Privacy Policy
This Privacy Policy explains how OverToo ("we", "us", "our") processes personal data in connection with the provision of our online school management platform (the "Platform"). We are committed to protecting personal data in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applicable national data protection laws. This Policy applies to all users of the Platform, including school administrators, teachers, students, and website visitors.
1. Roles and Responsibilities
1.1 Schools as Data Controllers
Where the Platform is used by a school or educational institution, that institution acts as the Data Controller for personal data of its students, teachers, staff, and other users managed within its account. The school determines what data is collected, for what purposes it is used, and how long it is retained.
1.2 OverToo as Data Processor
In providing the Platform to schools, OverToo acts as a Data Processor, processing personal data on behalf of and under the instructions of the school, in accordance with Article 28 GDPR. A Data Processing Agreement (DPA) governs this relationship and forms an integral part of our service terms. A copy is available on request at .
1.3 OverToo as Independent Controller
OverToo acts as an independent Data Controller for limited processing activities necessary to operate the business, including account creation and billing, platform security and fraud prevention, and legal compliance.
2. Personal Data We Process
Depending on how the Platform is used, we may process the following categories of personal data:
| Category | Examples |
|---|---|
| Identity Data | Name, surname, username, profile image |
| Contact Data | Email address, phone number |
| Account Data | Login credentials (hashed passwords), roles, school affiliation |
| Educational & Usage Data | Attendance records, session participation, course progress, materials accessed, session notes created by users, platform activity and interactions |
| Payment Data | Transaction records, payment status, payment method type (processed by third-party providers). We do not store full card details. |
| Communication Data | Messages exchanged within the Platform, notifications, support requests |
| Technical Data | IP address, browser type, device information, login timestamps, system logs |
3. Legal Bases for Processing
We process personal data only where a valid legal basis exists under GDPR:
- Providing access to the Platform, managing user accounts, delivering educational services, processing payments, and issuing invoices.
- Ensuring platform security and integrity, preventing fraud and misuse, and improving functionality and user experience. We ensure that such interests do not override users' fundamental rights and freedoms.
- Compliance with tax, accounting, and legal requirements; responding to lawful requests from authorities.
- Sending marketing communications and use of non-essential cookies. Consent can be withdrawn at any time.
4. Purpose of Processing
We use personal data to:
- Provide and maintain the Platform
- Manage user accounts and access rights
- Facilitate scheduling, attendance tracking, and communication
- Process payments and maintain financial records
- Provide customer support
- Ensure system security and prevent abuse
- Comply with legal and regulatory obligations
We do not use personal data for unrelated purposes.
5. Special Categories of Data
The Platform is not intended for the processing of special categories of personal data (as defined in Article 9 GDPR), such as health data, unless explicitly configured and controlled by the school.
If such data is processed, it is done solely under the responsibility of the school as Data Controller, and only where a valid legal basis exists under Article 9 GDPR.
6. Children's Data
The Platform may be used by educational institutions involving minors. In such cases:
- The school is responsible for ensuring a valid legal basis for processing children's data, including parental consent where required under applicable law.
- OverToo processes such data only on behalf of the school.
We do not knowingly collect children's data outside of a school-controlled environment.
7. Data Sharing
We do not sell personal data. Personal data may be shared only in the following circumstances:
Service Providers (Processors)
We engage trusted third-party providers for payment processing (Stripe, PayPal, Przelewy24), hosting and infrastructure, and email delivery services. These providers process data under appropriate contractual safeguards.
Schools (Controllers)
School administrators may access data of users within their organisation as part of the Platform's functionality.
Legal Requirements
We may disclose data where required by law or to protect rights, safety, or legal claims.
8. International Data Transfers
Personal data is primarily stored within the European Economic Area (EEA). Where data is transferred outside the EEA, we ensure appropriate safeguards including Standard Contractual Clauses (SCCs) or other legally approved transfer mechanisms.
9. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Duration of account plus a limited retention period after closure |
| Educational data | As determined by the school (Data Controller) |
| Financial records | As required by applicable law (typically 5–7 years) |
| Technical logs | Short-term retention for security purposes |
After applicable retention periods, data is securely deleted or anonymised.
10. Data Subject Rights
Under GDPR, individuals have the right to:
- Access their personal data
- Rectify inaccurate data
- Request erasure (where applicable)
- Restrict processing
- Object to processing based on legitimate interests
- Data portability
- Withdraw consent at any time
Where OverToo acts as a Data Processor, requests should primarily be directed to the relevant school (Data Controller). We assist controllers in fulfilling such requests. Individuals also have the right to lodge a complaint with a supervisory authority.
To exercise your rights, contact us at .
11. Cookies
We use cookies and similar technologies:
- Essential cookies — required for core functionality
- Functional cookies — remember user preferences
- Analytics cookies — used only with consent
Users can manage preferences via the cookie banner or browser settings.
12. Data Security
We implement appropriate technical and organisational measures, including:
- Encryption in transit (TLS/HTTPS)
- Secure password hashing
- Access controls and authentication mechanisms
- Logical separation of tenant (school) data
- Monitoring and regular security reviews
In the event of a personal data breach, we will comply with GDPR Articles 33 and 34.
13. Automated Decision-Making
We do not use personal data for automated decision-making or profiling that produces legal or similarly significant effects.
14. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the Platform or other appropriate means.
15. Contact
For questions about this Privacy Policy or data protection matters, please contact us: