The new General Data Protection Regulation, or GDPR, is set to overhaul how businesses process and handle personal data. Here at PebblePad, we take our responsibilities seriously, and we are committed to being transparent about our data policies.
Useful links and contact information
Any questions about our data policies and information requests should be sent for the attention of our Data Protection Representative to email@example.com.
What personal data do you store and why do you need it?
By default, we store the minimum amount of data possible to support access to the PebblePad platform, namely: First name, last name and email address. We may also store information passed over by a user’s organisation, such as postal code or telephone number.
Where is user data stored and how is it kept secure?
- Data is stored on secure servers in the cloud.
- Data is stored in as few places as possible.
- Our employees will not create any unnecessary additional data sets.
- Our employees are trained in data security and will take all reasonable steps to ensure user data is accurate and kept up-to-date.
- We strictly enforce a policy which ensures no customer data can leave the region in which it was created, thereby ensuring compliance with local data protection laws.
How long do you retain data for?
- PebblePad data is held for the lifetime of an account. When a user account is deleted, the user’s data is automatically purged after a period of 30 days. In the case of an organisation discontinuing their PebblePad licence, all associated account and user data is purged 150 days after the licence expiry date.
- Support tickets are held for 5 years.
- Contact details gathered as part of marketing activities through our websites will be retained until a user makes a request to have data held about them deleted. Users shall be able to update their preferences or revoke consent to the processing of their data for marketing purposes via the options contained within all PebblePad communications.
How do you destroy user data?
Individual user data is removed using standard OS and database calls. Provisioned storage containing sensitive data is wiped using the DoD 5220.22-M sanitising method before being returned to cloud storage pools if it is no longer required.
How can a user request information about the data you hold?
Any user can submit an information request to obtain an inventory of the data we hold about them. Requests should be sent for the attention of our Data Protection Representative at firstname.lastname@example.org. Upon receiving a request, we will provide information to the user about:
- The data we hold about them and how they can access it.
- Measures we undertake to keep their data up-to-date.
- The data policies and procedures we have in place to ensure GDPR compliance.
How can a user request the removal of their data?
Users accessing PebblePad through their university or another organisation should follow the steps outlined here:
- The user should first contact their organisation (typically a PebblePad administrator) and make a formal request for their data to be removed.
- The user’s organisation should then notify us of the request.
- Upon receiving a request for the removal of a user’s data, we will create an inventory of all the data we hold for that user. The inventory will include: User account details, all PebblePad assets created or collaborated upon, submitted work, shared assets, information in logged files, support tickets, and information in marketing databases.
- The inventory will be presented to the organisation who will enter into a conversation with the user about the implications of deleting the data within the inventory.
- Following agreement between the user and their organisation, we should be informed in writing of the user’s consent to have their data removed. Following receipt of consent, we will remove the user’s data as a priority and notify all parties when the removal is complete.
The process for removing data for users accessing PebblePad through Alumni or Personal Accounts is exactly the same as the above with the exception that requests for an inventory of the data we store and the consent to have data removed should come directly to us at email@example.com.