Sparkjar privacy and data protection statement

Overview

We take your privacy very seriously and base our business model on working with data according to fundamental data protection principles. This statement contains important information about how we handle data, especially those of Sparkjar users, and what your rights are.

Definitions

‘We/Us’ means Touch Fantastic at Werks Central, 15-17 Middle Street, Brighton, BN1 1AL;

‘Personal Data’ is any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

‘Controller’ is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

  • where Touch Fantastic Ltd works with a school to implement Sparkjar in the classroom, the School is the Controller;

‘Processor’ is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller;

  • where Touch Fantastic Ltd works with a school to implement Sparkjar in the classroom, Touch Fantastic is the Processor;

‘Data Subject’ is an identified or identifiable individual whose data is being processed and might be used to identify him or her; in the case of Sparkjar, typically a student or teacher, also referred to as ‘You/Your’ in this statement;

‘School’ is an education provider providing Touch Fantastic with data to enable students and teachers to use Sparkjar;

‘Apple’ is Apple Inc., an American multinational technology company that designs, develops, and sells consumer electronics hardware and software;

‘Wonde’ is an English software development company providing schools with a platform and tools to share their data and make sure only trusted suppliers have access to it;

‘Third Party’ means a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process personal data;

‘Process/Processing’ is any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

‘Services’ are the professional knowledge and specialist product(s) Touch Fantastic provides to clients who engage with the firm

‘Consent’ of the Data Subject means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the Processing of Personal Data relating to him or her;

‘Personal Data Breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Reasons and purposes of Processing

The following is a broad description of the ways we Process Personal Data.

Personal Data we process:

  • Personal details, such as email, full name and phone number
  • Education details, such as membership of classes within the School
  • Yearbook photographs, if supplied by the School
  • Data that users contribute within Sparkjar, such as chat messages, files, photos, assignments and feedback
  • Technical information, for example some very limited information about user devices, such as information about the type of mobile device being used, the operating system being used, WiFi network information, and the time zone setting

We collect this information from:

  • Schools that we work with
  • Third Party integration provider Wonde
  • iPads which Sparkjar operates on
  • Our business communication and transactions with clients

We process personal information about:

  • Students and teachers at the schools that we work with
  • Class-related activities, such as assignments and discussions

We use this information to:

  • Help us identify users and any accounts they hold with us;
  • Enable the core features of Sparkjar, such as assignments, chat, file sharing and feedback;
  • Help us debug issues and improve our product and services; and
  • Notify users of any changes to Sparkjar or to our services that may affect you.

We expose certain parts of this information to third parties in order to provide our service:

  • When sending emails (an insecure communication system), we necessarily have to disclose the recipient's name, email address, and contents of the message, to third-party servers that transfer the message to the recipient. Due to the fundamentally insecure nature of email, we minimise the information contained in emails and adopt security best practices such as time-limited secure tokens in password reset emails;
  • When sending iPad push notifications, we have to transmit the contents of the notifications to Apple for them to deliver to the iPad on our behalf;

Where necessary or required we share information:

  • In the event that a Third Party acquires Touch Fantastic Ltd or acquires substantially all of its assets, in which case user data would be securely transferred to the acquiring company;
  • With law enforcement and regulatory agencies in connection with any investigation to help prevent unlawful activity or as otherwise required by applicable law; In any other case, not without the Controller’s explicit permission

Legal basis for Processing

We only process Personal Data which has been collected by Schools on at least one of the legal bases listed in the General Data Protection Regulation. As part of our responsibilities, we never use the data for any other reason, and maintain its security at all times.

Security of Processing

We have built our product and business with data protection as a priority.

Although you acknowledge the use of the internet is never entirely secure, and for this reason we or any other service provider cannot completely guarantee the security or integrity of any data that is transferred to or from users via the internet, we will take all reasonable technical and organisational measures possible to safeguard user data. For example:

  • Access to your account is controlled by a username and password combination that is unique to you;
  • We store your data on secure servers, hosted in London by Amazon Web Services; and
  • We employ industry best-practices in encryption and security.

