Data Processing Agreement
Last updated: February 2026
Summary: This agreement sets out how Sear Education handles personal data on your organisation's behalf when you use Mr Sear's MTC. Your organisation remains in control of the data at all times. By using the Service, your organisation agrees to the terms of this Data Processing Agreement.
1. Parties
Data Controller ("the Organisation"): The school, tutoring practice, home educator, or other educational organisation or individual using the Service.
Data Processor ("we", "us", "Sear Education"): Daniel Sear trading as Sear Education, the operator of Mr Sear's MTC.
2. Scope and Purpose
This Data Processing Agreement ("DPA") applies to personal data processed by Sear Education on behalf of the Organisation through the Mr Sear's MTC service ("the Service"). It supplements our Terms of Service and Privacy Policy.
The purpose of processing is to provide an online multiplication tables practice tool for educational use.
3. Data Processed
Pupil data:
| Data type | Purpose |
|---|
| First names only (no surnames) | Identifying pupils within their class |
| Individual PIN codes | Secure login to the pupil's account |
| Display alias (e.g., "Star", "Moon") | Protecting pupil identity from other pupils |
| Test level and progress | Tracking which multiplication tables to practise |
| Test results and response times | Measuring progress and identifying areas for practice |
| Practice scores | Classroom leaderboard and motivation |
| Achievement data (crowns) | Gamification and motivation |
| Session status | Classroom management (who is logged in) |
Teacher/staff data:
| Data type | Purpose |
|---|
| Email address | Account login and invitations |
| Display name | Identification within the Service |
| IP address (teachers only) | Security auditing (retained 90 days) |
| Action logs (teachers only) | Security auditing (retained 90 days) |
Categories of data subjects: Pupils (typically aged 5–11) and their teachers/staff.
4. Our Obligations as Data Processor
Sear Education shall:
- Process data only on the Organisation's instructions — We will only process personal data for the purposes described in this agreement and as necessary to provide the Service. We will not use the data for any other purpose.
- Ensure confidentiality — Only authorised Sear Education personnel have access to personal data. This includes the developer, who may access data where necessary for service operation, maintenance, technical support, or legal compliance. We do not routinely access individual pupil data. Access is limited to what is necessary for operating and maintaining the Service.
- Implement appropriate security measures — We use industry-standard security measures including:
- Encrypted data transmission (HTTPS/TLS)
- Secure cloud infrastructure (Google Firebase)
- Hashed passwords (bcrypt)
- Individual pupil PIN codes for access control
- Privacy-protected display names to hide pupil identities
- Role-based access controls (teachers see only their class)
- Audit logging of teacher/admin actions
- Not engage sub-processors without authorisation — We use Google Firebase services for data storage and processing (see Section 6). We will inform the Organisation of any changes to sub-processors.
- Assist the Organisation with data subject requests — We will help the Organisation respond to requests from individuals exercising their rights under UK GDPR (access, rectification, erasure, etc.).
- Notify the Organisation of data breaches — In the event of a personal data breach, we will notify the Organisation without undue delay (and in any event within 72 hours of becoming aware).
- Delete or return data on termination — When the Organisation stops using the Service, we will delete all personal data in accordance with our data retention schedule (see Section 8).
5. The Organisation's Obligations as Data Controller
The Organisation shall:
- Ensure there is a lawful basis for processing pupil data through the Service (typically "public task" under UK GDPR Article 6(1)(e) for schools, or "legitimate interests" under Article 6(1)(f) for tutors and other educational settings)
- Where applicable, inform parents/carers about the use of the Service (e.g., through the school's privacy notice or by other appropriate means)
- Ensure that only appropriate data is entered into the Service (first names only, no surnames or sensitive data)
- Keep class passwords and pupil PINs confidential and only share them with authorised users
- Notify Sear Education promptly if a teacher leaves or should have their access revoked
6. Sub-processors
We use the following sub-processors to provide the Service:
| Sub-processor | Purpose | Location |
|---|
| Google Firebase Firestore | Main database (pupil names, scores, results) | London, UK (europe-west2) |
| Google Firebase Realtime Database | Live session data (who is logged in) | Belgium, EU (europe-west1) |
| Google Firebase Authentication | Teacher login accounts | May involve processing outside UK/EU with appropriate safeguards (SCCs + UK Addendum) |
| Google Cloud Functions | Server-side processing | US (us-central1) |
| Firebase Email Service | Sending invitation emails to teachers | Google infrastructure |
Google LLC is certified under the EU-US Data Privacy Framework and processing is subject to Standard Contractual Clauses with the UK Addendum where data may leave the UK.
7. International Transfers
The primary storage of pupil data is in the UK and EU (London and Belgium). Some processing may occur outside the UK/EU through Google's infrastructure. Where this happens, appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) with UK International Data Transfer Addendum
- EU-US Data Privacy Framework certification
8. Data Retention and Deletion
Automatic retention periods:
| Data type | Retention period |
|---|
| Detailed test/practice results (question-by-question) | 20 days, then automatically deleted |
| Summary statistics (scores, dates, levels) | Current academic year |
| Pupil names and test levels | Current academic year |
| Teacher audit logs and IP addresses | 90 days, then automatically deleted |
| Teacher accounts | Until deleted by organisation lead or account holder |
Soft deletion (30-day recovery period):
When an organisation lead deletes a class or teacher through the Service:
- The data is immediately hidden from view and the teacher's account is disabled
- All associated data is retained securely for 30 days to allow recovery in case of accidental deletion
- After 30 days, all data is permanently and irreversibly deleted by an automated process
- Organisations may request early permanent deletion by contacting info@mrsearmtc.uk
On termination:
When an organisation stops using the Service, all pupil data will be deleted within 30 days of the organisation's account being closed. Teacher accounts will be deleted immediately upon request or within 30 days of account closure.
9. Data Breach Notification
In the event of a personal data breach affecting the Organisation's data:
- We will notify the Organisation's designated contact without undue delay and within 72 hours of becoming aware of the breach
- We will provide details of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken to address it
- We will cooperate with the Organisation and the ICO (Information Commissioner's Office) as needed
10. Audit and Compliance
We will:
- Make available to the Organisation all information necessary to demonstrate compliance with this DPA
- Allow for and contribute to audits or inspections conducted by the Organisation or an auditor mandated by the Organisation (with reasonable notice)
- Maintain records of processing activities as required by UK GDPR Article 30
11. Duration and Termination
This DPA applies for as long as the Organisation uses the Service. It will automatically terminate when:
- The Organisation stops using the Service and all data has been deleted
- The Service is discontinued (with at least 30 days' notice)
Sections relating to data deletion, confidentiality, and breach notification survive termination.
12. Governing Law
This DPA is governed by the laws of England and Wales and is subject to the jurisdiction of the courts of England and Wales.
13. Contact
For any questions about this Data Processing Agreement or to report a data concern:
Sear Education
Email: info@mrsearmtc.uk
Back to Classroom