What is Smartgrade?

Smartgrade is a secure, cloud-based platform that helps schools and MATs to create, share and analyse more reliable assessments.

1. Introduction

Privacy and security are at the heart of everything we do at Smartgrade, and our approach incorporates data protection by design and default. This statement explains the key measures we’ve put in place to ensure that a school’s data is kept secure and processed appropriately at all times. It also covers our commitments to you, and what we expect from schools in terms of privacy and data protection.

2. Our Principles

We:

• Process the data received from schools for the purposes of education and school improvement only, and only for those purposes necessary to provide the service explicitly offered to schools.
• Adhere strictly to the terms of the General Data Protection Regulation (GDPR) as it applies in the UK, tailored by the Data Protection Act 2018.
• Only store and process the minimum data required to provide our services.
• Transport and store all personal data originating from schools using modern and best practice encryption technologies. This includes Secure Socket Layers (SSL/TLS) for encrypted data transfer over the internet, encryption of all data at rest, password-protected identities for all end users, and variable permissions according to the user's role.
• Comply with all Subject Access Requests made relating to the data We store.
• Ensure the data We hold about you is correct.
• Only retain data for as long as required, and delete all your data if you ask us to do so.
• Ensure that all data is held securely by taking steps so that data is not corrupted or lost.
• Aggregate and analyse anonymised data for the purposes of standardising assessments, to improve the quality of assessments on the platform, to offer benchmarking information to other schools, or to contribute to important assessment research.
• Always maintain adequate liability insurance.
• Audit our services against this pledge periodically and provide evidence of compliance to the other party whenever requested.
• Report any significant breaches of security to the Data Controller, the Information Commissioner’s Office (ICO) and other authorities, and, in co-operation with the Data Controller, to Data Subjects without undue delay and within 72 hours.
• Make this Privacy Policy clearly and publicly available on our website.

We DO NOT:

• Store or transport personal data outside of the EEA or outside of countries which are granted to have Adequate Levels of Protection as defined by the European Commission.
• Share your data with any third parties except where explicitly requested by you or required by law.
• Use Your data, made available via the Smartgrade platform, for the purposes of advertising or marketing, or for any purpose other than the service explicitly provided to You.
• Transport personal data originating from schools in an unencrypted format.
• Claim ownership or exclusive rights over any of the data processed or created as part of services provided to You.
• Share information with other third parties except where specifically agreed by the Data Controller or where required by law.
• Change any applicable terms of service without giving You the opportunity to opt-out of such changes.

3. Security and Encryption

We take every reasonable measure to ensure we store data securely. The Smartgrade platform is developed using secure technologies, which include, but are not limited to the following:

• All personal Smartgrade data is stored and transported within the EEA or countries which are granted to have Adequate Levels of Protection as defined by the European Commission.
• All internal and external data transmissions to and from the Smartgrade Platform are encrypted using modern SSL/TLS protocols and ciphers via secure REST APIs.
• Data is encrypted at rest (i.e. when stored on a disk or laptop).
• We use encrypted passwords with variable permissions according to the user’s role for access to all sensitive information.

4. Staff access to data

Smartgrade does not look "under the hood" or inspect any of the data we store. The only exceptions to this are where a school has explicitly given us permission to inspect their data; to provide technical support following an enquiry from a school; or to correct a technical problem.

All our staff and subcontractors are required to agree that they will abide by a Security and Data Protection Policy at all times.

5. Deleting and Retaining Data

We retain personal data on our platform for as long as necessary to provide the Smartgrade service. If a school ceases to use Smartgrade, we delete their personal data within 4 months of the contract concluding, or within 5 working days of a request to delete personal data, whichever is sooner. We will also delete all personal and sensitive data relating to former students automatically on their 25th birthday, regardless of whether a school has asked us to do so. We keep point-in-time backups for up to 30 days and weekly backups for up to 150 days. We also keep logs of user interactions with the platform for up to 18 months.

