Privacy Notice

Wonde Limited has created a way for students to log into their devices once, and access all their classroom apps at school or home quickly and securely which we operate either through our MyLogin Website (https://mylogin.com/) and our platform, collectively known as (“MyLogin Software”) or manually. This Privacy Notice governs those that access and use our MyLogin Software as an authorised user (“Authorised User”), those that are visitors to the MyLogin website and those that use our MyLogin services (“MyLogin”) generally.

At Wonde, we take privacy very seriously. We have prepared this privacy notice (“Privacy Notice”) to ensure that we communicate to you, in the clearest way possible, how we treat your personal information. We encourage you to read this Privacy Notice carefully as it governs the use of MyLogin. Our services are therefore provided on an ‘as is available’ basis.

We are committed to ensuring that your personal information remains confidential and secure in accordance with applicable Data Protection Legislation.

This notice sets out how we look after your personal data if you are a:

• Student;
• Member of staff of education establishment such as a school or college;
• An Authorised User;
• Visitor to our MyLogin Website;
• Supplier or business contact of Wonde;
• Third party education application;
• A local authority;
• A national or government body

This Privacy Notice (together with our Data Processing Agreement, any Licence Terms and Conditions, Website Terms of Use and any other documents or terms incorporated by reference) describe the types of information that we collect from you, through the use of our products and services (“Services”), or the use of MyLogin, and how that information may be used or disclosed by us and the safeguards we use to protect it. The personal information that we collect is used for providing and improving our Services. We will not use or share your information with anyone except as described in this Privacy Notice.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.

We may update this notice from time to time, and you can find our latest notice on our website or by asking us for a copy.

1. Who is MyLogin

Wonde has several different trading names, including MyLogin. Wonde Limited is a company incorporated in England and Wales, with company number 08645640 (referred to as “we” “us” “our” and “Wonde” in this notice).

This Privacy Notice applies to any personal data we collect through our MyLogin business and the MyLogin Software to enable us to deliver our services.

Our address is Furlong House, 2 Kings Court, Newmarket, Suffolk, England, CB8 7SG.

We have appointed a Data Protection Officer who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact the Data Protection Officer as follows:

Address: Furlong House, 2 Kings Court, Newmarket, Suffolk, England, CB8 7SG

Email address: data@wonde.com

Our ICO registration number is ZA118834

We will only process personal information about you in accordance with the UK Data Protection Legislation which for the purposes of this Privacy Notice shall mean: all applicable data protection and privacy legislation in force from time to time in the UK including without limitation the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder) (DPA 2018); and the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data (including, without limitation, the privacy of electronic communications); and the guidance and codes of practice issued by the Commissioner or other relevant regulatory authority and which are applicable to a party (“Data Protection Legislation”).

For the purposes of this notice ‘data processor’ and ‘data controller’ shall be interpreted and construed by reference to the term ‘processor’ and ‘controller’ as defined in the Data Protection Legislation.

2. What does MyLogin do?

We provide applications and platforms to help schools better manage and securely control their data. MyLogin provides an Identity Provider (IDP) service to allow simple login to devices and applications for students and teachers. We provide an API to allow third-party applications to integrate with us and grant one-click access to their applications from our student portal.

In most cases, Wonde acts as a data processor. This means we assist the school and the application provided to transfer your personal data, and that of pupils, to and from each other. In these cases, the school will be the data controller and the entity responsible for deciding how and when your personal data is collected and used, whilst we follow the instructions of the school. The school, and, in some circumstances, the third party application provider, will be data controllers. The school should provide you with their privacy policy or privacy notice, setting out how the school uses your personal data and the lawful basis for doing so.

Where we act as a data processor, we have legally binding agreements in place with the school (and third party application provider) which restrict how we process your personal data, in accordance with the Data Protection Legislation. This includes personal data processed through our Site and any applications we supply.

When you log in to our platform through our Site, visit our Site generally, or contact Wonde support, we will receive certain data directly from you, such as your name and login details. For this limited data only, we will be the person responsible for deciding how and when your data is used, and we will be the data controller.

We are a data controller when we collect personal information from suppliers and other third parties who interact with us.

3. The purpose of this privacy notice

The purpose of this Privacy Notice is to set out how we collect and use your personal data when we directly control the personal data as a data controller in respect of MyLogin and the MyLogin Software.

This notice does not apply when we act as a data processor. In those cases, our private agreement with the school will apply and you should read the school’s privacy policy or privacy notice to understand what personal data is collected and how it is used and shared.

4. The data we collect and how we collect it

Depending on your relationship with us (for instance, whether you are a parent or a professional contact), we may collect, use, store and transfer some or all of the following data from the users of MyLogin or users of Wonde support:

• Identity Data: your name.
• Contact Data: your email address.
• Cookies Data: like many websites, we may use some "cookies" to enhance your experience and gather information about the visitors and number of visits to our Site. Please refer to our Cookie Policy about cookies, how we use them and what kind.
• Technical Log Data: includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access MyLogin;

You can withhold your personal data from us, but we may not be able to provide our services to you if you do so.

We may collect your personal data from different sources:

• We collect all of the types of data listed above directly from you when you interact with us. This includes when you register with the MyLogin Website Site, and when you log in to the MyLogin Website or use Wonde support.
• We collect Identity Data, Contact Data from the school(s) you are connected to.
• We collect Technical Log Data automatically when you interact with the MyLogin Website or platform, by using cookies and other similar technologies.

5. How we use your personal data

We will only use your personal data when the law allows us to. We (or third party data processors, agents and sub-contractors acting on our behalf) may collect, store and use your personal information by way of different methods to collect data from and about you including through:

Direct interactions. This is information (including Identity, Contact and Financial Data) you consent to giving us about you when you fill in forms through the Site or by corresponding with us (for example, by email or chat). It includes information you provide when you register or subscribe to any of our Services, visit or use the Site when you create an account with us and finally when you report a problem with our Services, or the Site generally. If you contact us, we will keep a record of that correspondence.

Information we collect about you and your device either automated or otherwise. Each time you visit our Site or use our Services, we will automatically collect personal data including Technical Log Data. We collect this data using cookies and other similar technologies including server logs. We may also receive technical data about you if you visit other Sites employing our cookies.

Information we receive from other sources including third parties and publicly available sources. We may receive personal data about you from various third parties such as government bodies, local authorities or schools, but we will only use and process the personal data where we are allowed to do so.

We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions, which include strict confidentiality and contractual terms.

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

We will only use your personal data when the law allows us to. Most commonly we will use your personal data in the following circumstances:

• Where you have consented before the processing.
• Where we need to perform a contract we are about to enter into, or have entered into with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation.
• Where it is a public task i.e. the processing is necessary for us to perform a task in the public interest or for any official functions, and the task or function has a clear basis in law.

When we are acting as a data controller, we will use your personal data for the purposes set out in the table below.

The law sets out a number of different reasons for which we can collect and use your data. The legal grounds on which we collect and use your data are also set out in the table below.

Purpose for using your data	Legal ground for using your data for this purpose
To allow you to access your account on the MyLogin Website.	Necessary for our legitimate interests (to allow Authorised Users on the MyLogin Website to use it)
To provide support to you when you contact us	Necessary for our legitimate interests (to respond to support calls as our users would expect).
To manage our relationship with you, which will include notifying you about changes to our Privacy Notice.	To enter into and/or perform a contract with you. To comply with a legal obligation. Necessary for our legitimate interests (to provide important updates to our users). To enable a public task to be performed.
Where you are a third party application, to register you as a third party application and to facilitate the provision of such services to any school or education establishment.	To enter into and/or perform a contract with you. Necessary for our legitimate interests (to provide our Services).
Where you are an organisation, to facilitate the provision of any services through our MyLogin Website and/or our applications.	To enter into and/or perform a contract with you. Necessary for our legitimate interests (to provide our Services through the MyLogin Website). To enable a public task to be performed.
To administer and protect our business and MyLogin, Services and/or our applications (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).	Necessary for our legitimate interests (to protect our business and MyLogin Website; to keep our Services updated).
To use data analytics to improve MyLogin, products/services, marketing, customer relationships and experiences. To create anonymous aggregated data, as set out below.	Necessary for our legitimate interests (to continuously improve our Services for our customers and users).
To create anonymous aggregated data, as set out below.	Necessary for our legitimate interests (to provide additional benefits and functionality to our customers and users without disclosing personal data).
To comply with applicable laws and regulatory obligations.	To comply with a legal obligation.
To provide details of offers and other available products.	Where you have provided explicit consent.

