Data Security and the GDPR

Under the GDPR, Sumdog is a data controller (see more below).

Sumdog is committed to data security and privacy, and complies with laws in all countries and territories in which we operate.

The following document addresses how we deal with data with respect to the GDPR and Data Protection Act 2018.

Our Privacy Code of Conduct:

  • At Sumdog we will ensure our users' data is processed lawfully, fairly and in a transparent manner.
  • The data will only be collected and processed for legitimate purposes.
  • The amount and kind of data that we collect is limited to the data deemed necessary to use Sumdog.
  • We will ensure that the data is accurate and kept up to date.
  • If it comes to our knowledge that data is inaccurate or that we should no longer hold it then this will be erased or rectified without delay.
  • We will only keep your data for the amount of time that it is necessary. This is usually for as long as you hold a Sumdog account.
  • We ensure that we deal internally with data in a way that ensures protection against unauthorised or unlawful processing.
  • We will never transfer data outwith the EU to a third country without ensuring one of the appropriate safeguards is in place.


The below FAQs set out to answer any questions you may have about our data security and privacy procedures.

This page should not be considered as a legal document. Please consult our privacy policy for full information.

Legal Backdrop

Is Sumdog a data processor or a data controller?

As we control the data we collect and how this is used, it transpires that Sumdog is a data controller. The processing is either carried out by an employee of Sumdog (who would then be the data processor), or a third party data processor (see more about third parties below).

In most cases we are a joint data controller with the school.

Our privacy policy clearly sets out the data that we collect from the data subjects and our reason for collecting it. By using Sumdog, our users agree to the privacy policy which sets out the data that Sumdog collects, controls and processes.

If we decide to change the type of data we collect and what we use the data for, we will communicate this to Sumdog’s user base.

Privacy Policy Information

What are the categories of personal data that Sumdog holds?

Our privacy policy sets out the personal data that we collect and hold.

What is the legal basis for holding this personal data?

Our legal basis for holding this personal data is through legitimate interest. The provision of the Sumdog service is intended to help children and parents or guardians with their child’s education and development. The Sumdog service also assists schools and teachers to educate their pupils.

Is the data held in the UK?

Some of the data is held in the UK. Our servers are based in the United States. We ensure that our contracts with these cloud service providers contain the standardised EU model clauses for international data transfer. This approach is recognised in the GDPR as an appropriate safeguard when internationally transferring data.

Is backup data held in the UK?

Our backup data is held on our servers which are located in the USA. We ensure that our contracts with these cloud service providers contain the standardised EU model clauses for international data transfer. This approach is recognised in the GDPR as an appropriate safeguard when internationally transferring data.

What is the retention period and when is data destroyed?

We only retain personal data for as long as it is necessary to fulfil the purposes for which we collected it. Our information surrounding data retention can be found in our privacy policy.

How does Sumdog ensure payment details are securely stored?

At Sumdog we never see or hold any of your payment data. This data is collected and held by a company called Braintree. We have a data sharing agreement with them and we are convinced of their compliance with all of the applicable privacy laws. You can find out all about their commitment to data privacy here. They are a validated service provider at the highest level and are recognised by Visa and Mastercard for their

General Policy and Procedure

What data protection policies does Sumdog adhere to?

At Sumdog our staff adhere to a data privacy policy which sets out the expectations that Sumdog has on its employees when they are dealing with personal information of our users.

What procedures are used to manage the processing of personal data within Sumdog?

We consistently develop and update our procedures when it comes to processing personal data within Sumdog, to ensure that they are best practice and are compliant with all privacy law. We have procedures in place that govern the way we would deal with personal data, new processors, breaches, subject access requests and data audits.

Is personal data ever passed on to third parties?

We may share statistics derived from information accumulated through use of Sumdog with third parties. The data in this situation is anonymised and the third parties are not able to identify users from this data.

What technical and security measures do you have in place? Does Sumdog test the systems?

Sumdog encrypts user data using SSL when transferring data to our servers. This helps to protect it whilst in transit.

Do you have an information management accreditation?

AWS, who host our server, have ISO27001 accreditation. More information on their compliance can be found here. Sumdog does not currently hold an information management accreditation.

How do you ensure that your staff adhere to confidentiality?

Sumdog will be ensuring that all staff go through training to inform them of the responsibilities that the GDPR puts onto organisations who have data subjects within the EU. They will be made aware of the changes to policies and the importance of adhering to specific procedures that apply to the data privacy principles set out by the GDPR.


Does Sumdog undertake marketing?

Sumdog does undertake marketing. This is to allow us to communicate information, including features, offers, educational data and tips, to registered Sumdog users.

What type of marketing is carried out?

Sumdog undertakes marketing via email, post, social media and search engine. The marketing undertaken is only ever related to the Sumdog service. We do not market other services to our users.

What is the legal basis for marketing?

It is in Sumdog’s legitimate interest to communicate with our users. This is important to us because we rely on a subset of users who subscribe to our premium features. This allows us to maintain a free service to a larger user base. For our users this means they will receive information on how to use the service more effectively and data on the educational progress of their students. If you subscribe then you benefit from marketing information around subscriptions. If you do not subscribe then you will benefit from others who have, as a result of the same marketing communications. These pay to support your continued free use of Sumdog.

How can a user opt out of marketing? How is this process managed?

You can choose to opt out of marketing when you initially sign up to Sumdog. You may also do this via the link in our marketing emails or by signing in to your Sumdog account and changing your preferences. When you opt out of receiving these emails you will be taken off our marketing list.


Does the website use cookies and tracking technology? If yes, is there a notice?

Yes, we use cookies at Sumdog. This is to help make Sumdog easier to use and to help us improve the site for you. The cookies are stored on your computer. There is not a cookie notice. More information on the cookies we use and why we use them is available in the privacy policy.

How is consent acquired regarding cookies?

Our website will automatically store functional cookies.

For any remarketing cookies you will have the option to accept these when you first visit the website.

You can control which websites access cookies by activating a setting on your browser that allows you to refuse the setting of all or some cookies. This setting will allow you to accept, reject or modify your web browser to alert you of any new cookies. More information regarding cookies can be found on our privacy policy and at

Is any personal data published on the website? If yes, is permission sought? How is the permission gained?

Any personal data published on the website will only be posted when we have express permission from the person to whom the data belongs, either in writing or by email.

Bespoke Arrangements

Does Sumdog agree to gain the consent of their clients before engaging with another processor?

As a controller, Sumdog have the ability to decide which processors we engage with. When engaging with another processor we must ensure that we are satisfied with their compliance with all relevant data privacy laws. If that processor is located outwith the EU, we ensure we have model clauses for the international transfer of data in our data sharing agreements with them. It is not possible for Sumdog to gain the consent of all of their users before engaging with another processor and as a data controller this is not an obligation required by law.