Privacy Policy

Please note, for definitions of capitalised terms used in this document, please refer to the Terms & Conditions, in particular section 1 Definitions.

Roles and responsibilities

Our role in your privacy

If you are a Customer of Equipple (either on a free or paid subscription) or User, this standard applies to you, in relation to all:

• use of the Equipple app accessed by Users or Customers through all webpages which start with the subdomain app.equipple.com;
• data (including Personal Data) or information shared in conversations with the Equipple team while logged into the Application – e.g. support conversations;
• data (including Personal Data) or information forwarded on to the Equipple team by Customers relating to Users or other Data Subjects (including students);
• data (including Personal Data) used to manage operational communications, support and service messages.

Under data protection legislation the Customer institution is the Data Controller and Equipple is the Data Processor.

Our responsibilities as Equipple

As the Data Processor, we process Personal Data on behalf of the Customer. This means that we provide the Customer with a service which involves processing Personal Data based on the purpose and means that they have decided on.

N.B. Where Equipple uses Personal Data of staff at the Customer institution or other persons for the management of the account and contract, or for business purposes including for marketing and sales, this is covered within the Equipple Privacy Policy and is not applicable to this document.

Your responsibilities as the Customer / User

• Read this Data Processing Standard.
• Check any contracts or agreements between us and any other documents we have asked you to look at, as these may also have relevant specific information.
• Read and update any of your own organisation’s policies and procedures which are relevant – for example, any privacy notice or data protection policy.
• Where our Customers have provided us with Personal Data in relation to our delivery of our Services, or where Users and Data Subjects (staff, pupils and parents) have provided us with Personal Data, it will only be used for the reasons authorised within your agreements with us. By submitting the information to us, you confirm that you have the right to authorise us to process it on your behalf in accordance with this Data Processing Standard.
• Customers should check this document to make sure that this is understood to be the instructions that You, as the Data Controller, give Us, Equipple, as the Data Processor.

What if I am using Equipple as a User (e.g. a teacher)?

If you are logging into Equipple because it is provided to you through your School or other organisation then this document will help you better understand how Equipple handles your information on behalf of your organisation. In addition, your organisation may be able to provide other relevant information such as their privacy notice or relevant policies. If you are being contacted by us as a Customer contact (e.g. processing your order information, or responding to your interest in our products and services), then we are the Data Controller and it is not covered within this guide. Please see our Privacy Policy for more information.

Purpose

Equipple processes personal data to deliver educational support services, facilitate school-home communication, and enhance pupil development. This includes:

• Collecting, storing, and displaying pupil learning data and progress;
• Supporting teacher-parent collaboration through performance insights;
• Providing educational tools to aid learning, development, and intervention;
• Using AI technologies (including large language models) to automatically generate personalised summaries of pupil performance and suggest actionable next steps for learning, to help parents and educators support the pupil’s development more effectively.

This processing is carried out under a lawful basis of legitimate interest (for educational support and service delivery). Data processed via AI tools is used solely for the benefit of the pupil’s education and to reduce teacher workload, and is not used for automated decision-making without human involvement.

The result of the above activities is to give teachers, senior leaders and parents visibility to the child’s progress and experience throughout their time in school.

Personal Data collection and processing

What types of data we collect

From the first moment Users interact with the Equipple Application, we are collecting data. Sometimes Users provide us with data, sometimes Customer organisations provide us with data and sometimes data about Users is collected automatically.

Users' Contact details & contextual information

• For all Users: Name, title, email address, school details.

• For Staff Users additionally: contact numbers; unique identifier; profile image; role in the organisation including subjects, classes, years taught.

• For Parents additionally: contact numbers; parental relationship to student(s); contact priority; parental legal responsibility for student(s); court order restriction (yes/no); translator required.

Technical data that identifies Users

• Usage Data including IP address, login information, browser type, time zone setting, browser plug-in types, geolocation information, device information, operating system and version, webpages accessed, and other activities within the Application.

Educational information

• Information about pupil’s assessment scores, grades, target or predicted grades, expected outcomes and progress and attendance. Information about which staff teach or support different groups of pupils.

