
Privacy Policy

Avidator Privacy Policy

(for the OTP Pick-Up Verification and Attendance System)

  1. Introduction

This Privacy Policy explains how Avidator Ltd (“AVIDATOR”, “we”, “us”, “our”) collects, uses and protects personal data when you use Avidator, our attendance management and one-time password (“OTP”) pick-up verification system.

Avidator is used in connection with children’s programmes to help staff:

  • record attendance;
  • verify that each child is collected by an authorised individual; and
  • reduce the risk of unauthorised pick-up.

Because Avidator processes children’s personal data, we apply heightened safeguards and comply with UK data protection law, including the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

This Privacy Policy applies to:

  • children whose information is recorded in Avidator;
  • parents and legal guardians who register and manage their child’s details;
  • authorised pick-up persons; and
  • staff who use Avidator as part of programme delivery.

If you have any questions after reading this Policy, you can contact us using the details in section 10.

  1. Important information and who we are

AVIDATOR is the data controller in relation to personal data processed through Avidator. This means we decide how and why personal data is used for the purposes described in this Policy.

We also use carefully selected third parties to help us operate Avidator, including a technical support provider based in India who acts as our data processor. These third parties process personal data only on our documented instructions and are bound by confidentiality and security obligations. In addition to technical support providers, Avidator may also engage teaching assistants or teachers based outside the UK (including in India) to deliver online educational sessions to children. Where this occurs, such individuals access personal data only to the extent necessary to provide teaching services and are subject to confidentiality, safeguarding and data protection obligations.

If you have any questions about this Policy or how Avidator handles personal data, including any requests to exercise your rights, please contact us using the details in section 10.

Because Avidator is used in relation to children, this Policy is written primarily for parents and guardians, but we encourage older children to read it with the support of their parent or guardian where appropriate.

  1. The personal data we collect

We only collect personal data that is genuinely needed to operate Avidator and keep children safe.

3.1 Child data

For each child registered on Avidator we may process:

  • full name;
  • date of birth;
  • school name;
  • year group and class;
  • internal student/profile ID;
  • attendance records (for example, present/absent, check-in/check-out times);
  • pick-up status and time-stamped verification logs;
  • participation in online teaching sessions (including session attendance and interaction records).

3.2 Parent and legal guardian data

For parents and legal guardians we may process:

  • full name;
  • relationship to the child;
  • mobile telephone number (used for sending OTP codes);
  • email address;
  • copies of messages and communications relating to attendance and pick-up.

3.3 Authorised pick-up person data

Where parents/guardians nominate authorised pick-up persons, we may process:

  • full name;
  • relationship to the child (if applicable);
  • time-stamped records of OTP presentation and verification;
  • notes recorded by staff about pick-up events (for example, issues raised at the time of collection).

3.4 Technical and system data

When Avidator is used, we may process:

  • OTP codes generated and validated (including time, status and associated account);
  • IP address and device identifiers;
  • browser type and version;
  • system logs, including log-in/log-out activity and error messages;
  • usage analytics showing how the system is accessed;
  • identifiers associated with online teaching platforms used in connection with Avidator.

3.5 Special category data and images

Avidator does not collect or use:

  • biometric data;
  • photographs; or
  • facial images.

We do not intentionally collect health or other “special category” data through Avidator. If such information is provided (for example, in a free-text field), we will only use it where strictly necessary for safeguarding, and in line with Article 9 of the UK GDPR.

3.6 Aggregated data

We may create aggregated or statistical data (for example, to understand system usage across all users). This information does not identify individuals and is not treated as personal data.

  1. How we collect personal data

We collect personal data in a few different ways:

4.1 From parents and guardians

When you:

  • register your child on the system;
  • update your or your child’s details;
  • confirm or change authorised pick-up persons; or
  • respond to OTP messages or communications from us.

4.2 From staff or programme operators

When they:

  • mark attendance;
  • generate or confirm OTP codes;
  • record that a child has been collected; or
  • document any issues arising at pick-up.

4.3 Automatically via Avidator

When the system:

  • generates single-use OTP codes;
  • validates OTPs presented at pick-up;
  • creates logs for security and audit purposes; or
  • records technical information about how the system is used.

4.4 From authorised pick-up persons

When they:

  • present an OTP code; or
  • speak to staff in connection with pick-up, where details are recorded in Avidator.

