Privacy Policy (APP)

1. Introduction

1.1    This privacy policy applies between you, the User of our Website/App, and School Synergy
         Limited, the owner and provider of this Website/App. School Synergy Limited takes the privacy
         of your information very seriously.

1.2    This privacy policy applies to our use of any and all Data collected by us or provided by you in
         relation to your use of the Website/App. School Synergy Limited acts as a Data Processor on
         behalf of the Data Controller (school) for almost all data. School Synergy performs the role of
         Data Controller with minimal data to facilitate access to the Website/App which is detailed in the
         Data Categories section.

2. Definitions

2.1   Service, we or us: School Synergy Service.

2.2   Data: All personal data collected, generated or otherwise processed by the Processor as a result
        of, or in connection with, the provision of the Service.

2.3   Data Protection Laws:

             (a)   General Data Protection Regulation (EU 2016/679) (GDPR) and any legislation which amends,
                     re-enacts or replaces it in England and Wales.

             (b)   Electronic Communications (EC Directive) Regulations 2003, together with any legislation
                    which replaces it.

             (c)   The UK’s third generation of data protection (Data Protection Act 2018).

2.4   Data Subject: An individual who is the subject of personal data.

2.5   Supervisory Authorities: Any Data Protection authority with jurisdiction over the processing of
        data.

2.6   User or You: Any third party that accesses the Website and is not either (i) employed by School
        Synergy Limited and acting in the course of their employment or (ii) engaged as a consultant or
        otherwise providing services to School Synergy Limited and accessing the Website in connection
        with the provision of such services.

2.7   Website or App: www.schoolsynergy.co.uk and any subdomains including the Synergy APP.

3. Scope

3.1   This privacy policy applies only to the actions of School Synergy Limited and Users with respect
        to this Website/App. It does not extend to any websites that can be accessed from this
        Website/App.

3.2   For purposes of the applicable Data Protection Laws, School Synergy Limited is the "Data
        Controller" for managing the login and security elements of the Website/App for data listed in
        the “Data Categories” section. This means that School Synergy Limited determines the purposes
        for which, and the manner in which, your Data is processed. School Synergy Limited acts as a
        “Data Processor” for any data that is controlled and served by each individual school.

4. Data Processing

4.1   The Processor will comply with the requirements of the Data Protection Laws in respect of the
        activities which are the subject of the Agreement and shall not knowingly do anything or permit
        anything to be done which may lead to a Data Breach or breach of the Data Protection Laws.

4.2   The Processor will only process Data to the extent it relates to the nature and purpose and the
        categories of Data Subject as set out in the Schedule and only for the duration of the contract.

4.3   The Processor will

        (a)   Only process the data in accordance with the solution and service provided and on
               agreement with the Controller.

        (b)   Inform the Controller if it believes that the Controller’s instructions infringe the Data
               Protection Laws.

        (c)   Have in place and maintain throughout the terms at all times in accordance with the then
               current good industry practice, all appropriate technical and organisational security
               measures against unauthorised or unlawful processing, use, access to or theft of the data
               including loss or destruction or damage to the data.

        (d)   Ensure that all persons authorised by the Processor to process data are bound by
               obligations and contracts.

        (e)   Ensure that data is limited to those personnel who need to access the data as part of the
               processing duties and to log all requests by the Controller for the Processor to view data
               when requested for support purposes.

4.4   The Processor will assist the Controller with appropriate audits, inspections and other information
        access requests in order for the Controller to meet their obligations.

4.5   The Processor will assist the Controller with appropriate audits, inspections and other information
        needed to ensure that both the Controller and the Processor are meeting their Article 28
        obligations from the GDPR Data Protection Laws. Requests beyond standard requests such as
        data or security forensics beyond the expected level may incur a charge to cover this cost.

