Data Processing Agreement

Last updated: February 2026

Summary: This agreement sets out how Sear Education handles personal data on your organisation's behalf when you use Mr Sear's MTC. Your organisation remains in control of the data at all times. By using the Service, your organisation agrees to the terms of this Data Processing Agreement.

1. Parties

Data Controller ("the Organisation"): The school, tutoring practice, home educator, or other educational organisation or individual using the Service.

Data Processor ("we", "us", "Sear Education"): Daniel Sear trading as Sear Education, the operator of Mr Sear's MTC.

2. Scope and Purpose

This Data Processing Agreement ("DPA") applies to personal data processed by Sear Education on behalf of the Organisation through the Mr Sear's MTC service ("the Service"). It supplements our Terms of Service and Privacy Policy.

The purpose of processing is to provide an online multiplication tables practice tool for educational use.

3. Data Processed

Pupil data:

Data type	Purpose
First names only (no surnames)	Identifying pupils within their class
Individual PIN codes	Secure login to the pupil's account
Display alias (e.g., "Star", "Moon")	Protecting pupil identity from other pupils
Test level and progress	Tracking which multiplication tables to practise
Test results and response times	Measuring progress and identifying areas for practice
Practice scores	Classroom leaderboard and motivation
Achievement data (crowns)	Gamification and motivation
Session status	Classroom management (who is logged in)

Teacher/staff data:

Data type	Purpose
Email address	Account login and invitations
Display name	Identification within the Service
IP address (teachers only)	Security auditing (retained 90 days)
Action logs (teachers only)	Security auditing (retained 90 days)

Categories of data subjects: Pupils (typically aged 5–11) and their teachers/staff.

4. Our Obligations as Data Processor

Sear Education shall:

Process data only on the Organisation's instructions — We will only process personal data for the purposes described in this agreement and as necessary to provide the Service. We will not use the data for any other purpose.
Ensure confidentiality — Only authorised Sear Education personnel have access to personal data. This includes the developer, who may access data where necessary for service operation, maintenance, technical support, or legal compliance. We do not routinely access individual pupil data. Access is limited to what is necessary for operating and maintaining the Service.
Implement appropriate security measures — We use industry-standard security measures including:
- Encrypted data transmission (HTTPS/TLS)
- Secure cloud infrastructure (Google Firebase)
- Hashed passwords (bcrypt)
- Individual pupil PIN codes for access control
- Privacy-protected display names to hide pupil identities
- Role-based access controls (teachers see only their class)
- Audit logging of teacher/admin actions
Not engage sub-processors without authorisation — We use Google Firebase services for data storage and processing (see Section 6). We will inform the Organisation of any changes to sub-processors.
Assist the Organisation with data subject requests — We will help the Organisation respond to requests from individuals exercising their rights under UK GDPR (access, rectification, erasure, etc.).
Notify the Organisation of data breaches — In the event of a personal data breach, we will notify the Organisation without undue delay (and in any event within 72 hours of becoming aware).
Delete or return data on termination — When the Organisation stops using the Service, we will delete all personal data in accordance with our data retention schedule (see Section 8).

5. The Organisation's Obligations as Data Controller

The Organisation shall:

Ensure there is a lawful basis for processing pupil data through the Service (typically "public task" under UK GDPR Article 6(1)(e) for schools, or "legitimate interests" under Article 6(1)(f) for tutors and other educational settings)
Where applicable, inform parents/carers about the use of the Service (e.g., through the school's privacy notice or by other appropriate means)
Ensure that only appropriate data is entered into the Service (first names only, no surnames or sensitive data)
Keep class passwords and pupil PINs confidential and only share them with authorised users
Notify Sear Education promptly if a teacher leaves or should have their access revoked

6. Sub-processors

We use the following sub-processors to provide the Service:

Sub-processor	Purpose	Location
Google Firebase Firestore	Main database (pupil names, scores, results)	London, UK (europe-west2)
Google Firebase Realtime Database	Live session data (who is logged in)	Belgium, EU (europe-west1)
Google Firebase Authentication	Teacher login accounts	May involve processing outside UK/EU with appropriate safeguards (SCCs + UK Addendum)
Google Cloud Functions	Server-side processing	US (us-central1)
Zoho Mail (via SMTP)	Sending invitation emails to teachers	EU (Zoho EU data centres)
jsDelivr / Cloudflare CDNs	Hosting open-source libraries (charts, PDF export, browser compatibility)	Global CDN (no pupil data sent)

Google LLC is certified under the EU-US Data Privacy Framework and processing is subject to Standard Contractual Clauses with the UK Addendum where data may leave the UK.

7. International Transfers

The primary storage of pupil data is in the UK and EU (London and Belgium). Some processing may occur outside the UK/EU through Google's infrastructure. Where this happens, appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) with UK International Data Transfer Addendum
EU-US Data Privacy Framework certification

8. Data Retention and Deletion

Automatic retention periods:

Data type	Retention period
Detailed test/practice results (question-by-question)	20 days, then automatically removed from the record
Summary statistics (scores, dates, levels)	Duration of school's active subscription
Pupil names and test levels	Duration of school's active subscription
Teacher audit logs and IP addresses	90 days, then automatically deleted
Teacher accounts	Until deleted by organisation lead or account holder

Soft deletion (30-day recovery period):

When an organisation lead deletes a class through the Service:

The class is immediately hidden from view
All associated data (pupil names, scores, results) is retained securely for 30 days to allow recovery in case of accidental deletion
After 30 days, all data is permanently and irreversibly deleted by an automated process
Organisations may request early permanent deletion by contacting info@mrsearmtc.uk

Teacher account deletion:

When an organisation lead removes a teacher, the teacher's account and access are deleted immediately and permanently.

On termination:

When an organisation's subscription ends or is not renewed, the school account is deleted by the service administrator. The school and all its classes are immediately hidden from view. Teachers are unassigned from the school but their accounts are retained. All associated data (classes, pupils, results) is retained securely for 30 days to allow recovery in case of error, after which it is permanently and irreversibly deleted by an automated process.

9. Data Breach Notification

In the event of a personal data breach affecting the Organisation's data:

We will notify the Organisation's designated contact without undue delay and within 72 hours of becoming aware of the breach
We will provide details of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken to address it
We will cooperate with the Organisation and the ICO (Information Commissioner's Office) as needed

10. Audit and Compliance

We will:

Make available to the Organisation all information necessary to demonstrate compliance with this DPA
Allow for and contribute to audits or inspections conducted by the Organisation or an auditor mandated by the Organisation (with reasonable notice)
Maintain records of processing activities as required by UK GDPR Article 30

11. Duration and Termination

This DPA applies for as long as the Organisation uses the Service. It will automatically terminate when:

The Organisation stops using the Service and all data has been deleted
The Service is discontinued (with at least 30 days' notice)

Sections relating to data deletion, confidentiality, and breach notification survive termination.

12. Governing Law

This DPA is governed by the laws of England and Wales and is subject to the jurisdiction of the courts of England and Wales.

13. Contact

For any questions about this Data Processing Agreement or to report a data concern:

Sear Education
Email: info@mrsearmtc.uk

Back to Classroom