Introduction

This privacy policy explains what personal data we collect and how we process it. This policy may be updated from time to time without notice, and any changes will be reflected on this page. If you have any questions, please get in touch. Because we offer our services on a global basis, we have chosen to use the EU and UK GDPR model, often considered as the strictest model for user transparency, as the format for this policy. Consequently, based on the privacy and data protection laws that apply to you based on the location from which you access our services, you may not necessarily understand the meaning of some of the terms used in this privacy policy, we refer you to our Glossary of terms at the end of this policy to help you make better sense of this document.

This policy is issued on behalf of Epraise Limited, with an address with Firefly Learning Ltd, 167-169 Great Portland Street, 5th Floor, London, United Kingdom, W1W 5PF. It was last updated on 12th March 2024.

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing questions in relation to this privacy policy. If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact our DPO by email at privacy@epraise.co.uk

If you are based in the EU or the UK, please note that you have the right to make a complaint at any time to your national supervisory authority for data protection issues (the Information Commissioner's Office in the UK at https://ico.org.uk) We would, however, appreciate the chance to deal with your concerns before you approach the regulator, so please contact us in the first instance.

What data do we process?

  • Data from visitors to our public websites.

    Examples include IP addresses, browser versions, operating systems or pages visited.

  • Data that individuals provide in online forms.

    Examples include the contact or sign up forms.

  • Data that individuals provide via other means.

    Examples include when a parent emails us to ask a question about logging in, when a student leaves a note for us on social media about a problem or when a teacher calls us to find out how a certain feature works.

  • Data within the epraise platform, which may be provided via forms, files or using an automatic link such as our MIS link

    Examples include student names, teacher emails and parental phone numbers. In this instance, the school is the data 'controller' and has full control over what data we process. If you are a school and would like more detail, please see the Data Protection and Security Policy available via the Admin > Contracts and Compliance page.

What is the data used for?

  • The data we process is used to provide, maintain and improve the service we offer to our customers and visitors.

    Examples include monitoring page loading times in order to identify pages that are not running efficiently, or seeing how long users spend on certain pages in order to identify possible improvements to the user's experience of the site.

  • We may also use data such as visitor logs to help improve the safety and reliability of our services.

    For example, we may block visitors if they attempt to circumvent our security systems.

  • We may also use any contact information you provide, to provide you with details about epraise and keep you up to date with changes and improvements to our online platforms.

    For example, if you have provided us with your email address, we may send you information about a new feature using that address.

What is the lawful basis for processing under the General Data Protection Regulation (GDPR) (UK and EU users)?

Within the epraise platform

Within the epraise platform, schools are the data controllers and we are the processors. Whilst it is up to schools to define the lawful basis for this processing, we recommend schools use the following:

  • The processing is necessary because of a legal obligation that applies to you.

    Schools have a legal obligation to provide students with an education. Epraise are working on behalf of schools to help support them in providing this.

  • The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.

    Schools provide a public function and epraise are working on behalf of those schools.

  • The processing is in accordance with the 'legitimate interests' condition.

    Schools have asked epraise to process this data and there is no "prejudicial effect on the rights and freedoms, or legitimate interests, of the individual".

Other data

Outside of the epraise platform, including the public website areas and in communications with our team, Epraise Limited are the data controllers. We will process all data outside the epraise platform under at least one of the following:

  • The processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual's personal data which overrides those legitimate interests.

    In order to ensure we are complying with both the GDPR and Privacy and Electronic Communications Regulations (PECR) as well as ensuring a limited privacy impact on the individual, we will only send marketing communication to email addresses based on that individual's preferences. We will ensure that the individual has access to a process whereby they can change their communication preferences or request deletion of their details from our system.

  • The processing is necessary for us to comply with the law.

    There are limited circumstances where this applies and any requests from law enforcement agencies will be vetted to ensure they are both legal and genuine before complying with the request.

Is the data ever disclosed?

  • Students, parents and staff in the epraise platform may see data based around other users of the system when relevant.

    Examples include a teacher viewing a student's points or a parent viewing their child's attendance.

  • We do not disclose personal data to any other third parties that are not working for us (defined as 'processors' or 'sub-processors' in law), unless required to do so by law.

    These processors are listed below.

Who are your processors/sub-processors

As with most organisations, we work with a limited number of vetted third parties in order to facilitate our operations. Below is a complete list of third parties we currently work with or have worked with recently, with a link to their appropriate data protection documentation. Note that an individual user's data will only pass through a small subset of this list, for example we might receive their data via Wonde, host it on a server at AWS and send push notifications to them via Google.

Our parent companies

Hosting, infrastructure and storage

School data integration services

Apps, analytics and communications

What if the data is incorrect?

  • Where data is held within the epraise platform, it is the responsibility of the relevant school to keep it up to date.

    If you believe that any information we are holding on you is incorrect or incomplete, please notify the relevant school.

  • If you would like us to make changes to any other data belonging to you, because it is incorrect or incomplete, you will need to contact us directly.

    Please contact us if you would like us to amend data we hold about you.

How long is the data kept?

Within the epraise platform

  • Schools may delete their data on students, parents and staff at any time using the tools we have made available to them.
  • Where a school ceases to use epraise and they have not deleted the data themselves, we will ensure that all student, parent and staff data is deleted or anonymised within 30 days.
  • Any backups containing deleted information are automatically deleted within 30 days.

New customer enquiries

  • We will keep a history of all communication for a period of up to 5 years from your last action or communication.

Other data

  • We may keep a history of all emails, phone calls and other forms of communication for up to 5 years, after which we will delete or anonymise these.

I would like to view the data you process about me

Within the epraise platform

  • Each school has an epraise administrator who should be asked to fulfil this request.

    Epraise administrators can find the Subject Access Request feature in the Admin > Contracts and Compliance area

Other data

  • You may ask us to provide you with a list of information we have related to you.

    Please contact us for further information.

I would like you to delete the data you process about me

Within the epraise platform

  • Schools will not generally delete student or staff records when asked as they are required to process these as per the lawful basis' detailed above. If you are a parent, please ask the school directly to remove you from epraise.

Other data

  • You may ask us to delete personally identifiable information we have related to you, provided that the request is reasonable and legal.

US users only

California Residents

If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our App that are California residents to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. To make such a request or to learn more about your California privacy rights, please contact us at privacy@epraise.co.uk.

Nevada Residents

Nevada residents who wish to exercise their sale opt-out rights under Nevada Revised Statutes Chapter 603A may submit a request to this designated address: privacy@epraise.co.uk. However, please know we do not currently sell data triggering that statute's opt-out requirements.

Virginia Residents

Virginia residents who wish to exercise their right under the Virginia Consumer Data Protection Act (VCDPA) to opt out of the processing of their personal data for targeted advertising, personal data sales, or automated decision-making, including profiling, may submit a request to this designated address: privacy@epraise.co.uk . However, please know we do not currently sell personal data triggering that statute's opt-out requirements.

International data transfers (UK and EU users only)

Please note that our parent company, Firefly Learning Ltd, was recently acquired by Veracross LLC (https://www.veracross.com/), a US company with an address at 401 Edgewater Place Suite 360, Wakefield, Massachusetts 01880.

For operational purposes, we now share your personal data within the Veracross Group. This will involve transferring your data outside the UK and European Economic Area (EEA).

Many of Veracross's external third-party vendors are also based outside the UK, so their processing of your personal data will also involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by using specific contracts approved by the UK Government which give Personal Information the same protection it has in the UK. For further details, see UK International data transfer agreement and guidance.

Please also note that Veracross LLC and its subsidiaries participate in and have certified their compliance with the EU-U.S. and Swiss-U.S. Data Privacy Framework (DPF) Programs administered by the US Department of Commerce. As a group we are committed to subjecting all personal data received from European Union (EU) member countries, the UK, and Switzerland, respectively, in reliance on each Data Privacy Framework, to the DPF Programs' applicable Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement, and Liability. To learn more about the Data Privacy Frameworks, and to view our certification, visit the U.S. Department of Commerce's Data Privacy Frameworks Participants List at https://www.dataprivacyframework.gov/s/participant-search

Veracross is responsible for the processing of personal data it receives, under each Data Privacy Framework, and subsequently transfers to a third party acting as an agent on its behalf.

Veracross complies with the Data Privacy Frameworks' Principles for all onward transfers of personal data from the EU, the UK, and Switzerland, including the onward transfer liability provisions.

With respect to personal data received or transferred pursuant to the Data Privacy Frameworks, Veracross is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission. In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

Under certain conditions, more fully described on the Data Privacy Framework Programs website at https://www.dataprivacyframework.gov/s/article/How-to-Submit-a-Complaint-Relating-to-a-Participating-Organization-s-Compliance-with-the-DPF-Principles-dpf, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

Tell me about your cookies

  • We use cookies to allow us to track our visitors, allowing us to see statistics such as the browsers and operating systems our visitors use, or how they found our website. These statistics help us improve the design of the website and improve the marketing of our products.
  • Cookies are used to allow users to log in to the system and stay logged in for a period of time.
  • Cookies may also be used to set defaults, such as the visitor's school, to make using the system easier for them to use.
  • Our service will not work without cookies enabled, as these are required in order to allow users to log in.
  • You are however free to browse our public website without cookies - simply switch them off in your browser.
  • For more information about cookies, please visit allaboutcookies.org.

Tell me about your security

  • We are committed to ensuring that your information is secure. In order to prevent unauthorised access or disclosure, we have put in place suitable physical, electronic and managerial procedures to safeguard and secure the information we collect online.
  • Epraise Limited is registered with the Information Commissioner's Office and is fully compliant with the Data Protection Act and the GDPR.
  • Our website may occasionally contain links to other websites. Please note that these websites are outside our control, and we cannot be responsible for the protection and privacy of any information which you provide whilst visiting such sites.

Glossary of terms

Lawful basis

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal information for our legitimate interests. We do not use your personal information for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you or the school on whose behalf we process your personal information to provide the Services, are a party or to take steps at your request before entering into such a contract.

Comply with a legal obligation means processing your personal information where it is necessary for compliance with a legal obligation that we are subject to.

Consent means any freely given, specific, informed and unambiguous indication of your wishes by which you, by a statement or by a clear affirmative action, signify agreement to the processing of personal information relating to you.

Your legal rights

You have the right to:

Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.

Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal information to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal information for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.

Request restriction of processing of your personal information. This enables you to ask us to suspend the processing of your personal information in the following scenarios:

  • If you want us to establish the data's accuracy.
  • Where our use of the data is unlawful but you do not want us to erase it.
  • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
  • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.

Request the transfer of your personal information to you or to a third party. We will provide to you, or a third party you have chosen, your personal information in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

Withdraw consent at any time where we are relying on consent to process your personal information. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent.

When your personal information was collected by any of our schools and processed by us on behalf of such schools please contact your educational institution to exercise any of the above rights.