Privacy Policy & GDPR

Privacy Notice for BlueRunner Solutions Ltd Users 

ParentPay (Holdings) Limited (“ParentPay Group”) through its subsidiaries ParentPay Limited, BlueRunner Solutions Ltd and Just Education Limited is engaged in the design, development, sales, marketing, supply, operation and maintenance of, in the case of ParentPay Limited (“PPL”) and Bluerunner Solutions Ltd , payment collection, payment processing, school meal management, parent communication and management information systems and services for the education market, and, in the case of Just Education Limited, education recruitment services (together the “Group Products and Services”). 

This notice explains to BlueRunner Solutions Ltd Customers and Users (“you/your”) how BlueRunner Solutions Ltd and ParentPay Group (“we/us”) use your personal information. 

This privacy notice covers: 

  • Why we use your personal information 
  • The legal basis for processing 
  • What personal information we use 
  • How we use your personal information 
  • Your rights under data protection legislation 
  • Sharing personal information with third parties 
  • How long we may keep your information 
  • Changes to our privacy notice 
  • Contact details for our Data Protection Officer 

Why we use your personal information 

The PPL payment solutions, catering systems and communication platforms (“PPL Products and Services”), which are marketed in the UK under the ParentPay, Schoolcomms, BlueRunner Solutions Ltd and Cypad brands, are provided to customers governed by a contract between us and the schools, Multi-Academy Trust, Local Education Authority, Catering Provider or Service Organisation (“Customer”), and any Terms and Conditions that you agree with when you sign up (“User”). 

BlueRunner Solutions Ltd provides tablet and web-based solutions for school catering, cleaning, local authorities and service organisations. BlueRunner Solutions Ltd includes suite of software applications that support the process of providing a school meals service: selecting meals; managing production; recording meals taken; paying for them; providing performance indicators and monitoring the service. 

We process your personal data for the following purposes: 

  • to provide you with the service activated and registered for 
  • the verification of your identity where required 
  • for the prevention and detection of crime, fraud and anti-money laundering 
  • for the ongoing administration of the service 
  • to allow us to improve the products and services we offer to our customers 
  • to ask for your opinion about our products and offer surveys 
  • for research and statistical analysis including payment and usage patterns  
  • We only use the data in an anonymized manner when we use your data for this purpose. 
  • to enable us to comply with our legal and regulatory obligations 
  • to offer new products and services to you which are relevant and appropriate, and only to the extent that would be reasonably expected. 

If we plan to introduce further processes for the use of your information, we will provide information about that purpose prior to such processing. 

The legal basis for processing 

Under Data Protection Law, there are various grounds which are considered to be a ‘legal basis for processing’.
The legal basis for processing should be determined by the Data Controller. 

Where we are the Data Processor, the legal basis is determined by the Customer. Typically, the legal basis in this scenario is: 

‘processing is necessary for the purposes of legitimate interests pursued by the controller’ 

Where we are the Data Controller, the legal basis for processing is based on: 

‘processing is necessary for the purposes of legitimate interests pursued by the controller’ 

It should be noted that in some circumstances this legal basis may vary, however, we always operate in full compliance with Data Protection Law and will only process data with a fair and reasonable legal basis for doing so. 

Special categories of data 

We may process two types of special category information; 

  • Allergens 
  • Dietary information 

Cypad Customers will typically process special category data on the legal basis of: 

processing is necessary for reasons of substantial public interest’. 

The processing of allergen and dietary information is necessary for reasons of substantial public interest, to safeguard the health of data subjects. 

What personal information we process 

In order to carry out these services, we obtain (either from the Customer and/or from Users directly) and process the following information: 

Data Subject (Who)  Data Category (What)  Description 
Pupil \ Student  Forename  This is the forename of the pupil. 
Pupil \ Student  Surname  This is the surname of the pupil. 
Pupil \ Student  DOB  This is the date of birth of the pupil. 
Pupil \ Student  Year  The year the pupil is in 
Pupil \ Student  Class  The name of the pupil’s registration class 
Pupil \ Student  Site  The site that the pupil attends 
Pupil \ Student  Meal Selections and spend history  This is a history of a pupil’s meal selections and spends for school meals or non-meal-related items. 
Pupil \ Student  Diet Types  This is the pupils special dietary requirements 
Pupil \ Student  Allergens  This is what the pupil is allergic to 
Pupil \ Student  Meals consumed  For parents to view meals taken 
     
Parent  Parent Name   This is the parents’ full name. 
Parent  Username  Username for authentication 
Parent  Email   This is the parents’ email address. 
Parent  Address1   The first line of the address 
Parent  Address2  The second line of the address 
Parent  City   The city / town entered as the parents’ city. 
Parent  Postcode   The text entered as the parents’ post code. 
Parent  Home Telephone   The parents’ home telephone number. 
Parent  Mobile Telephone   This is the parents’ mobile telephone number. 
Parent  Pupils associated with the adult  The pupil(s) who relate(s) to the parent 
Parent  Meal Selections and transaction history  This is the parents’ history of payment transactions, including reversals, refunds and withdrawals of funds. 
     
Catering Staff  Name   This is the staff member’s full name. 
Catering Staff  Address  The staff member’s address 
Catering Staff  Phone Number  The staff member’s contact number 
Catering Staff  Email  The staff member’s contact email 
Catering Staff  Payroll Number  The staff member’s payroll number 
Catering Staff  Employee Number  The staff member’s employee number 
Catering Staff  Timesheet Number  The staff member’s timesheet number 
Catering Staff  Workbook Number  The staff member’s workbook number 
Catering Staff  Position  The staff member’s level of authority 
Catering Staff  Qualifications  The staff member’s qualifications 
Catering Staff  DOB  The staff member’s date of birth 
Catering Staff  NI Number  The staff member’s National Insurance number 
Catering Staff  DBS Number & Expiry Date  The staff member’s DBS clearance information 
Catering Staff  Rate of Pay  How much the staff member is earning 
Catering Staff  Contract hours  The staff member’s contract hours 
Catering Staff  Employment start & end date  When the staff member’s employment started and finished 
Catering Staff  Emergency contact name  The staff member’s emergency contact 
Catering Staff  Emergency contact relationship  How the emergency contact relates to the staff member 
Catering Staff  Emergency contact phone number  The contact number of the emergency contact 
     
Other  Trouble ticket data  When users submit trouble ticket information, this gets stored. 
     
