Yipiyap’s Privacy Policy

Our contact details

Name: Yipiyap (Yipiyap Ltd)

Address: Yipiyap, The Warrant House, 1 High Street, Altrincham, Cheshire, WA14 1PZ

Phone Number: 01619145522

E-mail: gdpr@yipiyap.co.uk

What personal information do we collect and use?

The amount and types of personal information we gather will vary depending on your relationship with Yipiyap.

For example, if you are a visitor to our website, a Peerscroller user, a Yipiyap Aspire user, or a contact at a prospective partner school, the information we gather will be minimal; or, if you are applying to work with us, we will need to ask a little more about you.

We only ever collect information with a good reason, having balanced the benefits against the risks to your personal freedoms – our default option is always to gather no data at all.

Information you provide us

Usually, if we are processing your information, it’s because you’ve agreed to give it to us. Most of the personal information we process is provided to us directly by you for one of the following reasons:

  • Collaborating with our partner schools, colleges, and other organisations to deliver live or digital support

  • Recruiting new team members, Yipiyap tutors, Peerscroller content creators and members of our Leadership Team

  • Supporting you if you’re a member of our team

  • Responding to an enquiry you’ve made, some feedback you’ve left, or a suggestion you’ve made

  • Finding new schools and colleges to work with, or keeping in touch with schools or colleges who might want to work with us

  • Keeping in touch with you if you’re a Yipiyap alumni

  • Communicating with you if you’ve engaged us for private support

Information provided by a third party

Sometimes, somebody else will put us in touch with you.

  • An applicant to work at Yipiyap may put you down as their referee

  • If you are a member of staff at one of our partner schools or colleges, being able to contact you will likely be key to supporting your students

  • If you are a student taking part in the Yipiyap Upgrade programme, your college may have told us what we need to know to deliver your support: who you are, how to contact you, and what you’ve been studying

Publicly available information

From time to time, we make contact with institutions who might be interested in working with Yipiyap, using publicly available contact details. This might be to deliver support to their students or to find opportunities at Yipiyap for their Key Stage 5 leavers.

Information we get from your use of and website

We keep a record of how and website are used, to help us improve our services. We do this through the use of cookies and similar technologies. Overall, cookies help us provide you with a better website by enabling us to monitor which pages and features you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.

Some of our cookies and app data collection methods are essential to operating the website and app and therefore cannot be disabled. Our analytics cookies are disabled until you agree to their use.

Information we get when you use Peerscroller

Your use of Peerscroller, whether as a staff member, a learner, or a parent, is also governed by the terms of this policy.

Annex 1 details how we process your data when you use Peerscroller in full detail.

Legal Basis for Processing

We will only ever process personal data where we have a legal basis under the General Data Protection Regulation (GDPR). For Yipiyap, these bases are:

(a) We have your consent. You are able to remove your consent at any time. You can do this by contacting gpdr@yipiyap.co.uk.

(b) We need your data to fulfil a contractual obligation we’ve made with you.

(c) We have a legal obligation – for example, where we follow laws requiring taxes, pensions, employment, immigration, or any other requirements we have as a company.

(d) We have a legitimate interest in doing so, or we believe you have a legitimate interest in us doing so. We always balance the benefits of processing data in this way against the risks to your rights as an individual and will only ever do so if we believe it to be reasonable.

Who do we share your information with?

Yipiyap engages third-party processors to help deliver our services: this usually means a digital service provider, such as our cloud storage processors or our website and app hosts. These processors handle your data only under the explicit instruction of the company, and we have contracts in place with them to ensure your data is safeguarded.

Some of these processors are outside of the UK or the EEA. Where this is the case, our contracts ensure your data is handled with a level of protection equivalent to a processor within the UK or the EEA, through the use of Standard Contractual Clauses.

How do we store your personal information?

Your information is securely stored in the cloud, by one of our providers. We also have an on-site backup, kept securely on our premises.

We keep your personal information only for as long as it is necessary to achieve the specific purpose for which we collected it. Some laws require us to keep different data for different periods of time; for example, we keep data regarding our employees for as long as is required by HM Revenues and Customs.

For each type of data, we process it only for the period set out in our retention policy. After that, we will either delete or anonymise your data so it can no longer be traced back to you, or seek your permission to retain it for longer if there is a good reason to do so.

Your data protection rights

Under data protection law, you have rights including:

  • Your right of access - You have the right to ask us for copies of your personal information.

  • Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

  • Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

  • Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

  • Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

  • Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us by one of the following methods if you wish to make a request:

By e-mail: gdpr@yipiyap.co.uk

By phone: 01619145522

By post: Yipiyap, The Warrant House, 1 High Street, Altrincham, Cheshire, WA14 1PZ

Data security

The security of your personal data is paramount, and we take our duty to protect it seriously. We partly do this by minimising the amount of data we ask you for – we only ever ask for what is needed. We have policies in place to make sure your data is not lost, accidentally destroyed, misused, or disclosed, and to ensure it is only ever accessed by our employees in the performance of their duties or other authorised parties.

