Carousel Privacy Policy

This policy underpins the promises and contracts we make with schools, teachers and students relating to the education data that Carousel processes.

Glossary of Terms

  • Data Controller: the person, or organisation, who determines the purposes for which and the manner in which any personal data is processed. With respect to Carousel, the Data Controller is the account-holder using the product. This could be a natural person or a School or MAT or group of schools.
  • Data Processor: the person, or organisation, who processes the data on behalf of the Data Controller. Carousel is a Data Processor of school data.
  • Data Subject: the individual who is the subject of the personal data.
  • Data Processing: operations performed on data, such as collecting, recording, organising, adapting, retrieving, disclosing or deleting.
  • Data Protection Legislation: the Data Protection Act 2018 ("DPA") and any relevant data protection legislation and regulations that supersede the Data Protection Act. The DPA enshrines in law the UK's General Data Protection Regulations (UK GDPR).
  • School Data: all data generated by parents and teachers while using Carousel.
  • Personal Data: data we hold which relates to an identified or identifiable individual
  • Sensitive Personal Data: data we hold which is deemed sensitive under the DPA (for example ethnicity).
  • Carousel Platform: the software application that we provide via the Website, accessible from app.carousel-learning.com.
  • Question Bank: a compiled data set of educational content comprising questions in written or visual form and accompanying answers uploaded to the Carousel platform as a Question Bank.
  • Dashboard: the section of the Carousel Platform from which users retrieve content they have created or curated.
  • Service: the Carousel Platform.
  • IP Address: a unique computer address that identifies you to the Internet, or your local network.
  • School: all references to a school may refer either to an individual school or academy, or to multiple schools, where those schools are joined together in a legal entity such as a MAT.
  • MAT: a Multi Academy Trust, or group of academies.
  • MIS: tour School's Management Information System which is used to record information about students and staff.
  • Wonde : A school data syncing service used by Carousel to access certain data stored on Your School's MIS.
  • Student-level account: an optional account created at Your direction on the Carousel Platform for an individual student that is accessed by the student using an email address and password.
  • User: a teacher, school or MAT which has contracted with Us to use the Service to set up quizzes, study packs or otherwise make use of the tools and software that are available on the Carousel Platform.

What is Carousel?

Carousel is a secure, cloud-based platform that helps teachers to set quizzes drawing questions from across a curriculum, and gives students an easy-to-use way of taking those quizzes.

Privacy and Data Protection Statement

1. Introduction

Privacy and security are at the heart of everything we do at Carousel, and our approach incorporates data protection by design and default. This statement explains the key measures we've put in place to ensure that school data is kept secure and processed appropriately at all times. It also covers our commitments to you, and what we expect from schools in terms of privacy and data protection.

2. Our Principles

We:

  • Process the data received from schools for the purposes of education and school improvement only, and only for those purposes necessary to provide the service explicitly offered to schools.
  • Adhere strictly to the terms of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
  • Only store and process the minimum data required to provide our services
  • Transport and store all personal data originating from schools using modern and best practice encryption technologies. This includes Secure Socket Layers (SSL/TLS) for encrypted data transfer over the internet, encryption of all data at rest, password-protected identities for all end users, and variable permissions according to the user's role.
  • Comply with all Subject Access Requests made relating to the data We store.
  • Ensure the data We hold about you is correct.
  • Only retain data for as long as required, and delete all your data if you ask us to do so.
  • Ensure that all data is held securely by taking steps so that data is not corrupted or lost.
  • Always maintain adequate liability insurance.
  • Audit our services against this pledge periodically and provide evidence of compliance to the other party whenever requested.
  • Report any significant breaches of security to the Data Controller, the Information Commissioner's Office (ICO) and other authorities, and, in co-operation with the Data Controller, to Data Subjects without undue delay and within 72 hours.
  • Make this Privacy Policy clearly and publicly available on our website.

We DO NOT:

  • Store or transport personal data outside of the UK or EEA or in countries that do not have Adequate Levels of Protection as determined by the EU under the EU GDPR prior to 31st December 2020, except for the United States of America but only when such data is protected by appropriate safeguards namely standard contractual clauses as defined by Art. 46 UK GDPR/EU GDPR. (Please note, however, that only data relating to teachers may be transferred to the United States; no student data is transferred outside the UK or EEA.)
  • Share your data with any third parties except where explicitly requested by you or required by law.
  • Use Your data made available via the Carousel platform for the purposes of advertising or marketing or for any purpose other than the service explicitly provided to You.
  • Transport personal data originating from schools in an unencrypted format.
  • Claim ownership or exclusive rights over any of the data processed or created as part of services provided to You.
  • Share information with other third parties except where specifically agreed by the Data Controller or where required by law.
  • Change any applicable terms of service without giving You the opportunity to opt-out of such changes.

3. Security and Encryption

We take every reasonable measure to ensure we store data securely. The Carousel platform is developed using secure technologies, which include, but are not limited to the following:

  • All personal Carousel data is stored and transported within the UK or EEA or in countries that have Adequate Levels of Protection as determined by the EU under the EU GDPR prior to 31st December 2020, except for the United States of America but only when such data is protected by appropriate safeguards namely standard contractual clauses as defined by Art. 46 UK GDPR/EU GDPR.
  • All internal and external data transmissions to and from the Carousel Platform are encrypted using modern SSL/TLS protocols and ciphers via secure REST APIs.
  • Data is encrypted at rest (i.e. when stored on a disk or laptop).
  • We use encrypted passwords with variable permissions according to the user's role for access to all sensitive information.

4. Staff access to data

Carousel does not look "under the hood" or inspect any of the data we store. The only exceptions to this are where a school has explicitly given us permission to inspect their data; for example, to provide technical support to correct a technical problem.

All our staff and subcontractors are required to agree that they will abide by a Security and Data Protection Policy at all times.

5. Deleting and Retaining Data

We retain personal data on our platform for as long as necessary to provide the Carousel service. If a user requests that we delete their data , we delete their data within 5 working days. We will also delete accounts and all associated data if a user account has been dormant for 24 months.

6. Question banks created on our platform

The Carousel platform and any Question Banks created by Carousel are the property of Carousel. Question Banks created by users will remain the user's property. By giving a Question Bank the sharing status of GLOBAL, you are agreeing to grant us a global, perpetual, royalty free license to use, reuse, sub-license, modify, display and distribute the content in any format we choose.

Question Banks may be withdrawn from the Community by their creators any time, from which point they will cease to be available for users to add to their Dashboard. However, any Question Bank already added to their Dashboard by a user at the time of withdrawal by its creator will remain indefinitely available to that user, and all quizzes created using that Question Bank will continue to exist and be unaffected by its withdrawal from the Community.

7. Privacy or Security Breaches

We take all reasonable and necessary precautions to ensure that your data is secure and to recognise and then mitigate the risks to security and privacy. However, it is not possible to 100% guarantee the security of any data transmitted or stored electronically. In the event that a significant breach of security or privacy did occur, Carousel will contact the Data Controller of the affected data, and inform the Information Commissioner's Office (ICO), and other authorities without undue delay and within 72 hours.

8. Information for students and parents/guardian

Carousel, as the Data Processor, only has access to Personal Data or Sensitive Personal Data provided or authorised to Us by users, who remain the Data Controller, and only for the purposes of performing services on a user's behalf.

If you have questions about how a student's data is being used or how a user is making use of our service, please contact the user directly. Any student or parent/guardian enquiries we receive will be directed to the relevant school as the Data Controller for that student's data.

The categories of personal data we process and the purposes for doing so are as follows:

CategoryPurpose
Staff names
  • To provision accounts
  • To distinguish between teachers in school and MAT accounts
  • To assist with the provision of an education to students
Staff contact information
  • To provision accounts
  • To distinguish between teachers in school and MAT accounts
  • To assist with the provision of an education to students
IP addresses
  • To prevent DDoS attacks
  • To identify trusted and frequently used devices
  • To track a student or user's interaction with the website for analytics, support and product optimisation
  • To assist with the provision of an education to students

The categories of personal data we may process if such data is provided by the Data Controller and the purposes for doing so are as follows:

CategoryPurpose
Student names
  • To provision accounts
  • To distinguish between students in a teacher's class
  • To assist with the provision of an education to students
Student email addresses
  • To provision accounts when We provide student-level accounts with personalised logins
  • To distinguish between students in school and MAT accounts when We provide student-level accounts with personalised logins
  • To assist with the provision of an education to students
Student identifiers
(including UPN and admission number)
  • To distinguish between students in school and MAT accounts when We provide student-level accounts with personalised logins
  • To offer users the ability to extract student data from the system using a unique identifier when We provide student-level accounts with personalised logins
  • To assist with the provision of an education to students

We receive personal data in one of two ways:

  1. Manual input or CSV upload by You; or
  2. With Your approval, direct sync with Your MIS using Wonde.

General Website Privacy

9. Cookies

A cookie is a string of information that a website stores on a visitor's computer. Carousel uses cookies for purposes such as helping us to identify and track visitors' usage and preferences. You can disable cookies in your browser if you wish to, although this may mean that some features of our website do not work as they should.

10. Communication

If You are a registered user of the Carousel website, or have expressed interest in Carousel on the Carousel website and/or have supplied Your email address and not opted out of receiving email communications, we may occasionally send You an email to tell you about new features, ask for feedback or keep You up to date with our products. When you register for or attend a webinar, forum or other event hosted by Us You do so in your capacity as an employee of a school, MAT, group of schools, local authority or other corporate subscriber and any communication sent by us to you in relation or subsequent to any such event will be considered a communication between Us and a corporate subscriber as defined by the Privacy and Electronic Communications (2003). If You no longer wish to be included on these communications, then You can opt out using the links on those communications or email
hello@carousel-learning.com
and We will remove You from the list within 15 days.

11. Third Parties

Carousel Learning Ltd may share user and student data with our development partners, Aircury Ltd (a company registered in England and Wales with Company No. 10641335) and Aircury SL (a company registered in Spain with Company No. B19713437) for the development and improvement of the Platform and to process technical queries and solve technical problems that are raised with us. We do not share your data with any other third parties except where explicitly requested by you or required by law. We will never rent or sell Your data for marketing purposes.

12. IP Addresses and Third Party Websites

We cannot be responsible for the privacy policies and practices of other sites even if you access them using links on our website. We recommend that you check the policy of each site you visit and contact the owner or operator if you have any questions or concerns. If you access our Website from a third party site, we cannot be responsible for the privacy policy and practice of that third party site and recommend that you check the policy of that third party site and contact the owner or operator if you have any questions or concerns.

We may collect users' full IP addresses for essential security management (for example, the prevention of Distributed Denial of Service attacks) and essential user support (for example, browser session tracking in order to spot and fix errors). We may also use IP addresses to assist with security and recognising trusted user devices.

In some limited circumstances We may collect data through third party services. For example, we may use website analytics traffic providers to analyse metadata such as platform usage. Where We do this, We audit the service to ensure they have a similarly high level of commitment to security and privacy, and comply with all Data Protection Legislation. Carousel may also collect, analyse or make available non-personal and non-sensitive data (for example aggregated or non-identifiable data) to third parties for school improvement or research purposes. We do not use or analyse this aggregate data in any way that would make data identifiable at an individual or school level.

13. Deleting and Retaining Data

We retain data on Our platform for as long as necessary to provide Our services. If a User requests deletion of their Carousel account, we will delete their data within 5 working days. We reserve the right to retain anonymised data for the purposes of research and development. (Note: data may remain stored in our backup system for up to three months following deletion from the platform.)

14. Cookies

A cookie is a string of information that a website stores on a visitor's computer. Carousel uses cookies for purposes such as helping us to identify and track visitors' usage and preferences. You can disable cookies in Your browser if you wish to, although this may mean that some features of our website do not work as they should.

15. Privacy or Security Breaches

We take all reasonable, necessary precautions to ensure that your data is secure and to recognise and then mitigate the risks to security and privacy. In the unlikely event that a significant data or security breach were to occur, Carousel will contact the Data Controller and comply with all statutory reporting duties.

16. Questions and Grievances

If you have any questions or grievances in relation to security or privacy, please email us on
hello@carousel-learning.com
.

17. Precedence

Where You have entered into a signed agreement with Us, in the event of a conflict with this policy the contents of that agreement shall take precedence over this policy.
Creative Commons License
This work is licensed under a
Creative Commons Attribution-ShareAlike 4.0 International License
.