MATHS CIRCLE LIMITED - PRIVACY NOTICE FOR TEACHERS, PARENTS, CARERS AND TUTORS

Last updated: November 2023

ABOUT OUR PRIVACY NOTICE

Maths Circle Ltd (“we” or “us”) is committed to protecting and respecting the privacy, safety and security of our registered (and prospective) users, including pupils, teachers, school administrators and parents (together “Users”). This notice (together with our terms and conditions of use) explains in plain language who we are, how we collect, share and use personal information about you, and how you can exercise your privacy rights whilst using our products. Please read this notice carefully to understand how any personal information is used. If you have any questions or concerns about our use of your personal information, then please contact us using the contact details provided at the bottom of this Privacy Notice.

Depending on the circumstances, we may process Personal Information either as a Service Provider/Processor or as a Controller, as defined in the UK GDPR, EU GDPR and CCPA.

A child-friendly version of this Privacy Notice is also available on our website.

ABOUT MATHS CIRCLE LTD

Maths Circle Ltd (Company Number: 09861676) is a UK-based company which produces maths resources (both online and paper based programmes) for schools and families. We currently have two products: Times Tables Rock Stars and NumBots.

Times Tables Rock Stars is a carefully sequenced programme to boost times tables recall and maths confidence (comprising a website, app, worksheets and teacher resources). For more information about Times Tables Rock Stars, please see our website at www.ttrockstars.com (the “TTRS Site”).

NumBots is a website and app that helps build an understanding in and recall of addition and subtraction facts. For more information about NumBots, please see our website at www.numbots.com (the “NumBots Site”).
Other products are in development and this Privacy Notice will be updated as necessary to reflect these as soon as they are available.

Each resource created by Maths Circle Ltd, together with the TTRS Site and the NumBots Site and any other website created for national and regional competitions and/or events (together the “Sites”), is owned and operated by Maths Circle Ltd. References to the Sites in this Privacy Notice therefore include all related Maths Circle Ltd owned websites.

WHAT PERSONAL INFORMATION DOES MATHS CIRCLE LTD COLLECT WHEN YOU USE OUR PLATFORMS?

We collect the following categories of personal information:

School Users

In the case of school/educational institution subscriptions (including on a trial basis) (“School Users”) we may collect:
• School’s name, address (for billing purposes and account name)
• Teachers’ names, email addresses (so we can provide you with an account and contact you)
• Pupils’ names, year groups and maths classes (to administer accounts)

Home Users and Tutors

In the case of home or family subscriptions (“Home Users”), or tutor subscriptions, we may collect:
• Address (for billing purposes)
• Parents’/Tutors’ names and email addresses (so we can provide you with an account and contact you)
• Children’s names (to administer accounts)

If you contact us

We may also collect details of other interactions that you and/or your Users have with us, together with any other information that you and/or your Users choose to provide us with, for example, through correspondence and interactions with our customer support, finance and technical support teams. This information is required in order to fulfil our contractual obligations to you as it is necessary to correctly identify each registrant as a site User, manage their account and for other purposes identified below.
It is impractical in most circumstances for Users to remain anonymous, as we may not be able to interact with you, provide access to the Sites, or answer your enquiry if we are not able to identify Users or collect your personal information.

Please note that by registering with any of the Sites and providing the requested personal information, whether on a trial, subscription or gifted basis, the School is deemed to have a lawful basis (pursuant to all applicable data protection laws) for supplying such data and information for and on behalf of all Users (to include both teachers and pupils). It is the school's responsibility to ensure that they have a sufficient lawful basis for supplying all data to us. Where the lawful basis that the school is relying on is “consent”, it is the School’s responsibility to seek and confirm all necessary parental consent for all pupils. If a school does not have (or in the future no longer has) a sufficient lawful basis for supplying us with such personal data, any User to which this applies must not use the Sites, and the School must promptly inform us so any relevant data can be deleted from our Sites.

Please note that by registering with either of the Sites and providing the requested personal information, whether on a trial, subscription or gifted basis, the Home User’s or Tutors’ consent to provide us with information for and on behalf of all Users (to include parents, tutors and children) is deemed to be given. Users who do not wish to give this consent must not use the Sites.

