
Privacy Policy

Last updated: June 2026 · Applies to Ctrl Class Portfolios

Privacy at a glance

  • Your school is the data controller — you own and control the data
  • Files stay in your school's Google Shared Drives — Ctrl Class never stores student work
  • We only manage Google Drive permission grants — we never read file contents
  • Students are identified by Google account ID only — no extra personal data collected
  • Teachers sign in via Google OAuth — no separate password created or stored
  • We never sell, share, or use school data for advertising of any kind
  • We do not use tracking pixels, third-party analytics, or advertising cookies
  • We do not access file contents — only folder-level permission metadata
  • We do not transfer personal data outside the UK/EEA without adequate safeguards

01

Who we are

Ctrl Class Portfolios is a product of Ctrl Class ("we", "us", "our"). We provide a SaaS application that allows teachers in UK schools and Multi-Academy Trusts to lock and unlock student Google Drive portfolio folders for non-exam assessment and lesson-time access control.

This policy explains what personal data we collect when you or your school uses Ctrl Class Portfolios, why we collect it, who we share it with, and what rights you have under UK GDPR and the Data Protection Act 2018.

If you have questions about this policy or about data we hold, contact us at privacy@ctrlclass.co.uk — placeholder address; update before launch.

02

Who controls the data

Ctrl Class Portfolios operates as a data processor acting on behalf of your school or trust, which is the data controller. This means:

Data Controller
Your school or trust

Decides why data is processed, who has access, and determines retention. Retains ownership of all files and configurations. Signs the Data Processing Agreement.

Data Processor
Ctrl Class

Processes data strictly according to your instructions — to manage Google Drive folder permissions as directed by the teacher dashboard. Does not make independent decisions about the data.

A Data Processing Agreement (DPA) is available for all subscribing schools and trusts. This is required under UK GDPR Article 28. Contact us to obtain and sign a DPA before going live.

Sub-processors

Ctrl Class uses the following third-party sub-processors to deliver the service:

Sub-processor: Google LLC
  Purpose: Google OAuth sign-in; Google Drive API (folder and permission management); Google Shared Drives where portfolio folders are stored
  Data transfer basis: Google's Standard Contractual Clauses + UK Addendum; Google Workspace Terms of Service

Sub-processor: Cloud hosting provider [to be named before launch]
  Purpose: Application servers, database (stores configuration data, not file contents)
  Data transfer basis: UK/EEA data residency confirmed before launch

We will maintain and publish a complete sub-processor list. We will notify subscribing schools at least 30 days before adding a new sub-processor.

03

What data we collect and why

We collect the minimum data necessary to operate the service. Below is a full account of every category of personal data we process.

Teacher / staff accounts

Data item: Google account ID
  Source: Google OAuth at sign-in
  Purpose: Uniquely identify the teacher's account within Ctrl Class
  Legal basis (UK GDPR): Contract (Art. 6(1)(b)) — necessary to provide the service

Data item: Name and email address
  Source: Google OAuth at sign-in
  Purpose: Display in dashboard; send service notifications (e.g. onboarding, lock/unlock confirmations)
  Legal basis (UK GDPR): Contract (Art. 6(1)(b))

Data item: Profile picture URL
  Source: Google OAuth at sign-in
  Purpose: Display in dashboard UI
  Legal basis (UK GDPR): Contract (Art. 6(1)(b))

Data item: OAuth access and refresh tokens
  Source: Google OAuth at sign-in
  Purpose: Authenticate API calls to Google Drive on the teacher's behalf to manage folder permissions
  Legal basis (UK GDPR): Contract (Art. 6(1)(b)); tokens are encrypted at rest

Student data

Ctrl Class processes the minimum student data needed to manage folder-level permissions. We do not collect, store, or access student work, files, or content.

Data item: Google account ID
  Source: School administrator (roster import or Google Directory API)
  Purpose: Identify the specific Google account to which a folder permission grant should be applied or revoked
  Legal basis (UK GDPR): Legitimate interests (Art. 6(1)(f)) — operating the controlled-assessment service the school has contracted for; or Contract where the student is the direct service recipient

Data item: Name and email address
  Source: School administrator (roster import)
  Purpose: Display in teacher dashboard so teachers can identify which student's folder they are viewing; confirm correct permission target
  Legal basis (UK GDPR): Legitimate interests (Art. 6(1)(f))

Data item: Google Drive folder ID
  Source: Google Drive API (generated when folder is created)
  Purpose: Address the correct portfolio folder when applying or revoking a permission grant
  Legal basis (UK GDPR): Contract (Art. 6(1)(b))

Data item: Google Drive permission ID
  Source: Google Drive API (returned when a permission grant is created)
  Purpose: Store the reference needed to revoke the grant on lock. Not linked to file contents.
  Legal basis (UK GDPR): Contract (Art. 6(1)(b))

Student data is processed strictly on the school's instruction (through teacher actions in the dashboard). Students are never added as members of the school's Shared Drive — each permission is granted at the individual folder level only.

Operational logs

Data item: Lock / unlock event log — timestamp, teacher account ID, class ID, action taken (lock or unlock), number of folders affected
  Purpose: Audit trail for teachers and school administrators; evidence of controlled-assessment compliance; debugging
  Retention: 12 months rolling, then deleted automatically

Data item: Application error logs — timestamp, anonymised user ID, error type
  Purpose: Service reliability and debugging
  Retention: 30 days, then deleted

Waitlist / early access sign-ups

Data item: Name, email address, school name, role — collected via the early-access form on the website
  Purpose: Contact you about Ctrl Class Portfolios launch, onboarding, and updates. Not used for any other marketing.
  Retention: Until you unsubscribe, or until 24 months after your last interaction, whichever is sooner

Legal basis for waitlist processing: Consent (Art. 6(1)(a)). You can withdraw consent at any time by emailing privacy@ctrlclass.co.uk or clicking the unsubscribe link in any email we send you. Withdrawal does not affect lawfulness of processing before withdrawal.

04

What we never access or store

Data we do not collect, access, or store

The following are explicitly out of scope for Ctrl Class Portfolios — by technical design, not just policy:
  • File contents. Ctrl Class interacts with the Google Drive Permissions API only. We request only the Drive permission scopes needed to create and revoke folder-level grants. We do not request read access to file contents, and no file data ever passes through our servers.
  • Other Drive files or folders. We operate only within the specific Shared Drive and portfolio folder structure set up for the service. We have no access to other files in the school's Google Drive environment.
  • Student browsing or activity data. We do not embed any tracking scripts in the student-facing dashboard or any page of the application.
  • Special category data. We collect no health, special educational needs, race, religion, or biometric data. If a student's name incidentally reveals protected characteristics, that data is never used or processed for any purpose beyond folder identification.
  • Passwords. Authentication is exclusively via Google OAuth. We never see, store, or transmit school Google account passwords.
  • Advertising or marketing profiles. We build no profiles about teachers or students for advertising or resale. We receive no revenue from data.

05

Google Workspace and data ownership

Ctrl Class Portfolios operates on top of your school's existing Google Workspace for Education environment. This means:

  • Files stay in your school's Shared Drives. Portfolio folders are created within Google Shared Drives owned and administered by your school. Ctrl Class does not host or mirror file storage — the files are Google's infrastructure, managed by your school's Google Workspace administrator.
  • Your school's Google Workspace terms apply to the files. Your school's agreement with Google (Workspace for Education Terms of Service and its associated Data Processing Amendment) governs how Google handles the file data. Ctrl Class's DPA governs how we handle the permission metadata we process.
  • Cancellation has no effect on files. If you cancel your Ctrl Class subscription, all portfolio folders remain intact in your school's Shared Drives exactly as before. The only thing removed is Ctrl Class's ability to manage their permissions. We will delete our configuration data (class setups, student rosters, event logs) within 30 days of cancellation, on request.
  • Google OAuth scopes we request. We request only the scopes necessary:
    • openid profile email — to identify the signed-in teacher
    • https://www.googleapis.com/auth/drive.file — limited access to files created by or opened with Ctrl Class, used to manage the portfolio folder permissions we create
    We do not request broad Drive access or any Admin SDK scope unless your school's IT administrator explicitly grants additional scopes for roster import.

06

Security measures

We apply technical and organisational measures appropriate to the risk:

  • Encryption in transit. All communication between your browser, our servers, and Google's APIs uses TLS 1.2 or higher. Connections are rejected below this standard.
  • Encryption at rest. All database data — including OAuth tokens and any personal data we store — is encrypted at rest using AES-256.
  • OAuth token handling. Refresh tokens are stored encrypted and are never logged or included in error reports. Access tokens are short-lived and not persisted beyond the immediate API call.
  • Access controls. Teacher accounts can access only the classes and students assigned to them. School administrators can access all classes within their school. No Ctrl Class employee accesses production data without explicit approval and logging — and then only to investigate a reported incident, never to view file contents (which we cannot access regardless).
  • Least-privilege principle. Our application requests only the Google API scopes it needs. Internal staff have role-based access to systems, with access reviewed regularly.
  • Data breach procedure. In the event of a personal data breach, we will notify the relevant school or trust without undue delay and, where required under UK GDPR, notify the ICO within 72 hours. We will co-operate fully with the school's own incident response obligations.