As with any system, the least secure part of Sparkjar is the password chosen by users. For this reason we strongly recommend that users, particularly teachers who will be able to use Sparkjar to communicate with young people, use a unique password with a combination of letters, numbers and symbols without reference to personal information or common words.

Response to a Personal Data Breach

We do not underestimate the seriousness of a potential Personal Data Breach. Touch Fantastic has a detailed response plan to be followed by all employees and contractors in such an event.

Data retention and disposal

Sparkjar is a communication tool that, amongst other things, allows one-to-one communication between a teacher and a student. We hope it never happens, but we are conscious that in the event of a safeguarding investigation undertaken by a School, we would want to be able to supply historical messages to those investigating.

Our policy under ongoing usage by a School is therefore to archive, rather than delete, data. If and when a School were to choose to stop working with us, we would offer a copy of data held by us, and then securely delete all data on our servers. This deletion would take place as soon as is practicably possible, and certainly within 14 days.

Supervision of chats

By default, every class in a School is set up with an ‘entire class’ group chat and individual chats between each student and the teacher(s) of the class. Teachers are then free to create more group chats within a class, each group chat containing the teacher(s) of the class and students of the teacher’s choosing. Students cannot create group chats and there is no way for students to send messages to one another that are not visible to a teacher.

Furthermore, teachers have the ability to hide from students any offensive messages they discover in group chats. For repeat offenders, a teacher can temporarily or permanently remove the ability for particular students to use the chat facility in their class.

Your rights

Right of confirmation: to ask the Controller whether or not Personal Data concerning you is being processed.

Right of access: to obtain from the Controller information about your Personal Data stored at any time, a copy of the information, whether it is transferred to a third country or an international organisation. If this is the case, you have the right to ask for the safeguards employed to protect it.

Right to rectification: to ask the Controller for rectify inaccurate Personal Data without undue delay.

Right to erasure (right to be forgotten): to ask the Controller to erase Personal Data without undue delay where it is no longer necessary for processing, you have objected to processing, there are no overriding legitimate interests, consent has been withdrawn, it has been unlawfully processed, has to be erased for compliance with a legal obligation in European Union or Member State law to which you are a subject.

Right of restriction of processing: to ask the Controller to restrict processing where a statutory reason applies.

Right of data portability: to receive Personal Data concerning you, which was provided to a controller in a structured commonly used and machine-readable format.

Right to object: to object to the processing of Personal Data concerning you on grounds relating to your particular situation at any time.

Automated individual decision-making, including profiling: to you have the right not to be subject to a decision based solely on automated processing, including profiling.

Right to withdraw consent: to withdraw consent to the processing of your Personal Data, where consent forms the basis for processing, at any time. You can contact the Controller or any other employee to withdraw consent.

Right to complain to the supervisory authority: to lodge a complaint with a supervisory authority that the Processing of Personal Data relating to you infringes the General Data Protection Regulation.

General

You may not transfer any of these rights under this Statement to any other person. We may transfer our rights and obligations under this Statement where we reasonable believe your rights won’t be affected.

If any court or competition authority finds that any provision of this Statement (or part of any provision) is invalid, illegal or unenforceable, that provision or part-provision will be considered deleted to the extent required. The validity and enforceability of the other provisions of this Statement will not be affected.

Unless otherwise agreed, no delay, act or omission by a party in exercising any right or remedy will be deemed a waiver of that or any other right or remedy.

This Statement will be governed by and interpreted according to the law of England and Wales. All disputes arising under the Statement will be subject to the exclusive jurisdiction of the English and Welsh courts.

Changes to this Statement

This Statement was updated on 16 April 2018. We may change it from time to time. You should check this page frequently to ensure you are aware of the most recent version that will apply each time you use Sparkjar.

Contact us

We welcome your feedback and questions. You are welcome to send an email to data-protection@sparkjarapp.com, call us on +44 1273 921233, or write to us at Werks Central, 15-17 Middle Street, Brighton, BN1 1AL. Our registered office is 21 Langham Road, Bowdon, Altrincham, WA14 2HX.