Privacy & Security

1.0 General

  1. Pebble take the privacy of information very seriously, and our Privacy Policy is designed to inform you the user on how we collect and process data. 

  2. This policy applies to information provided by our account holders and
    also applies to information which is processed by us on individuals collected by our customers. 

  3. SF Software is registered under the Data Protection Act 1998 and from 25 May 2018 the General Data Protection Regulation (GDPR). 

  4. Please be aware that if your data is used by an account holder using our Service we have legal obligations as the data processor but we are not the data controller.  

  5. The GDPR provides the following rights for individuals:

    1. The right to be informed

    2. The right of access

    3. The right to rectification

    4. The right to erasure

    5. The right to restrict processing

    6. The right to data portability

    7. The right to object

    8. Rights in relation to automated decision making and profiling.

  6. Pebble will comply with all rights under “1.5” above upon request, and within a reasonable timescale.

2.0 Our Services

  1. This document outlines Pebble’s privacy policy for Fund Manager and Joinos for Parents. All references to MISapp will be covered alongside Fund Manager, where appropriate. 

  2. “Pebble” is the trading name of SF Software Limited, a company incorporated and registered in England & Wales with company number 05580540 whose registered office is at Media Exchange Three, Coquet Street, Newcastle upon Tyne, NE1 2QB. Pebble is entered in the Information Commissioner’s register of data controllers with Registration number ZA025278.

3.0 Privacy

  1. This Privacy Policy provides our policies and procedures for collecting, using, and disclosing your information. Users can access the Fund Manager service and Joinos service (the “Services”) through our websites at https://apps.mypebble.co.uk, https://my.joinos.com and/or  https://joinos.com applications on Devices, through APIs, and through third parties.  

  2. A “Device” is any computer used to access the Services, including without limitation a desktop, laptop, mobile phone, tablet, or other consumer electronic device. This Privacy Policy governs your access of the Services, regardless of how you access them, and by using our Services you consent to the collection, transfer, processing, storage, disclosure and other uses described in this Privacy Policy. All of the different forms of data, content, and information described below are collectively referred to as “information.” 

  3. Pebble is committed to ensuring that your privacy is protected. Should we ask you to provide certain information by which you can be identified when using this website, you can be assured that it will only be used in accordance with this privacy policy. Pebble may change this policy from time to time by updating this page. You should check this page from time to time to ensure that you are happy with any changes. This policy is effective from 25th May 2018.

4.0 Basis for Data Processing

  1. Personal data we hold about you will be processed either because:

    1. you have consented to the processing for the specific
      purposes described in this notice;

    2. the processing is necessary in order for us to deliver our Service (i.e. to comply with our obligations under the contract between us and our account holder);

    3. the processing is necessary in pursuit of a “legitimate interest”, a legitimate interest in this context means a valid interest we have or a third party has in processing your personal data which is not overridden by your interests in data privacy and security

5.0 Data we Collect

  1. Pebble may collect and process the following personal information or data about you

    1. log-in details and information you provide as an account holder when you register with the Service

    2. “Contact Information” (for example, names, addresses, contact addresses, telephone numbers and email address provided to us by you or by your employer) we collect from you as an account holder about you or your employees

    3. Contact Information submitted by the Data Controller (Account Holder) through the use of one of the Services provided on Pupils, Parents, Guardians, Sponsors, Suppliers, Customers or other interested parties.

    4. Records of correspondence between the Account Holder and Pebble in regards to the provision or request for Services.

    5. Information relating to payment transactions which is collected where we collect payment on behalf of our account holder (but we do not collect credit card information which is sent directly from the user to our payment processor) (“Payment Information”)

    6. Information we may require from you when you report a problem or complaint (“Complaints Information”)

    7. Information processed through one or more of the Services (this may be of a financial, personal, marketing or technical nature)

    8. Preferences for us contacting users with differing communications

    9. Information relating to your usage of the Pebble products you subscribe to (this may be how and when you login, how frequently you use particular features)

  2. We store the files you upload, download, or access with the Services. You may upload data from your MIS system for use in the Services.

    1. You represent that you have the appropriate permissions and processes to transfer this data from your MIS system to Fund Manager.

  3. When you use the Service, we automatically record information from your Device, its software, and your activity using the Services. This may include the Device’s Internet Protocol (“IP”) address, browser type, the web page visited before you came to our website, information you search for on our website, locale preferences, identification numbers associated with your Devices, your mobile carrier, date and time stamps associated with transactions, system configuration information, metadata concerning your Files, and other interactions with the Service.

  4. Pebble will only ever collect any data as and when the account holder and/or users choose to supply it to us. There is no requirement for you to provide any personal information to us; however if you do it may be withdrawn or restricted upon request but our Service may not be operable in practice
    without providing such data to us.

  5. We regularly send out updates via email and other channels to help you make the most of our Service. Every now and then, we may also send you information about offers from our partners who can support your projects. We’re very careful not to send you irrelevant and annoying emails and you do have the opportunity at any time to unsubscribe.

6.0 What we do with the information we gather

  1. We require this information to understand your needs and provide you with a better service, and in particular for the following reasons:

    1. Internal record keeping.

    2. We may use the information to improve our products and services.

    3. If you agree we may periodically send promotional emails about new products, special offers or other information which we think you may find interesting using the email address which you have provided.

    4. If you agree we may also use your information to contact you for survey purposes from time to time. We may contact you by email, phone, fax or mail.

Activity

When you as the account holder register with Pebble for the provision of a Service.

Data: Login Information
Basis for Processing: Fulfilment of Service contract

Data: Contact Information
Basis for Processing: To establish necessary information to provide Service Reports

Data: Payment History
Basis for Processing: Fulfilment of Service contract

When you utilise the Fund Manager Service.

Data: Login Information
Basis for Processing: Fulfilment of Service contract

Data: User Contact Information
Basis for Processing: To establish necessary information to provide Service

Data: Pupil Information
Basis for Processing: To establish necessary information to provide Service

Data: Parent/Guardian Contact Information
Basis for Processing: To establish necessary information to provide Service

Data: Supplier/Customer Contact Information
Basis for Processing: To establish necessary information to provide Service

Data: Financial Information
Basis for Processing: To establish necessary information to provide Service

When you utilise the Joinos Service

Data: Login Information
Basis for Processing: Fulfilment of Service contract

Data: User Contact Information
Basis for Processing: To establish necessary information to provide Service

Data: Payment History
Basis for Processing: To establish necessary information to provide Service

Data: Payment Items
Basis for Processing: To establish necessary information to provide Service

Data: Financial account history
Basis for Processing: To establish necessary information to provide Service

7.0 User Content

  1. When you upload the User Content to the Services, you hereby grant Pebble (and its licensees, advertising agencies and promotion agencies) and the employees, agencies and authorized representatives of each and all of them (collectively, “Authorized Persons”), the unrestricted, perpetual, worldwide, non-transferable, royalty-free right and license to display, exhibit, transmit, reproduce, record, digitize, modify, alter, adapt, create derivative works, exploit and otherwise use and permit others to use the User Content (including, all copyrights in the User Content) in connection with the Company’s marketing, advertising and promotion of the Company and your school.

  2. By uploading User Content to the Services, you represent and warrant to Pebble that:

    1. you own all rights in the User Content or otherwise have the right to submit the User Content to Pebble;

    2. the User Content does not violate or infringe upon the rights of any third party (including, any rights of copyright, trademark, publicity or privacy);

    3. any persons identified in the User Content have consented to the submission of the User Content on the Page and further use of the User Content as contemplated herein; and

    4. the Authorised Persons’ use of the User Content in the manner contemplated above and the rights and licenses granted hereunder do not, and will not, violate any right of, or conflict with or violate any right or commitment made to, any third party and no consent or authorisation from any third party is required in connection with such use. You hereby agree to defend, indemnify and hold harmless the Authorised Persons from and against any and losses, and all claims by third parties, resulting from your breach of any of the foregoing representations or warranties.

  3. By uploading User Content to the Services, you hereby waive, release and forever discharge Pebble and each Authorised Person and each of their subsidiaries, affiliates, officers, directors, managers, members, shareholders, employees, representatives and agents from any and all rights, claims and liability relating to the use of the User Content in the manner contemplated above including, without limitation, any claims based on the invasion of privacy, commercial use of name or likeness and the right of publicity.

8.0 Security 

  1. Fund Manager is able to store pupil names, school information, address, contact details, MISID, GUID, and UPN. All of this is optional and dependent on school policy. In practice, the value of Fund Manager increases with the amount of information it processes on behalf of the school. 

  2. MISApp provides a link between your MIS system and Fund Manager only. It is designed to pull the information detailed above. At the school’s request, we can configure it to not pull:

    1. Contact Information

    2. MISID

    3. GUID

    4. UPN

    5. Contact Groups

    6. School Attendance

    7. Staff Contact Details

    8. Normally, we would recommend that MISapp is configured to pull all of this information. Current and future functionality of Fund Manager and Joinos may be dependent on this information. As stated above, this is at the school’s discretion and under your control.

  3. Joinos only stores the name and year group of pupils from Fund Manager. If parents choose to store additional personal information, then they must enter this manually into Joinos. Responsibility for this lies with the parent, and not with the school, but schools may remove this information if they consider it appropriate to do so. Parents are able to pay for trips, uniforms, school dinners etc. through Joinos. All bank details are provided to, and payments processed by, Secure Trading. Please see Further Information for details.

9.0 Confidentiality

  1. Once we receive a confirmation, we will schedule the setup and training with the school. The school’s data will be uploaded as part of this process. 

  2. The Services may store accounting information, as well as keeping a copy for auditing purposes. Schools may request a backup copy from us promptly after the end of the contract. Please see the Terms and Conditions for details. 

  3. Most reports provide a CSV export feature, which provides the data in a readable format that may be migrated into third party applications if desired, and depending of course on the functionality of the third party system in question. 

  4. When decommissioning hardware, our procedure includes wiping the disks of all data before returning them to our hardware provider for secure deletion. 

  5. All communication with all of our servers uses SSLv3 or TLSv1.0 or higher. We recommend our users use a browser that supports the strongest protocols possible for maximum security. For reference, our Qualys SSL Reports may be found at the links below:

    1. Fund Manager

    2. Joinos

  6. We share data with Google Analytics, Nochex, AWS, Stripe and Isotoma. We may share your information with another organisation in the context of any merger, including in any preceding discussions or negotiations that may or may not lead to a sale. We may disclose your information to law enforcement or regulatory bodies if required to so by them and to our auditors. We may disclose your information to a third party in the context of actual or threatened legal proceedings or if otherwise required to do so by law. We do not share any data with other third parties unless a school explicitly asks us to do this. Fund Manager and Joinos for Parents data is stored on UK based Amazon Web Services (AWS), specifically:

    1. SQS: Temporal Storage

    2. Elasticache: Temporal Storage

    3. RDS: Secured Database Service

    4. S3: File Storage

  7. Payments made to Joinos are processed by Nochex or Stripe, PCI DSS certified payment service providers. Neither Joinos for Parents or Fund Manager process or store any credit/debit card details. All transactions made through the Nochex or Stripe gateways are secure. 

  8. Please see the “Further Information” section at the end for details of these providers.  

  9. SF Software t/a Pebble takes security and data protection seriously and as a result of our dedication to online security, we recently met the payment card industry data security standard 2.0 for E-commerce. 

  10. If personal data we hold about you is subject to a breach or unauthorised disclosure or access, we will report this to the Information Commissioner’s Office (ICO). 

  11. If a breach is likely to result in a risk to your data rights and freedoms, we will notify you as soon as possible

10.0 Integrity

  1. The Services keep a daily backup which is replicated off-site. In the event of a major loss, we are able to provision a new server and restore it with at worst one day’s data loss. The timescale for recovery depends on the exact nature of the loss of service.  

  2. We will endeavour to inform users once we have the information. It is not possible for the user to physically remove data from the service. We provide the ability to “cancel” incorrect data, and provide the school with the reports to audit these cancellations. 

11.0 Availability

  1. We aim to make the Services available between the hours of 9am and 4pm, when most of our users are accessing it. Wherever possible, we schedule software updates to occur outside these hours.  

  2. As long as the school is able to access https://apps.mypebble.co.uk , https://my.joinos.com and/or  https://joinos.com and/or they are able to fully utilise the Services. All hardware and operational costs are included in the licence, which is quoted to the school. There is no additional cost incurred for accessing the Services away from your school.

12.0 Legal

  1. Our terms and conditions can be found on the Pebble website. We communicate changes on the Services dashboards. This will be covered as part of the training. All data is stored and processed in the UK.

  2. All Joinos data is stored and processed by AWS in the UK. Please see ‘Further Information’ section for details. No personal information is sent to Joinos from Fund Manager. All personal information must be explicitly inserted by the parent themselves.

13.0 Cookies

  1. Cookies are used for a variety of things to help improve your online experience which are as follows:

    1. make login faster by remembering your customer details

    2. make the page load quickly by sharing the workload across computers

    3. make sure our pages are optimised for your browser or device by giving us technical information about the device or browser you are using

14.0 Personal preferences

  1. Cookies can help give you content that matches your preferences. We might provide you with relevant offers because we know what other offers you liked. They also allow you to customise a page.

15.0 Safety and security

  1. Some cookies help make sure your information is secure when using our services while keeping our forms and shopping site easy to use.

16.0 Improving our service

  1. We also use cookies to measure and analyse how visitors use the site. This helps us develop it and make it easier to use.

17.0 Third party cookies

  1. Mypebble.co.uk uses Google Analytics to analyse the use of this website. Google Analytics generates statistical and other information about website use by means of cookies, which are stored on users’ computers. The information generated relating to our website is used to create reports about the use of the website. Google will store and use this information. Google’s privacy policy is available at: http://www.google.com/privacypolicy.html .

  2. We use the free Google Analytics tool (see http://www.google.com/intl/en_uk/analytics/ ) to collect and analyse site statistics. Google Analytics uses persistent cookies (named _utma, _utmb, _utmc and _utmzto) to track data. These cookies do not collect any personally identifiable information and are only used for the statistical collection of data such as visits and page hits. Google Analytics’ cookies store IP addresses but we cannot link those addresses to any individual or path through the website. Google uses the cookies to read information and evaluate visitors’ use of our websites in the form of statistical reports that we can access. 

  3. The Google Analytics’ code is incorporated into our websites’ code so that our sites serve the cookies, but Google has access to the cookies. You can stop being tracked by Google Analytics across all websites by going to Google’s site at: http://tools.google.com/dlpage/gaoptout .

 

18.0 Further information

  1. For details of how Nochex or Stripe uses your data, please see the respective privacy policies at https://stripe.com/gb/privacy or https://www.nochex.com/privacy-policy/

  2. Google Analytics’ privacy policy and details of Google Analytics cookie may be found at http://www.google.com/analytics/learn/privacy.html.

  3. For details of how AWS uses your data, please see section 3 (security and data privacy) of the AWS customer agreement at http://aws.amazon.com/agreement/ and the AWS privacy policy at http://aws.amazon.com/privacy/.

  4. For details of how Secure Trading uses your data, please refer to Secure Trading’s Privacy Policy.