GDPR – FREQUENTLY ASKED QUESTIONS

We have always treated your organisation's data with the utmost respect, and with the implementation of the General Data Protection Regulation (GDPR), we have conducted a robust audit to ensure we will be fully compliant by the time it is introduced into law on 25th May 2018.

As an organisation subscribing to Oddizzi, you are considered to be the data controller, and Little Travel Bug Ltd / Oddizzi, the data processor. The data subjects are your staff and students.

Here are the commonly asked questions on GDPR and our answers on how we meet these obligations:

Question / Our Answer

Will you be GDPR compliant?

We are pleased to announce that following a full audit, actions have been put into place to ensure we will be compliant ahead of the 25th May deadline.

Are you registered with the ICO (Information Commissioner's Office)?

Yes, we have been registered since 2011. Our registration number is Z2632838.

Do you have a Data Protection Officer?

As a small business, we are not obliged to have a Data Protection Officer, but Jennifer Cooke, CEO of Little Travel Bug, is the point of contact for all matters relating to data protection - info@oddizzi.com.

What data do you hold?

To enable us to provide you with the Oddizzi service, we request, store and process the following data relating to your organisation:

Organisational Data:

Purposes: account name, billing and contractual requirements (including trial account management, subscription renewal, account admin).

  • Organisational name
  • Address details
  • Main phone number
  • General email address
  • Number of students on roll

Purpose: research & development

  • Gender mix of each class created
  • Age range of each class created

Staff Data (Teachers):

Purposes: creation of staff user accounts, data that is required by the product to enable specific features, telephone support during trial and ongoing user support (product update newsletters).

  • Title, first name and surname
  • Email address
  • Phone number for key contact
  • Class(es) they are associated with
  • Messages (text and images), sent and received via the ClassPals system

Purpose: research & development

  • Job role/ title
  • Usage statistics
  • Data collected through user surveys

Purposes: Marketing (product updates, follow-up to trial sign ups and promotional campaigns via email, mail and phone.)

  • Title, first name and surname
  • Email address
  • Job role / title
  • Data collected through user surveys
  • Phone number

Student Data:

Purpose: creation of student user accounts and data that is required by the product to enable specific features

  • First name and surname
  • Their class

Purposes: customer support and on-going research & development

Usage statistics and performance data collected from Umbuzo quizzes played (e.g. quiz played, level, time taken, number of errors and score)

What is the process if data you hold is incorrect and needs to be updated?

User account data can be amended within Oddizzi by the school administrator, within the Profile Section.

Otherwise, to correct information relating to the organisation, simply email or write to us, instructing us on the data that needs to be amended.

Do you process data securely?

To keep your data safe, all data is encrypted at rest and in transit using industry standards.

We do sometimes store data in cloud storage services such as Dropbox, OneDrive and Google Drive.

Does your organisation have differentiated access to data depending on the sensitivity level?

User-restricted access is enforced for areas of data stored and processed that are deemed to be sensitive.

Are your staff aware of the importance of data protection?

All staff have been trained on the obligations required by GDPR and how it applies to them in their day-to-day role and the tasks that they fulfil.

Do you subcontract to 3rd party data processors?

We contract a small number of 3rd party data processors, to allow us to meet the contractual obligations for delivery of the Oddizzi service. These include:

  • Web hosting and data storage
  • Customer relationship management (CRM) system
  • Download management system
  • Email transmission platform
  • Email marketing platform
  • Accounting software

The 3rd party processors and their purposes are listed within our terms and conditions. Should these change, you will be notified, giving 14 days' notice.

Are your 3rd party contractors GDPR compliant?

We regularly conduct audits across all our 3rd party contractors and services we use, to ensure they satisfactorily meet GDPR obligations.

Where do you store your data?

Data is primarily held on secure servers within the European Economic Area (EEA).

Where data might be stored in the United States or other regions by our third party processors, this is under the EU-US Privacy Shield agreement (https://www.privacyshield.gov/) or EU model clauses. Where data might be stored elsewhere, this will be only under a model contract with the 3rd party processor.

Do you share our data with third parties?

We do not knowingly share or sell users' personal data to external 3rd parties.

We will only disclose personal information to other companies within the group, as well as specific 3rd party processors that are contracted to enable us to carry out our obligations arising from the terms and conditions entered into with our customers. These 3rd party processors are as outlined in the Privacy Policy.

Do you hold financial information?

We do not hold any financial information regarding individual users.

Can we stop getting emails from you?

On a regular basis we send product update news via email.

All recipients have the right to opt out of this communication by clicking on the unsubscribe link. Alternatively, recipients can email us to opt out of receiving further newsletters.

How long do you keep data for?

We will only keep data whilst we have a legitimate reason to. Otherwise, the data will be deleted.

For example, if you terminate your subscription, any personal data is held for 12 months, should your organisation change its mind. After this period, data relating to your organisation's users will be automatically deleted.

The Oddizzi administrator and all staff users at your organisation will be retained on our customer relationship management system and email system, to make it easy to re-activate your account should you change your mind and to continue receiving product newsletters and marketing updates. They will have the option to unsubscribe at any time.

We do reserve the right to retain and use personal data where required to comply with legal obligations, to resolve disputes, and/or to enforce our terms and conditions.

Do you have a Privacy Policy and Terms and Conditions which meet GDPR requirements?

Yes we do. Please refer to:

www.oddizzi.com/privacy-statement/

www.oddizzi.com/terms-conditions/