BounceTogether and Privacy

Last Updated: 31st July 2023

Our commitment to data protection

We are committed to protecting the data of our customers and of individuals. Bounce Together Ltd have taken several steps, including organisational and technical measures to ensure the data we are processing on behalf of our customers is secured at all costs and doesn't fall into the wrong hands. This page summarises our ongoing commitment to GDPR and data protection.

How do we protect customer data

Organisational Measures

  • Conduct reviews around the legal basis for all personal data processing to make sure that have any appropriate consent in place
  • Embedding 'data protection by design' into our business and development practices
  • Define and execute a schedule for reviewing our standardised policies and procedures to ensure that we are complaint with GDPR
  • Training schedules for staff to ensure knowledge of cyber security, data protection and UK law is kept up to date
  • We have a named, in-house Data Protection Officer

Technical Measures

  • We use a reputable, SOC2 and ISO:27001 accredited hosting provider - Microsoft Azure
  • Encryption is applied to every incoming/outgoing connection and the database is encrypted at rest and in transit
  • We support industry methods of Single-sign-on
  • Access control, auditing and authorisation policies
  • Continuous network/security monitoring
  •  Microsoft Azure, who physically secure the data, employ industry standard techniques to keep it safe and secure (read more in their technical documentation)
  • All personal data that we store is held within the United Kingdom and will never leave the European Economic Area (EEA)

Controllers, Processors and Personal Data

It was a positive step forward when GDPR was introduced on the 25th May 2018. It requires Data Controllers and Data Processors, by law, to ensure that processes and technologies meet specified requirements and gives organisations and individuals transparency around the use of their own data. There are 3 key terms used frequently within our policy documentation and this page.

Personal Data is any type of data that can be used to directly or indirectly identify an individual. Some examples include a name, address, as well as IP address or user name.

Data Controller is a person, company or other entity that determines the purpose and means of processing personal data. They determine what data is extracted, the purpose it is used for and who is allowed to process the data. In the case of BounceTogether, the school is the data controller.

A Data Processor is a person, company or other entity which processes personal data on the data controller's behalf. Bounce Together Ltd is the data processor of the data made available in our software products purchased by the school. We are trusted with this personal data but do not control what happens with it.

Subject Access Requests and The Right to be Forgotten

The right of access (commonly referred to as "subject access") gives an individual the right to obtain a copy of their personal data to help them understand how and why you are using their data. In the product provided by Bounce Together Ltd, we provide a means of authorised individuals to supply this directly. For any assistance concerning a Subject Access Request, please get in touch.

The Right to be Forgotten (also known as the "right to erasure") is a right given to an individual under the GDPR to have their personal data erased upon request. If you require assistance with a right to erasure request that concerns Bounce Together, please contact us.

Documentation Index

We appreciate that our customers take their own due diligence concerning the review of software that they use. We aim to support our customers with these reviews and make our information/documentation as available and as readable as possible.

Document
Description
Link
Privacy policy
This document explains how and why we use the data collected from our customers, when you sign up to use BounceTogether.
Terms of use
This document covers the terms under which you use the BounceTogether platform. It also includes a great amount of detail/information concerning data protection and security.
Data sharing agreement
The data sharing agreement applies to every customer using Groupcall Xporter on demand and details the terms under which they will share this data with BounceTogether.
Cookie policy
Our cookie policy detailing the types of cookies we use and how/why we use them.

Frequently Asked Questions

What is your purpose for processing data?

BounceTogether collects personal data to provide a school with what it requires in order to be able to run unlimited digital surveys across school. We only collect the minimum data that's necessary allowing us to fulfil the contract and deliver the solution to the school. The data collected is used to provide the customer with:

Provisioning user accounts on the platform
Reporting on year, class and demographics
User identification
Identification and set up

The entire set of fields is disclosed to you as part of the set up process/data sharing and you have granular access in controlling who is provisioned on BounceTogether (i.e. down to pupil level through a consent process). See more information in our data-sharing agreement.

Are you a data controller or processor?

Bounce Together Ltd is the data processor of the data made available in our software products purchased by the school. We are trusted with the data but do not control it. The school is the data controller.

What data do you require from our school management system (MIS)?

We require a small set of data enabling us to set up BounceTogether for you to use. You are able to see the full set of data/fields that we require when you share your data. We use GroupCall Xporter On-demand to faciitate this data sharing, which gives you full visibility on the data that is shared and enables you to revoke access at any time.

How long do you store this information for and when is it deleted?

We only retain personal data on behalf of the school for the duration of their contract with us. In most cases the contract term is 12 months. In the event the contract ends, all personal data is deleted.

Where is the data stored?

The data is securely stored in Microsoft’s Azure data centres (UK – South and West).

What is your lawful basis for processing?

Our lawful basis for processing is granted to Bounce Together through a consent/data sharing process, which enables us to deliver the service/platform to you as detailed in the contract/terms of use.