The new General Data Protection Regulation, or GDPR, is set to overhaul how businesses process and handle personal data. Here at PebblePad, we take our responsibilities seriously, and we are committed to being transparent about our data policies. In the guide below you'll find a jargon-free overview of everything you need to know about our approach to GDPR compliance and how we handle information about you and your end-users.

View our GDPR guide

Useful links and contact information

Our full Privacy Policy is available at here.

Any questions about our data policies and information requests should be sent for the attention of our Data Protection Representative to datasecurity@pebblepad.co.uk.

What personal data do you store and why do you need it?

By default, we store the minimum amount of data possible to support access to the PebblePad platform, namely: First name, last name and email address. We may also store information passed over by a user's organisation, such as postal code or telephone number.

Where is user data stored and how is kept secure?

How long do you retain data for?

How do you destroy user data?

Individual user data is removed using standard OS and database calls. Provisioned storage containing sensitive data is wiped using the DoD 5220.22-M sanitising method before being returned to cloud storage pools if it is no longer required.

How can a user request information about the data you hold?

Any user can submit an information request to obtain an inventory of the data we hold about them. Requests should be sent for the attention of our Data Protection Representative at datasecurity@pebblepad.co.uk. Upon receiving a request, we will provide information to the user about:

How can a user request the removal of their data?

Users accessing PebblePad through their university or another organisation should follow the steps outlined here:

  1. The user should first contact their organisation (typically a PebblePad administrator) and make a formal request for their data to be removed.
  2. The user's organisation should then notify us of the request.
  3. Upon receiving a request for the removal of a user's data, we will create an inventory of all the data we hold for that user. The inventory will include: User account details, all PebblePad assets created or collaborated upon, submitted work, shared assets, information in logged files, support tickets, and information in marketing databases.
  4. The inventory will be presented to the organisation who will enter into a conversation with the user about the implications of deleting the data within the inventory.
  5. Following agreement between the user and their organisation, we should be informed in writing of the user's consent to have their data removed. Following receipt of consent, we will remove the user's data as a priority and notify all parties when the removal is complete.

The process for removing data for users accessing PebblePad through Alumni or Personal Accounts is exactly the same as the above with the exception that requests for an inventory of the data we store and the consent to have data removed should come directly to us at datasecurity@pebblepad.co.uk.

Last updated: 24 May 2018