Smart Revise is a product provided by CRAIGNDAVE Ltd; a private company registered in England and Wales. Company number 10442992. Our registered office is:
12 Tweenbrook Avenue
Gloucester
Gloucestershire
GL1 5JY
Directors and employees of CRAIGNDAVE Ltd are the only people with access to your personal data and are trained annually in their responsibilities for security, privacy and confidentiality.
If you have any questions about how we look after your personal data, you can contact us in writing, at the address above or by email: [email protected]
Our Data Protection Officer (DPO) is David Hillyard.
Smart Revise is an educational web-based course companion for teachers and students. It is a bank of thousands of examination style questions teachers can set and students can answer.
Smart Revise includes free content, but also purchasable “vouchers” to provide additional question content for students.
CRAIGNDAVE Ltd is a Data Controller with respect to personal data which we collect and process for our own purposes to be able to provide our product. As a controller we make decisions about processing activities. These are limited to the processing necessary for our legitimate interests to process orders.
We are a data controller for orders we receive for vouchers. Our lawful basis is consent.
When you purchase access to a Smart Revise course we collect and store only the necessary data to be able to process your order.
CRAIGNDAVE Ltd is a Data Processor when processing personal data on behalf of our customers.
Students can choose to join a class a teacher has created by consent. In doing so they give teachers of the class the right to determine the means of processing their data. This includes inviting other students and teachers to join the class, setting questions, assessing answers, and viewing data reports.
In the teacher-student data relationship described above, CRAIGNDAVE Ltd are processors of student data for the educational establishment because we are not determining the purpose and means of the data processing by the teacher, we are facilitating it. Our lawful basis for data processing as a processor is public task and legitimate interests of the teacher.
We are registered with the Information Commissioner’s Office. ico.org.uk
The full details of the data controller are:
CRAIGNDAVE LTD
12 Tweenbrook Avenue
Gloucester
Gloucestershire
GL1 5JY
ICO registration number: ZA462469
When an educational establishment invests in a new product, service or project that requires the handling of personal data, the Data Protection Officer at the establishment should undertake a Data Protection Impact Assessment (DPIA) to assess and minimise risks to data protection.
It is not the position of CraignDave Ltd to complete an educational establishment’s internal paperwork for DPIA because we should not be judging ourselves. This is often referred to ‘poacher turned gamekeeper’.
We consult with the ICO in order to conduct our own DPIA, but to assist Data Protection Officers in conducting their DPIA, CraignDave Ltd supply the agreement below.
This is an agreement between CRAIGNDAVE Ltd and you for data processing in the Smart Revise platform.
The Data Protection Act 2018 (DPA) controls how your personal information can be used. CRAIGNDAVE Ltd complies fully with all legal responsibilities under the DPA, the UK implementation of EU General Data Protection Regulation (GDPR).
CRAIGNDAVE Ltd complies with the Children’s Code.
CRAIGNDAVE Ltd adopt the PbD approach. This means we incorporate data privacy protections into the design of our product, and services. The goal of PbD is to prevent data privacy breaches and protect the privacy of individuals by proactively incorporating data privacy safeguards into systems and processes. PbD is an approach for the design and development of a digital solution that requires privacy to be embedded right from the design stage and then throughout the development.
We promise that your data is:
We will always tell you what personal data we are collecting from you, how we will collect it and how we will use it. We will only use your personal data for the purposes we originally told you about, stated below.
You can control the personal data that you provide to us. We see your personal data as just that: it’s yours. So, we will always be clear and upfront with you about what we do with your personal data.
We will only send you marketing communications if you have agreed that we can do so, and we will always offer you a clear and simple means of changing your preferences whenever you want to.
We collect, use, and store your personal data so that we can offer you the Smart Revise product and customer service you expect from us. We collect your personal data for three main reasons:
This processing is on your instruction as a data controller to provide to you the Smart Revise service. You have control over what happens to your personal data.
In addition, we collect, use, and store your personal data:
We collect your personal data in two main ways:
When you communicate with us or purchase vouchers, you choose to give us data. For example, you give us your name and email address when creating an account, and your address and contact details when placing an order.
When you use our product data is recorded automatically. This includes cookies (small text files sent by your computer each time you visit our product) but can also include personal data transferred by the electronic device you use to access our website and its settings. The manufacturer of your device, or the provider of the operating system, will have details about what information your device shares with us.
As students use Smart Revise it builds a data set about them including questions they have answered, the number of marks awarded and as a result, their assessment and progress.
Purpose | Data required |
---|---|
To register an account | Name Email address |
Provide the Smart Revise product to students and teachers. | Class name Answers to questions Marking feedback |
Invoicing Tax law compliance |
Name Address Email address Telephone number |
So that we can provide you with our product and service, we must share some of your personal data with third parties. We ensure that all our third parties we share your personal data with have an up-to-date privacy policy and to ensure that they will keep your personal data secure and confidential to the standards you and we would expect.
We will only send to third parties the personal data that is necessary for the purposes it is required for stated below.
