Home / ÌÇÐÄVlog´«Ã½ 3: Platform Privacy and Data Protection Information

ÌÇÐÄVlog´«Ã½ 3: Platform Privacy and Data Protection Information

SJ3: Compliance Information
SJ3: Privacy and Data Protection Information
SJ3: Cookies, Local Storage and Similar Technologies
SJ3: Platform Security & Infrastructure
SJ3: Accessibility Statement
SJ3: Sub-processors and Technical Partners

Please note that the information on this page applies specifically to the ÌÇÐÄVlog´«Ã½ 3 suite of products only, including the school CMS and related mobile apps.

Platform Privacy and Data Protection Information

The ÌÇÐÄVlog´«Ã½ platform is provided by Webanywhere Ltd and is used by schools to publish information and communicate with parents, pupils, staff, and the wider school community.

Data Protection Roles

For the purposes of the relevant data protection legislation, including the UK GDPR and the Data Protection Act 2018:

  • The School acts as the Data Controller: The school determines the purposes for which personal data is processed and the categories of information made available through the platform.
  • Webanywhere Ltd acts as a Data Processor: We process personal data on behalf of the school and in accordance with their instructions. Requests relating to personal data rights should, therefore, be directed to the relevant school in the first instance.

Platform Accounts and Authentication

User accounts for the ÌÇÐÄVlog´«Ã½ website and its native mobile applications are managed through Google Firebase Authentication. Access is secured using password-based authentication, and users are responsible for keeping their login credentials confidential.

An account is not required to browse or navigate the public website, nor is an account required for the mobile app, if the school has chosen to deploy the app in public-mode.

Data Infrastructure and Hosting

The platform is hosted using Amazon Web Services (AWS) infrastructure.

  • Data Residency: Primary storage locations are London (UK) and Dublin (EU). This ensures data remains within the UK and EEA, supporting compliance with UK data protection requirements.
  • Encryption: Data is protected via industry-standard practices, including encryption in transit (HTTPS) and encryption at rest within AWS managed infrastructure.
  • International Transfers: Where data processing involves transfers outside the UK or EEA, appropriate safeguards such as Standard Contractual Clauses (SCCs) are utilised to ensure a comparable level of protection.

Categories of Personal Data Processed

The ÌÇÐÄVlog´«Ã½ platform is designed with flexibility in mind. The volume and categories of personal data processed within the platform vary depending on how the school configures and utilises the software.

Baseline Personal Data (Essential Processing)

To ensure the secure operation, security, and administration of the ÌÇÐÄVlog´«Ã½ platform, Webanywhere processes a baseline level of personal data for all customers.

  • Administrator & User Credentials: We process the names and email addresses of authorised school website administrators and users to facilitate secure logins, manage access controls, and provide technical support.
  • Security & Technical Logs:
    • Authorised Users: The system records the IP addresses of logged-in users for security auditing and access monitoring.
    • Public Visitors: The system records the IP addresses of website visitors to generate aggregated usage statistics and to detect, prevent, or mitigate malicious activity (such as DDoS attacks or system misuse).

Additional Personal Data (Optional Controller-Defined Processing)

As the Data Controller, the school may choose to input, upload, or sync additional personal data to support school communications and operations. This might include, but is not limited to:

  • User Profiles: This typically includes names, email addresses, roles (e.g., staff, parent, student), and structural relationships (such as parent-pupil linkages).
  • School Community Content: As a website and mobile platform, ÌÇÐÄVlog´«Ã½ is used to showcase school life. The school may choose to publish additional personal data on public or restricted pages, or on their mobile app, such as:
    • Photographs and videos of students, staff, and school activities.
    • Names of individuals within the school community, such as teaching staff, governors, or others associated with school news, events, or achievements.
  • School Responsibility: The school remains entirely in control of what content is published or stored. The school is responsible for ensuring it has the appropriate lawful basis (such as consent) for publishing images or names, in line with school guidance (such as that from DfE) guidance and applicable data protection laws (such as the UK GDPR).

Special Category Data

The ÌÇÐÄVlog´«Ã½ platform is not designed or intended to actively collect or process “Special Category” (sensitive) personal data as defined under the UK GDPR (e.g., health data, biometric data, ethnic origin, or religious beliefs).

  • If a school chooses to upload, collect, or store sensitive personal information within the platform (for example, in a blog post, newsletter, or custom form), this is at the school’s discretion and remains the sole responsibility of the school as the Data Controller.