Website Access  IP Address  The network address of your device or internet connection 
Website Access  Browser Type and Version  The type of Web Browser your device is using 
Website Access  Cookies  Special records in your browser to help the website operate 
Website Access  Web Analytics  Generalised information about browsing behaviour and page statistics 

 

How we process your personal information 

We use your personal information, and some of our employees have access to such information, only to the extent required to carry out the services for you and on behalf of the Customer. 

We have introduced appropriate technical and organisational measures to protect the confidentiality, integrity and availability of your personal information during storage, processing and transit. 

PPL operate an ISO 27001 certified security programme to help protect your data at all times. PPL are also a Level 1 PCI-DSS certified organisation and are subject to regular and comprehensive security audits. We are also Cyber Essentials Plus certified. 

Cypad and PPL platforms only store personal information in the UK. 

Some of our supporting services might use cloud platforms that operate from Third Countries outside of the EEA (for example ZenDesk, and SendGrid). Where this is the case, we ensure that adequate safeguards are established to protect your data. 

Limited data may also be processed by staff operating outside the EEA who work for PPL. Such staff maybe engaged in, among other things, the provision of support services or software upgrades. 

Your rights under Data Protection Law 

Right to Access 

You have the right of access to your personal information that we process and details about that processing.
You can usually access that information directly within the PPL Products and Services (self-service). However, should this not be possible, you can raise a Data Subject Access Request (DSAR) to receive this information in another format. 

Right to Rectification 

You have the right to request that information is corrected if it’s inaccurate.  You can usually update your own information using the PPL Products and Services (self-service). However, should this not be possible, you can contact us to make the changes on your behalf. In some circumstances, you may have to contact your child’s school, to correct the data held by them and provided to us for processing. 

Right to Erasure (Right to be Forgotten) 

You have the right to request that your information is removed; depending on the circumstances, we may or may not be obliged to action this request. 

Right to Object 

You have the right to object to the processing of your information; depending on the circumstances, we may or may not be obliged to action this request. 

Right to Restriction of Processing 

You have the right to request that we restrict the extent of our processing activities; depending on the circumstances, we may or may not be obliged to action this request. 

Right to Data Portability 

You have the right to receive the personal data which you have provided to us in a structured, commonly used and machine readable format suitable for transferring to another controller. 

Right to lodge a complaint with a supervisory authority 

If you think we have infringed your privacy rights, you can lodge a complaint with the relevant supervisory authority. You can lodge your complaint in particular in the country where your live, your place of work or place where you believe we infringed your right(s). 

You can exercise your rights be sending an e-mail to dpo@parentpay.com. Please state clearly in the subject that your request concerns a privacy matter, and provide a clear description of your requirements. 

Note: We may need to request additional information to verify your identity before we action your request. 

Sharing personal information with third parties 

We use a range of trusted service providers to help deliver our services. All of our suppliers are subject to appropriate safeguards, operating in accordance with our specific instructions and limitations, and in full compliance with Data Protection Law. 

These service providers include: 

  • Hosting Providers – to manage our secure enterprise datacentres 
  • Email Providers – to send out our email notifications or messages sent by Customers using PPL Products and Services 
  • SMS Providers – to send out our SMS notifications or messages sent by Customers using PPL Products and Services 
  • Security Providers – to protect our systems from attack 
  • Telephony Providers – we might record calls for training, quality and security purposes 
  • Training Platforms – to train school staff on the use of our services 
  • Support Portal (ZenDesk) – so that you can easily ask for help 
  • Cloud Hosting and Recovery – working with AWS and Azure 
  • Security insight and system logging – working with Rapid7 
  • Cloud email delivery – working with Sendgrid (USA hosted) 
  • Anonymous Web Analytics – working with Google and Hotjar 
  • Feedback Platforms (Optional) – working with SurveyMonkey 

We may also have access to your personal information as part of delivering the service. If we need to change or add additional third parties, we will always update our Privacy Notice accordingly. We will only disclose your information to other parties in the following limited circumstances 

  • where we are legally obliged to do so, e.g. to law enforcement and regulatory authorities 
  • where there is a duty to disclose in the public interest 
  • where disclosure is necessary to protect our interest e.g. to prevent or detect crime and fraud 
  • where you give us permission to do so e.g. by providing consent within the PPL Products and Services or via an online application or consent form 

How long we may keep your personal information 

We will only retain information for as long as is necessary to deliver the service safely and securely. We may need to retain some records to maintain compliance with other applicable legislation – for example finance, taxation, fraud and money laundering law requires certain records to be retained for an extended duration, in some cases for up to seven years. 

All database records are removed 1 month after a customer terminates their contract. 

Specific records may be removed more frequently once they are redundant. Automated mechanisms are established to anonymise personal information under certain circumstances. 

Changes to our Privacy Notice 

This policy will be reviewed regularly and updated versions will be posted on our websites. 

Contact details for our Data Protection Officer 

We have appointed a Data Protection Officer (DPO); their contact details are as follows: 

dpo@parentpay.com 

or 

Data Protection Officer
ParentPay
Coventry Building Society Arena
Phoenix Way
Coventry
CV6 6GE