Where applicable, the Tutor is deemed to have a lawful basis (pursuant to all applicable data protection laws) for supplying such data and information for and on behalf of its tutees. Where the lawful basis that the Tutor is relying on is “consent”, it is the Tutor’s responsibility to seek and confirm all necessary parental consent for all tutees.
If a Tutor does not have (or in the future no longer has) a sufficient lawful basis for supplying us with such personal data, any User to which this applies must not use the Sites, and the Tutor must promptly inform us so any relevant data can be deleted from our Sites.

We do not however collect any unnecessary personal information from Users (for instance, information about religious beliefs, medical history etc).

Children signing up to our Sites and Consent

Please note that children (under the age of 18 years) cannot register to use the Sites themselves, as they are not lawfully able to agree to our Terms and Conditions. A teacher, tutor, parent or guardian must register for them (either as part of a school subscription, tutor subscription or home subscription) and it is the teacher, tutor, parent or guardian’s responsibility to ensure that any consent to use the Sites has been collected (including on a trial basis).

HOW DOES MATHS CIRCLE LTD COLLECT PERSONAL INFORMATION?

The personal information collected about Users broadly falls into the following categories:

Information that you provide voluntarily

o We may obtain personal information directly from you (unless it is unreasonable or impracticable to do so) or from our School Users or Home Users about you and/or other Users voluntarily by filling in forms on our Sites, or by corresponding with us via phone, email or otherwise. This includes information that you provide when you register an account with us, enter a competition or survey, subscribe to marketing communications from us, and/or to submit enquiries to us.
o The personal information that you are asked to provide, and the reasons why you are asked to provide it, will be made clear to Users at the point we ask you to provide such personal information.

Information that we collect automatically

o When Users visit our Sites, we may collect certain information automatically from their device.
In some countries, including countries in the European Economic Area, this information may be considered personal information under applicable data protection laws.
o Specifically, the information we collect automatically may include information like a User’s IP address, device type, unique device identification numbers and login information, browser-type and version, time zone setting, operating system and platform, broad geographic location (e.g. country or city-level location) and other technical information. We may also collect information about how a User’s device has interacted with our Sites, including the pages accessed and links clicked, download errors, length of visits to certain pages, page interaction information, and methods used to browse away from any page.
o Collecting this information enables us to better understand the Users who come to our Sites, where they come from, and what content on our Sites is of particular interest to them. We use this information for our internal analytics purposes and to improve the quality and relevance of our Sites to our Users.
o We will also collect the answers provided by Users to the questions raised on each programme and the length of time taken to respond in each case. This information is required to enable us to provide statistical feedback to teachers and parents on the performance and progress of pupils, a facility which is an integral part of our products.
o Some of this information may be collected using cookies and similar tracking technology, as explained further under the heading “Maths Circle Ltd’s Cookie Policy” below.

Information that we obtain from third party sources

o From time to time, we may receive information about you if you use any of the other Sites that we operate or the other services and products that we provide. In this case we will have informed you when we collected that personal information that it may be shared internally and combined with data collected on the relevant Sites.
o From time to time, we may receive personal information about you from third party sources (including for example, distributors, business partners, affiliates, sub-contractors, payment and delivery services, analytics providers, search information providers), but only where we have checked that these third parties either have your consent or are otherwise legally permitted or required to disclose your personal information to us.

WHAT DOES MATHS CIRCLE LTD DO WITH YOUR PERSONAL INFORMATION?

The personal information of Users, including any prospective Users, may be used for the following purposes:
o To carry out our obligations arising from any contracts entered into between you and us and to provide access to our products and services including the Sites;
o To send a confirmation notice to the User of the registration;
o To administer and manage accounts, including username and password resetting, responding to enquiries raised by Users, to contact Users about any problems with their accounts, or the use of our products and services, or their conduct on the Sites;
o To provide quotes or offers for, and updates about, our products and services;
o To calculate the User’s recall speeds;
o To provide results data for each User, school class, or school as a whole, including the preparation of statistical reports and data analysis to assist us in enhancing the learning from our Sites;
o To provide you with tips on how to use parts of the product or service, information about new features on our Sites;
o To notify you about changes, improvements, and upgrades to our products and services and the Sites;
o To ensure that content from our Sites is presented in the most effective manner for Users and for their computers or devices;
o To keep our Sites safe and secure;
o To publish names of winners and high performers on the Sites and send prizes or certificates for progress of Users on the Sites;
o To administer our Sites and for internal operations, including troubleshooting, data analysis, testing, research, product development, quality control, statistical and survey purposes;
o To send out newsletters and emails about our products and services, including the Sites, including information about upcoming events, competitions, and rules of the Sites; and/or
o To send you information about third party services that we feel may be of interest to you, but only where we have express or implied consent to contact someone or we are otherwise permitted by law to do so.