5. Transfers Outside of the EU

5.1   The Processor will not process or transfer any data outside of the EU for processing.

6. Sub-Processors

6.1   The Processor will not engage any third party to carry out processing in connection with the
        Service except for those listed below

                   a)  Microsoft for provision of sending email

                   b)  SendGrid for provision of sending email

                   c)  Text Messaging Carrier

                   d)  Google Play Services (Access to the APP)

                   e)  Apple Play Store

                   f)   Expo (Development platform for the APP https://expo.dev/privacy)

                   g)   Sentry (Code management https://sentry.io/privacy/ )

7. Supervisory Authorities

7.1   The Processor will promptly provide assistance and information which is requested by any
        Supervisory Authority as required under legal obligations.

7.2   The Processor will notify the controller of any such request unless prohibited by law.

8. Records

8.1   The Processor will maintain records of all processing activities carried out on behalf of the Data
        Controller including:

                  (a) the name of the Data Protection Officer

                  (b) the different types of processing being carried out

                  (c) a description of the technical and organisational security measures in place

9. Data Subjects

9.1   On request the Processor will assist where the Controller is unable to complete tasks to comply
        with their obligations under the Data Protection Laws in relation to:

                  (a) the provision of information to Data Subjects

                  (b) the rectification of inaccurate Data in relation to a Data Subject

                  (c) the erasure of a Data Subject’s Data

10. Data Breaches

10.1   The Processor will comply with the requirements of the Data Protection Laws in respect of the
          activities which are subject to the Agreement and will not knowingly do anything or permit
          anything to be done which might lead to a breach by the Controller of the Data Protection Laws.

10.2   The Processor will immediately inform the Controller if it believes that the Controller infringes the
          Data Protection Laws.

10.3   The Processor will make any appropriate notifications to the Supervisory Authorities where
          as per the steps in the accompanied Data Breach Policy.

10.4   The Processor will make any appropriate notifications to the Supervisory Authorities where
          legally required to do so.

11. Warranties

11.1   The Processor warrants that

                (a)   It will process the Data in compliance with all applicable laws, regulations, orders and
                       standards including the Data Protection Laws.

                (b)   It will take appropriate technical and organisational measures against the unauthorised or
                       unlawful processing of Data and against the accidental loss or destruction or damage to
                       Data to ensure the Controller’s compliance with the Data Protection Laws.

                (c)   The Processor will notify the Controller immediately if it becomes aware of any
                       unauthorised or unlawful processing, loss, damage or destruction of the data.

12. Data Categories

12.1   Personal Data from the Controller’s Management Information System is processed by the
          Processor. This is transparent within the Service and includes information such as identifiable
          student, staff and parent information dependent on what module has been enabled by the school.
          The Processor aims to only process the minimum fields for the Controller to perform their
          functions whilst using the Service. Example: Name, behaviour details/points, attendance and mail/messages.

12.2   The list of fields will vary throughout the Agreement in part due to the Controller selecting their
          own user defined fields to be processed. The Processor makes the data transfer transparent.
          Authorised members of the Controller’s Data Protection team or Administrator can inspect and
          audit these directly through the Service.

12.3   Processor: Data such as

             a) IP address, browser type and O/S or device

             b) log-in data and cookies (to manage a session only)

             c) name, email, telephone

          is stored to provide the user with access to the Service and will be logged for purposes of
          security and auditing in order for the Processor to maintain expected security measures. These
          will be periodically deleted once those functions have been completed.

12.4   Controller: Data submitted by users such as mail/messages to teachers and homework including supporting documents such as
          images and files is passed to and stored with the Controller/School MIS.
          Data that is processed from and to the Controller is not accessible/used by the Processor.

Link to the Synergy APP End User License Agreement (EULA) 


Please use the Contact section if you have any queries or require further information.


Signed on behalf of School Synergy Limited
Authorised Name
Alan Cree
Position
Managing Director
Date
10/01/2024
School Synergy, Suite F19, Preston Technology Centre, Marsh Lane, Preston, PR1 8UQ. 01772 36 76 30. REGISTERED ADDRESS: 7 STATION ROAD, HESKETH BANK, PRESTON, UK, PR4 6SN COMPANY NUMBER: 10593365.