6. Assessments created on our platform

Assessment Publishers retain ownership of all assessments and/or assessment templates they create and share using our platform. All users creating assessments on the site are responsible for ensuring that they have the necessary rights and permissions to use and share those assessments. Assessment owners may withdraw their assessments from the Marketplace at any time, in which case they will cease to be available to users from that point onwards. However, any assessments that had already been assigned to classes by a user at the point of removal will remain available to that user indefinitely for marking and analysis.

7. Security Breaches

We take all reasonable and necessary precautions to ensure that your data is secure and to recognise and then mitigate the risks to security and privacy. However, it is not possible to 100% guarantee the security of any data transmitted or stored electronically. In the event that a significant breach of security or privacy did occur, Smartgrade will contact the Data Controller of the affected data, and inform the Information Commissioner's Office (ICO), and other authorities without undue delay and within 72 hours.

8. Purpose of data processing and legal basis for processing

As the Data Controller, it is Your responsibility to ensure that You can engage with Smartgrade in accordance with the Data Protection Act and that Data Subjects are suitably informed about Data Processing services such as Smartgrade, that the school chooses to use. This should include an explanation of how personal and sensitive personal data is processed lawfully, fairly and in a transparent manner. You should also be clear on Your basis for collecting and sharing data, and must satisfy the relevant legal basis and permission standards in each case.

The categories of personal data we process and the purposes for doing so are as follows:

‍Staff names

• To provision accounts.
• To distinguish between teachers in school and MAT accounts.
• To assist with the provision of an education to students.
• To contact you with important updates regarding the product.

Staff contact information

• To provision accounts.
• To distinguish between teachers in school and MAT accounts.
• To assist with the provision of an education to students.
• To contact you with important updates regarding the product.

Student names

• To distinguish between students in a teacher's class.
• To assist with the provision of an education to students.

Student date of birth (optional)

• To calculate age related attainment and progress.

Student emails

• To provision online student accounts and allow students access to accounts.

Student demographic information: Gender, English as an Additional Language, FSM, Pupil Premium, SEN status, Ethnicity (optional), LAC status (optional)

• To allow for grouping and analysis in the markbook and analytics module.
• Ethnicity and LAC status are considered sensitive categories of data, and extra controls on use are therefore in place. Analysis is only available to those users who have the requisite permission applied to their account by a system administrator’.
• To assist with standardisation.

Student teaching group / Year Group / Subject

• To allow for grouping and analysis in the markbook and analytics module.

Student UPN / MIS ID

• To allow for matching of students in the Smartgrade database with school records on export.

Student Prior Attainment

• To allow for grouping and analysis in the markbook and analytics module.
• To assist with standardisation.

IP addresses

• To identify trusted and frequently used devices.
• To track a user’s interaction with the website for analytics, support and product optimisation.
• To assist with the provision of an education to students.
• To monitor and prevent malicious usage or attacks.

9. Data sharing

We may share data with the following companies if such a need arises and within the terms laid out by this policy:

• Amazon Web Services (cloud hosting) for the purposes of application hosting.
• Aircury (software development agency) for the purposes of product development and support.
• Google Analytics (marketing website analytics) for the purposes of analysing website traffic.
• Zendesk (product support) for the purposes of supporting users.
• Pipedrive (CRM and communications) for the purposes of managing and contacting current and potential customers.
• Clarity (marketing website analytics) for the purposes of analysing website traffic.

We access MIS information from schools via Wonde, the third party MIS integration service.

We may share anonymised, aggregated results data linked to the school name with Assessment Publishers, to assist them with managing and developing their programmes. No personally identifiable or pupil level data will ever be shared with Assessment Publishers.

Providing an administrator has enabled the feature, you can log in to Smartgrade via School or MAT account with Google or Microsoft. We will not collect the password that you use for the relevant platform, but we may send and receive access details from your account with the platform, such as username and email address.

If your organisation has requested the feature, students can also access Smartgrade via our iPad app. The only data collected by the app is test responses.

10. Information for students and parents/guardian

Smartgrade, as the Data Processor, only has access to Personal Data or Sensitive Personal Data as requested by the school, as Data Controller, and only for the purposes of performing services on a school's behalf.