School-Specific Data Collection

Authorised school administrators may have the ability to create custom web forms, surveys, or similar tools to collect information directly from parents, pupils, and the wider school community.

  • Content & Structure: The school is solely responsible for defining the content, questions, and purpose of these forms.
  • Compliance & Consent: The school must ensure that a valid lawful basis for processing exists for any data collected via custom forms, and that appropriate privacy notices are provided to respondents at the point of collection.
  • Data Access: Access to submitted form data is strictly restricted to authorised administrative users within the school’s secure ÌÇÐÄVlog´«Ã½ administration interface.
  • Webanywhere Access: Webanywhere technical personnel will only access form submissions when strictly necessary to provide technical support, troubleshoot issues, or perform system maintenance at the school’s request.

MIS Integration

Schools may optionally integrate ÌÇÐÄVlog´«Ã½ with their Management Information System (MIS) using Groupcall Xporter.

This synchronises selected information to establish parent-child relationships, allowing for relevant, filtered communications (e.g. year-group specific updates).

Mobile App Push Notifications

To ensure parents and staff receive timely updates (such as class-specific news or urgent notices), the platform utilises secure system services for message delivery:

  • iOS Notifications: Delivered via the Apple Push Notification service (APNs).
  • Android Notifications: Delivered via Firebase Cloud Messaging (FCM).
  • Data Privacy: These services utilise unique, anonymised device tokens to route messages to the correct handset. The notification providers do not have access to the private content of the communications sent by the school.

System Monitoring, Analytics and Security

The platform maintains system logs, including IP addresses, to ensure security, stability, and performance.

  • Internal Analytics: Schools are provided with reporting tools to understand usage trends (e.g. page visits and document downloads).
  • Inspection Readiness Alerts: The platform provides high-level alerts when traffic is identified from official inspection body network ranges. This is reported at an organisational level to help schools manage their inspection workflows.
  • Audit Logs: Activity by authorised administrative users is logged for security monitoring and to detect unusual behaviour.

Data Sharing and Third-Party Services

Webanywhere Ltd does not sell personal data. Information is only shared where necessary to provide the service or where disclosure is required by law.

    • Infrastructure Providers: This includes trusted partners such as AWS (Hosting), Google Firebase (Authentication), and Groupcall (MIS Integration).
    • Webanywhere Group: Authorised personnel within Webanywhere Ltd or its group companies (including subsidiaries) may access system data where necessary for technical support, system maintenance, or operational administration.
    • Legal Disclosure: Personal data may be disclosed in response to lawful requests from regulatory authorities or law enforcement bodies.
  • Further Information: please review our Sub-processors and Technical Partners list for more information on the purpose of processing, data residency and safeguards.

Marketing and Service Communications

    • Parents and Pupils: Data relating to parents and pupils is never used for marketing or advertising purposes by Webanywhere.
    • Administrative Users: School staff may see service updates or product information relating to other Webanywhere software within the secure administrative dashboard.
  • Webanywhere Customers: Key contacts at the school such as teachers and other administrative staff may receive marketing communications about relevant services inside and outside of the ÌÇÐÄVlog´«Ã½ platform.

Data Retention and Disposal

Personal data is not retained for longer than is necessary for its intended purpose.

  • Retention Policy: In most cases, account data is retained while the relevant account remains active or while the school continues to use the platform, and then retained for a period of time after account suspension, in order to allow for restoration of service or to service school queries.
  • No Guarantee of Storage: Webanywhere Ltd reserves the right to delete data immediately upon the termination of a service or once it is no longer required for operational purposes. We provide no guarantee of long-term data archiving.
  • Legal Necessity: In specific circumstances, such as for the establishment or defence of legal claims, certain data may be retained for longer periods of time.

Data Protection Rights

Under the UK Data Protection Act 2018 and UK GDPR, you have specific rights regarding your personal information. These include the right to Access your data, Rectify inaccuracies, request Erasure (the “right to be forgotten”), Restrict or Object to processing, and the right to Data Portability.

  • How to exercise these rights: As the individual school is the Data Controller for your personal information, you should contact the school directly to make a request. The school will then liaise with Webanywhere Ltd to fulfill any relevant technical requests.
  • Subject Access Requests (SARs): If you wish to make a subject access request, please contact the school in writing. Once the school has verified your identity, they will work with our technical team to provide the relevant data within a reasonable timeframe.
  • Complaints: If you remain unsatisfied with how your data is handled, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) (www.ico.org.uk).