Privacy Policy

Last updated: 7 May 2025

1. Who we are

CPAC Tracker is an online platform for A-Level science practical endorsement record keeping, operated by CPAC Tracker (“we”, “us”, “our”). We are the data controller for the personal data described in this policy.

You can contact us regarding data protection matters at: admin@cpactracker.co.uk

2. What data we collect and why

Teachers and school staff

  • Account data: name, work email address, school name, department — used to create and manage your account.
  • Usage data: classes created, assessments recorded, practical sessions logged — used to provide the service.
  • Payment data: billing information is processed by Stripe. We do not store card details directly.
  • Communications: emails you send us for support purposes.

Students

  • Account data: name, email address — entered by their teacher or by the student themselves when joining a class.
  • Assessment records: CPAC competency scores, attendance records, practical completion data — entered by teachers in the course of using the platform.
  • Lab book evidence: files uploaded by students (e.g. photographs, PDFs of practical work) — stored securely and only accessible to the student and their teacher.
  • Reflections: written reflections submitted by students as part of their lab book.

Note for schools: Where student data is entered by a teacher on behalf of a school, the school acts as data controller and CPAC Tracker acts as data processor. Schools should ensure they have appropriate basis to share student data with us under UK GDPR.

3. Legal basis for processing

  • Contract: processing your account data and usage data is necessary to provide the service you have signed up for.
  • Legitimate interests: we may process certain data to improve the platform, detect abuse, and ensure security — where this does not override your rights.
  • Legal obligation: we may process data where required to comply with applicable law.

4. How we store and protect your data

All data is stored on servers located within the European Economic Area (EEA). We use the following measures to protect personal data:

  • All connections to the platform are encrypted in transit using TLS (HTTPS).
  • Student lab book files are stored in Cloudflare R2 object storage with private access — files are only accessible via short-lived authenticated URLs.
  • Passwords are hashed using bcrypt and are never stored in plain text.
  • Access to student data is restricted to the teacher(s) responsible for that student's class and authorised department/faculty leads within the same school.
  • We do not sell, rent or share personal data with third parties for marketing purposes.

5. Third-party services

We use the following third-party processors to operate the platform:

StripePayment processingUSA (Standard Contractual Clauses)
Cloudflare R2File storage for lab book evidenceEEA
SMTP mail providerSending account emails (verification, password reset)UK

6. How long we keep your data

  • Teacher accounts: retained while the account is active. On deletion, account data is removed within 30 days.
  • Student records: retained while the associated class exists. Teachers can delete student records at any time.
  • Lab book files: deleted from storage when the submission is deleted.
  • Payment records: retained for 7 years as required by UK financial regulations.

7. Cookies

We use only essential cookies required for the platform to function:

session token (teacher)Keeps you signed in to your teacher accountSession
student_tokenKeeps a student signed in to their portal30 days

We do not use analytics, advertising or tracking cookies. No third-party cookies are set by our platform.

8. Your rights under UK GDPR

You have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Rectification: ask us to correct inaccurate or incomplete data.
  • Erasure: request deletion of your personal data in certain circumstances.
  • Restriction: ask us to restrict how we use your data.
  • Portability: receive your data in a structured, machine-readable format.
  • Objection: object to processing based on legitimate interests.

To exercise any of these rights, contact us at admin@cpactracker.co.uk. We will respond within one month.

9. Complaints

If you believe we have not handled your data lawfully, you have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

10. Changes to this policy

We may update this policy from time to time. We will notify registered users of any material changes by email. Continued use of the platform after changes take effect constitutes acceptance of the updated policy.