Privacy Policy

1. Introduction

TrackEDU Ltd ("we", "our", or "us") provides a school house points and operations system framework. This includes the Teacher App point workspace and gamified Student Portal, along with built-in basic behavior logs and space booking calendar modules (together, the "Platform"). TrackEDU Ltd is registered in England and Wales (Company Number: 17216557) with its registered office at 128 City Road, London, United Kingdom, EC1V 2NX.

This Privacy Policy explains how we collect, use, protect, and manage information when schools, educators, administrators, and students use TrackEDU.

For school-managed use of TrackEDU, the school or educational organisation will act as the data controller, and TrackEDU Ltd will act as the data processor, processing data on the school's instructions.

2. Our Privacy Principles

TrackEDU is built around data minimisation, role-based access, school control, and privacy-conscious design. We aim to collect only the information needed to operate the platform and support schools effectively.

• We do not sell student, teacher, or school data.
• We do not run advertising inside TrackEDU.
• We do not use student data to build commercial advertising profiles.
• We do not require student email addresses or student passwords.
• We use role-based access so users only see information appropriate to their role.
• Schools can export data and perform full database resets at any time.

3. Information We Collect

We collect different types of information depending on how a school uses TrackEDU.

A. Teacher and Administrator Data

• Account information: name, school email address, school affiliation, and professional role.
• Authentication information: TrackEDU uses Google sign-in for staff authentication. We do not process or store Google passwords.
• Platform activity: class management actions, points awarded, toolkit use, setup actions, and other operational activity needed to run the platform.
• Support information: messages, requests, or technical information provided when a school or educator contacts us for support.

B. Student Data

Schools may upload student rosters so that TrackEDU can operate house points, classroom tools, and built-in support modules.

• Student profile information: first name, last initial or last name, grade or year group, class assignment, house, or team assignment.
• Student Portal activity: points earned, badges unlocked, daily streaks, house power boost contributions, and poll participation.
• Basic behavior logs: incident types, severity levels, and follow-up notes logged by authorized teachers inside the active workspace ledger.
• Login access information: students access the Student Portal using auto-generated ID tokens and class passcodes provided by the school or teacher.

C. Technical and Usage Data

• Device type, browser type, error logs, performance information, and non-identifying interaction metrics used to maintain security, monitor uptime, and improve reliability.
• Basic website analytics may be used to understand how visitors use the public TrackEDU website, where enabled.

4. How We Use Information

We use information only for purposes connected to providing, securing, supporting, and improving TrackEDU.

• Teacher App Workspace: to operate house point tracking, classroom tools, class management, assembly displays, and basic behavior logs.
• Student Portal: to display points, badges, leaderboards, streaks, house progress, and other reward engagement features.
• To authenticate authorised teachers, administrators, and school leaders.
• To provide technical support, onboarding, training, and implementation assistance.
• To monitor platform reliability, prevent misuse, and improve security.

5. Legal Basis and School Instructions

Where data protection laws such as the UK GDPR or EU GDPR apply, schools are responsible for identifying the appropriate lawful basis for processing student and staff data within their educational context.

TrackEDU Ltd processes school-controlled data to provide the services requested by the school. For school deployments, a separate data processing agreement may be provided where required.

Schools are responsible for ensuring they have appropriate authority, notices, consents, or lawful bases for uploading and managing student data in TrackEDU.

6. Data Sharing and Subprocessors

We do not share school data except where necessary to operate TrackEDU, comply with legal obligations, protect the platform, or provide requested support.

• Cloud infrastructure providers: used for database hosting, authentication, real-time syncing, storage, and secure platform operation (Google Firebase).
• Support and onboarding tools: used for service messages, support ticketing, and account-related communications.

Subprocessors are selected with attention to security, reliability, and privacy safeguards. We do not permit subprocessors to use school data for their own advertising or unrelated commercial purposes.

7. Cookies and Local Storage

TrackEDU does not use third-party advertising cookies or tracking pixels inside the platform.

We use browser local storage for functional purposes, including authentication, session management, user preferences, preventing duplicate actions, daily login streaks, and temporary locks for gamification elements.

Functional local storage is not used to track students across the internet.

8. Data Security & Architecture

SSL Certificate Encryption

TrackEDU uses industry-standard SSL/TLS encryption (256-bit) to secure data in transit between users and our platform. All connections use HTTPS protocol with valid SSL certificates, indicated by the padlock icon in your browser.

Infrastructure Security

• Secure cloud infrastructure: TrackEDU is built on Google Firebase, with data stored in secure, geographically distributed data centres.
• Firebase Security Rules: Database access is protected by configured security rules that verify authentication and role-based permissions before allowing read or write operations.
• Authentication: Staff access uses Google sign-in with OAuth 2.0. We do not store staff passwords.
• Student access: Students use auto-generated ID tokens and class passcodes — no email or password required.
• Access controls: Only authorised system administrators have production access, using secure multi-factor authentication methods.

Employee Security & Awareness

All TrackEDU personnel receive security and data protection training relevant to their role. Access to production systems and school data is strictly restricted to authorised technical staff.

Breach Notification

In the event of a data security issue affecting school data, TrackEDU Ltd will notify affected schools and, where required, the relevant supervisory authority (including the UK Information Commissioner's Office) in accordance with applicable data protection laws.

9. Data Retention, Export, and Deletion

Schools retain complete control over the student, roster, point, and operational data they enter into TrackEDU.

School-Controlled Data Management Tools

TrackEDU provides school administrators with direct self-service data management tools inside the Platform workspace dashboard under Settings → System Maintenance:

• Export Data (CSV): Download all student data, points, award history, and basic logs for secure records management or off-platform archiving.
• Reset All Points: Reset house points to zero while preserving student rosters and class structures — ideal for term or year transitions.
• Clear Students & Classes: Remove all student roster data while keeping your house configurations intact for quick new year setups.
• Clear Award History: Remove historical award logs while keeping current point balances unchanged.
• Full System Wipe: Complete factory reset of all school database entries, including students, classes, points, histories, and basic logs. This action is final and irreversible.
• Load Sample Data: Populate the platform with demo metrics for staff training and testing purposes (no real student data required).

Additional Deletion Options

• Deletion requests: Schools may contact us to request full removal of their space databases. We process deletion requests within a reasonable technical window, subject to basic security constraints.
• Backups and logs: Deleted data may persist temporarily in encrypted server backups or system logs before automated routine overwriting.

10. Children and Student Privacy

TrackEDU is designed for educational settings where schools manage student access. We do not allow students to create independent public accounts, and we do not require student email addresses or passwords.

Because TrackEDU may be used by or about children, schools should consider their own obligations under applicable child privacy, safeguarding, educational records, and data protection laws in their jurisdiction.

Parents, guardians, or students who wish to access, correct, or delete student information should contact the school first, as the school controls how student records are used within TrackEDU. We will assist schools in responding to appropriate requests where required.

11. International Use and Data Transfers

TrackEDU may be used by schools in different countries. Depending on where a school is located, data may be processed or stored in countries different from the school's location, through the cloud infrastructure and service providers used to operate TrackEDU. Where required by applicable law, we will work with schools to put appropriate safeguards in place for international data transfers.

12. School Responsibilities

Schools using TrackEDU are responsible for:

• ensuring they have appropriate authority to upload and manage student data;
• providing relevant notices to staff, parents, guardians, and students where required;
• assigning access only to authorised staff;
• reviewing which staff can access behavior or operational settings logs;
• keeping exported data secure after download;
• not uploading unnecessary sensitive data unless the school has a clear lawful basis and appropriate safeguards.

12.1. Publicity & Marketing Release

The Customer (the School) grants TrackEDU Ltd a non-exclusive, worldwide, royalty-free license to use the School's name and corporate logo on TrackEDU's website and marketing materials solely to identify the Customer as an active platform user, a participating institution in the TrackEDU Founding Schools Cohort, or an annual license holder.

TrackEDU agrees to cease all use of the Customer's name and logo immediately upon written request from the Customer.

13. Your Rights

Depending on your location and applicable data protection law, individuals may have rights to access, correct, delete, restrict, object to, or receive a copy of personal data.

Where TrackEDU processes data on behalf of a school, requests relating to student or school-controlled data should usually be directed to the school. We will support the school in responding to valid requests where required.

Staff users may contact us about their TrackEDU account information using the contact details below.

14. Changes to This Privacy Policy

We may update this Privacy Policy as TrackEDU develops, as our business structure changes, or as legal requirements evolve. When we make material changes, we will update the "Last updated" date and, where appropriate, notify active school users.

15. Contact Us

If you have questions about this Privacy Policy or TrackEDU's data practices, please contact us at: