Free mode
Dashboard Privacy v1.3.0

Privacy policy


Smart Revise is a product provided by CRAIGNDAVE Ltd; a private company registered in England and Wales. Company number 10442992. Our registered office is:

12 Tweenbrook Avenue

Directors and employees of CRAIGNDAVE Ltd are the only people with access to your personal data and are trained annually in their responsibilities for security, privacy and confidentiality.

If you have any questions about how we look after your personal data, you can contact us in writing, at the address above or by email: [email protected]

Our Data Protection Officer (DPO) is David Hillyard.


Smart Revise is an educational web-based course companion for teachers and students. It is a bank of thousands of examination style questions teachers can set and students can answer.

Smart Revise includes free content, but also purchasable “vouchers” to provide additional question content for students.

No data is transferred from the educational establishment’s management information system (MIS). Accounts in Smart Revise are registered by individual teachers and students by consent.


CRAIGNDAVE Ltd is a Data Controller with respect to personal data which we collect and process for our own purposes to be able to provide our product. As a controller we make decisions about processing activities. These are limited to the processing necessary for our legitimate interests to process orders.

We are a data controller for orders we receive for vouchers. Our lawful basis is consent.

When you purchase access to a Smart Revise course we collect and store only the necessary data to be able to process your order.


CRAIGNDAVE Ltd is a Data Processor when processing personal data on behalf of our customers.

Students can choose to join a class a teacher has created by consent. In doing so they give teachers of the class the right to determine the means of processing their data. This includes inviting other students and teachers to join the class, setting questions, assessing answers, and viewing data reports.

In the teacher-student data relationship described above, CRAIGNDAVE Ltd are processors of student data for the educational establishment because we are not determining the purpose and means of the data processing by the teacher, we are facilitating it. Our lawful basis for data processing as a processor is public task and legitimate interests of the teacher.


We are registered with the Information Commissioner’s Office.

The full details of the data controller are:

12 Tweenbrook Avenue

ICO registration number: ZA462469


When an educational establishment invests in a new product, service or project that requires the handling of personal data, the Data Protection Officer at the establishment should undertake a Data Protection Impact Assessment (DPIA) to assess and minimise risks to data protection.

It is not the position of CraignDave Ltd to complete an educational establishment’s internal paperwork for DPIA because we should not be judging ourselves. This is often referred to ‘poacher turned gamekeeper’.

We consult with the ICO in order to conduct our own DPIA, but to assist Data Protection Officers in conducting their DPIA, CraignDave Ltd supply the agreement below.


This is an agreement between CRAIGNDAVE Ltd and you for data processing in the Smart Revise platform.


The Data Protection Act 2018 (DPA) controls how your personal information can be used. CRAIGNDAVE Ltd complies fully with all legal responsibilities under the DPA, the UK implementation of EU General Data Protection Regulation (GDPR).

CRAIGNDAVE Ltd complies with the Children’s Code.

Privacy by Design (PbD)

CRAIGNDAVE Ltd adopt the PbD approach. This means we incorporate data privacy protections into the design of our product, and services. The goal of PbD is to prevent data privacy breaches and protect the privacy of individuals by proactively incorporating data privacy safeguards into systems and processes. PbD is an approach for the design and development of a digital solution that requires privacy to be embedded right from the design stage and then throughout the development.

We promise that your data is:

  • Used fairly, lawfully and transparently.
  • Used for specified, explicit purposes.
  • Used in a way that is adequate, relevant and limited to only what is necessary.
  • Accurate and, where necessary, kept up to date.
  • Kept for no longer than is necessary.
  • Handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage.

Contact promise

We will always tell you what personal data we are collecting from you, how we will collect it and how we will use it. We will only use your personal data for the purposes we originally told you about, stated below.

You can control the personal data that you provide to us. We see your personal data as just that: it’s yours. So, we will always be clear and upfront with you about what we do with your personal data.

We will only send you marketing communications if you have agreed that we can do so, and we will always offer you a clear and simple means of changing your preferences whenever you want to.


We collect, use, and store your personal data so that we can offer you the Smart Revise product and customer service you expect from us. We collect your personal data for three main reasons:

  1. To process orders you make, and to deliver those orders to you.
  2. To provide the Smart Revise product.
  3. To answer support enquiries and to keep you up-to-date about product improvements.

This processing is on your instruction as a data controller to provide to you the Smart Revise service. You have control over what happens to your personal data.

