database. This means we never know the phone numbers.

Here is how the password reset function works:

  1. The user enters their username or email address
  2. If they have stored their phone number with us they are asked to enter the number
  3. We encrypt the number they have entered and check this code matches the encryption code stored on our database
  4. If the encrypted codes match, an automatic text message is sent to the number the user has just entered, containing the access code to allow them to change their password
  5. Alternatively, if the user has stored their email address with us, they can request an email to be sent containing a password reset link which allows them to change their password

Schools can disable this two-factor authentication system for all users.

From time to time we may ask users to take part in a competition. To benefit from these services users may be required to provide us with personal information such as their name and email address.

Do you share information about our school with any third-party organisations?

We share limited data with our customer support software, Intercom, including teachers’ names, school names and teacher email addresses. This allows us to help teachers with any technical problems quickly and easily, via email, or by an online chat system.

We do not share any student data with Intercom, unless a student emails us directly, in which case we store their email address.
Intercom is based in the USA and this data transfer is covered by the EU-US Privacy Shield. For more information please visit the following two pages:

https://ico.org.uk/media/1571/model_contract_clauses_international_transfers_of_personal_data.pdf

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en

For information Intercom’s GDPR compliance please visit this page:

https://docs.intercom.com/pricing-privacy-and-terms/how-were-preparing-for-gdpr

For the text messages for the two-factor authentication system to allow users to reset their passwords we use Twilio. Twilio is ISO 27001 registered and data exchanged between Educake and Twilio is covered by the US-EU Privacy Shield:

https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/eu-us-privacy-shield_en

For more information about Twilio’s data policy relating to GDPR please visit this page:

https://www.twilio.com/gdpr

Phone numbers are removed from Twilio as soon as the message has been sent.

For our accountancy system we use Xero and store school addresses and the name and email of our contacts, e.g. finance office.

How long will the information be kept?

All information on students is kept until the summer holidays after they leave the school. For schools that end their subscription with Educake, we destroy their data in the August after their subscription ends. For example, if a school were to end their subscription in May 2019, we would destroy their data in August 2019. We do this because many schools return to Educake after their trial and want to restore their old data.

On request, we can destroy a school’s data within 48 hours.

How will the information be destroyed?

Information will be deleted or anonymised by replacing all student and class names with random words. For example, John Smith would become by YMgb2sVp oY3vANu1. This is done so that we can continue to improve our understanding of how questions are answered, while ensuring anonymity.

On request we can delete all data, removing it from our servers completely.

What other information do you store about users once they use Educake?

We store information about their use of Educake. For example, for students we store all their answers to questions, the tests they have created and the time they last logged in, and other activity on the website.

For teachers, we store the tests they have created, comments on questions, and other activity on the website.

What is your policy for serious incidents such as data breaches?

Should any school suffer a serious incident we will notify the school as soon as reasonably possible and work closely with them to ensure it is resolved and minimize its impact.

Any user experiencing problems with Educake should contact the support team at support@educake.co.uk or 01865 241465. Support is available from 8am to 5pm weekdays. Should any issue not be resolved, they can be escalated to the Managing Director, Charley Darbishire, via 01865 241465. On-site support may be available, though additional charges will apply.

What are cookies and how do you use them?

Cookies are small text files, which are set by a website or app operator so that your browser or device may be recognised. They typically contain anonymous information such as a unique, randomly generated ID. We may use cookies in our website to provide certain functionality to you, such as push notifications, or to learn about your use of our website (as described below in usage reporting).

How do we delete members of staff?

Heads of department can delete members of staff to prevent them having access to Educake. This can be done within the Educake system.

How do we delete student data when they leave the school?

Teachers can delete student accounts using the Manage Students page of Educake, which prevents those students accessing Educake. Their data is then anonymised.

Can we transfer data between staff if someone leaves?

Yes, we can do this for you on request.

How do I get access to our data?

On request we can provide all data we hold on any individual or organisation, in a spreadsheet, within 7 days. Please submit your request by email to support@educake.co.uk