If you do not want to receive these updates, Users may opt out at any time by following the specific opt out instructions within the communications that we send, or by updating their details on the “My Details” page of our Sites.

Please note that our Sites do not provide pupils with any means to communicate directly with each other. There are no chat rooms connected with our products and services. Users are required to choose a “Rock Name” (for Times Tables Rock Stars) or “Bot Name” (for NumBots) which is displayed by default in place of real names at the end of multi-player games, in-school competition results and leaderboards. Pupils also have the option (in “My Settings”) on Times Tables Rock Stars to appear as “Anonymous” to their classmates for additional privacy, albeit teachers will always have full access to all pupil data.

LEGAL BASIS FOR PROCESSING PERSONAL INFORMATION

Our legal basis for collecting and using the personal information described above will depend on the personal information concerned and the specific context in which we collect it. Ordinarily, we collect personal information from Users either because it is needed to enable us to fulfil and perform our contractual obligations with you as regards the provision of our products and services, and/or where we have the consent of the Users to do so.
We may also process personal data where the processing is in our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms.

WHO DOES MATHS CIRCLE LTD SHARE MY PERSONAL INFORMATION WITH?

Users have the right to know whether or not their personal data is shared with third parties. We do not have targeted advertising on our platforms and we do not sell Users’ personal data. We will keep personal information confidential and will not knowingly share or divulge Users’ data or information to advertisers or any external third parties; however, the following categories of recipients may access, process or be transferred your data:
o our group companies;
o our sub-contractors who assist us in making, improving and delivering the Sites (these are notified to Users in advance as they are listed in our standard Terms and Conditions, and any material changes to this list are notified to Users by email);
o third parties who provide services on our behalf to help with our business activities (these are notified to Users in advance as they are listed in our standard Terms and Conditions, and any material changes to this list are notified to Users by email). These parties are authorised to process your personal information only as necessary to provide these services to us. Such services may include payment processing, providing customer service, sending marketing communications, those who help to enhance the security of our Sites, and those who otherwise process personal information for purposes that are described in this Privacy Notice or notified to you when we collect your personal information.
o Government education departments, universities, bodies managing or representing schools, or schools themselves, to help enhance the learning from our Sites through the preparation of statistical reports and analysis.
Any data provided to such establishments for their own analysis will always be provided as aggregated (non-personal) or de-personalised data, in such a way that they are unable to identify any individual child directly or indirectly. It is lawful for us to de-personalise this data as we rely on legitimate interest as our lawful basis to do so and it is lawful for us to share this de-personalised data and any associated reports as we are not sharing any data that can be identified as personal;
o any competent law enforcement body, regulatory, government agency, court or other third party where we believe disclosure is necessary (i) as a matter of applicable law or regulation, (ii) to exercise, establish or defend our legal rights, (iii) to enforce our terms and conditions, or (iv) to protect your vital interests or those of any other person;
o a potential buyer (and its agents and advisers) in connection with any proposed purchase, merger or acquisition of any part of our business, provided that we inform the buyer it must use your personal information only for the purposes disclosed in this Privacy Notice; and/or
o any other person with your consent to the disclosure.

MATHS CIRCLE LTD’S COOKIE POLICY

A cookie is a little piece of information handed to a web browser from a web server that contains information that can be retrieved from the server later. When you visit the Sites the server may attach a cookie to your computer’s memory. We use cookies only to remember what language is set, which school last logged into the machine and the session cookie for knowing who is logged in. You should be able to configure your browser so that it disables cookies. You will find a full copy of our Cookie Policy on our website.

HOW DOES MATHS CIRCLE LTD KEEP MY PERSONAL INFORMATION SECURE?

We use appropriate technical and organisational measures to protect the personal information that we collect and process about you whilst you use our products.
The data that we collect from you is stored on secure servers located in Europe through Hetzner, Amazon Web Services and Heroku. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. Security measures include data encryption, multi-factor authentication for systems, firewalls, anti-virus malware protection, staff training and security controls over physical access. As part of our privacy compliance processes we regularly review these security procedures to consider appropriate new technology and methods. We also have both Cyber Essentials accreditation and Cyber Essentials Plus accreditation.

We do not carry paid advertisements on our websites and there are no in-app purchases within our applications. Pupils are not able to chat or communicate via our platforms. Our platforms do not allow children to publicise their personal information.

We use a third party payment processor, Stripe, to process credit card payments made to us. Transactions are encrypted using SSL technology. We do not retain any credit card numbers ourselves. Stripe's use of your personal information is governed by their privacy policy, which may be viewed at https://stripe.com/us/privacy.

For invoice payments, we use a third party accounting service, FreeAgent, to create and send the invoices. Transactions are encrypted using SSL technology. The information sent to FreeAgent is limited to the billing person's name and email address, the organisation's name and postal address and what you've ordered. Use of your personal information is governed by FreeAgent's privacy policy, which may be viewed at https://www.freeagent.com/website/privacy/.

We use a third party customer service platform, Intercom, to handle all customer service and finance queries sent to us either via email or via help pop ups within our Sites.
Intercom’s use of your personal information is governed by their privacy policy, which may be viewed at https://www.intercom.com/legal/privacy.

For merchandise payments by credit card, we use a third party payment processor, Shopify, to process credit card payments made to us. Transactions are encrypted using secure technology. We do not retain any credit card numbers ourselves. Shopify’s use of your personal information is governed by their privacy policy, which may be viewed at https://www.shopify.com/legal/privacy.

You and your pupils/children are responsible for keeping your passwords confidential. We ask Users not to share their passwords with anyone.

Users should be aware that unfortunately the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our Sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We also expect all our employees and contractors to comply with this Privacy Notice, and we will take appropriate actions to address breaches by employees and contractors of the obligations imposed by this Privacy Notice.

Where we use third party services to run and administer our Sites and our services to you, we will only provide them with the minimal amount of information needed for the purposes of delivering the service to us and to meet our requirements. We always carry out due diligence against all our third-party suppliers for the purposes of ensuring their compliance with data protection, maintaining adequate security of your data and ensuring they apply adequate data protection principles to the processing of the data we supply. We also make sure a legally binding contract (sometimes called a Data Processing Agreement or DPA) is in place to protect your data.
INTERNATIONAL DATA TRANSFERS

Your personal information may be transferred to, and processed in, countries other than the country in which you are resident. These countries may have data protection laws that are different to the laws of your country. Specifically, our Sites’ servers are located in Europe through Hetzner, Amazon Web Services and Heroku. However, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Privacy Notice and applicable data protection laws.

DATA RETENTION

We retain personal information we collect from Users where we have an ongoing legitimate business need to do so (for example, to provide you with a service you have requested or to comply with applicable legal, tax or accounting requirements). When we have no ongoing legitimate business need to process Users’ personal information, or where you ask us to delete Users’ information, we take reasonable steps to either delete or anonymise it. If this is not possible immediately (for example, because your personal information has been stored in backup archives), then we will securely store Users’ personal information and isolate it from any further processing until deletion is possible, but will endeavour to do so as soon as reasonably practicable. It will take up to 10 days to allow for the personal information to be deleted from all our back-up systems. Should we need to recover our services from a backup that would ordinarily contain Users’ information and account information that has been deleted, we will use best endeavours to ensure that deleted information is not restored into the live services.