What about sensitive data?

We know that Customers will be using Equipple to enhance their understanding, support and education of pupils. Where this information includes very specific groups, this may include areas that are sensitive information (like racial or ethnic origin, or health / Special Educational Needs or Disabilities data). This may also include other information that the School wishes to treat as sensitive data (like Looked-After Child status, Pupil Premium status, Free School Meals eligibility, or other funded or special groups status). Where sensitive information is shared with us, then it will be allowed based on how the Customer has agreed to it. We will process this information on the understanding that the Customer has a lawful basis for authorising us to process it. This may include explicit consent or substantial public interest, but this will likely need to be shared through the Customer’s own privacy notice. We will always provide routes for any sensitive data to be excluded from Equipple. This is normally through configuring data sharing through your data interface tool or training your staff on the kinds of qualitative notes that should be input into the Equipple Application.

What about students’ data?

Equipple is designed to provide organisations with information on students to help monitor and identify the progress of pupils. This means that both staff and student Personal Data will be used. We treat this data with great care.

International transfers

We have selected data processors and sub-processors that are certified by the US-EU Data Privacy Framework and are therefore committed to ensuring a similar degree of protection is afforded to data if and when it is transferred out of the UK or EEA.

Where this US-EU Data Privacy Framework certification is not possible, we do everything we can to make sure your data is treated securely and in accordance with our Privacy Policy and all applicable data protection law.

Why we collect Personal Data

Data protection legislation means that we can only use Personal Data for certain reasons, where instructed by the organisation and where they have a lawful basis to do so. We have taken this into account in the way Equipple has been designed. The data we collect and process is all necessary to allow us to provide the Services to our Customers and Users.

How we collect Personal Data

Data Subjects’ data is uploaded to the Equipple Application by the Customer School’s staff Users. This data can be updated as regularly as the customer requires.

The Customer School may also opt-in to use Wonde to automatically provide relevant data to Equipple which has been provided to Wonde from the School (MIS) Management Information System. This data allows Equipple to facilitate the Customer’s creation and management of User accounts, and the management of Data Subjects’ data including staff and students’ Personal Data. In order for Equipple to access your Data Subjects’ data through Wonde, the Customer School (the Data Controller) will need to first authorise what data can be accessed by Equipple; this will be done in Wonde’s setup for data sharing with Equipple. Equipple will run an automated data fetch daily (overnight) to fetch any data we have been authorised to access. We can also run additional data fetches on request or if required to provide additional support.

The following are lists of the Data Subjects’ Personal Data that you or your organisation are able to submit to Equipple, or can be fetched from the Wonde platform.

For students:

For students & staff:

For staff:

For parents:

Variations in how we process Personal Data

If there are any differences to how we process Personal Data, it is because the Customer has identified and instructed us to do something differently from our standard operating procedures, which Customers have the right to do as Data Controller, and where we have assessed that by doing so, we are maintaining all of our obligations and responsibilities, both in our Agreements with Customers as well as legal obligations, and are able to accommodate the requested differences.

Uses of Personal Data

Note: Where AI-generated summaries of pupil performance are provided, they are intended for human review and do not constitute automated decision-making.

Staff User access

We make sure that Equipple gives Customers and staff Users all the available tools which are part of the full service Equipple provides. This includes access to progress information, relationships between teachers, pupils and parents and scheduling capabilities. Some tools, especially those which allow the management of staff and student Personal Data records, are reserved for Administrative Users only.

Suggested lawful basis for this data usage: Public Task/Substantial Public Interest.

Improving Equipple

We make sure that Equipple continues to be the right tool for Customers and that it works as needed. The Equipple team will gather feedback and information related to any improvements needed to make sure Equipple continues to be the right tool for the School and that improvements which would enhance Users’ experience are identified and actioned. This will include analysis of technical support, usage, and analytical information.

This may also mean taking Personal Data and anonymising it so that when our staff use it we have protected it as much as we can.

Lawful basis for this data usage: Public Task/Substantial Public Interest.

Here is what each of the “lawful bases” means:

Public Task

This states:

“…processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”

This means that the organisation, as a public authority, has many things it does with children’s Personal Data. It has to do these things as it has been told that it needs to do it (by laws, regulations or statutory guidance) or it does the task as it is in the best interest of the children.

Substantial Public Interest

This states:

“…processing is necessary for reasons of substantial public interest, on the basis of Domestic Law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”

This means that the organisation has taken extra measures to ensure that any information is safe (including having the appropriate policy documents). It also means that the organisation has taken the approach that the use of any ‘sensitive data’ is part of its work on safeguarding children and helping to identify and work with any who are at risk.

Other Lawful Bases

It may be that your organisation has decided it cannot use Public Task and/or Substantial Public Interest. This could be for a variety of reasons. If your organisation is an independent School, then it may be that it is using the contract between the parent and the School as the reason, or the parent/child has been asked for their consent (which has been freely given). Where ‘sensitive data’ is used, then it may be that explicit consent has been given.

Other options are available, and the Schools or organisations will have checked to see which is most appropriate in order to maintain the appropriate safety and security of Data Subjects’ data.

Data processing responsibilities

We shall process Personal Data only on documented instructions from the Customer.

We shall inform the Customer without undue delay of any request or complaint received directly from a Data Subject, any data security issues and any Data Breach incidents.

We shall respond promptly to enquiries relating to data processing, including providing documentation relating to data security arrangements, sub-processing arrangements and relevant data protection documentation.

We will assist the Data Controller in meeting its obligations to notify Data Breaches to the Information Commissioner’s Office (ICO), respond to ICO interventions, notify data breaches to Data Subjects, to carry out Data Protection Impact Assessments (DPIA) when required and consult with the ICO where a DPIA indicates there is a high risk that cannot be mitigated.

This includes supporting the Customer in completing any necessary Data Protection Impact Assessments (DPIAs) for features involving AI-generated pupil summaries.

Ensuring your data's security

How secure is the data we process?

We have organisational and technical measures in place to safeguard and secure the information we hold, based on standard industry practices. These include (but are not limited to):

• Data encryption at rest
• Secure data transmission over SSL
• UK-based servers
• Passwordless user authentication (to defend against cyberattacks)

More information can be provided about this on request, as we prefer not to publicly publish too much security information as a measure to protect our Services and Customers.

What can I do as a User to help maintain security?

Please remember:

• Follow your organisations data protection policy and procedures
• Only share personal data where you need to
• You are responsible for your username and login credentials, so keep them secret and safe
• If you believe that your privacy has been breached, then contact your Data Protection Officer or follow the guidance your School or organisation provides

How do we ensure our staff are aware of their data protection responsibilities?

All our staff and management are fully aware of their responsibilities to protect Personal Data and are subject to a duty of confidentiality, through a contractual duty or a statutory duty or otherwise.

All staff follow an induction procedure, have a regular review and security & data protection updates are delivered as required through our regular meetings. If any issue is raised relating to data security, then this is reviewed and directly addressed with the individual/s involved and builds on our current practice.

The Data Processor shall not permit any person to process the data who is not under a duty of confidentiality.

Where do we store your data?

The Personal Data we collect is uploaded to and stored on servers that are maintained by third party providers, Xano, in London, UK. Personal Data is processed on our Application, which is hosted by Bubble in the United States of America.

Subject to us complying with Data Protection Legislation and ensuring appropriate safeguards are in place, we may transfer your personal data to third parties providing services to us who are based outside of the UK without obtaining your specific written consent. This may include parties providing IT administration services and hosting services, and parties providing assistance with managing our marketing databases.

We have selected data processors and sub-processors that participate in and are subject to the US-EU Data Privacy Framework. Where this is not possible, whenever we transfer personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• the Personal Data is transferred to or processed in a territory which is subject to adequacy regulations under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
• we participate in a valid cross-border transfer mechanism under Data Protection Legislation, so that we (and, where appropriate, the school) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required under the UK GDPR; or
• the transfer otherwise complies with Data Protection Legislation.

By contacting our support team we may transfer data related to you and your communication outside of the EEA. This will only be done where an agreement with the sub-processor provides adequate safeguards.

