GDPR Policy

Dragons Teaching GDPR Policy 2022

Dragons Teaching Ltd uses technology to provide access to teaching through an interactive online classroom by connecting students with specialist language tutors and giving access to online learning platforms.

Dragons Teaching provides tools and reports that enable teachers and schools to analyse assessment and attainment data for students and groups of students.

Together these comprise the “service” as “we” (the company) use the term in this document.

When we talk about “you” we mean, depending upon the context, either you as an individual or the school for which you work.

Data controller v processor

We are, in line with the UK Information Commissioner’s guidance, a controller and not a processor in relation to the personal data that we collect and process in the course of providing our service (including the personal data relating to children that we collect and process in relation to the provision of tutoring sessions).

Although the principal purpose of our processing of personal data is to deliver the service and, to that extent, is agreed with you (the school), we determine the manner in which the data is processed as part of (or in relation to) service delivery, and we exercise a significant degree of interpretation, professional judgement and decision making in doing so. This means that we fall into the category of controller rather than that of processor – the activities of a processor are, per data protection guidelines, limited to the more ‘technical’ aspects of an operation such as processing only in accordance with defined instructions, data storage, retrieval, or erasure.

Our contract with you

The Terms of Service on our website form the terms of our contract with you for the delivery of the service. In addition, our Data Protection & Privacy Policy and Safeguarding policies provide information (in accordance with relevant guidelines) about the personal data processing we carry out.

Our data subjects (the individuals we collect data on)

We collect data from two main categories of data subjects within a school: students and school employees (mainly teachers, although we will collect personal data of other individuals involved in either the set-up or delivery of the service – IT managers and teaching assistants, for example).

The type of personal data we process

Under GDPR, “processing” means any operation or set of operations which is performed on personal data and includes collection, recording, storage, retrieval, use and transfer (making accessible either physically or electronically). The personal information we process includes (but is not limited too):

Students: First name, last name, school name, year group, name of class teacher.

Lessons are, in line with our Terms of Service, recorded for the purposes of teacher training, safeguarding protection and, on occasion and with explicit consent of all parties, marketing. This is a form of data processing as they have the potential to capture personal information.

Staff: First name, last name, email address, school name, contact telephone number.

The personal information of staff involved in delivery of the service will exist on financial and other systems and are processed for fulfilling a contract and will be held for the retention period applicable to that purpose.

Special categories of personal data

Provision of information about any relevant medical or learning needs or other special needs is voluntary and not necessary for delivery of the service although it does allow our teachers to adapt to the student’s needs for specific learning abilities (for example, autism, dyslexia or colour blindness). Dragons Teaching therefore uses Consent rather than Legitimate Interests for the processing of special categories of personal data.

As previously outlined, provision of this information is not required in order to use the service, but if you choose to provide it to us then it will be incumbent upon you to obtain consent from the relevant student’s parents before you do so.

Why we need to process this personal data

We limit the information collected to the minimum necessary to deliver the service and ensure that the student receives the best possible educational outcome from our service.

For members of staff, personal data is necessary to identify users, communicate via email/phone for sales, retention, student progress, analysis purposes etc.

We only collect data required for functions required in the system; data gathering points that are no longer required are removed and/or archived where necessary. Where information is not required by a user or an employee, we mask or remove it from their view of the data.

Where the personal data we process is stored

We are established in the UK and the systems which we use to process your personal data are hosted here or elsewhere in the EU.

All Dragons Teaching Ltd software where students’ personal data is stored are hosted either here in the UK on our server, or on our cloud-based ‘Digital Ocean’ accounts,

Third-party service providers

We use a number of third-party providers for services such as hosting, backup, communication platforms, storage, virtual infrastructure, payment processing and analysis, which may require them to access or use information about our customers. The main third-party providers we use are Google, Intercom, Pardot, Salesforce, Slack, Stripe, Xplenty, Mixpanel, and Xero. If a service provider needs to access information about a customer to perform services on our behalf, they do so under instruction from us, including abiding by policies and procedures designed to protect customer information.

We have UK GDPR compliant contracts with the third-party service providers we use and only engage with those that are well known and respected in their field, but only to the extent necessary in order to provide the services concerned. We only share the minimum amount of personal data necessary for the purpose of processing and, where possible, we share the personal data in a pseudo-anonymised or anonymised form (i.e. by referring to data subjects by ID rather than name when providing personal data to third parties providing data monitoring and analytic tools).

Internal personal data regulations: our teachers

The measures we put in place to ensure the privacy of your data include:

  • Only providing our teachers with the students’ first names, last names, school names and class names
  • Managing a teacher induction and training framework, which includes data protection and safeguarding training
  • Limiting the tasks teachers can undertake on the Platform, including not being able to independently set-up or start sessions, and blocking the upload or download of content or data (i.e. session recordings)

Internal personal data regulations: our employees

We ensure that our staff deal with personal data in accordance with the policies and procedures that we have put in place. Failure to comply with policies and procedures in place or breaching data privacy will be dealt with through our disciplinary procedures.

Where personal data has been provided but is not required by the person accessing the platform, the Company masks or removes it from their view of the data.

Other instances where we may use personal data

Lessons are recorded in certain instances as outlined above and the recordings are used by us to:

  • monitor and track progress,
  • provide feedback on progression and performance,
  • assess the quality of teaching provided,
  • assess compliance by teachers with guidelines,

and other factors relevant to the teaching.

Recordings are also a tool for on-going continual professional development for teachers enabling us to improve the services provided and enhance educational outcomes through conducting analysis and research into sessions and outcomes.


We take online safety seriously and are committed to ensuring that children using our services do so in a safe educational environment. Our recruitment processes, safeguarding policies and procedures, safeguarding training and the features built into our delivery platform are all designed to provide a safe educational environment for children.

Please view our Safeguarding and Child Protection policy for further information.

Your responsibilities

The accuracy of personal data supplied to us is the responsibility of the school as it is provided by the employees of the school purchasing the service. Personal data provided (either about staff or students) can be updated or amended by you at any stage.

We are established in the UK and the systems which we use to process your personal data are hosted here or elsewhere in the EU.