Your child's school remains the Data Controller of any pupil data we process. If you have questions about your or your child’s data or how your school is making use of our service, please contact the school directly. Any pupil or parent/guardian enquiries we receive will be directed to the relevant school as the Data Controller for that child’s or parent's/guardian's data.

General Website Privacy

11. Cookies

A cookie is a string of information that a website stores on a visitor’s computer. Smartgrade uses cookies for purposes such as helping us to identify and track visitors’ usage and preferences. You can disable cookies in your browser if you wish to, although this may mean that some features of our website do not work as they should.

12. Communication

If you have expressed interest in Smartgrade on the Smartgrade website or signed up as a Smartgrade customer, and have supplied your email address, we may occasionally send you an email to tell you about new features, ask for feedback or keep you up to date with our products. If you no longer wish to be included on these communications, then You can opt out using the links on those communications, or email hello@smartgrade.co.uk and we will remove you from the list.

13. Third Party Websites

We cannot be responsible for the privacy policies and practices of other sites even if you access them using links on our website. We recommend that you check the policy of each site you visit and contact the owner or operator if you have any questions or concerns.

If you access our Website from a third party site, we cannot be responsible for the privacy policy and practice of that third party site and recommend that you check the policy of that third party site and contact the owner or operator if you have any questions or concerns.

14. Questions and Grievances

If you have any questions or grievances in relation to security or privacy, please email us on hello@smartgrade.co.uk.

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

‍

This Change Log records all changes made since October 31st 2022. It was last updated on 30th April 2025. We review this policy regularly (and at least annually).

30th April 2025

• Section 5 was updated to add the following text:
  • We keep point-in-time backups for up to 30 days and weekly backups for up to 150 days. We also keep logs of user interactions with the platform for up to 18 months.

24th January 2025

• Section 9 updated to clarify Google Analytics and Clarity use for marketing website (www.smartgrade.co.uk) only.
• Section 9 removal of Mailchimp as the communications platform.
• Section 9 amended the following text: Pipedrive (CRM and communications) for the purpose of managing and communicating with current and future customers.

21st November 2024

• Section 9 updated to add the following text: Clarity (Website Analytics) for the purposes of monitoring website traffic.

1st February 2024

• Section 5 updated to add the following text:
  • We retain personal data on our platform for as long as necessary to provide the Smartgrade service. If a school ceases to use Smartgrade, we delete their personal data within 4 months of the contract concluding, or within 5 working days of a request to delete personal data, whichever is sooner. We will also delete all personal and sensitive data relating to former students automatically on their 25th birthday, regardless of whether a school has asked us to do so.
  • Previously data deletion was always within 5 days of the contract concluding. However, we have found that some customers change their mind about cancellation, and so this updated policy provides more flexibility to reinstate school data in such circumstances, while still allowing for deletion within 5 days should that be desired.
• Section 9 updated to add the following text: Pipedrive (CRM) for the purposes of managing customer relations.

7th September 2023

• Section 9 updated to add the following text:
  • We may share anonymised, aggregated results data linked to the school name with Assessment Publishers, to assist them with managing and developing their programmes. No personally identifiable or pupil level data will ever be shared with Assessment Publishers
  • If your organisation has requested the feature, students can also access Smartgrade via our iPad app. The only data collected by the app is test responses.

16th February 2023

• Privacy policy website area updated to split the Glossary of Terms and Privacy Policy to separate tabs and add this Change Log
• Glossary of Terms updated to add the following:
  • Assessment Publisher. Any School, MAT or Third Party Vendors creating an assessment on the Smartgrade platform.
• Section 6 updated from:
  • Schools and MATs retain ownership of all assessments to Assessment Publishers retain ownership of all assessments

• Section 9 updated to add the following text:
  • We may share anonymised, aggregated results data linked to the school name with Assessment Publishers, to assist them with managing and developing their programmes. No personally identifiable or pupil level data will ever be shared with Assessment Publishers

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.

‍