The School Jotter platform is provided by Webanywhere Ltd and is used by schools to publish information and communicate with parents, pupils, staff, and the wider school community.
Data Protection Roles
For the purposes of the relevant data protection legislation, including the UK GDPR and the Data Protection Act 2018:
- The School acts as the Data Controller: The school determines the purposes for which personal data is processed and the categories of information made available through the platform.
- Webanywhere Ltd acts as a Data Processor: We process personal data on behalf of the school and in accordance with their instructions. Requests relating to personal data rights should, therefore, be directed to the relevant school in the first instance.
Platform Accounts and Authentication
User accounts for the School Jotter website and its native mobile applications are managed through Google Firebase Authentication. Access is secured using password-based authentication, and users are responsible for keeping their login credentials confidential.
An account is not required to browse or navigate the public website, nor is an account required for the mobile app, if the school has chosen to deploy the app in public-mode.
Data Infrastructure and Hosting
The platform is hosted using Amazon Web Services (AWS) infrastructure.
- Data Residency: Primary storage locations are London (UK) and Dublin (EU). This ensures data remains within the UK and EEA, supporting compliance with UK data protection requirements.
- Encryption: Data is protected via industry-standard practices, including encryption in transit (HTTPS) and encryption at rest within AWS managed infrastructure.
- International Transfers: Where data processing involves transfers outside the UK or EEA, appropriate safeguards such as Standard Contractual Clauses (SCCs) are utilised to ensure a comparable level of protection.
MIS Integration
Schools may optionally integrate School Jotter with their Management Information System (MIS) using Groupcall Xporter.
This synchronises selected information to establish parent-child relationships, allowing for relevant, filtered communications (e.g. year-group specific updates).
Categories of Personal Data Processed
The categories of data processed are determined by the school as the Data Controller. Common examples of functional data include:
- Names and Email addresses.
- Parent and pupil relationships.
- User account details, IP addresses, and device type information.
- Other data that the school specifically chooses to include.
Special Category Data
The School Jotter platform is not designed to actively request “Special Category” (sensitive) data, such as health information, ethnic origin, or religious beliefs. If a school chooses to upload, collect, or store sensitive personal information through the platform, this remains the sole responsibility of the school as the Data Controller.
School Created Forms and Data Collection
Authorised school administrators may create custom web forms to collect information for operational purposes.
- School Responsibility: The school defines the content, structure, and questions within these forms. The school is responsible for ensuring a lawful basis for processing exists and that appropriate privacy information is provided to respondents.
- Access: Access to submitted form data is restricted to authorised users within the school’s administration interface. Webanywhere personnel only access this data when necessary for technical support.
Mobile App Push Notifications
To ensure parents and staff receive timely updates (such as class-specific news or urgent notices), the platform utilises secure system services for message delivery:
- iOS Notifications: Delivered via the Apple Push Notification service (APNs).
- Android Notifications: Delivered via Firebase Cloud Messaging (FCM).
- Data Privacy: These services utilise unique, anonymised device tokens to route messages to the correct handset. The notification providers do not have access to the private content of the communications sent by the school.
System Monitoring, Analytics and Security
The platform maintains system logs, including IP addresses, to ensure security, stability, and performance.
- Internal Analytics: Schools are provided with reporting tools to understand usage trends (e.g. page visits and document downloads).
- Inspection Readiness Alerts: The platform provides high-level alerts when traffic is identified from official inspection body network ranges. This is reported at an organisational level to help schools manage their inspection workflows.
- Audit Logs: Activity by authorised administrative users is logged for security monitoring and to detect unusual behaviour.
Data Sharing and Third-Party Services
Webanywhere Ltd does not sell personal data. Information is only shared where necessary to provide the service or where disclosure is required by law.
-
- Infrastructure Providers: This includes trusted partners such as AWS (Hosting), Google Firebase (Authentication), and Groupcall (MIS Integration).
- Webanywhere Group: Authorised personnel within Webanywhere Ltd or its group companies (including subsidiaries) may access system data where necessary for technical support, system maintenance, or operational administration.
- Legal Disclosure: Personal data may be disclosed in response to lawful requests from regulatory authorities or law enforcement bodies.
- Further Information: please review our Sub-processors and Technical Partners list for more information on the purpose of processing, data residency and safeguards.
Marketing and Service Communications
-
- Parents and Pupils: Data relating to parents and pupils is never used for marketing or advertising purposes by Webanywhere.
- Administrative Users: School staff may see service updates or product information relating to other Webanywhere software within the secure administrative dashboard.
- Webanywhere Customers: Key contacts at the school such as teachers and other administrative staff may receive marketing communications about relevant services inside and outside of the School Jotter platform.
Data Retention and Disposal
Personal data is not retained for longer than is necessary for its intended purpose.
- Retention Policy: In most cases, account data is retained while the relevant account remains active or while the school continues to use the platform, and then retained for a period of time after account suspension, in order to allow for restoration of service or to service school queries.
- No Guarantee of Storage: Webanywhere Ltd reserves the right to delete data immediately upon the termination of a service or once it is no longer required for operational purposes. We provide no guarantee of long-term data archiving.
- Legal Necessity: In specific circumstances, such as for the establishment or defence of legal claims, certain data may be retained for longer periods of time.
Data Protection Rights
Under the UK Data Protection Act 2018 and UK GDPR, you have specific rights regarding your personal information. These include the right to Access your data, Rectify inaccuracies, request Erasure (the “right to be forgotten”), Restrict or Object to processing, and the right to Data Portability.
- How to exercise these rights: As the individual school is the Data Controller for your personal information, you should contact the school directly to make a request. The school will then liaise with Webanywhere Ltd to fulfill any relevant technical requests.
- Subject Access Requests (SARs): If you wish to make a subject access request, please contact the school in writing. Once the school has verified your identity, they will work with our technical team to provide the relevant data within a reasonable timeframe.
- Complaints: If you remain unsatisfied with how your data is handled, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) (www.ico.org.uk).