Data Protection

The Company known as SF Software Limited, trading as Pebble, is hereafter referred to as the Company.

The Purpose of the Data Protection Statement

We are SF Software Limited trading as Pebble (we). We provide cloud based software solutions, Tali, Trac and Till, for schools and other organisations (our Customers). This involves processing personal data of individuals (pupils, parents, guardians, and employees of our Customers) on behalf of our Customers.

This document serves as our public statement on data protection, and sets out how we process personal information of individuals in connection with the provision of our systems (Tali, Trac and Till) to our Customers as Data Processors on behalf of our Customers. It is mainly aimed at our Customers who use our Tali, Trac and Till systems, however, it may also be of interest to the individuals whose personal data we process on behalf of our Customers.

We also process certain personal data (for example, data of our website visitors and individuals who interact with us professionally) on our own behalf and for our own purposes. Such processing is not covered in this data protection statement. If you wish to learn about it, please read our Privacy Notice.

Data Protection Legislation

We are committed to protecting privacy of personal data of individuals whose information we process. Our use of personal data of individuals is subject to the data protection laws applicable in the United Kingdom, which on the data of publication of this statement includes the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 and other relevant UK and EU legislation concerning personal data (together Data Protection Legislation).

Who we are and how to contact us

When we say we, us, our or Pebble in this data protection statement, we mean SF Software Limited trading as Pebble, a company incorporated and registered in England and Wales with company number 05580540 and whose registered office is at Spaceworks, Benton Park Road, Newcastle upon Tyne, NE7 7LX.

If you have any questions about this data protection statement, please contact us either by:

1. email at data@mypebble.co.uk;
2. our online contact us form at https://www.mypebble.co.uk/;
3. phone on 0845 310 1788; or
4. post to: Pebble, Data Protection, PO Box 119, Stocksfield, NE43 7YH

Our relationships with our Customers

When a Customer (for example, a school or other organisation) chooses to engage Pebble by utilising one of our systems on offer, they remain the Data Controller of the personal data processed by Pebble (and its subcontractors). This means that the Customer is responsible for deciding how Pebble holds and uses personal information, and agrees for Pebble to perform certain processing activities (as a Data Processor) on their behalf and in accordance with their instructions.

The Data Protection Legislation specifies that processing of personal data by a Data Processor must be governed by a written contract with the Data Controller and comply with the provisions of Article 28 of the GDPR. Our data processing in connection with the provision of our systems (Tali, Trac and Till) to our Customers is governed by our Pebble Terms and Conditions which serve as a data processing contracts between Pebble and each of our Customers.

If you are an individual (data subject)

If you are a parent/guardian and our Customer (your child’s school or other organisation) uses our Tali, Trac or Till systems, we may have access to and process your personal information and that of your child as a Data Processor as part of delivering our services to that Customer. Similarly, if you are an employee or other individual authorised by our Customer to use our Tali, Trac or Till systems on their behalf, we will process your personal information as a Data Processor as part of delivering our services to that Customer.

This means that we do that on behalf of and under the instructions of our Customer who acts as the Data Controller of such personal data. We have a written contract in place with our Customers, which sets out how we must process such personal data. If you wish to exercise your data protection rights in respect of such data, you need to contact our Customer.

Personal data processed by Pebble within Tali, Trac or Till systems

• Personal data held within Tali, Trac or Till systems:
  • pupil, staff, or contact name
  • UPN (unique pupil number)
  • pupil’s class, year, and registration group
  • pupil's date of birth
  • parent/guardian contact name(s)
  • address
  • postcode
  • phone number
  • email address
  • MISID (the unique identifier in the Customer’s management information system)
  • GUID (the global unique identifier assigned by the user’s operating system)
  • school attendance
  • pupil’s premium
  • free school meals
  • contact group
  • staff contact details

• Purpose: Financial management and integrated accounting. Personal data listed above is processed to provide Customers with tools to reconcile and report upon transactional information. Personal data is required for reporting purposes and ensuring outstanding balances can be calculated, so that purchases can be applied to the correct persons.

• Data location: London, UK

• Host: Amazon Web Services (AWS). Data is held in a secure data centre in London hosted by AWS.

• Security information: Access to the system is available via https and ssh. Https is used for our clients to connect to the application. Ssh is used to enable our developers to build and improve the system.

  All communication with all of our servers uses SSLv3 or TLSv1.0 or higher. We recommend our Customers use a browser that supports the strongest protocols possible for maximum security. For reference, our Qualys SSL Reports may be found at the this link.

  Tali, Trac and Till systems **keep a daily data backup which is replicated off-site. In the event of a major loss, we are able to provision a new server and restore it with at worst one day’s data loss. The timescale for recovery depends on the exact nature of the loss of service.

  It is not possible for a user to physically remove data from Tali, Trac or Till systems. We provide the ability to “cancel” incorrect data, and provide the Customer with the reports to audit these cancellations.

  When decommissioning our hardware, our procedure includes wiping the disks of all data before returning them to our hardware provider for secure deletion.

• Data protection roles: The data in Tali, Trac and Till systems **is controlled by the Customer and Pebble is acting as a Data Processor of such data on behalf of the Customer.

  Where the Customer requires software solutions of the Customer’s other software providers to be integrated into Tali, Trac or Till systems **(for example, ParentPay or sQuid), the Customer instructs Pebble (as a Data Processor) to share the necessary personal data with the Customer’s third party provider. Such third party providers are not acting as Pebble’s subcontractors in relation to the personal data within Tali, Trac or Till systems.

• Duration of processing: Our Customers may require certain personal data within Tali, Trac and Till systems **to be held for 7 years in order to comply with their financial audit obligations. We can facilitate such storage, if the Customer requests so and continues to pay us our subscription charges. If the Customer does not renew their service subscription before its expiry, we will first contact the Customer to inform them of our intention to anonymise the personal data 30 days after the expiry or termination of their subscription. During that 30 days' grace period, the Customer will continue to have a view only access to the data and the option to use the data export feature of Tali, Trac and Till systems **to download a copy of the data. Most of the data can be exported in CSV format which might be migrated into third party applications if required, depending on the functionality of the system of the relevant third party. If the Customer does not renew their subscription before the end of the 30 days' period, we will anonymise the personal data on its expiry.

• Sub-processors: Sub-processors of personal data are third party providers, which we use to operate our business, and which may carry out specific data processing activities in connection with the provision of our services to our Customers. Our use of the Sub-processors is governed by our Pebble Terms and Conditions (our contract with the Customers). We use the following Sub-processors:

  • AWS who provide hosting services to us (as mentioned above). AWS are a US company but host personal data for us in the UK.
  • Isotoma Limited based in UK who provide IT services to us.
  • Zoom for online training for our Customers. Zoom is provided by a US company Zoom Video Communications, Inc.
  • Intercom as a messaging tool within our systems for two-way communication with our Customers, as a ticketing system for support issues raised by our Customers via email, or through telephoning our helpline, and for provision of our help articles. Intercom is provided by a US company Intercom, Inc.

  Transfers of data outside the European Economic Area are subject to special rules under the Data Protection Legislation. Those of our providers who are based in the US subscribe to the EU-US Privacy Shield framework. Transfers of personal data to US companies who subscribe to the EU-US Privacy Shield framework are deemed by the European Commission to provide an appropriate level of protection.

About integrations and third party providers

Our systems integrate with the following third party software solutions used by our Customers:

• ParentPay
• Schoolcomms
• sQuid
• GoodTill
• Capita SIMS
  
• Groupcall Xporter
  
• Nochex
• Stripe
• GoCardless

The above third party providers are not Pebble’s Sub-processors. Our Customers will have direct contracts with them which should identify the data protection roles and responsibilities of the parties. Please see each organisation link above for their data protection information.

Integrations are used to enhance the products and services we offer and improve the ways our customers transfer their data between different systems:

• ParentPay, Schoolcomms and sQuid are providers of cashless payment solutions which allow schools to send out payment offers (such as school meals and trips) to parents and parents to pay for such offers;
• GoodTill is a point of sale system that integrates with Tali and Trac systems;
• Capita SIMS is a management information system for schools; and Groupcall Xporter is a integration system for multiple management information systems;
• Nochex, Stripe and GoCardless are payment service providers that process payments. Tali, Trac and Till systems **do **not process or store any credit/debit card details.

Frequently Asked Questions

Below we have outlined key questions that our Customers will have regarding Pebble and our data protection compliance, many of which may address topics required for you to complete your data register or privacy notices.

Is Pebble the Data Processor or the Data Controller?

Primarily, Pebble is the Data Processor when our Customer engages our products to manage its customers (e.g. parents/guardians) and perform data processing tasks using Tali, Trac and Till systems. Such processing is covered by this data protection statement and our Pebble Terms and Conditions.

Pebble is also the Data Controller regarding certain data we collect on our Customers as set out in our Privacy Notice.

Where does data processed by Pebble come from?

Data processed by Pebble comes from the Data Controller (our Customer), or from other Data Processors or Data Controllers (agreed third parties) who also provide services to our Customer.

What data is used by Pebble?

Pebble processes data of both a personal and financial nature (as detailed elsewhere in this statement).

Why is this data held?

Pebble holds and processes this data to allow our Customers (Data Controllers) the ability to utilise software services purchased by them from Pebble.

Where is data held by Pebble?

Personal data processed by Pebble as Data Processors of our Customers (Data Controllers) is held by Pebble in the United Kingdom, and is not transferred outside of the European Economic Area.

Can the data be shared with others?

Data processed by us as Data Processor of our Customers (Data Controllers) will only be shared with third parties with the consent of the Customer.

For how long will the data be retained?

Pebble will not hold data for longer than is necessary according to the Information Commissioner's Office guidelines, as detailed elsewhere in this statement.

Can Pebble provide subject access?

Yes, if a data subject (e.g. parent/guardian) submits a personal data access request to our Customer in respect of data processed within Tali and Trac systems, we will provide our Customer with the required information (including a confirmation on whether or not a subject’s data is being processed, and the extent to which it is being processed).

Does the system contain personal data?

Pebble processes personal data including but not limited to names, identification numbers and location data, as detailed elsewhere in this statement.

Does the system contain sensitive data (special categories of data)?

Pebble does process information concerning minors. However, Pebble does not process “special categories of data” as defined in the Data Protection Legislation (such as data related to health or racial origins).

Can a child or teacher’s data be anonymised/erased?

Data can be anonymised upon request.

How is data anonymised/erased?

Data can, first and foremost, be easily anonymised by the Data Controller who has access to the software, any further removal of data can be done by Pebble upon request of the Customer as per guidelines of the Information Commissioner’s Office (ICO).

What should our school be doing for data protection compliance?

Specific guidance for schools and educational bodies implementing data protection compliance is available on the ICO website, however below are a few key points you will want to assess sooner rather than later:

• register with the ICO;
• appoint a Data Protection Officer (DPO), or have one appointed by your local authority;
• conduct a data audit to identify what data you hold, and where it came from;
• identify how and when data is transferred, shared or processed, and whether this operates internationally;
• review how data consent is gained, held and managed, how you verify individuals’ ages, and when you are required to obtain parental or guardian consent;
• identify how data breaches are detected, managed and reported to the ICO;
• implement procedures to comply with individuals’ rights, such as the right to erasure and access to personal data;
• implement appropriate measures to integrate data protection into your processing activities;
• identify and document the legal basis for you to process data and update any privacy policies to include this;
• ensure all Data Processors you collaborate with are data protection compliant.

For further information visit https://ico.org.uk/for-organisations/education/.

Changes to this data protection statement

This data protection statement was last updated on 20th February 2020.

We may change this statement from time to time. When we do, we will publish the new version of the policy on our website. We may also inform you via email or post.