All external services have extensive expertise in protecting data, championing privacy, and complying with regulations. All are committed to GDPR compliance across their cloud services.
We do not process or store credit/debit card details, this is solely done by Stripe from their plugin.
We are required to co-operate with regulators (like the Information Commissioner’s Office or HMRC) and law enforcement agencies (like the police or the Serious Fraud Office) in every country we operate in. Although it does not happen often, regulators and law enforcement agencies can require us to share information with them as part of an investigation; this may include your personal data. We would have to disclose your personal data where we believe that disclosure is reasonably necessary to comply with the regulator or crime enforcement agency’s demand.If it is reasonably necessary to protect you or us.
Businesses may be subject to attempted criminal activities; this can affect both us and you. We will take all reasonable steps to protect you and our business but sometimes we may need to share your personal data where we think it is reasonably necessary to:
We may sell or re-organise parts of our business. Sometimes these types of corporate transactions involve the transfer of your personal data solely for the purposes of assessing the transaction. If we sell or buy any business or assets, personal data which we hold about you may be one of the transferred assets. If this is likely to happen, we will inform you in advance.
We may use data in an aggregated format from which you cannot be personally identified but which does include data that relates to you (such as a testimonial, or AI marking).
We share your data with other companies or organisations listed below that help us to provide our products and services to you. We do not employ these companies as sub-processors, but we do use their services. Each of these organisations are bound by agreements to comply with our and their obligations. They all comply with EU GDPR. CRAIGNDAVE Ltd do not share, rent, or sell your information to any third party.
Service | Purpose | Data required | Their privacy statement |
---|---|---|---|
Microsoft Azure (required) |
Provide the Smart Revise product to students and teachers. Credentials for logging into the system. Platform for setting, answering, and marking questions. |
Name Email address Class name Answers to questions Marking feedback |
https://privacy.microsoft.com/en-gb/privacystatement |
Microsoft SSO (optional) |
Single sign-on using Microsoft account. | Microsoft account credentials. | |
Google SSO (optional) |
Single sign-on using Google account. | Google account credentials. | |
Cloudflare (required) |
Cyber-attack protection. | None. | https://www.cloudflare.com/en-gb/privacypolicy/ |
OpenAI (optional) |
Anonymous AI marking of student answers to questions. | No personal data that can be used to identify an individual. | https://openai.com/policies/privacy-policy |
Zoho.eu (optional) |
Incoming support email. Sending product update newsletters. |
Name Email address |
https://www.zoho.com/gdpr.html https://www.zoho.com/privacy.html |
Stripe Inc (optional) |
Process payments for vouchers made by debit/credit card. | Name Address Email address Telephone number Card number / expiry date / CVV |
https://stripe.com/gb/privacy |
Intuit QuickBooks (required) |
Invoicing and credit control. | Name Address Email address Telephone number |
https://quickbooks.intuit.com/uk/privacy-policy/ |
Our data servers are located in Ireland and the UK.
We will not keep your personal data for longer than is necessary.
Processing your data will cease:
We will not transfer your personal data to a third country or an international organisation, unless stated in the external service we use above, or required to do so by domestic law; and in such a case, we will inform you in advance.
When a teacher has access to student data and is no longer employed by an educational establishment, it is their responsibility to remove their access to that student data.
Existing teachers of a class can approve new teachers to join a class and then leave the class, removing their access. To transfer access from one teacher to another on your behalf, we will require confirmation and authorisation from a subject or senior leader within your establishment. We will not process these requests following receipt of an email from the new teacher.
All persons authorised to process your personal data (Directors and employees) of CRAIGNDAVE Ltd have committed themselves to confidentiality. CRAIGNDAVE Ltd do not have temporary or agency workers.
Confidentiality, integrity, availability and resilience of the data in Smart Revise is our responsibility.
Data is encrypted in transit between the client web-browser and server, and at rest on the server. A password is required to access student or teacher accounts. Two-factor authentication is required for administrator accounts and can optionally be applied to student and teacher accounts through single-sign-on.
Backup of data in Smart Revise is stored in Microsoft Azure for 90 days. CRAIGNDAVE Ltd has the ability to restore access to personal data in the event of an incident; and processes for regularly testing and assessing the effectiveness of the measures.
You have a number of rights under data protection laws; these are summarised below.
We will always help the educational establishment respond to requests from individuals to exercise their rights. You can contact us at: [email protected] or write to us at the address listed above in the “who we are” section or contact us by telephone: 020 4519 3010. We aim to respond to all enquiries within 48 hours, between Monday and Friday.
We need to be clear with you about how and why we process your personal data. We do this through our agreement above. We will notify you, and the Information Commissioner of any personal data breaches.
We will keep your personal data encrypted and secure.
You can submit a data subject access request by contacting us at: [email protected]
To process your request, we may ask you for proof of identity so that we can be sure we are releasing your personal data to the right person.
We will process your request within one month.
We will provide you with a copy of your personal data in electronic format or hard copy.
If we consider the frequency of your requests is unreasonable, we may refuse to comply with your request. In those circumstances, you have a right to complain to the Information Commissioner’s Office.
