Data Processing Addendum

Introduction

This Data Processing Addendum ("DPA") forms part of the agreement between you and Classroom Hub when you use the Service and upload personal data about students or others. It is incorporated by reference into our Terms of Service.

This DPA applies where UK data protection law (including the UK GDPR and the Data Protection Act 2018) applies to personal data you submit to Classroom Hub through my.classroomhub.app.

Details of Processing

Subject matter

Provision of the Classroom Hub classroom management service.

Duration

For as long as you maintain an active account, plus the retention period described in our Privacy Policy after cancellation.

Nature and purpose

Storage, organisation, retrieval, display, and backup of personal data you enter to operate your classes (gradebook, attendance, behaviour, reports, and related features).

Types of personal data

Student first names; optional progress notes, grades, behaviour records, and class assignments; teacher and staff account data as described in our Privacy Policy.

Categories of data subjects

Students whose data you enter; teachers and school staff who use the Service.

We process personal data only to provide, maintain, and improve the Service. We do not use student personal data for advertising, profiling, or any purpose unrelated to delivering the Service to you.

Processor Obligations

Classroom Hub shall:

• Process personal data only on your documented instructions, except where required by UK or EU law
• Ensure that persons authorised to process personal data are bound by confidentiality obligations
• Implement appropriate technical and organisational measures to protect personal data (see Security below)
• Not engage another processor (sub-processor) without informing you, subject to the Sub-processors section below
• Assist you, taking into account the nature of processing, in responding to data subject rights requests where feasible
• Assist you with security obligations, breach notification, and data protection impact assessments where required and reasonable
• At your choice, delete or return personal data after the end of provision of the Service, subject to our retention policy and legal obligations
• Make available information necessary to demonstrate compliance with Article 28 UK GDPR and allow for audits on reasonable notice, subject to confidentiality and security constraints

You warrant that you have a lawful basis to upload personal data to the Service and that your instructions comply with applicable data protection law.

Sub-processors

You authorise Classroom Hub to use sub-processors to provide the Service. Our current sub-processors are listed in the Privacy Policy (including Supabase, Stripe, Cloudflare, and OpenWeatherMap where applicable).

We impose data protection obligations on sub-processors that are substantially similar to those in this DPA. We will notify account holders of material changes to sub-processors by updating the Privacy Policy and, where appropriate, by email.

If you object to a new sub-processor on reasonable data protection grounds, contact us at [email protected]. If we cannot reasonably accommodate your objection, you may terminate your account.

Security

We maintain appropriate technical and organisational measures to protect personal data, including:

• Encryption of data in transit (TLS/HTTPS)
• Encrypted database storage hosted within the European Union via Supabase
• Password hashing using industry-standard methods
• Access controls limiting staff access to production data
• Regular monitoring and incident response procedures

Further detail is set out in the Privacy Policy.

Data Subject Rights

Data subjects (including parents or guardians) should normally direct requests to exercise UK GDPR rights to you as Data Controller. Where a request is sent directly to Classroom Hub, we will promptly notify you unless prohibited by law.

We will provide reasonable assistance to help you respond to such requests. You may also contact us at [email protected] for support.

Deletion and Return

On account cancellation or termination, personal data is deleted in accordance with our data retention policy — typically within 90 days, unless a shorter period is required by law or you request earlier erasure.

You may export your data through the Service where export features are available, or request deletion at any time by emailing [email protected]. We will honour valid erasure requests without undue delay, and in any event within one month unless an extension is permitted by law.

International Transfers

Personal data is primarily stored in the European Union. Where sub-processors process data outside the UK, we ensure appropriate safeguards are in place as required by UK data protection law, such as UK adequacy regulations or Standard Contractual Clauses.

Term and Changes

This DPA remains in effect for as long as Classroom Hub processes personal data on your behalf. We may update this DPA to reflect changes in law or the Service. Material changes will be posted on this page with an updated date. Continued use of the Service after changes constitutes acceptance of the updated DPA.