Carousel's approach to GDPR and Data Privacy

Carousel takes GDPR and Data Privacy very seriously. You can find out more about our approach in two documents, which are both available online:

• Our Privacy Policy
• Our Terms of Service

The Privacy Policy is a public-facing policy and covers our principles of data privacy, as well as any additional information we think a member of the public or interested party would want to know about Carousel's approach to GDPR and data privacy. The Terms of Service cover some of the same ground, but are broader and more detailed, and represent the contract between a user and Carousel. By signing up to the Terms of Service you are also agreeing to our Privacy Policy.

We do not have a separate Data Processing Agreement (DPA), but you will find all the information about our approach to data processing that you need in both of the above documents.

You may be required by your school to fill in a Data Protection Impact Assessment (DPIA) before you can use Carousel. We can't help you complete this document, as we're the data processor and it is important that the DPIA is completed by the Data Controller (i.e. the school). However, it is our job to make sure that you have all the information you need to complete one effectively. Please refer to the Privacy Policy and Terms of Service to fill in your DPIA. If you need to know something that you think is missing from our Privacy Policy and Terms of Service, contact us at help@carousel-learning.com and we'll be happy to answer your questions.

An abbreviated summary of the key principles of GDPR and Data Protection contained within our Privacy Policy is as follows:

We:

• Maintain a secure, cloud-based product, with all data hosted using Amazon Web Services in Ireland.

• Process the data received from schools for the purposes of education and school improvement ONLY, and we store and process the minimum data required to provide our services. For example, students access Carousel using a secure link plus their first name / last name as defined by a teacher. There is no other student data stored in the product. If you wish to keep student data out of the product entirely, you can do so by giving students nicknames or code words / numbers for their first name / last name.

• Transport and store all personal data originating from schools using modern and best practice encryption technologies. This includes Secure Socket Layers (SSL/TLS) for encrypted data transfer over the internet, encryption of all data at rest, and secure access for all end users.

• Only retain data for as long as required, and delete all your data if you ask us to do so.

• Ensure that all data is held securely by taking steps so that data is not corrupted or lost.

• Pledge to Report any significant breaches of security to the Data Controller, the Information Commissioner’s Office (ICO) and other authorities.

We DO NOT:

• Store or transport personal data outside of the EEA or outside of countries which are granted to have Adequate Levels of Protection as defined by the European Commission.
• Share your data with any third parties except where explicitly requested by you or required by law.
• Use Your data, made available via the Carousel platform, for the purposes of advertising or marketing, or for any purpose other than the service explicitly provided to You.
• Transport personal data originating from schools in an unencrypted format.
• Claim ownership or exclusive rights over any of the data processed or created as part of services provided to You.