By submitting Personal Data, you agree to this transfer, storing or processing by us.

International Data Transfers

The data that we collect from you may be transferred to, or stored at, a destination outside the UK or the European Economic Area (EEA). If we transfer personal information outside of the UK or the EEA, we will take all legally required steps to make sure that appropriate safeguards are in place to protect personal information in accordance with GDPR, the Data Protection Act 2018 and the US-EU Data Privacy Framework. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy and all applicable data protection law.

We have selected data processors and sub-processors that participate in and are subject to the US-EU Data Privacy Framework. Where this is not possible, whenever we transfer personal data out of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission or the UK government;
• We may use specific contracts approved by the European Commission and the UK government which give personal data the same protection it has in Europe; or
• In certain circumstances, we may rely on exceptions set out in the GDPR to make an international data transfer (such as where the transfer is necessary for the performance of a contract or where it is for our compelling legitimate interests).

Please contact us by emailing privacy@equipple.com if you want further information on the specific mechanism used by us when transferring your personal data out of the UK or the EEA.

For how long do we store your data?

We continue to hold all ‘active’ data (data that has been provided and is linked to active accounts on a verified licence) until the following:

• If your subscription licence has run out and accounts are no longer active, Personal Data is kept for 3 months and then securely deleted from the live Application.

We provide a way for you to download a complete copy of all Personal Data held on Equipple before termination.

If you request it, we will provide written certification that all Personal Data has been completely deleted.

Security of Data Processing

We will implement appropriate technical and organisational measures against unauthorised or unlawful processing of Personal Data and against accidental loss or destruction or damage to Personal Data.

We will inform the Data Controller of any unlawful processing of Personal Data and any loss, destruction or damage to Personal Data.

Notification of Personal Data Breach

Upon becoming aware of a Personal Data Breach, we shall inform the Data Controller without undue delay providing all necessary information and shall cooperate as reasonably required to fulfil Data Breach reporting obligations under data protection legislation.

Our procedures assess all security incidents and then report relevant breaches to the Information Commissioner’s Office within the statutory timeframe.

Partners (sub-processors) who process your data

Edtech businesses often use contractors and outside companies to help them host their applications, power their support tools, etc. Any company or individual that we use when processing information under this standard is a “sub-processor”. This means that any agreement or contract we have with them is, at least, as strict as this standard. We make sure that we are happy that they will also take the same level of care of the Personal Data Customers and Users are trusting us with, including checking if they hold any certificates for their work. The agreement we have with our Customers is also an agreement on the part of Customers to work with our sub-processors. 

We may use trusted AI service providers (e.g., OpenAI) to support the generation of summaries. These providers act as sub-processors, and data shared with them is limited, anonymised where possible, and subject to strict contractual safeguards.

Here are the details of the main sub-processors and service providers; the range of data they can collect, process and store; and a general explanation of why.

You agree that we have general permission to, from time to time, make changes to who our sub-processors are, or what they will be doing in order to provide you with an improved service. Any agreement or contract we have with new sub-processors will be, at least, as strict as your agreement with us.

If we do, we will notify you beforehand.  This will give you a chance to check any of the changes and raise any possible objections. If there are any objections, we will happily discuss these with you and address any concerns.

Wonde

Equipple offers the option to Customers to use Wonde (data exchange tool) as the method of how they as Data Controller of the Personal Data described in this Data Processing Agreement transfer the data to Equipple for the purpose of the delivery of the Services in line with the Agreement.

Wonde connects with the Customer’s Management Information System (MIS) and runs regular (usually overnight) syncs which pull authorised data from the MIS and then makes this available to Equipple.

For the sake of clarity, by using Wonde in this way, Wonde is not a sub-processor of data for Equipple, rather it is processing data on behalf of the Customer as a Data Processor. As such the Customer should satisfy themselves of all data protection requirements in relation to Wonde separately and additionally to Equipple.

Wonde’s own data sharing agreement can be found at: https://www.wonde.com/security-and-privacy/

Or they can be contacted directly at: https://www.wonde.com/contact/

Clever

Equipple offers the option to Customers, based in the United States of America to use Clever (data exchange tool) as the method of how they as Data Controller of the Personal Data described in this Data Processing Agreement transfer the data to Equipple for the purpose of the delivery of the Services in line with the Agreement.

