Platform Privacy Notice
This notice covers Sotara's own data controller activities: school contacts, account holders, website visitors, and Sotara staff. It does not cover processing carried out as a data processor on behalf of schools (e.g. image processing under Anonymé).
Who we are
Sotara Ltd is a company registered in England and Wales (Company No. 17162223). We build and operate software applications for UK schools. For the purposes of this notice, Sotara is the data controller.
What personal data we collect and why
School contacts and account holders
When a school signs up or an individual creates an account, we collect: name, job title, school name and address, email address, and phone number. We use this to administer the contract, provide support, and send product updates.
Lawful basis: UK GDPR Article 6(1)(b) (contract) for account administration; Article 6(1)(f) (legitimate interests) for support communications and product updates.
Website visitors
Our website collects technical data (IP address, browser type, pages visited, time on page) via cookies and analytics tools.
Lawful basis: UK GDPR Article 6(1)(a) (consent) for non-essential cookies; Article 6(1)(f) (legitimate interests) for essential analytics.
Marketing and communications
With your consent, we may send emails about new products, updates, or events. You can unsubscribe at any time using the link in any email.
Lawful basis: UK GDPR Article 6(1)(a) (consent).
Sotara staff and contractors
We process employment and engagement data (name, contact details, bank details, NI number, DBS certificate reference, payroll data) to manage our employment relationships and comply with legal obligations.
Lawful basis: UK GDPR Article 6(1)(b) (contract); Article 6(1)(c) (legal obligation). For DBS data: DPA 2018 Schedule 1 Part 1 (employment and safeguarding).
International transfers
All school customer data is stored on AWS servers in London (eu-west-2) and does not leave the United Kingdom. For sub-processors whose infrastructure is outside the UK, we rely on UK adequacy decisions or UK International Data Transfer Agreements (IDTAs). Details are available on request.
Retention
| Data | Retention period | Basis |
|---|---|---|
| School contact / account data | Duration of contract + 6 years | Limitation Act 1980 (potential contract claims) |
| Website analytics | 13 months rolling | Standard analytics retention |
| Marketing contacts | Until unsubscribe + 1 year | Consent withdrawn; records kept to evidence withdrawal |
| Staff employment records | Employment + 6 years | Legal obligation (HMRC, ERA 1996) |
| DBS certificate references | See Safeguarding Policy | DBS Code of Practice |
Your rights
Under UK GDPR you have the right to:
- AccessRequest a copy of personal data we hold about you.
- RectificationAsk us to correct inaccurate or incomplete data.
- ErasureAsk us to delete your data in certain circumstances.
- RestrictionAsk us to restrict processing in certain circumstances.
- PortabilityReceive your data in a structured, machine-readable format (where processing is based on consent or contract and carried out by automated means).
- ObjectObject to processing based on legitimate interests or public task.
- Withdraw consentWhere processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at dpo@sotara.co.uk. We will respond within one calendar month.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
Contact us
Data Controller
Sotara Ltd
Company No. 17162223
43 Harwood House
London SW6 4QP
Data Protection Enquiries
dpo@sotara.co.ukIf you are a pupil or parent with a question about your school's use of Sotara products, please contact your school in the first instance. The school is the data controller for pupil and parent data.