Data Protection

How we protect your data and comply with regulations

GDPR Compliance

PAG Tracker is fully compliant with the General Data Protection Regulation (GDPR) and UK data protection laws. We have implemented comprehensive measures to ensure your data is processed lawfully, fairly, and transparently.

Legal Basis for Processing

Student data is processed on the legal basis of Public Task (Article 6(1)(e) GDPR): educational institutions have a public duty to provide education and assess student performance. Consent is not required for this processing.

Data Security Measures

🔒 Encryption

All data is encrypted in transit (TLS 1.3) and at rest using AES-256 encryption.

🛡️ Access Control

Role-based access control ensures that users see only the data they are authorized to access.

📝 Audit Logging

Comprehensive audit trails track all data access and modifications.

🇬🇧 UK Data Residency

All data is stored and processed within the United Kingdom.

Your Data Rights

Under GDPR, you have the following rights regarding your personal data:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restrict Processing: Request limitation of how we use your data
  • Right to Data Portability: Receive your data in a machine-readable format
  • Right to Object: Object to certain types of processing

To exercise any of these rights, please contact your institution's administrator who can process your request through the admin portal.

Data Retention

We retain data only for as long as necessary:

  • Student Data: 5 years after the student leaves the institution
  • Staff Accounts: 1 year after account deactivation
  • Audit Logs: 7 years for compliance purposes

Data Breach Response

In the event of a data breach:

  • We will notify the ICO within 72 hours if required
  • Affected individuals will be notified without undue delay
  • Immediate containment and remediation steps will be taken
  • All incidents are documented and reviewed

Third-Party Processors

We use the following GDPR-compliant service providers:

  • Supabase: Database hosting (UK region) - Data processor agreement in place
  • Resend: Email delivery service - GDPR compliant

Contact the ICO

If you have concerns about how your data is being processed, you can contact:

For more information, see our Privacy Policy.