Privacy Policy / GDPR - GCSEPod


Office Address: UK Office:
Newcastle Enterprise Centres,
6 Charlotte Square, Newcastle upon Tyne NE1 4XF

Privacy Policy / GDPR

Who we are

Our website address is:

Privacy and Cookie notice

Click here to view our Privacy and Cookie Notice.

Click here to view our Webinar Privacy Notice.

That notice applies to personal information of which we’re a “controller” including:

  • personal information of individuals who’ve bought a subscription to GCSEPod, and
  • the contact points we have at our corporate customers such as schools.

The notice doesn’t apply to our corporate customers’ use of personal information or to our use of that personal information on the customer’s behalf, for which we’re a “processor”. Please see the next section for that.

How we process our customers’ data under GDPR

Full details on how we process data on schools’ behalf can be found in our data sharing agreement (see downloads section), but here are some technical details:

  • All student data is held within the EU (see 6.3.1 of the data sharing agreements)
  • You retain full control over what bits of data we can access
  • All data in transit is encrypted using SSL/TLS
  • Data at rest is encrypted with AES
  • All personal data is returned or destroyed (your choice) at the end of your license – if you don’t make a choice, your instructions are that we destroy it after 6 months (see 6.3.7 of the data sharing agreements).

Additionally, we are a Cyber Essentials certified provider.





What’s GDPR?

GDPR is the ‘General Data Protection Regulation’ – a European-wide law with some deliberate gaps which are plugged by the UK Data Protection Act 2018. It’s very complicated, but in basic terms, it is a strengthening of individuals’ rights in terms of what can be done by whom to their personal data. After Brexit, the GDPR will be replaced by the UK GDPR, a UK version of the GDPR.

Do I have to do anything about it?
If you’re a parent, you don’t really need to worry as the GDPR doesn’t cover purely personal or household use of data. If you’re a school or an institution that holds personal data in any form, absolutely. You need to take steps to ensure the data you hold on people is secure and minimised, and that the person in question is aware of what data you have on them for what purpose. You also need to ensure that any organisations you use to process (that is to say, interact with in any way) that data are up to scratch. Like us!

So, what are you allowed and not allowed to do in principle?
There are lots of requirements. A key one is that you need to tell people exactly what’s going to happen to their data and make sure you have consent or another legal basis for using it. If the data is sensitive, you need a second legal basis on top of the first one.

So if a school wants to use GCSEPod, GCSEPod needs to ask every student for consent?
No. We don’t control the data, we process it on your behalf. If you use GCSEPod, it is your responsibility to identify which legal basis you will rely on, whether that’s consent or another legal basis from GDPR. We can’t advise you on that.

Is there a document that lays out what you do with data in full?
Yes! It’s called a data sharing agreement or a DSA, and you get one as part of the setup process. This FAQ is intended only as a primer before you read the more in depth version. You can download a copy from this page.

How and where is our data stored, and what security is used to ensure its safety?
Your data is stored in an Amazon Web Services (AWS) datacentre in Dublin, Ireland. Here’s a link to the AWS white paper on security:

Here are some of our general security measures:

  1. Access to administrative functions is restricted to authorised individuals in the office and operatives in specific remote locations through the firewall
  2. Database access is restricted to internal servers only, with a proxy for remote management
  3. Web traffic is transferred over HTTPS
  4. Passwords are stored using one-way encryption
  5. Servers are kept up to date with the latest security fixes

How long is personal data kept?
At the end of your subscription, we can destroy or return the data as you choose. The data sharing agreement says that if you don’t make that choice, your instructions are that we are to destroy the data after 6 months.

How is the data destroyed when no longer needed?
All personal data is anonymised so that it’s completely impossible to tie an individual to any remaining data (like number of Pods watched). This renders it inert for GDPR’s purposes.

How do schools access the relevant data sharing agreements?
Your data integration service (Wonde/XoD) displays the data sharing agreement during the setup process. Or you can download it from this page.

What data does GCSEPod need from Wonde and XoD?
GCSEPod needs user data. Some of it is mandatory (e.g. to set up user accounts); other data is optional, depending on what schools want to measure: it may be useful to the school for marking and reporting on usage, but it is not necessary. The data sharing agreement has a list of data and how it’s used in GCSEPod.

What else do I need to know about you?

Office Address: UK Office:
Newcastle Enterprise Centres,
6 Charlotte Square, Newcastle upon Tyne NE1 4XF


ICO registration number: Z1442893