1. Introduction
PAG Tracker ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the General Data Protection Regulation (GDPR) and UK data protection laws.
This application is designed for use by educational institutions in the United Kingdom only. All data is stored within the UK to ensure compliance with data residency requirements.
2. Data Controller
Your educational institution (school, college, or academy) is the data controller for the personal data processed through this application. PAG Tracker acts as a data processor on behalf of your institution.
For questions about how your institution handles your data, please contact your institution's Data Protection Officer or administration team.
3. Legal Basis for Processing
We process personal data under the following legal basis:
- Public Task (Article 6(1)(e) GDPR): Educational institutions have a public duty to provide education and assess student performance. Processing student data for assessment tracking is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Consent is not required for processing student data as educational institutions can rely on their public task to process this information. This is in accordance with GDPR Article 6(1)(e) and UK data protection law.
4. Types of Data We Collect
4.1 Student Data
- Student name (first name and surname)
- Class assignments
- Assessment results (pass/fail/absent)
- CPAC (Common Practical Assessment Criteria) progress
- Subskill assessment data
4.2 Teacher/Administrator Data
- Name
- Email address
- Role (Teacher or Administrator)
- Organisation affiliation
4.3 Technical Data
- IP addresses (for security and audit purposes)
- Browser type and version
- Device information
- Usage logs and audit trails
5. How We Use Your Data
We use personal data for the following purposes:
- To track and record student practical assessment progress
- To generate analytics and reports for teachers and administrators
- To identify students who need additional support
- To manage user accounts and authentication
- To ensure system security and prevent unauthorized access
- To comply with legal obligations and educational requirements
6. Data Storage and Security
All data is stored securely within the United Kingdom using Supabase, a GDPR-compliant cloud database service. We implement the following security measures:
- Encryption of data in transit (TLS/SSL)
- Encryption of data at rest
- Secure authentication via Supabase Auth
- Row-level security policies
- Regular security audits
- Access controls and role-based permissions
- Comprehensive audit logging
7. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy:
- Student Data: Retained for 5 years after the student leaves the institution, in accordance with standard educational record retention practices.
- Teacher/Administrator Data: Retained while the account is active and for 1 year after account deactivation.
- Audit Logs: Retained for 7 years for security and compliance purposes.
After the retention period, data is securely deleted or anonymized in accordance with GDPR requirements.
8. Data Sharing
We do not sell, rent, or trade your personal data. Data is only shared with:
- Your Educational Institution: Authorized staff members within your institution who have appropriate access rights.
- Third-Party Service Providers: We use the following GDPR-compliant service providers:
  - Supabase (database hosting - UK region)
  - Resend (email delivery service)
- Legal Requirements: We may disclose data if required by law or to protect our legal rights.
9. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access: You can request a copy of all personal data we hold about you.
- Right to Rectification: You can request correction of inaccurate or incomplete data.
- Right to Erasure: You can request deletion of your personal data in certain circumstances.
- Right to Restrict Processing: You can request that we limit how we use your data.
- Right to Data Portability: You can request your data in a structured, machine-readable format.
- Right to Object: You can object to processing of your data in certain circumstances.
To exercise these rights, please contact your institution's administrator, who can process your request through the admin portal. We will respond to all requests within 30 days as required by GDPR.
10. Children's Privacy
This application is designed for use with students aged 13-17 (A Level students). Educational institutions process student data under their public task to provide education and assess student performance. Consent is not required as the legal basis for this processing.
However, institutions should inform students and parents about how their data is being used, which is why this privacy policy is made available.
11. Data Breaches
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours
- Notify affected individuals without undue delay
- Take immediate steps to contain and remediate the breach
- Document all breaches and remedial actions taken
12. International Transfers
All data is stored and processed within the United Kingdom. We do not transfer personal data outside the UK or European Economic Area (EEA) without appropriate safeguards.
13. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of any material changes via email or through the application. The "Last updated" date at the top of this page indicates when changes were last made.
14. Contact Information
For questions about this Privacy Policy or to exercise your data protection rights, please contact:
- Your Institution's Data Protection Officer - For institution-specific queries
- Information Commissioner's Office (ICO) - For complaints about data protection
ICO Website: https://ico.org.uk