1. Introduction
PAG Tracker ("we", "our", or "us") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal information in compliance with the General Data Protection Regulation (GDPR) and UK data protection laws.
This application is designed for use by educational institutions in the United Kingdom only. All data is stored within the UK to ensure compliance with data residency requirements. If you request a product demo via our website, Section 3 explains how we handle your personal data separately from institution use of the Service.
2. Data Controller
Who acts as data controller depends on how you interact with PAG Tracker:
- Educational institutions using the Service: Your school, college, or academy is the data controller for pupil and staff data processed through the application. PAG Tracker acts as a data processor on your institution's instructions. Sections 4–15 below describe that processing.
- Website visitors and demo users: PAG Tracker is the data controller for personal data you provide when requesting a demo or otherwise using our website before your institution registers. Section 3 sets out the full details.
For institution-specific questions, contact your institution's Data Protection Officer or administration team. For demo and other website queries, see Section 3 and Section 15.
3. Website Visitors and Demo Users
This section applies when you request access to the PAG Tracker demo or otherwise provide personal data to us via our website before your institution becomes a customer. It does not apply to pupil or staff data entered into the Service by a registered school.
3.1 What We Collect
- Email address (required to send your demo access link)
- Demo session identifiers (a secure access token and session metadata)
- Marketing preferences, if you choose to opt in (including the time you gave or withdrew consent)
- Technical data such as IP address, used temporarily for rate limiting and abuse prevention
3.2 How We Use Your Data
We use this information to:
- Send you a magic link to access the interactive demo
- Create and manage an isolated demo environment for your session
- Re-send your access link if you request it while your demo is still active
- Protect the demo service from abuse (for example, rate limiting by IP and email)
- Send you product news and tips about PAG Tracker, only if you opt in using the optional checkbox on the demo form
We do not use your demo email address for marketing or sales follow-up unless you tick the optional marketing checkbox when requesting demo access.
3.3 Legal Basis
We process demo data under the following legal bases under UK GDPR Article 6:
- Legitimate interests (Article 6(1)(f)): To let prospective users evaluate PAG Tracker before their institution registers. Our legitimate interest is promoting and demonstrating our product; this is balanced against your rights because we collect only your email address, use it only for demo access, and delete demo session data promptly after expiry.
- Steps at your request prior to entering a contract (Article 6(1)(b)): Where you are evaluating PAG Tracker on behalf of a school that may later subscribe, processing your email is a necessary step to provide the demo you requested.
- Consent (Article 6(1)(a)): For optional marketing emails about PAG Tracker. You can withdraw consent at any time by emailing privacy@pag-tracker.com or by submitting the demo form again with the marketing checkbox unticked.
3.4 Recipients and Storage
Demo data is stored within the United Kingdom. We share it only with service providers that help us operate the demo:
- Supabase — database hosting (UK region)
- Resend — email delivery (demo access links and, if you opt in, marketing emails)
These providers process data on our instructions under data processing agreements.
3.5 Retention
Demo sessions expire 7 days after you request access. When a session expires, we automatically delete your session token and any cloned demo data associated with your session.
If you do not opt in to marketing, we delete your email address when the demo session expires and do not retain it further.
If you do opt in to marketing, we retain your email address and consent record after your demo session expires so we can send you product updates. We retain this until you withdraw consent, unsubscribe from a marketing email, or ask us to delete your data — whichever comes first.
3.6 Your Rights
You have the same rights under UK GDPR as set out in Section 10, including the right to access, rectify, withdraw consent, and erase your data. To exercise these rights in relation to demo data, contact us at privacy@pag-tracker.com. We will respond within 30 days.
You may object to processing based on legitimate interests for demo access. If you have opted in to marketing, you may withdraw consent at any time without affecting your ability to receive your demo access link.