07

Data retention

Data category: Teacher account data (name, email, Google ID, OAuth tokens)
  Retention period: Retained while the subscription is active. Deleted within 30 days of subscription cancellation or account deletion request.

Data category: Student roster data (name, email, Google ID, folder/permission IDs)
  Retention period: Retained while the class exists in the system. Deleted when a teacher removes a student or class, or within 30 days of subscription cancellation.

Data category: Lock/unlock event logs
  Retention period: 12 months rolling. Deleted automatically after this period.

Data category: Application error logs
  Retention period: 30 days. Deleted automatically.

Data category: Waitlist / early-access sign-up data
  Retention period: Until unsubscribe, or 24 months after last interaction, whichever is sooner.

Data category: Portfolio files in Google Drive
  Retention period: Not applicable — these are your school's files in your school's Shared Drives. Ctrl Class has no control over their retention; they follow your school's Drive management policies.

You may request earlier deletion of any data we hold about you or your school at any time by contacting privacy@ctrlclass.co.uk. We will respond within 30 days.

08

Your rights under UK GDPR

Where we act as data controller (e.g. for waitlist data), the following rights apply to you directly. Where we act as data processor on your school's behalf, requests from individual teachers or students should in the first instance go to the school as data controller — we will support the school in fulfilling any data subject request.

Right of access

Request a copy of the personal data we hold about you and information on how it is used.

Right to rectification

Request correction of inaccurate or incomplete personal data.

Right to erasure

Request deletion of personal data where there is no compelling reason for its continued processing.

Right to restrict processing

Request that we limit how we use your data in certain circumstances.

Right to data portability

Receive your data in a structured, machine-readable format (applies to data processed by consent or contract).

Right to object

Object to processing based on legitimate interests. We will stop unless we can demonstrate compelling legitimate grounds.

Right to withdraw consent

Where processing is based on consent (e.g. the waitlist), you can withdraw at any time without affecting prior processing.

Right to complain

Lodge a complaint with the ICO (Information Commissioner's Office) at ico.org.uk if you believe we have mishandled your data.

To exercise any of these rights, contact us at privacy@ctrlclass.co.uk. We will respond within one calendar month (the UK GDPR deadline). We may need to verify your identity before acting on a request.

09

Children's data

Ctrl Class Portfolios is intended for use by schools with students who may be minors. We take extra care with this data:

  • Student data is processed strictly on the school's instruction — schools are responsible for obtaining any parental consent required under their own policies and applicable law.
  • We collect only the minimum student data needed to identify a Google account and manage a folder permission. We do not build profiles of student behaviour, track engagement, or use student data for any purpose beyond operating the service.
  • Student data is never sold, shared with advertisers, or used to train AI/ML models.
  • The student-facing dashboard contains no advertising, no tracking, and no third-party scripts.
  • Schools using Google Workspace for Education Fundamentals or Plus operate under Google's additional commitments regarding children's data under their Education Terms of Service.

10

Cookies and tracking

The Ctrl Class Portfolios marketing website (the site you are currently browsing) uses no analytics cookies, no advertising cookies, and no third-party tracking scripts. The only external request made is to Google Fonts for typeface delivery.

The Ctrl Class Portfolios application (the teacher and student dashboards) uses a session cookie strictly necessary to maintain your signed-in state via Google OAuth. No third-party cookies are set by the application. No analytics, advertising, or tracking cookies are used in the application.

Because we use only strictly necessary cookies, no cookie consent banner is required under the UK PECR. If we add any non-essential cookies in the future, we will update this policy and implement an appropriate consent mechanism.

11

Changes to this policy

We will update this policy when we make material changes to how we handle personal data. For subscribing schools, we will notify the school's primary contact by email at least 14 days before a material change takes effect. For waitlist sign-ups, we will notify by email. Continued use of the service after the effective date constitutes acceptance of the updated policy.

The "Last updated" date at the top of this page reflects the most recent revision.

12

Contact us

For data protection enquiries, subject access requests, or to request a Data Processing Agreement:

Ctrl Class — Data Protection

Email: privacy@ctrlclass.co.uk

We aim to respond to all data protection enquiries within 5 working days, and to formal subject access requests within one calendar month as required by UK GDPR.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been handled unlawfully. The ICO can be reached at ico.org.uk or on 0303 123 1113.