1. Who We Are
Ganes Academy Ltd (“we”, “us”) is the data controller for the personal information you provide via ganesacademy.co.uk.
ICO Registration No.: Z123456
2. What Data We Collect
- Account Data – name, email address, school year and subjects of interest.
- Attendance & Performance Data – attendance logs, school scores and grades.
- Homework Records – uploaded files, scores, feedback and related analytics.
- Technical Data – IP address, browser type, device identifiers and log info.
- Audit Logs – comprehensive records of who accessed data, when, and why.
- Communication Logs – emails, SMS, and WhatsApp messages sent through our platform.
3. Legal Bases
We process your data under UK GDPR Article 6(1)(b) (performance of a contract) and 6(1)(f) (legitimate interests in running an educational Platform). Consent is sought only where strictly required (e.g. optional marketing).
4. How We Use Your Data
- To provide and personalise learning resources.
- To record homework scores, attendance and track progress.
- To monitor Platform performance and detect misuse.
5. Data Retention
We retain your data according to the following schedule:
- Active students: For the duration of your educational services.
- Inactive students: Educational records retained for 7 years after last service for administrative purposes.
- Financial records: Retained for 7 years for tax and accounting purposes.
- Communication logs: Retained for 2 years.
- Audit logs: Retained for 2 years with automatic archiving.
- Alumni program: With your consent, we may retain educational records indefinitely to maintain our alumni network, track educational outcomes, and manage referral programs.
- Anonymized data: May be retained indefinitely for educational research and service improvement.
Automated deletion: Data is automatically deleted after retention periods expire. Upon request we will delete personal data without undue delay (typically within 30 days), subject to any legal retention requirements.
6. Disclosure to Third Parties & Processors
Your data is stored in Google Firebase (EU region europe-west2). Firebase acts as our data processor under Google’s Data Processing Agreement. GitHub is used solely for private source-code hosting and does not process personal data. Future tools such as Google Analytics 4 or Sentry will process only pseudonymised or aggregated data and will be added to this section before activation.
7. Cookies & Tracking
We currently set only essential cookies for authentication and session security. In light of the Data (Use and Access) Act 2025 (“DUA Act”) amendments to PECR, purely statistical analytics cookies may be placed without consent provided users are informed. Should we enable GA4 or similar tools we will:
- Audit cookies against the DUA Act exceptions.
- Display a banner explaining purposes and offering opt-out for any non-exempt cookies.
- Update this Policy with a full cookie table.
8. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
- Right to Access (Article 15): Obtain a copy of all personal data we hold about you in both PDF (human-readable) and JSON (machine-readable) formats.
- Right to Rectification (Article 16): Request correction of inaccurate personal data.
- Right to Erasure (Article 17): Request deletion of your personal data with automatic cascading deletion of all related records. A backup is created before deletion unless you opt out.
- Right to Restrict Processing (Article 18): Request limitation of data processing.
- Right to Data Portability (Article 20): Receive your data in a structured, commonly used format suitable for transfer to another service.
- Right to Object (Article 21): Object to processing based on legitimate interests.
- Rights Related to Automated Decision-Making (Article 22): Not to be subject to decisions based solely on automated processing.
8.1 How to Exercise Your Rights
- Submit requests to gdpr@ganesacademy.com
- We will respond within 30 days (may extend to 90 days for complex requests with notification)
- Identity verification required for security
- First request in any 12-month period is free
8.2 Audit Trail Access
As part of your access rights, you can request comprehensive audit logs showing:
- Who accessed your data (user/system identification)
- When data was accessed (timestamp)
- What operations were performed (view, modify, delete)
- Why data was accessed (purpose/reason)
9. Children's Privacy & UK GDPR Compliance
Accounts for learners under 18 must be created or approved by a parent/guardian. If we learn we have collected data from a minor without consent, we will delete it promptly.
10. Student & Parent Data Protection
10.1 Student Data Processing
- Lawful Basis: Article 6(1)(b) & (1)(f) as above.
- Data Minimisation: We only collect data necessary for educational purposes.
- Purpose Limitation: Data is used solely for providing educational services and improving the Platform.
- Accuracy: Procedures ensure data remains accurate and up to date.
10.2 Parent/Guardian Rights
Parents/guardians may exercise the data-protection rights listed in §8 on behalf of learners.
10.3 Student Data Security
- All data is encrypted in transit and at rest.
- Sensitive fields (medical notes, addresses, phone numbers) receive additional encryption.
- Access is restricted to authorised personnel only.
- All access is logged with comprehensive audit trails.
- Regular security audits and updates are performed.
- Automated security monitoring for unusual access patterns.
10.4 Data Retention for Students
- Data is retained while the account is active.
- Upon closure, most data is deleted within 30 days unless longer retention is legally required.
10.5 International Transfers
Data is stored within the EEA. Any transfers outside the EEA will be subject to appropriate safeguards under UK GDPR.
10.6 Data Breach Notification
In the event of a breach affecting student data we will notify the ICO within 72 hours and affected individuals without undue delay, where required by law.
10.7 Alumni & Historical Educational Records
For former students, we offer an opt-in alumni program allowing extended retention of educational records. This enables us to:
- Provide references for university or job applications
- Track long-term educational outcomes
- Maintain referral connections within our educational community
- Share alumni success stories (with additional consent)
Participation is voluntary and consent can be withdrawn at any time. Non-participants' data will be anonymized or deleted according to our standard retention schedule.
11. Changes
We may update this Policy from time to time. Significant changes will be flagged on the Platform and communicated to users via email where appropriate.
12. Contact & Data Protection Officer
- General privacy queries: privacy@ganesacademy.com
- GDPR requests: gdpr@ganesacademy.com
- Data Protection Officer: dpo@ganesacademy.com
You may also lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data-protection rights have been violated.
13. Technical Implementation
We have implemented comprehensive technical measures to ensure GDPR compliance:
- Automated Data Export: Generate complete data exports in multiple formats.
- Automated Data Deletion: Complete erasure with cascading deletion of related records.
- Audit Logging: Every data access and modification is logged with encrypted details.
- Backup Before Deletion: Optional secure backup creation before data erasure.
- Desktop Application: Ion Desktop includes built-in GDPR management tools for authorised staff.