Privacy Policy

Privacy and Data Protection Policy

1. Introduction

This Privacy and Data Protection Policy outlines how People Tracking Limited ("we", "our", "us") collects, uses, shares, and protects personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We are committed to ensuring the security and privacy of your information and upholding your rights.

2. Who We Are

Pupil Tracking Limited provides data processing services to local authorities and educational institutions. In most instances, we act as a Data Processor on behalf of our clients (Data Controllers). In some circumstances (e.g. client account management and communications), we act as a Data Controller.

3. Contact Details

  • Company Name: Pupil Tracking Limited
  • Address: 11C Alma Road, Snettisham, Kings Lynn, PE31 7NY
  • Data Protection Officer: Sally O'Neill
  • Contact: via details on our contact page.

4. Scope of This Policy

This policy applies to:

  • Clients and their representatives (e.g. local authority staff)
  • Users of our service (e.g. schools, teachers, parents, pupils)
  • Visitors to our website (note: we do not collect or store data from general website visitors)

5. Legal Basis for Processing

We process personal data based on:

  • Contractual necessity (e.g. to deliver services to clients)
  • Legitimate interests (e.g. to maintain system functionality)
  • Legal obligations (e.g. tax and regulatory requirements)
  • Consent, where explicitly obtained (e.g. testimonials or case studies)

6. Types of Data We Collect

Clients:

  • Organisation details
  • Job titles, contact emails, direct and general phone numbers
  • Records of factual communication notes

Service Users (Teachers, Parents, Pupils, LA staff):

  • Parents: Title, forename, surname, email address, authentication credentials and optionally mobile number; system usage logs and login activity
  • Pupils: Forename, surname, academic and support data input by schools (e.g. SEN, FSM, clothing grants, club participation) and primary key necessary to facilitate integration with school MIS system.
  • Teachers: Title, forename, surname, email address and authentication credentials; system usage logs and login activity
  • Local authority staff: Title, forename, surname, email address and authentication credentials; system usage logs and login activity

Website Visitors:

We do not use cookies or store information from visitors to our website.

7. Purposes of Processing

We process data to:

  • Deliver services and maintain system operations
  • Track user activity for troubleshooting and audit purposes
  • Manage accounts and communication
  • Create case studies or collect testimonials (with consent)

8. Automated Decision-Making and Profiling

We do not use data for profiling or automated decision-making.

9. Data Sharing and Sub-Processors

We do not sell or share data with third parties for marketing. We do:

  • Host client data securely on Amazon Web Services (UK)
  • Use Zendesk for secure support requests
  • Use Capsule CRM, which stores contact data on AWS (USA) under Standard Contractual Clauses (SCCs)

10. International Transfers

Only Capsule CRM involves international transfers, governed by SCCs as required by UK GDPR.

11. Data Retention

  • Data for clients and users is retained for up to 7 years in line with statutory requirements and client instruction.
  • Schools are responsible for removing obsolete user data.
  • Website visitors: no data retained.

12. Data Subject Rights

Under UK GDPR, individuals have the right to:

  • Be informed
  • Access their data (Subject Access Requests - SARs)
  • Rectification and erasure
  • Restrict or object to processing
  • Data portability
  • Withdraw consent
  • Lodge complaints with the ICO

SARs can be submitted via:

  • Email
  • Zendesk support system
  • Phone

We typically respond within 24 hours.

13. Security Measures

We implement:

  • TLS 1.3 encrypted communications
  • Encrypted data at rest and in transit
  • Role-based access control
  • ISO 27001-compliant infrastructure
  • User activity logging for audit and troubleshooting

14. Data Breaches

We report qualifying breaches to the ICO and affected parties as required by law.

15. Changes to This Policy

We review and update this policy regularly. Major updates will be communicated via our website.

16. Contact Us

If you have questions or wish to exercise your rights, please contact us.