Data Protection Policy

When schools use Fixturr, they are responsible for managing and controlling the data that is being used by the software. Fixturr is responsible for processing this data on behalf of the schools. To clearly define the roles and responsibilities of both parties when handling data, we have established standard terms of use. These terms outline the liabilities and responsibilities of each party when it comes to data processing.

General Provisions:

By continuing to use our product and providing us with school data, the school agrees to the terms of this policy. 

Under data protection laws, the company is considered a "processor" of the school data, which includes personal data, and the school is considered a "controller" of this data.

Both the company and the school will follow all data protection laws when handling the school data. 

The company will process the school data on behalf of the school, as instructed and authorised by the school, to provide the product to the school and for the purposes outlined in this policy. 

The school confirms that it has a legal reason, as defined by data protection laws, for providing the company with the necessary data and allowing the company to legally process this data for specified purposes. If the school does not have a legal reason for doing this, the school will be responsible for any costs, claims, damages, expenses, losses, or liabilities that the company incurs as a result.

International Transfers

The company will not send or allow the school data to be sent outside of the European Economic Area ("EEA") without first ensuring that the data is protected. This may involve using standard data protection clauses that the European Commission or other measures have approved that data protection authorities have approved.

Confidentiality of Processing

The company will make sure that any person it allows to process the data (including its staff, agents, and subcontractors) (called an "authorised person") has a strong obligation to keep the data confidential, whether through a contract, a legal requirement, or any other means. The company will not allow anyone who does not have this obligation to process the data. The company will also ensure that all authorised persons only process the data for the permitted purpose.

Security

The company will implement appropriate technical and organisational measures to protect the school data from unauthorised or illegal processing and accidental loss, destruction, or damage. The level of security applied to the data and the nature of the processing will be taken into consideration when determining these measures.

Sub-processors:

The company may use other companies or organisations (called "sub-processors") to process school data on our behalf. The company will ensure that sub-processors follow the same data protection standards and will be held responsible if they do not. 

The company will also help the school respond to requests from individuals (called "data subjects") to exercise their rights as specified by data protection laws.

Cooperation and Data Subjects Rights

The company will provide all necessary and timely assistance (including appropriate technical and organisational measures) to the school (at the school's expense) to help the school respond to the following:

  • Any requests from a data subject to exercise their rights under applicable data protection laws (including their rights to access, correction, objection, erasure, and data portability, as applicable).
  • Any other correspondence, inquiries, or complaints received from a data subject, regulator, or third party related to the data processing. If the company receives any of these requests, correspondence, inquiries, or complaints directly, the company will promptly inform the school and provide full details. The school will then provide all necessary and timely assistance to the company to enable the company to take appropriate action.

Data Protection Impact Assessment

If the company believes or becomes aware that processing of the data may pose a high risk to the data protection rights and freedoms of data subjects, it will promptly inform the school and provide the school with all necessary and timely assistance to conduct a data protection impact assessment and, if necessary, consult with the relevant data protection authority. 

Security Incidents

If either party becomes aware of a security incident, they must promptly inform the other party and provide all necessary and timely information and cooperation to help the other party fulfil their data breach reporting obligations under applicable data protection laws. Both parties must also take all necessary measures and actions to address or minimise the effects of the security incident and keep the other party informed of any related developments.

Deletion of Data

Upon request from the school, the company will destroy all data (including all copies of the data) in its possession or control (including any data that has been subcontracted to a third party for processing). 

This requirement does not apply if the company is required by EU or EU member state law to retain some or all of the data. In this case, the company will isolate and protect the data from further processing, except as required by law.

Audit

The company will allow the school (or its appointed third-party auditors) to audit the company's compliance with this schedule and will provide the school with all necessary information, systems, and staff to conduct the audit. 

The school will not exercise its audit rights more than once in a 12-month period unless instructed by a competent data protection authority or if the school believes a further audit is necessary due to a security incident suffered by the company. 

As described in this paragraph, the school's information and audit rights apply only to the extent required by applicable data protection laws. 

The school will give the company reasonable notice of any audit or inspection that it plans to conduct and will (and will ensure that any nominated auditor will) avoid or minimise any damage, injury, or disruption to the company or its subcontractors' business.

Indemnity

Each party (the "indemnifying party") will protect the other party (the "indemnified party") from any loss, cost, harm, expense (including reasonable legal fees), liabilities, or damage ("damage") that the indemnified party suffers or incurs as a result of the indemnifying party's violation of the provisions of this schedule. This protection is subject to the following conditions: 

  • The indemnified party promptly informs the indemnifying party of any circumstances that may give rise to an indemnity claim under this clause; and
  • The indemnified party takes reasonable steps to mitigate any ongoing damage it may suffer as a result of the indemnifying party's violation.

Liability

The company will not be liable to the school, whether for breach of contract, tort (including negligence), breach of statutory duty, or any other reason, for or in connection with the following:

  • Loss, interception, or corruption of any data resulting from the negligence or default of any telecommunications service provider for the company or the school
  • Any loss resulting from the default or negligence of any supplier to the school
  • Damage to reputation or goodwill
  • Any indirect or consequential loss.

However, the company's liability for death or personal injury caused by its negligence, fraud, or fraudulent misrepresentation, or any other matter for which liability cannot be limited or excluded by law, is not limited by this clause.

Data Processing Description

This part of our terms and conditions explains how we will handle data for the school. The data we will process is called "school data", and it relates to the following groups of people:

  • Pupils
  • Parents and guardians
  • Staff

The types of data we will process are:

  • School name and contact information (such as the school's address, phone number, and email address), teachers' names and contact information (including phone numbers and email addresses), pupils' names, dates of birth, classes, year groups and school houses.
  • Information about interactions between the school, its people (called "data subjects"), and us regarding our product, as well as any other information that the school and its data subjects choose to share with us (for example, through communication with our customer and technical support teams)
  • Information we automatically collect about our product, including a user's IP address, device type, unique device identification numbers, login information, browser type and version, time zone setting, operating system and platform, general location (like the country or city), and other technical information.
  • Information we automatically collect about how a user's device interacts with our website, including the pages they access and the links they click, download errors, how long they spend on certain pages, information about their interactions with pages, and the methods they use to leave pages

We will use the school data to help us fulfil our obligations to the school under the terms and conditions for using our product, which includes all Fixturr websites, apps and services.