School IT & data protection pack
Last updated: 17 June 2026
See also: Terms of service · Privacy statement · Privacy statement · Terms of service
Summary for IT and data protection leads
JunoClass is a homework and quiz platform for schools. Pupil and staff data is processed on the school's instructions. This pack summarises roles, data categories, sub-processors, security, retention, and access — for IT, data protection, and safeguarding leads.
Forward this page to your data protection officer, IT team, or trust central services. Use Print / save as PDF above to attach it to an approval request.
1. Roles under UK GDPR
Data controller (school): The school is the data controller for pupil and staff educational data processed when using JunoClass for teaching, homework, and assessment.
Data processor (JunoClass): JunoClass acts as a data processor for that educational data, processing it only to provide the service the school has signed up for.
Platform operator: JunoClass may act as a data controller for school registration, billing, and platform operation data (for example, when you contact us as a prospective customer).
The school must have a lawful basis to use JunoClass with pupils and should provide appropriate privacy notices to staff and pupils.
2. Categories of personal data
| Category | Examples | Purpose |
|---|---|---|
| Identity & account | Name, school email address, role (teacher or pupil), user ID from school sign-in | Sign-in, role assignment, and access control |
| Class & membership | Class names, join codes, teacher and pupil class membership | Organise teaching groups and assign work |
| Educational activity | Quiz responses, scores, grades, teacher feedback on short answers, attempt history | Homework, AFL, marking, and analytics |
| AI quiz generation (optional) | Teacher-written prompts, selected question types, department name, and department topic labels sent when a teacher uses Generate with AI | Draft quiz questions for teacher review before publish |
| School administration | School name, allowed email domains, staff registry, admin settings | School tenancy, staff onboarding, and configuration |
| Technical & security | IP address, browser/device type, application logs | Operate, secure, and troubleshoot the service |
We do not intentionally collect special category data unless a school includes it in free-text quiz content. Schools should avoid collecting unnecessary sensitive information in questions.
3. Sub-processors
| Provider | Role | Data | Location / notes |
|---|---|---|---|
| Google Firebase / Google Cloud | Authentication, application database (Firestore), and secure storage of school data | Account, educational, and school administration data described above | May process in the UK, EEA, United States, or other regions per Google’s infrastructureSub-processor under Google’s terms; UK IDTA/SCCs or equivalent where required |
| Google (Sign-in) | School identity provider when users sign in with Google | Authentication tokens and basic profile (name, email) from the school account | Per Google’s sign-in serviceOnly used when the school uses Google Workspace sign-in |
| Vercel | Hosting and delivery of the web application | Technical data (requests, IP addresses) and application traffic | Global edge network; primary processing may include US/EEADoes not store quiz content separately from Firebase |
| Stripe | Subscription billing for school licences | School admin billing contact, payment metadata (not pupil data) | Per Stripe’s terms; may include USUsed only when a school admin subscribes; pupils do not interact with Stripe |
| Google (Gemini API) | Optional AI-assisted quiz question generation for teachers | Teacher-entered prompts, question-type choices, department name, and department topic labels. Pupil personal data is not sent. | May process in the United States or other regions per Google’s infrastructureUsed only when a teacher chooses Generate with AI; API calls are made server-side. Output is draft content for teacher review before publish. |
International transfers may occur where sub-processors operate outside the UK. We rely on appropriate safeguards (for example UK IDTA, Standard Contractual Clauses, or adequacy regulations) where required.
4. Security measures
- HTTPS encryption for all traffic
- School sign-in via the school’s email domain (no public pupil self-registration)
- Role-based access (teacher, pupil, school admin)
- Firestore security rules enforcing school-level tenant isolation
- Sensitive writes (quiz publish, grading, admin changes) validated server-side via API routes
- Optional AI quiz generation is teacher-initiated only; pupil data is not sent to the AI provider
- No sale of personal data; no advertising based on pupil activity
5. Who can access pupil data?
| Role | Access |
|---|---|
| Pupils | Their own attempts, scores, and assigned quizzes; classmates are not visible beyond class membership |
| Teachers | Classes and pupils they teach (including co-taught classes); quiz responses, marking, and analytics for those classes |
| School admins | Staff registry, school settings, billing, and capacity — not other teachers’ personal classes unless also assigned as a teacher |
| JunoClass operator | Limited access for support, security, and platform operation under confidentiality; no advertising use of pupil data |
| Other schools | None — data is isolated per school (tenant separation by school ID) |
6. Retention and export
- Data is retained while the school account is active and needed to provide the service.
- Schools may export quiz results (CSV) before closure where the feature is available.
- After a school stops using JunoClass, data is deleted or anonymised within a reasonable period unless law, security, or dispute resolution requires longer retention.
- Schools may request information about export or deletion by contacting us (see below).
7. IT approval checklist
- Confirm the school is the data controller and will issue privacy notices to staff and pupils.
- Verify allowed email domain(s) match your school’s Google Workspace or Microsoft accounts.
- Review sub-processors and international transfer safeguards (sections above).
- Request a Data Processing Agreement if your policy requires a signed Art. 28 contract.
- Confirm staff registry / admin access aligns with your internal safeguarding policy.
- If using Generate with AI, remind teachers not to include pupil names or other unnecessary personal data in prompts.
- Plan CSV export before offboarding if you need an archive of results.
8. Data Processing Agreement (DPA)
Schools that require a signed Data Processing Agreement (UK GDPR Article 28) should email hello@junoclass.com with your school name, contact details, and any standard DPA template your local authority or trust requires. We will respond with our DPA or discuss alignment with your documentation.
9. Contact
Privacy and data protection enquiries: hello@junoclass.com
Full privacy statement: junoclass.com/privacy