Data Processing Agreement

1. Purpose and Scope

This Data Processing Agreement ("DPA") explains how TrackEDU Ltd (Company Number: 17216557, Registered Office: 128 City Road, London, United Kingdom, EC1V 2NX) processes school-controlled personal data when providing the Teacher App, Student Portal, and Behavior Tracker (together, the "Platform").

This DPA is intended as a practical framework for school pilots and early access use. It outlines the data protection commitments TrackEDU Ltd makes when processing personal data on behalf of schools.

A separate signed data processing agreement may be provided where required for formal school deployment, procurement, or regulatory compliance. Schools should contact us to request a signed copy.

2. Controller and Processor Roles

For school-managed use of TrackEDU, the school or educational organisation will generally act as the Data Controller, and TrackEDU Ltd will generally act as the Data Processor, processing school data on the school's instructions.

This means the school determines the purposes and means of processing student and staff data within TrackEDU, and TrackEDU Ltd processes that data only to provide the Platform as instructed by the school.

The allocation of controller and processor roles may vary depending on the applicable jurisdiction, contract, implementation arrangement, or specific feature use. Where TrackEDU Ltd determines the purposes and means of processing (for example, for its own operational analytics or security logs), TrackEDU Ltd acts as a controller for that specific processing activity.

3. Categories of Data Processed

TrackEDU Ltd may process the following categories of data on behalf of schools:

• Staff account information: name, school email address, professional role, school affiliation, and authentication records.
• Student profile information: first name, last initial or last name, grade or year group, class assignment, house, group, or team assignment.
• House point records: points awarded, point history, leaderboard positions, and point-related activity.
• Student Portal activity: badges earned, daily streaks, house power boost contributions, poll participation, mystery word mission progress, and engagement metrics.
• Behavior Tracker records: incident logs, behaviour types, severity levels, tier progression, action notes, follow-up notes, and parent or guardian communication records entered by authorised school staff.
• Technical and operational data: device type, browser type, error logs, performance information, and non-identifying interaction metrics needed to secure, maintain, and improve the Platform.

4. Processing Instructions

TrackEDU Ltd processes school-controlled data only to provide, secure, support, and improve the Platform, and in accordance with the school's instructions as expressed through normal use of TrackEDU.

Processing activities include:

• operating the Teacher App, Student Portal, and Behavior Tracker;
• authenticating staff and managing role-based access;
• storing and displaying student point records, badges, leaderboards, and engagement features;
• storing and displaying behaviour records, tier interventions, and pastoral information;
• providing export, deletion, and support functions requested by the school;
• monitoring platform reliability, preventing misuse, and improving security;
• improving TrackEDU based on aggregated, non-identifying usage patterns and school feedback.

Schools are responsible for ensuring they have appropriate authority, notices, consents, or lawful bases for uploading and managing student and staff data in TrackEDU.

5. Data Security

TrackEDU Ltd uses technical and organisational measures designed to protect school data against unauthorised access, loss, misuse, alteration, and disclosure.

• Secure authentication: staff access is managed through Google sign-in where available. We do not store staff passwords.
• Role-based access: teachers, counsellors, administrators, and school leaders have different permission levels based on role.
• Student access controls: students use auto-generated ID tokens and class passcodes rather than email/password accounts.
• Protected infrastructure: TrackEDU uses cloud infrastructure (Google Firebase) with database security rules, access controls, and encrypted transmission where supported.
• Privacy-conscious display: where appropriate, student names may be displayed in shortened form, such as first name and last initial.
• Employee security training: all TrackEDU personnel receive security and data protection training relevant to their role.

No online service can guarantee absolute security. Schools should also follow appropriate internal access, device, staff training, and safeguarding procedures when using TrackEDU.

6. Subprocessors

TrackEDU Ltd may use trusted subprocessors to provide cloud hosting, authentication, email, scheduling, video hosting, analytics, and technical support services.

Current categories of subprocessors include:

• Cloud infrastructure providers: for database hosting, authentication, real-time syncing, and secure platform operation.
• Email and communication services: for essential service messages, support, onboarding, and account-related communications.
• Scheduling and demonstration tools: for booking demos or consultations.
• Video hosting services: for hosting demonstration and tutorial videos.

Subprocessors are selected with attention to security, reliability, and privacy safeguards. They are not permitted to use school data for their own advertising, marketing, or unrelated commercial purposes. TrackEDU Ltd remains responsible for the data protection compliance of its subprocessors.

7. International Data Transfers

TrackEDU may be used by schools in different countries. Depending on where a school is located and which infrastructure and subprocessor services are used, data may be processed or stored in countries different from the school's location.

Where required by applicable law (including UK GDPR and EU GDPR), TrackEDU Ltd will work with schools to put appropriate safeguards in place for international data transfers, such as Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms.

8. Data Breach Notification

If TrackEDU Ltd becomes aware of a confirmed personal data breach affecting school-controlled data that is likely to result in a risk to the rights and freedoms of individuals, we will:

• notify the affected school without undue delay (and generally within 72 hours where feasible);
• provide available information about the nature of the breach, the categories of data affected, and the measures taken or proposed to address the breach;
• support the school in meeting its own breach notification obligations where required by applicable law.

Where a specific legal deadline applies, we will work with the school to support timely compliance.

9. Data Export, Deletion and Return

Schools retain control over the student, behaviour, and operational data they enter into TrackEDU.

• Export: Schools may export relevant data, such as student rosters, point records, and behaviour records, where export features are available.
• Deletion controls: Authorised school administrators may use available deletion controls to remove school data from the active Platform.
• Deletion requests: Schools may contact TrackEDU Ltd to request deletion of school-controlled data. We will respond and process deletion requests within a reasonable period, subject to legal, security, backup, and technical constraints.
• Backups and logs: Deleted data may persist temporarily in backups or technical logs before routine deletion, where necessary for security, reliability, or legal reasons.
• End of use: At the end of a pilot or agreement, we will make reasonable efforts to enable data export and deletion in accordance with school instructions.

10. Assistance to Schools

TrackEDU Ltd will provide reasonable assistance to schools to help them meet their data protection obligations, including:

• responding to appropriate data subject access requests directed to TrackEDU Ltd where the school is the controller;
• supporting data portability, rectification, restriction, and erasure requests as instructed by the school;
• providing available information to support data protection impact assessments (DPIAs) conducted by the school;
• assisting with breach notification and security incident responses where required.

Any assistance will be provided in a commercially reasonable manner and may be subject to agreement on any associated costs where requests are excessive or frequent.

11. School Responsibilities

When using TrackEDU, schools are responsible for:

• deciding whether TrackEDU is suitable for their legal, safeguarding, procurement, and policy requirements;
• ensuring they have appropriate authority, lawful basis, notices, and consents to upload and manage student and staff data;
• assigning staff permissions appropriately and reviewing them regularly;
• reviewing which staff can access behaviour and pastoral information;
• ensuring exported data is stored securely outside TrackEDU;
• avoiding unnecessary sensitive data unless the school has a clear lawful basis and appropriate safeguards;
• using the Behavior Tracker responsibly and in line with safeguarding, pastoral, disciplinary, and data protection policies;
• responding to parent, guardian, student, or staff requests relating to data the school controls within TrackEDU.

12. Contact

For data protection enquiries, DPA requests, or to request a signed copy of this agreement: