School Leaders
Data Element | How is data collected and who is the source?
| How this information is used
| The purpose for Classroom Hero collecting this information
| Is Data shared or accessed by a service provider? (or processor)
| Where is this Data element stored or accessed by each third party/service provider that it is shared with or made available to? | Retention schedule
| Any other non-service provider third parties with access
| Technical and Security Measures
| Is Data transferred Outside of the EEA/UK and What are the transfer Mechanisms (or Safeguards)?
| What is the Article 6 lawful basis for processing this personal Data under GDPR
|
Account ID (User) | Provided by user at signup or via SSO; system-generated identifiers. | Authentication, authorization, account management. | Provide and secure access to Classroom Hero services. | Email/SSO providers as configured by the school; infrastructure hosting; support tools as needed. | Application databases; authentication/session storage as configured. | Retained for the life of the account/contract or as required by law; deletion upon request or account closure, subject to legal/financial retention. | None, unless school-configured SSO provider. | Access control, encryption in transit (TLS), role-based permissions, audit logs; least-privilege access for support. | May be processed/stored outside EEA/UK depending on hosting and third parties. Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. | Art. 6(1)(b) Contract (provide core service); Art. 6(1)(f) Legitimate interests (service improvement, security). |
Profile (role, points/levels/progress, images, settings) | Entered by user/teacher; generated during use (points, levels); images uploaded by user. | Personalization, gamified progress, subscription/feature gating, avatar settings. | Deliver core classroom engagement features; manage tiers/settings. | Infrastructure hosting; email service (e.g., transactional messaging) if configured. | Application databases; media storage for photos/avatars. | Retained for the life of the account/contract or as required by law; deletion upon request or account closure, subject to legal/financial retention. | None. | Access control, encryption in transit (TLS), role-based permissions, audit logs; least-privilege access for support. | May be processed/stored outside EEA/UK depending on hosting and third parties. Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. | Art. 6(1)(b) Contract (provide core service); Art. 6(1)(f) Legitimate interests (service improvement, security). |
Class (name, description, teacher/assistants, currency settings, logos/icons) | Created by teachers/school staff. | Classroom management, reward configuration, roster association. | Operate class features and reward systems. | Infrastructure hosting; media storage for class images. | Application databases; media storage. | Retained for the life of the account/contract or as required by law; deletion upon request or account closure, subject to legal/financial retention. | None. | Access control, encryption in transit (TLS), role-based permissions, audit logs; least-privilege access for support. | May be processed/stored outside EEA/UK depending on hosting and third parties. Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. | Art. 6(1)(b) Contract (provide core service); Art. 6(1)(f) Legitimate interests (service improvement, security). |
Notifications (content, type, meta JSON, read status) and preferences | Generated by system; preferences set by user. | Communicate relevant updates; web/email/push. | Service notifications and user preferences. | Infrastructure hosting; push/email providers if enabled. | Application databases. | Retained for the life of the account/contract or as required by law; deletion upon request or account closure, subject to legal/financial retention. | None. | Access control, encryption in transit (TLS), role-based permissions, audit logs; least-privilege access for support. | May be processed/stored outside EEA/UK depending on hosting and third parties. Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. | Art. 6(1)(b) Contract; Art. 6(1)(a) Consent for optional channels where required. |
Payment metadata (customer/checkout IDs, has_paid flag) | Provided/returned by payment processor during checkout. | Manage subscriptions and access tier. | Billing and access control. | Payment processor (e.g., Stripe via dj-stripe). | Application databases (IDs only); no card numbers stored. | Financial records retained as required by law; otherwise per account lifecycle. | None. | Access control, encryption in transit (TLS), role-based permissions, audit logs; least-privilege access for support. | May be processed/stored outside EEA/UK depending on hosting and third parties. Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. | Art. 6(1)(b) Contract; Art. 6(1)(c) Legal obligation (tax/records). |
ย
Did this answer your question?
๐
๐
๐คฉ