Aggregated Data

We may aggregate and use non-personally identifiable data we have collected from you and others. This data will in no way identify you or any other individual.

We may use this aggregated non-personally identifiable data to:

• assist us to better understand how our users are using MyLogin and services;
• provide users with further information regarding the uses and benefits of MyLogin and services;
• enhance school productivity, including by creating useful school insights from that aggregated data and allowing benchmarking of performance against aggregated data; and
• otherwise to improve MyLogin and services.

Cookies when using our website

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly. For more information about the cookies we use, please see cookie notice .

6. Sharing your personal data

We may need to share your personal data when using your personal data as set out in the table above. We may share your personal data with the following third parties:

• Our professional advisers, including lawyers, auditors and insurers.
• Service providers who provide IT and system administration services, or who store data on our behalf.
• Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

MyLogin's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

7. International Transfers

We may transfer your personal data to third parties providing services to us who are based outside of the UK. This includes parties providing IT administration services and hosting services, and parties providing assistance with managing our marketing databases.

Whenever we transfer your personal data outside of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• transferring data to countries that have been deemed to provide an adequate level of protection for personal data; or
• using specific contracts approved for use in the UK which give personal data the same protection it has in the UK.

8. Retention period

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

For more details of our specific retention periods, please contact our Data Protection Officer.

9. Data Security

Data security is of great importance to us, and to protect your data we have put in place suitable physical, electronic and managerial procedures to safeguard and secure data collected and processed through our Site.

We have implemented significant security measures to maintain a high level of security.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Notwithstanding the security measures that we take, it is important to remember that the transmission of data via the internet may not be completely secure and that you are advised to take suitable precautions when transmitting to us data via the internet and you take the risk that any sending of that data turns out to be not secure despite our efforts.

If we give you a password upon registration on our Site, you must keep it confidential. Please don't share it.

10. Your rights as a data subject

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These rights are set out below. If you wish to exercise any of the rights set out below, please contact our Data Protection Officer.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

Your rights are as follows:

• Right of access – you have the right to request a copy of the personal data that we hold about you and to check that we are lawfully processing it.
• Right of rectification – you have a right to request that we correct personal data that we hold about you that is inaccurate or incomplete.
• Right to be forgotten / erasure – in certain circumstances you can ask for the data we hold about you to be erased from our records.
• Right to restriction of processing – where certain conditions apply, you have a right to restrict the processing.
• Right of portability – you have the right to have the data we hold about you transferred to another organisation.
• Right to object – you have the right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms.
• Where we are relying on your consent to process your personal data, you may withdraw consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent, or to processing carried out on other legal grounds. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

All of the above requests will be forwarded on should there be a third party involved in the processing of your personal data.

11. Children and/or Special Category Data

We do not obtain any personal data relating to children or special category data when we act as a data controller through the provision of our Services. In the circumstances where we do collect and process personal data relating to children or special category data in our role as data processor, we recognise that we need to have further justification for the collection, storing and use of this information. In those circumstances, we do so only on the careful instructions of the data controller and solely in accordance with the Data Protection Legislation.

We have in place appropriate policies and safeguards when processing such data as referred to in this Privacy Notice.

12. Complaints to the Information Commissioner’s Office

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.