4. Legal Basis for Processing
For pupil and staff data processed on behalf of registered educational institutions, we process personal data under the following legal basis:
- Public Task (Article 6(1)(e) GDPR): Educational institutions have a public duty to provide education and assess student performance. Processing student data for assessment tracking is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
Consent is not required for processing student data as educational institutions can rely on their public task to process this information. This is in accordance with GDPR Article 6(1)(e) and UK data protection law.
5. Types of Data We Collect
5.1 Student Data
- Student name (first name and surname)
- Class assignments
- Assessment results (pass/fail/absent)
- CPAC (Common Practical Assessment Criteria) progress
- Subskill assessment data
5.2 Teacher/Administrator Data
- Name
- Email address
- Role (Teacher or Administrator)
- Organisation affiliation
5.3 Technical Data
- IP addresses (for security and audit purposes)
- Browser type and version
- Device information
- Usage logs and audit trails
6. How We Use Your Data
We use personal data for the following purposes:
- To track and record student practical assessment progress
- To generate analytics and reports for teachers and administrators
- To identify students who need additional support
- To manage user accounts and authentication
- To ensure system security and prevent unauthorised access
- To comply with legal obligations and educational requirements
7. Data Storage and Security
All data is stored securely within the United Kingdom using Supabase, a GDPR-compliant cloud database service. We implement the following security measures:
- Encryption of data in transit (TLS/SSL)
- Encryption of data at rest
- Secure authentication via Supabase Auth
- Row-level security policies
- Regular security audits
- Access controls and role-based permissions
- Comprehensive audit logging
8. Data Retention
We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy:
- Student Data: Retained for 5 years after the student leaves the institution, in accordance with standard educational record retention practices.
- Teacher/Administrator Data: Retained while the account is active and for 1 year after account deactivation.
- Audit Logs: Retained for 7 years for security and compliance purposes.
After the retention period, data is securely deleted or anonymized in accordance with GDPR requirements.
9. Data Sharing
We do not sell, rent, or trade your personal data. Data is only shared with:
- Your Educational Institution: Authorised staff members within your institution who have appropriate access rights.
- Third-Party Service Providers: We use the following GDPR-compliant service providers:
- Supabase (database hosting - UK region)
- Resend (email delivery service)
- Legal Requirements: We may disclose data if required by law or to protect our legal rights.
10. Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access: You can request a copy of all personal data we hold about you.
- Right to Rectification: You can request correction of inaccurate or incomplete data.
- Right to Erasure: You can request deletion of your personal data in certain circumstances.
- Right to Restrict Processing: You can request that we limit how we use your data.
- Right to Data Portability: You can request your data in a structured, machine-readable format.
- Right to Object: You can object to processing of your data in certain circumstances.
To exercise your rights in relation to pupil or staff data, contact your institution's administrator, who can process your request through the admin portal. For demo data, contact us directly at privacy@pag-tracker.com. We will respond to all requests within 30 days as required by GDPR.
11. Children's Privacy
This application is designed for use with students aged 13-17 (A Level students). Educational institutions process student data under their public task to provide education and assess student performance. Consent is not required as the legal basis for this processing.
However, institutions should inform students and parents about how their data is being used, which is why this privacy policy is made available.
12. Data Breaches
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will:
- Notify the Information Commissioner's Office (ICO) within 72 hours
- Notify affected individuals without undue delay
- Take immediate steps to contain and remediate the breach
- Document all breaches and remedial actions taken
13. International Transfers
All data is stored and processed within the United Kingdom. We do not transfer personal data outside the UK or European Economic Area (EEA) without appropriate safeguards.
14. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify users of any material changes via email or through the application. The "Last updated" date at the top of this page indicates when changes were last made.
15. Contact Information
For questions about this Privacy Policy or to exercise your data protection rights, please contact:
- PAG Tracker — privacy@pag-tracker.com — For demo access, website, and other queries where PAG Tracker is the data controller
- Your Institution's Data Protection Officer — For institution-specific queries about pupil and staff data in the Service
- Information Commissioner's Office (ICO) — For complaints about data protection
ICO Website: https://ico.org.uk