We may also have to retain and use personal information as necessary to comply with our legal and regulatory obligations, to resolve disputes, and to enforce our terms and conditions.
Our policy is to automatically delete all pupil/child data from school accounts, tutor accounts and family accounts 90 days after expiry of a free trial or expiry of a subscription, where no renewal or pending subscription has been requested by that school, tutor or family to either of our platforms. Please note that subscriptions are not automatically renewed at expiry. The main contact will be notified by us of our deletion policy prior to expiry of the subscription, and again prior to deletion of the pupil data. Deleted pupil/child data cannot be retrieved following deletion. We recommend that schools and tutors delete the pupil data and accounts once that particular pupil has left the school or tutor organisation.

YOUR DATA PROTECTION RIGHTS

Pursuant to UK GDPR, the CCPA, COPPA, VCDPA, and other applicable state legislation and data protection laws, Users have the following data protection rights:
o Users have the right to know how we process their personal information. This is why we try to maintain transparency about what information we collect and how we use it, as explained elsewhere in this Privacy Notice. These rights can be exercised by contacting us using the contact details provided under the “How to contact us” heading below.
o If a User wishes to access, correct, update or delete their personal information, or that of their school (in the case of teachers), they can do so at any time by contacting us using the contact details provided under the “How to contact us” heading below. Users can also delete all of their personal data by navigating to “Subscription Details” and pressing “Delete”.
o Parents, guardians and caregivers have the right to access, review, correct, update, delete or refuse collection of their child’s personal information. Please note that these requests are handled together with the child’s school or tutor, unless they are part of a family subscription. This is in line with UK GDPR, COPPA and FERPA.
These rights can be exercised by contacting us using the contact details provided under the “How to contact us” heading below.
o Parents, guardians and caregivers have the right to stop the collection and use of their child’s personal information. Please note that these requests are handled together with the child’s school or tutor, unless they are part of a family subscription. This is in line with UK GDPR, COPPA and FERPA. These rights can be exercised by contacting us using the contact details provided under the “How to contact us” heading below.
o In addition, Users can object to processing of their personal information, ask us to restrict processing of their personal information or request portability of their personal information. Again, Users can exercise these rights by contacting us using the contact details provided under the “How to contact us” heading below.
o Users have the right to opt-out of the sharing of data for targeted marketing communications we send at any time. Users can exercise this right by either clicking on the “unsubscribe” or “opt-out” link in any marketing e-mails we send, or by updating their details on the “My Details” page of our Sites. Alternatively, Users can contact us using the contact details provided under the “How to contact us” heading below.
o Users have the right to opt-out of the sale of their personal data, however we do not sell the personal data of our Users. If Users have any questions about this they can contact us using the contact details provided under the “How to contact us” heading below.
o Similarly, if we have collected and process Users’ personal information with their consent, then Users can withdraw their consent at any time. Withdrawing consent will not affect the lawfulness of any processing we conducted prior to withdrawal, nor will it affect processing of personal information conducted in reliance on lawful processing grounds other than consent.
Users can withdraw their consent by contacting us using the contact details provided under the “How to contact us” heading below.
o If you want to make a complaint about the way we have processed your personal information, we’d rather you brought it to us in the first instance (using the contact details provided under the “How to contact us” heading below), but of course Users have the right to complain to a data protection authority. For more information, please contact your local data protection authority. (Contact details for data protection authorities in the European Economic Area, Switzerland and certain non-European countries (including the US and Canada) are available here.)

We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.

UPDATES TO THIS PRIVACY NOTICE

We may update this Privacy Notice from time to time in response to changing legal, technical or business developments. We will always inform you of any material changes we make to our Privacy Notice (ordinarily by email communication or at point of login). We will obtain your consent to any material Privacy Notice changes if and where this is required by applicable data protection laws. Users will be deemed to have consented to any such changes by their continued use of the Sites following any changes being made.

You can see when this Privacy Notice was last updated by checking the “last updated” date displayed at the top of this Privacy Notice.

HOW TO CONTACT US

If you have any questions or concerns about our use of your personal information, please contact our Data Protection Officer using the following details: [email protected].

The data controller of your personal information is Maths Circle Ltd which is registered with the Information Commissioner’s Office (“ICO”) with registration number ZA250537.

EU Data Representative

We have also appointed DataRep as our EU Representative.
For any enquiries, issues, etc. if you are based within the EU, you can contact them: DataRep, 77 Camden Street Lower, Dublin, D02 XE80, Ireland [email protected]