Privacy Policy

1.Introduction and Scope

1.1 Stratagem Education Ltd, trading as “Lens School Evaluation” (“we”, “us”, “our”, the “Supplier”), a company registered in England and Wales under company number 13792467 with its registered office at Cae Knovil, Llandenny, Usk, Monmouthshire, NP15 1DL, provides a self-evaluation SaaS platform for primary schools (the “Service”).

1.2 This Privacy Policy explains how we collect, use, store, share, and protect data when you use our Service. It should be read in conjunction with our Terms of Service.

1.3 This policy applies to all users of the Service, including headteachers, senior leaders, teaching staff, governors, and other authorised personnel (“Authorised Users”).

1.4 By accessing or using the Service, the Customer and its Authorised Users acknowledge that they have read, understood, and agree to the data practices described in this policy.

2.Data Protection Roles and Responsibilities

2.1 The subscribing school (the “Customer”) is the Data Controller for the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. The Customer determines the purposes and means of processing personal data entered into the Service.

2.2 Stratagem Education Ltd acts as a Data Processor, processing personal data on behalf of the Customer strictly in accordance with the Customer’s documented instructions, this policy, and our Terms of Service.

2.3 The Customer is solely responsible for: (a) ensuring it has a lawful basis for processing any personal data entered into the Service; (b) ensuring the accuracy and relevance of data entered; (c) informing its Authorised Users and any relevant data subjects about how their data will be processed; and (d) responding to any data subject access requests or other rights requests relating to data for which it is the Controller.

2.4 We shall assist the Customer in responding to data subject requests and meeting its obligations under the UK GDPR, to the extent reasonably practicable and at the Customer’s cost where such assistance requires significant effort.

3.Data We Collect and Process

3.1 We collect and process the following categories of data:

Category	Data Elements	Lawful Basis
Account Information	Name, email address, school name, role/job title of registering users	Performance of contract (Art. 6(1)(b) UK GDPR)
Self-Evaluation Content	Text, judgements, notes, reports, and other content created by Authorised Users within the Service	Performance of contract (Art. 6(1)(b) UK GDPR)
Usage Data	Login times, pages visited, feature usage, browser type, IP address, device information	Legitimate interests (Art. 6(1)(f) UK GDPR) — service improvement and security
Payment Data	Billing contact details, transaction history (card details handled solely by Stripe)	Performance of contract (Art. 6(1)(b) UK GDPR)
Support Data	Name, email, content of support enquiries	Legitimate interests (Art. 6(1)(f) UK GDPR) — customer support

3.2 We do not knowingly collect personal data directly from children or pupils. The Customer warrants that it shall not upload any personal data relating to identified or identifiable pupils or students to the Service.

4.Data We Do Not Collect

4.1 The Service is designed exclusively for school leadership self-evaluation purposes. It does not collect, store, or process: (a) individual student data or pupil-level information; (b) special category data within the meaning of Article 9 of the UK GDPR (including data concerning health, racial or ethnic origin, religious or philosophical beliefs, or biometric data); or (c) criminal conviction data within the meaning of Article 10 of the UK GDPR.

4.2 If the Customer or any Authorised User uploads data falling within any of the categories described in clause 4.1 in breach of this policy and our Terms of Service, the Customer shall bear sole responsibility for such processing and shall indemnify us against all liabilities, costs, expenses, damages, and losses arising from such breach, including any regulatory fines, penalties, or enforcement action.

5.Data Storage, Location, and Security

5.1 All Customer Data is hosted on DigitalOcean infrastructure located entirely within the United Kingdom. Customer Data does not leave UK servers for primary storage purposes.

5.2 Notwithstanding clause 5.1, the use of Third-Party Processors (as described in clause 6) may involve the transfer or processing of limited data outside the United Kingdom, subject to appropriate safeguards including Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms as required by the UK GDPR.

5.3 We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including:

1. encryption of data in transit (TLS) and at rest;
2. role-based access controls and multi-factor authentication for administrative access;
3. regular security reviews, vulnerability assessments, and penetration testing;
4. incident response procedures;
5. access logging and monitoring;
6. regular software updates and patch management; and
7. staff training on data protection and information security.

5.4 While we take all reasonable steps to protect data, no method of electronic transmission or storage is completely secure. We do not warrant or guarantee the absolute security of data transmitted to or stored within the Service, and the Customer acknowledges this inherent risk.

6.Third-Party Sub-Processors

6.1 We use the following third-party sub-processors in delivering the Service. The Customer hereby provides general authorisation for the use of these sub-processors:

Processor	Purpose	Data Processed	Location
OpenAI	AI-powered document processing and advisory content generation	Self-evaluation content submitted for AI processing only	USA (with SCCs)
Stripe	Payment processing, subscription management, and invoicing	Payment card details, billing address, transaction history	USA/EU (with SCCs)
Zoho	Customer support desk and enquiry management	Name, email, support enquiry content	EU/USA (with SCCs)
QuickBooks (Intuit)	Accounting, financial record-keeping, and invoicing	Billing contact details, invoice data, payment records	USA/EU (with SCCs)
Google Workspace	Internal business operations, communications, and file management	Customer contact details, correspondence, operational documents	Global (with SCCs and adequacy decisions)
DigitalOcean	Cloud hosting and infrastructure	All Customer Data (as host)	United Kingdom (US-based provider operating UK-resident infrastructure)

6.2 Where data is sent to OpenAI for processing, it is limited to the specific content being analysed at the time of the request. We do not permit OpenAI to use Customer Data for model training purposes. All AI-generated suggestions are presented to the Authorised User for review and approval before being committed.

6.3 Payment card details are handled entirely by Stripe and are never stored on our servers or infrastructure.

6.4 Each sub-processor’s processing is governed by their respective data processing agreements, which incorporate appropriate safeguards for international data transfers where applicable.

6.5 We shall notify the Customer of any intended changes to our sub-processors, giving the Customer the opportunity to object to such changes. If the Customer objects on reasonable data protection grounds and we cannot accommodate the objection, either party may terminate the Agreement in accordance with the Terms of Service.

6.6 We shall remain liable to the Customer for the acts and omissions of our sub-processors to the extent required by the UK GDPR, but subject to the limitations of liability set out in our Terms of Service.

7.How We Use Data

7.1 We process data solely for the following purposes:

1. providing and operating the Service as described in our Terms of Service;
2. generating self-evaluation reports and AI-powered insights on behalf of the Customer;
3. communicating with Customers about their account, subscription, billing, and Service updates;
4. providing customer support;
5. improving the Service through aggregated, anonymised usage analytics that do not identify any individual or school;
6. ensuring the security and integrity of the Service; and
7. complying with our legal and regulatory obligations.

7.2 We shall not process Customer Data for any purpose other than those set out in this policy and as instructed by the Customer, unless required to do so by applicable law, in which case we shall (to the extent permitted by law) inform the Customer of that legal requirement before processing.

8.Data Sharing and Disclosure

8.1 We do not sell, rent, trade, or share Customer Data with third parties for marketing, advertising, or any commercial purpose unrelated to the provision of the Service.

8.2 We may disclose Customer Data: (a) to our sub-processors as described in clause 6, solely as necessary to operate the Service; (b) if required by law, regulation, court order, or governmental or regulatory authority; (c) to enforce our Terms of Service or protect our rights, property, or safety; or (d) in connection with a merger, acquisition, or sale of all or substantially all of our assets, in which case we shall notify the Customer.

8.3 We may share anonymised and aggregated data that does not identify any individual or school for the purposes of analytics, benchmarking, research, and product improvement.

8.4 For the purposes of this Policy, “anonymised” means processed in such a way that the data no longer relates to an identified or identifiable natural person and re-identification is not reasonably possible, in line with guidance issued by the Information Commissioner’s Office on anonymisation.

9.Data Retention

9.1 Customer Data is retained for the duration of the active Subscription.

9.2 Upon termination or expiry of the Subscription, the Customer may request an export of their Customer Data in a standard machine-readable format within sixty (60) days of termination.

9.3 After the sixty (60) day post-termination period, we shall securely delete or anonymise all Customer Data in our primary systems. Residual copies in encrypted backups shall be overwritten in the normal course of backup rotation and shall not be actively processed.

9.4 We may retain limited data (such as billing records and correspondence) for longer periods where necessary to comply with legal, tax, or regulatory obligations, or to establish, exercise, or defend legal claims.

9.5 Usage data and anonymised analytics data may be retained indefinitely as it does not constitute personal data.

10.International Data Transfers

10.1 Where the use of sub-processors involves the transfer of personal data outside the United Kingdom, we ensure that appropriate safeguards are in place in accordance with Chapter V of the UK GDPR, including: (a) transfers to countries subject to an adequacy decision by the UK Secretary of State; (b) the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; or (c) other lawful transfer mechanisms.

10.2 The Customer may request a copy of the relevant transfer safeguards by contacting us at the address set out below.

11.Data Breach Notification

11.1 In the event of a personal data breach (as defined in the UK GDPR), we shall notify the Customer without undue delay upon becoming aware of the breach, and in any event within seventy-two (72) hours where feasible.

11.2 Such notification shall include, to the extent available: (a) the nature of the breach, including the categories and approximate number of data subjects and records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to address the breach; and (d) the name and contact details of our designated point of contact.

11.3 The Customer, as Data Controller, is responsible for assessing whether a breach is notifiable to the Information Commissioner’s Office (ICO) and/or affected data subjects, and for making any such notifications. We shall provide reasonable assistance to the Customer in meeting these obligations, at the Customer’s cost where such assistance requires significant effort.

12.Data Subject Rights

12.1 Data subjects (including Authorised Users) have the following rights under the UK GDPR, exercisable against the Customer as Data Controller:

1. the right of access to their personal data;
2. the right to rectification of inaccurate personal data;
3. the right to erasure of their personal data (subject to lawful grounds for continued processing);
4. the right to restriction of processing;
5. the right to data portability;
6. the right to object to processing; and
7. rights related to automated decision-making and profiling.

12.2 The Customer is responsible for responding to data subject requests. We shall provide reasonable technical assistance to enable the Customer to fulfil such requests, to the extent that the request relates to data processed within the Service.

12.3 If we receive a data subject request directly, we shall promptly redirect the request to the Customer and shall not respond to the data subject without the Customer’s prior authorisation, unless required by law.

13.Cookies and Similar Technologies

13.1 The Service itself (the Lens platform accessed at app.schoolevaluation.co.uk) uses only strictly necessary cookies for authentication, session management, and security purposes. These cookies are essential for the operation of the Service and do not require prior consent under the Privacy and Electronic Communications Regulations 2003 (PECR).

13.2 The Service does not place any third-party advertising cookies, tracking cookies, or analytics cookies on its users.

13.3 Our marketing website (schoolevaluation.co.uk) uses Google Analytics to understand how visitors interact with our public pages. The Google Analytics cookies are third-party cookies that require prior consent under PECR. Consent is requested via a cookie consent banner the first time a visitor lands on the site, and the cookies are not set until the visitor accepts. Visitors who decline consent are not tracked by Google Analytics and no third-party analytics or advertising cookies are placed on their device.

13.4 The cookie consent banner on our marketing website is provided by CookieYes. Visitors can review or change their cookie preferences at any time via that banner.

14.Data Protection Impact Assessments

14.1 We shall provide reasonable assistance to the Customer in conducting data protection impact assessments (DPIAs) and prior consultations with the ICO, where required by the UK GDPR in relation to the Customer’s use of the Service, at the Customer’s cost where such assistance requires significant effort.

15.Audit Rights

15.1 We shall make available to the Customer, on reasonable written request and subject to appropriate confidentiality obligations, such information as is reasonably necessary to demonstrate our compliance with our obligations under this policy and the UK GDPR.

15.2 The Customer’s audit rights are subject to the following conditions: (a) the Customer shall provide at least thirty (30) Business Days’ written notice; (b) audits shall be conducted no more than once per calendar year; (c) audits shall be conducted during normal business hours and shall not unreasonably disrupt our operations; and (d) the Customer shall bear all costs of the audit. We may, at our discretion, satisfy audit requests by providing certifications, audit reports, or third-party attestations.

16.Limitation of Liability for Data Processing

16.1 Our liability in respect of data processing under this policy is subject to the limitations of liability set out in our Terms of Service. In particular, we shall not be liable for any loss or damage arising from: (a) data uploaded by the Customer in breach of this policy or the Terms of Service; (b) the Customer’s failure to maintain adequate security of its account credentials; or (c) the Customer’s failure to comply with its obligations as Data Controller. For the avoidance of doubt, our liability for the acts and omissions of our Third-Party Sub-Processors is governed by clause 6.6 and applicable law.

17.Changes to This Policy

17.1 We may update or amend this policy at any time. We shall notify the Customer of material changes at least thirty (30) days before they take effect.

17.2 Continued use of the Service after such notice period shall constitute acceptance of the amended policy. If the Customer does not agree to any material changes, the Customer’s sole remedy is to terminate the Subscription in accordance with the Terms of Service.

17.3 We recommend that the Customer reviews this policy periodically to remain informed of any updates.

18.Complaints

18.1 If the Customer or any data subject has a concern about our data processing practices, they should contact us using the details set out below.

18.2 Data subjects also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk or by calling 0303 123 1113.

19.Contact

For questions about this policy, to exercise data rights, or to report a data concern, please contact us at: