GDPR Compliance Statement

Last updated: 6th August 2018

We take data protection very seriously, especially because Mega Seating Plan deals mostly with children's data. On this page you can learn about what data is collected and stored, how it is used and how it relates to the terms of the General Data Protection Regulation (GDPR).

Rob Cowen Ltd, trading as Mega Seating Plan, ("we", "us") acts under the terms of the GDPR as the "data processor". Schools and school staff ("you", "your") retain responsibility under the GDPR as the "data controller".

The basis for processing data under the GDPR is 'legitimate interests'. The processing is necessary for the purpose of generating classroom seating charts (and other similar tools, described below) for teachers, and these tasks could not otherwise be performed. Processing of personal student data is limited to the purposes described below.

What data is collected and stored?

User data

This is data collected by Mega Seating Plan about visitors to the website. We use Google Analytics and Facebook Pixel tools to monitor website visits (these are anonymous tracking tools that are very common on websites) - there is a little more detail about this on the Privacy Policy page.

Aside from this, during registration I collect your name, school, country, email address, password (for non-Google sign-in users only) and your IP address, to be used as follows:

Student data

The student data that is uploaded to the servers is flexible, although the default column headings include name, form, gender, SEN, EAL, more able, target, grade, reading age and pupil premium. This level of data is clearly personal. In order to protect student privacy, student data is pseudonomised. This is achieved by encrypting student names, photographs and email addresses when stored in the database; only the owner of the data (and colleagues that they have chosen to share it with) have access to the decryption key.

Data that would be considered sensitive under the the GDPR (for example, ethnicity) should not be uploaded.

Student data is stored in a database, with data only accessible to the user that has created it, when logged in via their password. Student data will never be sold to or shared with third parties. Encryption keys are unique to each user, meaning that even if a bug allowed one user to see another's data without permission, it would be impossible to read that data.

How is the data used?

The data collected about website users is used only to improve the experience of website visitors.

Student data is used only for the purposes required by the website:

How is the data stored?

Written data is stored in a MySQL database hosted by Heroku and ClearDB. Larger pieces of data (such as photographs) are stored on an Amazon Web Services cloud server. All servers are located in the European Union. Student names, email addresses and photographs are encrypted with a key specific to the user that uploaded them.

How is the data disposed of?

On deletion of a user account, all data imported by that user is also deleted.

Registration with the ICO

Rob Cowen Ltd. (trading as Mega Seating Plan and Mega Teacher) is registered with the Information Commissioner's Office (registration number ZA331933).