Clever connects with the Customer’s Student Information System (SIS) and runs regular (usually overnight) syncs which pull authorised data from the SIS and then makes this available to Equipple.

For the sake of clarity, by using Clever in this way, Clever is not a sub-processor of data for Equipple, rather it is processing data on behalf of the Customer as a Data Processor. As such the Customer should satisfy themselves of all data protection requirements in relation to Clever separately and additionally to Equipple.

Clever’s own data processing agreement can be found at: https://www.clever.com/trust/europe-data-processing-addendum

Or they can be contacted directly at: legal@clever.com

Data Subjects’ privacy choices and rights

All Data Subjects including Users and students have various rights about their Personal Data. These are all managed by the Data Controller (in the case of use of the Equipple Application, this is the Customer School as above) and any questions about these rights would normally be dealt with by the organisation. Rights may vary depending on the lawful bases mentioned previously above.

We will only use the Personal Data provided to us by Customers or Users. 

There is no need to ask us not to use your Personal Data for marketing. Any such data provided to us in using the Equipple Application is only ever used as part of giving access to the full Equipple Services. We do not use it for any marketing or anything else, unless permission is specifically given.

Exercising Data Subject rights including Subject Requests / Subject Access Requests

Exercising rights under the Data Protection Act 2018 as amended or other related legislation as a Data Subject including making any Subject Request / Subject Access Request should always be addressed to the Data Controller in the first instance (in relation to use of our core Application, the Customer School or organisation is the Data Controller).

As an individual, this means please refer to your School or organisation’s Privacy Notice for how you can exercise your rights or make contact with the School’s or organisation’s Data Protection Officer.

We will provide reasonable assistance to the Data Controller (including by technical and organisational measures) to enable the Data Controller to respond to complaints from Data Subjects and requests from Data Subjects to exercise any of their rights under Data Protection legislation.

If requested by the Data Controller we will:

• provide a complete copy of all Personal Data held on Equipple for that Data Subject, or instructions of how to access all this information;
• update any Personal Data for that Data Subject to correct its accuracy;
• provide written certification that all Personal Data for that Data Subject has been completely deleted.

To ask for assistance with responding to a Subject Request / Subject Access Request as the Data Controller, simply email us at privacy@equipple.com stating the request.

In the event that we receive any complaint or request directly from a Data Subject where the Customer organisation is the Data Controller, we shall inform the Data Controller, promptly and provide full details to enable appropriate action to be taken.

Information on cookies and similar technologies

We use cookies and similar technologies. For information, see our Cookie Policy at:  https://equipple.com/cookie-policy

Multi-Academy Trusts

Data processing within Multi-Academy Trusts

Where Multi-Academy Trusts, Education Authorities or similar affiliated bodies of connected Schools are setting up Equipple accounts for Schools and Users, they may wish to share some data between schools within the Trust. For example, they may want staff at one School or within the central Trust team to have access to the Equipple account of another school within the Trust. Wherever such instruction is given to us by a suitable person within a Trust we will act on the basis that the instructing party has the authority to instruct our processing of data which may include sharing data within the Trust or body in this way.

About this standard

Checking our processes

We shall provide information necessary to demonstrate our compliance with this Data Processing Standard.

As part of our obligations, we will support Customers with audits in relation to the processing of Personal Data by Equipple and its sub-processors.

To support us with this, Customers must provide reasonable notice in writing of any audit and the scope and purpose of that audit. Any audit will take place within our normal Business Hours and will not occur more than once in any calendar year.

Changes to this standard

We may revise this document at any time. For any substantive changes we will provide advanced notice to Customers then post the new version to this webpage. Customer agrees to and accepts any modified terms by continuing to use the Services after the changes are posted and effective. For any minor readability edits which do not effect and substantial changes, we may make such minor changes directly to this webpage without providing advanced notice. In any such cases we will update the Version history section below.

For more information

If you have any questions about the contents of this document, please email us at privacy@equipple.com