Parents
Data Element | How is data collected and who is the source?
| How this information is used
| The purpose for Classroom Hero collecting this information
| Is Data shared or accessed by a service provider? (or processor)
| Where is this Data element stored or accessed by each third party/service provider that it is shared with or made available to? | Retention schedule
| Any other non-service provider third parties with access
| Technical and Security Measures
| Is Data transferred Outside of the EEA/UK and What are the transfer Mechanisms (or Safeguards)?
| What is the Article 6 lawful basis for processing this personal Data under GDPR
|
Account ID (User) | Provided by user at signup or via SSO; system-generated identifiers. | Authentication, authorization, account management. | Provide and secure access to Classroom Hero services. | Email/SSO providers as configured by the school; infrastructure hosting; support tools as needed. | Application databases; authentication/session storage as configured. | Retained for the life of the account/contract or as required by law; deletion upon request or account closure, subject to legal/financial retention. | None, unless school-configured SSO provider. | Access control, encryption in transit (TLS), role-based permissions, audit logs; least-privilege access for support. | May be processed/stored outside EEA/UK depending on hosting and third parties. Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. | Art. 6(1)(b) Contract (provide core service); Art. 6(1)(f) Legitimate interests (service improvement, security). |
Profile (role, points/levels/progress, images, settings) | Entered by user/teacher; generated during use (points, levels); images uploaded by user. | Personalization, gamified progress, subscription/feature gating, avatar settings. | Deliver core classroom engagement features; manage tiers/settings. | Infrastructure hosting; email service (e.g., transactional messaging) if configured. | Application databases; media storage for photos/avatars. | Retained for the life of the account/contract or as required by law; deletion upon request or account closure, subject to legal/financial retention. | None. | Access control, encryption in transit (TLS), role-based permissions, audit logs; least-privilege access for support. | May be processed/stored outside EEA/UK depending on hosting and third parties. Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. | Art. 6(1)(b) Contract (provide core service); Art. 6(1)(f) Legitimate interests (service improvement, security). |
Task (title, description, steps JSON, points, category, created_by) | Created by parents/guardians (or school) in app. | Reusable parent tasks for student assignment. | Home-school task workflows and motivation. | Infrastructure hosting. | Application databases. | Retained for the life of the account/contract or as required by law; deletion upon request or account closure, subject to legal/financial retention. | None. | Access control, encryption in transit (TLS), role-based permissions, audit logs; least-privilege access for support. | May be processed/stored outside EEA/UK depending on hosting and third parties. Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. | Art. 6(1)(b) Contract (provide core service); Art. 6(1)(f) Legitimate interests (service improvement, security). |
Task List (title, description, items/order, bonus points) | Created by parents/guardians; references Tasks. | Group tasks into lists for assignment. | Organize and deliver task routines. | Infrastructure hosting. | Application databases. | Retained for the life of the account/contract or as required by law; deletion upon request or account closure, subject to legal/financial retention. | None. | Access control, encryption in transit (TLS), role-based permissions, audit logs; least-privilege access for support. | May be processed/stored outside EEA/UK depending on hosting and third parties. Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. | Art. 6(1)(b) Contract (provide core service); Art. 6(1)(f) Legitimate interests (service improvement, security). |
Assignment (student, due_date, status, notes, timestamps) | Created by parents/guardians. | Deliver lists to students; track overall completion. | Parent-managed task workflows linked to student progress. | Infrastructure hosting. | Application databases. | Retained for the life of the account/contract or as required by law; deletion upon request or account closure, subject to legal/financial retention. | None. | Access control, encryption in transit (TLS), role-based permissions, audit logs; least-privilege access for support. | May be processed/stored outside EEA/UK depending on hosting and third parties. Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. | Art. 6(1)(b) Contract (provide core service); Art. 6(1)(f) Legitimate interests (service improvement, security). |
Completion (task, assignment, completed_by, status, notes, points_awarded, student_notes) | Submitted by student; reviewed by parent. | Review, approve/reject, and award points. | Evidence tracking and reward attribution. | Infrastructure hosting. | Application databases. | Retained for the life of the account/contract or as required by law; deletion upon request or account closure, subject to legal/financial retention. | None. | Access control, encryption in transit (TLS), role-based permissions, audit logs; least-privilege access for support. | May be processed/stored outside EEA/UK depending on hosting and third parties. Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. | Art. 6(1)(b) Contract (provide core service); Art. 6(1)(f) Legitimate interests (service improvement, security). |
Notifications (content, type, meta JSON, read status) and preferences | Generated by system; preferences set by user. | Communicate relevant updates; web/email/push. | Service notifications and user preferences. | Infrastructure hosting; push/email providers if enabled. | Application databases. | Retained for the life of the account/contract or as required by law; deletion upon request or account closure, subject to legal/financial retention. | None. | Access control, encryption in transit (TLS), role-based permissions, audit logs; least-privilege access for support. | May be processed/stored outside EEA/UK depending on hosting and third parties. Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. | Art. 6(1)(b) Contract; Art. 6(1)(a) Consent for optional channels where required. |
Payment metadata (customer/checkout IDs, has_paid flag) | Provided/returned by payment processor during checkout. | Manage subscriptions and access tier. | Billing and access control. | Payment processor (e.g., Stripe via dj-stripe). | Application databases (IDs only); no card numbers stored. | Financial records retained as required by law; otherwise per account lifecycle. | None. | Access control, encryption in transit (TLS), role-based permissions, audit logs; least-privilege access for support. | May be processed/stored outside EEA/UK depending on hosting and third parties. Standard Contractual Clauses (SCCs) or equivalent safeguards where applicable. | Art. 6(1)(b) Contract; Art. 6(1)(c) Legal obligation (tax/records). |
ย
Did this answer your question?
๐
๐
๐คฉ