In addition, we collect, use, and store your personal data:

  • To detect and prevent fraud and other illegal activities (and to assist regulators, trade bodies and law enforcement agencies in relation to the same).
  • To carry out research to better understand your views on our products and services.
  • Improve our existing range of associated products and services and develop new ones.
  • Understand your likes and dislikes, what products you want to hear about and how best to contact you to inform you about them.
  • Taking legal action against any party in breach of its obligations to CRAIGNDAVE Ltd, and handling any legal claims or regulatory enforcement actions taken against CRAIGNDAVE Ltd.

How we collect your personal data

We collect your personal data in two main ways:

  1. When you give it to us directly.
  2. When Smart Revise creates new data as you use the product.

When you communicate with us or purchase vouchers, you choose to give us data. For example, you give us your name and email address when creating an account, and your address and contact details when placing an order.

When you use our product data is recorded automatically. This includes cookies (small text files sent by your computer each time you visit our product) but can also include personal data transferred by the electronic device you use to access our website and its settings. The manufacturer of your device, or the provider of the operating system, will have details about what information your device shares with us.

As students use Smart Revise it builds a data set about them including questions they have answered, the number of marks awarded and as a result, their assessment and progress.

Personal data we collect

Purpose Data required
To register an account Name
Email address
Provide the Smart Revise product to students and teachers. Class name
Answers to questions
Marking feedback
Tax law compliance
Email address
Telephone number

When we share your personal data

So that we can provide you with our product and service, we must share some of your personal data with third parties. We ensure that all our third parties we share your personal data with have an up-to-date privacy policy and to ensure that they will keep your personal data secure and confidential to the standards you and we would expect.

We will only send to third parties the personal data that is necessary for the purposes it is required for stated below.

All external services have extensive expertise in protecting data, championing privacy, and complying with regulations. All are committed to GDPR compliance across their cloud services.

We do not process or store credit/debit card details, this is solely done by Stripe from their plugin.

We are required to co-operate with regulators (like the Information Commissioner’s Office or HMRC) and law enforcement agencies (like the police or the Serious Fraud Office) in every country we operate in. Although it does not happen often, regulators and law enforcement agencies can require us to share information with them as part of an investigation; this may include your personal data. We would have to disclose your personal data where we believe that disclosure is reasonably necessary to comply with the regulator or crime enforcement agency’s demand.

If it is reasonably necessary to protect you or us.

Businesses may be subject to attempted criminal activities; this can affect both us and you. We will take all reasonable steps to protect you and our business but sometimes we may need to share your personal data where we think it is reasonably necessary to:

  • Detect, monitor, investigate or prevent any suspected illegal activities, fraud, or security issues.
  • Enforce our terms and conditions and to protect your and our rights and property.
  • Investigate and defend any third-party claims or allegations.
  • As part of a business sale or purchase, merger or reorganisation.

We may sell or re-organise parts of our business. Sometimes these types of corporate transactions involve the transfer of your personal data solely for the purposes of assessing the transaction. If we sell or buy any business or assets, personal data which we hold about you may be one of the transferred assets. If this is likely to happen, we will inform you in advance.

We may use data in an aggregated format from which you cannot be personally identified but which does include data that relates to you (such as a testimonial, or AI marking).

External services we use

We share your data with other companies or organisations listed below that help us to provide our products and services to you. We do not employ these companies as sub-processors, but we do use their services. Each of these organisations are bound by agreements to comply with our and their obligations. They all comply with EU GDPR. CRAIGNDAVE Ltd do not share, rent, or sell your information to any third party.

Service Purpose Data required Their privacy statement
Microsoft Azure
Provide the Smart Revise product to students and teachers. Credentials for logging into the system.
Platform for setting, answering, and marking questions.
Email address
Class name
Answers to questions
Marking feedback
Microsoft SSO
Single sign-on using Microsoft account. Microsoft account credentials.
Google SSO
Single sign-on using Google account. Google account credentials.
Cyber-attack protection. None.
Anonymous AI marking of student answers to questions. No personal data that can be used to identify an individual.
Incoming support email.
Sending product update newsletters.
Email address
Stripe Inc
Process payments for vouchers made by debit/credit card. Name
Email address
Telephone number
Card number / expiry date / CVV
Intuit QuickBooks
Invoicing and credit control. Name
Email address
Telephone number
  • Microsoft Azure (required)
    Used to provide the Smart Revise product to students and teachers, including credentials for logging into the system and a platform for setting, answering, and marking questions. The data required includes name, email address, class name, answers to questions, and marking feedback. Their privacy statement can be found at
  • Microsoft SSO (optional)
    Offers single sign-on using a Microsoft account and requires Microsoft account credentials.
  • Google SSO (optional)
    Enables single sign-on using a Google account and requires Google account credentials.
  • Cloudflare (required)
    Utilized for cyber-attack protection and does not require any data. Their privacy statement is accessible at
  • OpenAI (optional)
    Used for anonymous AI marking of student answers to questions. It does not require personal data that can identify an individual. Their privacy statement is available at
  • (optional)
    Used for incoming support email and sending product update newsletters, requiring name and email address. Their privacy information can be found at and
  • Stripe Inc (optional)
    Processes payments for vouchers made by debit/credit card, requiring name, address, email address, telephone number, and card number / expiry date / CVV. Their privacy statement is available at
  • Intuit QuickBooks (required)
    Used for invoicing and credit control, requiring name, address, email address, and telephone number. Their privacy statement is available at