  1. How we use personal data and our legal bases

We will only use personal data where we have a lawful basis to do so under UK GDPR.

The main purposes and legal bases are:

| Purpose | What this involves | Legal basis |
| --- | --- | --- |
| Safe, authorised pick-up of children | Generating and sending OTP codes to registered mobile numbers; validating OTPs presented at pick-up; confirming that the person collecting the child is authorised; keeping a record of pick-up events. | Legitimate interests (ensuring children are only collected by authorised persons and reducing safeguarding risk); and, where applicable, legal obligation to keep appropriate safeguarding records. |
| Attendance management | Recording attendance, check-in/check-out times and related notes so staff can manage daily sessions and keep an accurate record of who was present. | Legitimate interests (operating children’s programmes effectively); and, where relevant, legal obligation (for example, where statutory or regulatory guidance expects retention of attendance/safeguarding records). |
| Communication with parents and guardians | Sending essential messages such as OTPs, notices about collection, safety information and operational updates. | Performance of a contract (providing the service you have registered for) and legitimate interests (keeping you informed about matters affecting your child’s attendance and safety). |
| System operation, security and troubleshooting | Operating Avidator, managing log-ins, monitoring system performance, investigating errors or security alerts, and providing technical support. | Legitimate interests (ensuring the system is secure, reliable and functions as intended). |
| Fraud prevention and misuse detection | Monitoring repeated failed OTP attempts or unusual patterns that may indicate misuse or attempted unauthorised access. | Legitimate interests (protecting children and preventing misuse of the system). |
| Service quality and improvement | Analysing aggregated usage data to improve Avidator’s design, performance and user experience. | Legitimate interests (improving and developing Avidator). |
| Compliance and legal requirements | Retaining certain records for legal, regulatory, tax or safeguarding purposes; responding to requests from authorities where required by law. | Legal obligation; and legitimate interests (establishing, exercising or defending legal claims). |
| Delivery of online teaching services | Enabling teaching assistants or teachers (including overseas-based staff) to deliver online sessions, view attendance, and interact with learners as part of the programme. | Performance of a contract; Legitimate interests (delivery of educational services); Legal obligation (where safeguarding duties apply) |

We do not use children’s data for profiling, behavioural advertising or automated decision-making that produces legal or similarly significant effects.

We do not use children’s data for marketing. Any marketing to parents/guardians would be carried out separately and in accordance with PECR and our main AVIDATOR Privacy Policy.

  1. Sharing personal data

We will only share personal data where necessary and appropriate for the purposes set out in this Policy.

We may share personal data with:

  • Technical service providers, including our Indian support partner, who help host, maintain and support Avidator;
  • Programme staff and management who need access to operate attendance and pick-up safely;
  • Professional advisers, such as auditors or legal advisers, where required;
  • Regulators, law enforcement or safeguarding bodies, where we are under a legal or regulatory duty to disclose information;
  • Overseas-based teaching assistants or teachers engaged to deliver online educational sessions, who access personal data only as necessary for teaching, safeguarding and session management.

Whenever we share data with third parties who act as our processors, we:

  • only allow them to use personal data for the purposes we specify;
  • require them to implement suitable technical and organisational security measures; and
  • put written contracts in place, including confidentiality and data protection obligations.

We do not sell or rent personal data to third parties.

  1. International transfers

Our main technical support partner is based in India. On occasion, they may need limited access to Avidator data (for example, to investigate errors, support an upgrade or resolve a system incident). Personal data processed through Avidator may be accessed outside the UK not only by our technical support partner, but also by overseas-based teaching assistants or teachers (including in India) who deliver online sessions as part of the Avidator programme.

Because India does not currently benefit from a UK data protection “adequacy decision”, we put in place specific safeguards to protect personal data during such access, including:

  • UK-approved Standard Contractual Clauses (SCCs);
  • the UK Addendum to those SCCs;
  • a Transfer Risk Assessment (TRA) assessing Indian law, potential access risks and available safeguards;
  • role-based access controls so only appropriate support staff can access data, and only for the time needed to resolve the issue;
  • encryption and secure connectivity; and
  • strict confidentiality and security obligations in the contract with our Indian partner.

If you would like more information about these safeguards, you can contact us using the details in section 10.

  1. Data security

We recognise that children’s data requires particular care. We use a combination of organisational and technical measures to protect it, including:

  • limiting access to Avidator to staff and processors who have a genuine need to know;
  • role-based permissions within the system (for example, staff cannot see more than is necessary for their role);
  • encrypted transmission of data, and secure storage environments;
  • one-time, time-limited OTP codes that cannot be reused;
  • system logging, audit trails and security monitoring;
  • strong authentication controls for administrative users, such as multi-factor authentication;
  • role-based access only for overseas-based teaching staff, who receive safeguarding and data protection guidance and are subject to contractual confidentiality and access restrictions;
  • staff training on data protection and safeguarding; and
  • incident response procedures, including notifying you and the relevant regulator where we are legally required to do so.

No system is completely risk-free, but these measures are designed to reduce the risk of unauthorised access, loss or misuse of personal data.

  1. How long we keep personal data

We keep personal data only for as long as needed for the purposes described in this Policy, and to comply with legal or safeguarding guidance. We then securely delete or anonymise it.

In particular, we currently apply the following retention periods:

  • Child and parent/guardian profiles: kept for the duration of the programme, plus up to 12 months after the child’s last recorded attendance;
  • Attendance records: kept for 12–24 months after the relevant session, depending on the nature of the programme and safeguarding expectations;
  • OTP verification logs: kept for 12–24 months to evidence authorised pick-ups and to investigate any concerns raised;
  • System logs and technical analytics: normally kept for up to 12 months;
  • Safeguarding or legal records: where a concern, incident or complaint has been raised, certain records may be retained for up to 6 years, or longer if required by law or regulatory guidance.

We review these retention periods periodically and may adjust them if legal or regulatory expectations change. When data is no longer needed, we either anonymise it (so it no longer identifies individuals) or delete it securely.

  1. Rights of parents, guardians and children

Because Avidator is used in relation to children, parents and legal guardians usually exercise data protection rights on the child’s behalf. Older children may also be able to exercise certain rights themselves where appropriate.

Under UK data protection law, you have the right to:

  • Access: request a copy of the personal data we hold about you or your child, and information about how we use it;
  • Rectification: ask us to correct inaccurate or incomplete data;
  • Erasure: in some circumstances, ask us to delete personal data where there is no longer a good reason for us to keep it;
  • Restriction: ask us to limit how we use personal data in certain situations (for example, while we are checking its accuracy);
  • Objection: object to our use of personal data where we rely on legitimate interests as our lawful basis;
  • Data portability: request that we provide certain data to you or another controller in a structured, commonly used, machine-readable format;
  • Withdraw consent: where we rely on consent (which we generally avoid in this context), you can withdraw it at any time;
  • Complaint: lodge a complaint with the Information Commissioner’s Office (ICO), as explained in section 11.

These rights are not absolute. For example, we may not be able to delete certain safeguarding records immediately if we are required to keep them by law or to protect a child’s vital interests. If we cannot fully meet a request, we will explain why.

Before we act on any rights request, we may ask for information to verify your identity and your relationship to the child. This is to ensure we do not disclose personal data to anyone who is not authorised to receive it.

We aim to respond to all valid requests within one month. If a request is complex or you have made several requests, we may extend this period, and we will let you know if we do so.

To exercise any of these rights, please contact us using the details in section 10.

  1. Contact details

If you have any questions about this Privacy Policy, about how Avidator uses personal data, or if you want to exercise your rights, you can contact us at:

Email: [email protected]
Postal address: Office 3002, 182-184 High Street North, East Ham, London, England, E6 2JA
Telephone: +44 (0) 20 3151 2082

Please state that your query relates to Avidator so we can direct it to the right team.

  1. Complaints

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection, via www.ico.org.uk.

We would, however, appreciate the chance to address your concerns before you approach the ICO. If something is unclear or you are unhappy with how your or your child’s data is being used, please contact us first using the details above and we will do our best to resolve the issue.

  1. Changes to this Privacy Policy

We keep this Privacy Policy under regular review and may update it from time to time, for example if the law changes or if we introduce new features in Avidator.

This version was last updated on 12th December 2025.

If we make significant changes, we will take reasonable steps to bring them to your attention (for example, by updating our website or notifying programme operators), so that you can review the updated Policy.