We welcome feedback from you to ensure data is as accurate and up-to-date as possible. If you think that the data we hold about you is inaccurate or incomplete, please ask us to correct it by contacting us at: [email protected] or by updating your details at any time through the “My Account” section in your Smart Revise account. We will process your request as soon as we receive it or within one month of receipt at the latest.
You can ask us to delete your personal data; however, this is not an absolute right. We can refuse to erase personal data which we need to keep (i) to comply with a legal obligation (for instance, we are required by HMRC to keep certain personal data for up to 6 years for VAT reporting purposes); and (ii) in relation to the exercise or defence of any legal claims.
If you are a student, your school and CRAIGNDAVE Ltd must not keep personal data for longer than it is needed. Typically for schools this could mean until you are 25 years old.
If you joined a class (thereby giving your consent), a voucher was purchased by an educational establishment and assigned to you, your data will not be deleted until the establishment no longer requires your assessment and progress data. We will contact your educational establishment to authorise this if you ask us to do so, but they may refuse. If they accept we will delete your account within 30 days.
When you ask us to delete your personal data, we assume that you do not want to hear from us again. To ensure that we do not send you any communication in the future, we will retain just enough of your personal data solely for suppression purposes.
Other than as described above, we will always comply with your request and do so promptly. We would also notify any third parties with whom we have shared your personal data about your request so that they could also comply.
You have the right to move, copy or transfer your personal data from one organisation to another. If you do wish to transfer your personal data, we would be happy to help.
If you ask for a data transfer, we will give you a copy of your personal data in a structured, commonly used and machine-readable form (for instance, in a CSV file format). We can provide the personal data to you directly or, if you request, to another organisation.
Please note that we are not required to adopt processing systems that are compatible with another organisation, so it may be that the recipient organisation cannot automatically use the personal data we provide.
When making a transfer request, it would be helpful if you can identify exactly what personal data you wish us to transfer.
We will comply with your request within one month or, if the request is complex or there are a number of requests from you, within two months.
If you would like us to stop processing your personal data for marketing purposes simply change your marketing preferences from your account or contact us: [email protected]
We will provide the educational establishment with the information that is needed to facilitate an audit to show that the obligations of the Data Protection Act have been met.
Cookies are tiny text files stored on your computer when you visit certain web pages. At smartrevise.online and all its sub domains we use cookies for security purposes and to analyse system usage, health and performance.
To order products and for the operation of our products, you need to have cookies enabled.
Please note that cookies can’t harm your computer. We don’t store personally identifiable information such as credit card details in cookies we create, but we do use encrypted information gathered from them to help improve your experience of the site. For example, they help us to identify and resolve errors.
We’re giving you this information as part of our initiative to comply with the Data Protection Act, and to make sure we’re honest and clear about your privacy when using our product and services.
For more information on cookies, visit the official ICO website at https://ico.org.uk or www.whatarecookies.com.
We promise to always act within the standards set out by the Information Commissioner’s Office.
The best interest of the child is always the primary consideration when we design and develop online services likely to be accessed by a child.
We undertake our own DPIA to assess and mitigate risks to the rights and freedoms of children who are likely to access our services, which arise from your data processing. We consider differing ages, capacities and development needs and ensure that our DPIA builds in compliance with this code.
We take a risk-based approach to recognising the age of individual users and ensure we effectively apply the standards in this code to child users. We apply the standards in this code to all our users.
Access to this document is prominent within Smart Revise at the footer of every page and in clear language suited to the age of the child. We provide additional specific prompts about the sharing and use of personal data at the point that use is activated. For example, when joining a teacher’s class.
We never use children’s personal data in ways that have been shown to be detrimental to their wellbeing, or that go against industry codes of practice, other regulatory provisions or Government advice.
We uphold your the teaching standards in the UK.
Settings are always “high privacy” by default.
We collect and retain only the minimum amount of personal data needed to provide the service in which a child is actively and knowingly engaged. We give children separate choices over which elements they wish to activate. Although some autonomy is delegated to their teacher when they join a class, children can leave a class at any time.
We do not disclose children’s data unless it is in the best interests of the child. E.g., to the police to facilitate their investigations.
We do not use geolocation options other than to ascertain the date and time of day a child is using Smart Revise for the purposes of making tasks available and controlling access to data according to task deadlines.
We do not provide parental controls, but these are not necessary. There is no inappropriate or age restricted material in Smart Revise.
We do not undertake any profiling other than to determine which questions that are being answered incorrectly the most to inform teachers and for quality assurance purposes for the content of the Smart Revise platform.
We do not use nudge techniques to encourage children to provide unnecessary personal data or weaken or turn off their privacy protections.
Children may access Smart Revise on any computing device such as desktop PC, laptop, tablet or smart phone. We do not connect to any toys.
We provide prominent and accessible tools to help children exercise their data protection rights such as being able to contact us by email to delete their account and report concerns.
We may update this policy from time to time to take account of any new business activity or to reflect any changes in law or best practice in relation to data protection. We will notify you if we do so. This policy was last updated on 09/03/2024.