Data centres

Our data servers are located in Ireland and the UK.

Duration of processing and data retention / end of agreement

We will not keep your personal data for longer than is necessary.

  • We will keep personal data while your account is active.
  • We may keep certain categories of personal data after your account is closed to meet any legal or regulatory requirements, or to resolve a legal dispute, and because of this, we may keep different types of personal data for different lengths of time (for instance, we may need to keep certain personal data relating to your purchases in order to comply with HMRC’s VAT reporting requirements).
  • We will delete your data in a secure manner when you tell us you no longer require us to keep a backup.

Processing your data will cease:

  • When you ask us to delete your account (see conditions in “The right to erasure” below).
  • Two years after you last logged into Smart Revise.
  • If you are a student who has joined a class, and your teacher gives consent for your data to be deleted.

Transfer of access to data

We will not transfer your personal data to a third country or an international organisation, unless stated in the external service we use above, or required to do so by domestic law; and in such a case, we will inform you in advance.

When a teacher has access to student data and is no longer employed by an educational establishment, it is their responsibility to remove their access to that student data.

Existing teachers of a class can approve new teachers to join a class and then leave the class, removing their access. To transfer access from one teacher to another on your behalf, we will require confirmation and authorisation from a subject or senior leader within your establishment. We will not process these requests following receipt of an email from the new teacher.


All persons authorised to process your personal data (Directors and employees) of CRAIGNDAVE Ltd have committed themselves to confidentiality. CRAIGNDAVE Ltd do not have temporary or agency workers.


Confidentiality, integrity, availability and resilience of the data in Smart Revise is our responsibility.

Data is encrypted in transit between the client web-browser and server, and at rest on the server. A password is required to access student or teacher accounts. Two-factor authentication is required for administrator accounts and can optionally be applied to student and teacher accounts through single-sign-on.

Backup of data in Smart Revise is stored in Microsoft Azure for 90 days. CRAIGNDAVE Ltd has the ability to restore access to personal data in the event of an incident; and processes for regularly testing and assessing the effectiveness of the measures.


You have a number of rights under data protection laws; these are summarised below.

Assisting the controller

We will always help the educational establishment respond to requests from individuals to exercise their rights. You can contact us at: [email protected] or write to us at the address listed above in the “who we are” section or contact us by telephone: 020 4519 3010. We aim to respond to all enquiries within 48 hours, between Monday and Friday.

The right to be informed

We need to be clear with you about how and why we process your personal data. We do this through our agreement above. We will notify you, and the Information Commissioner of any personal data breaches.

The right to data security

We will keep your personal data encrypted and secure.

The right of data access

You can submit a data subject access request by contacting us at: [email protected]

To process your request, we may ask you for proof of identity so that we can be sure we are releasing your personal data to the right person.

We will process your request within one month.

We will provide you with a copy of your personal data in electronic format or hard copy.

If we consider the frequency of your requests is unreasonable, we may refuse to comply with your request. In those circumstances, you have a right to complain to the Information Commissioner’s Office.

The right to rectification

We welcome feedback from you to ensure data is as accurate and up-to-date as possible. If you think that the data we hold about you is inaccurate or incomplete, please ask us to correct it by contacting us at: [email protected] or by updating your details at any time through the “My Account” section in your Smart Revise account. We will process your request as soon as we receive it or within one month of receipt at the latest.

The right to erasure (known as right to be forgotten)

You can ask us to delete your personal data; however, this is not an absolute right. We can refuse to erase personal data which we need to keep (i) to comply with a legal obligation (for instance, we are required by HMRC to keep certain personal data for up to 6 years for VAT reporting purposes); and (ii) in relation to the exercise or defence of any legal claims.

If you are a student, your school and CRAIGNDAVE Ltd must not keep personal data for longer than it is needed. Typically for schools this could mean until you are 25 years old.

If you joined a class (thereby giving your consent), a voucher was purchased by an educational establishment and assigned to you, your data will not be deleted until the establishment no longer requires your assessment and progress data. We will contact your educational establishment to authorise this if you ask us to do so, but they may refuse. If they accept we will delete your account within 30 days.

When you ask us to delete your personal data, we assume that you do not want to hear from us again. To ensure that we do not send you any communication in the future, we will retain just enough of your personal data solely for suppression purposes.

Other than as described above, we will always comply with your request and do so promptly. We would also notify any third parties with whom we have shared your personal data about your request so that they could also comply.

The right to transfer your personal data (known as data portability)

You have the right to move, copy or transfer your personal data from one organisation to another. If you do wish to transfer your personal data, we would be happy to help.

If you ask for a data transfer, we will give you a copy of your personal data in a structured, commonly used and machine-readable form (for instance, in a CSV file format). We can provide the personal data to you directly or, if you request, to another organisation.

Please note that we are not required to adopt processing systems that are compatible with another organisation, so it may be that the recipient organisation cannot automatically use the personal data we provide.

When making a transfer request, it would be helpful if you can identify exactly what personal data you wish us to transfer.

We will comply with your request within one month or, if the request is complex or there are a number of requests from you, within two months.

The right to object

If you would like us to stop processing your personal data for marketing purposes simply change your marketing preferences from your account or contact us: [email protected]


We will provide the educational establishment with the information that is needed to facilitate an audit to show that the obligations of the Data Protection Act have been met.


Cookies are tiny text files stored on your computer when you visit certain web pages. At and all its sub domains we use cookies for security purposes and to analyse system usage, health and performance.

To order products and for the operation of our products, you need to have cookies enabled.

Please note that cookies can’t harm your computer. We don’t store personally identifiable information such as credit card details in cookies we create, but we do use encrypted information gathered from them to help improve your experience of the site. For example, they help us to identify and resolve errors.

We’re giving you this information as part of our initiative to comply with the Data Protection Act, and to make sure we’re honest and clear about your privacy when using our product and services.

For more information on cookies, visit the official ICO website at or


We promise to always act within the standards set out by the Information Commissioner’s Office.

Best interests of the child

The best interest of the child is always the primary consideration when we design and develop online services likely to be accessed by a child.

Data protection impact assessments

We undertake our own DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access our services, which arise from your data processing. We consider differing ages, capacities and development needs and ensure that our DPIA builds in compliance with this code.

Age-appropriate application

We take a risk-based approach to recognising the age of individual users and ensure we effectively apply the standards in this code to child users. We apply the standards in this code to all our users.


Access to this document is prominent within Smart Revise at the footer of every page and in clear language suited to the age of the child. We provide additional specific prompts about the sharing and use of personal data at the point that use is activated. For example, when joining a teacher’s class.

Detrimental use of data

We never use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.

Policies and community standards

We uphold your the teaching standards in the UK.

Default settings

Settings are always “high privacy” by default.

Data minimisation

We collect and retain only the minimum amount of personal data needed to provide the service in which a child is actively and knowingly engaged. We give children separate choices over which elements they wish to activate. Although some autonomy is delegated to their teacher when they join a class, children can leave a class at any time.

Data sharing

We do not disclose children’s data unless it is in the best interests of the child. E.g., to the police to facilitate their investigations.


We do not use geolocation options other than to ascertain the date and time of day a child is using Smart Revise for the purposes of making tasks available and controlling access to data according to task deadlines.

Parental controls

We do not provide parental controls, but these are not necessary. There is no inappropriate or age restricted material in Smart Revise.


We do not undertake any profiling other than to determine which questions that are being answered incorrectly the most to inform teachers and for quality assurance purposes for the content of the Smart Revise platform.

Nudge techniques

We do not use nudge techniques to encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.

Connected toys and devices

Children may access Smart Revise on any computing device such as desktop PC, laptop, tablet or smart phone. We do not connect to any toys.

Online tools

We provide prominent and accessible tools to help children exercise their data protection rights such as being able to contact us by email to delete their account and report concerns.


We may update this policy from time to time to take account of any new business activity or to reflect any changes in law or best practice in relation to data protection. We will notify you if we do so. This policy was last updated on 09/03/2024.