We have the following measures in place to help protect your data:

Confidentiality

“Confidentiality means that personal data is protected against unauthorised disclosure.”

Physical Security

  • Physical access control systems in place

  • Surveillance systems including alarms and, as appropriate, CCTV monitoring

  • Clean desk policies and controls in place (Locking of unattended computers, locked cabinets etc.)

  • Destruction of data on physical media and documents

Access Control & Prevention of Unauthorised Access

  • User access restrictions applied and role-based access permissions provided/reviewed based on segregation of duties principle

  • Strong authentication and authorisation methods

  • Centralised password management and strong/complex password policies (minimum length, complexity of characters, expiration of passwords etc.)

Encryption

  • Encryption of cloud storage at rest and during communication via strong cryptographic protocols

Data Minimisation

  • Pseudonymisation of personal data to prevent direct identification of an individual wherever suitable

  • Segregation of databases by function

  • Logical segregation of databases by role-based access rights

  • Defined data retention periods for personal data

Integrity

“Integrity refers to ensuring the correctness (intactness) of data and the correct functioning of systems. When the term integrity is used in connection with the term "data", it expresses that the data is complete and unchanged.”

Logging & Monitoring

  • Logging of access and changes on data

Availability

  • “The availability of services and IT systems, IT applications, and IT network functions or of information is guaranteed if the users are able to use them at all times as intended.”

  • Critical data either replicated or backed up (Cloud Backups/Hard Disks/Database replication etc.)

  • Planned software, infrastructure and security maintenance in place (Software updates, security patches etc.)

  • Alarm, security systems in place

  • Physical Protection measures in place for critical sites (e.g. fire and/or smoke detectors)

Data Processing Instructions

"Data Processing Instructions refers to ensuring that personal data will only be processed in accordance with the instructions of the data controller and the related company measures."

  • Privacy and confidentiality terms in place within employee contracts

  • Regular data privacy and security trainings for employees

  • Appropriate contractual provisions to the agreements with sub-contractors to maintain instructional control rights

  • •Regular security audits

Complaints or queries

If you have any concerns about our use of your personal information, you can make a complaint to us by one of the following methods:

By e-mail: gdpr@yipiyap.co.uk

By phone: 01619145522

By post: Yipiyap, The Warrant House, 1 High Street, Altrincham, Cheshire, WA14 1PZ

The Information Commissioner’s Office (the ICO) is the UK’s regulatory body for information. If you wish to lodge a complaint about this privacy notice, the procedures set out within it, or how we handle your data, you can contact the ICO at:

By post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Helpline number: 0303 123 111

ICO website: https://www.ico.org.uk

Annex 1: Data Privacy and Peerscroller

Peerscroller is PSHE and PD focused edtech service provided by Yipiyap, delivered via a web portal for school and college staff, and an iOS and Android app for learners and parents.

When you use Peerscroller, we process your data according to the terms set out in the rest of this Privacy Policy. Information about Yipiyap’s data processing as a whole apply to Peerscroller as well.

However, this section provides specific information, to add further detail to the rest of the policy.

Usage Data

When you create and use your Peerscroller account, we gather certain Usage Data about you to facilitate your use of the service:

a) Authorise your access to the Peerscroller account,

b) Tailor the service to you, your age, and your interests,

c) Provide support

d) Gather statistics about how Peerscroller is being used

For this information, we play the role of Data Processor, following the instructions of the organisation you belong to which is providing Peerscroller. This organisation retains overall control of your data, as the Data Controller.

Contact Data

For consenting users over the age of 13, we also gather a small amount of Contact Data. For this data, we are the Data Controller.

We use this data to remain in contact with you outside of your relationship with your school, college, or whichever other kind of organisation is providing access to Peerscroller.

We collect this information so that when you leave that organisation, we can get in touch about the ways you can keep using Peerscroller.

Sharing with third parties

In order to provide the Peerscroller service, we rely on a number of third-parties, who provide services like hosting our app or providing the database that hosts your user data.

Because of this, your data will be processed by these third-parties.

The exact details of this processing change from time to time, but we will always let you know before we work with any new third-party data processors, so you are able to decide whether to keep using Peerscroller or not.

Some of these third parties are based outside of the UK or the European Union. To ensure your data is treated with an equivalent level of protection, we always have contracts in this place containing Standard Contractual Clauses. These are terms that the UK’s data rights body, the ICO, considers to provide a suitable level of protection for UK citizens.

Who owns the data you provide?

The data you provide to us in order to use Peerscroller always remains yours, and you retain all of your data protection rights detailed elsewhere in this policy.

You are always able to contact Yipiyap to enact those rights and to ensure we are using your data in a way that you’re comfortable with.

However, data processing is required to use the service. Enforcing certain rights, such as the right to have your data deleted, might mean you’re unable to user Peerscroller.