GDPR and Privacy Policy

Behaviour box recognises that privacy is important. This privacy policy applies to the data held within the behaviour box system and lets you know how any personal information is processed and used by us.

Our procedures covering the storage and disclosure of your information are designed to comply with the Data Protection Act 2018, the Applied General Data Protection Regulation 2018/EU679 (GDPR) and all other regulations applying to personal data use.

Our privacy principles

Behaviour box is committed to safeguarding the privacy of your information. By 'your information' we mean any information about you that you or third parties provide to us.

  • We will collect and use your information only as instructed by the Data Controller.
  • We will implement and adhere to information retention policies relating to your information and will ensure that your information is securely disposed of at the end of the appropriate retention period.
  • We will observe the rights granted to you under applicable privacy and data protection laws and will ensure that queries relating to privacy issues are promptly and transparently dealt with.
  • We will train our staff on their privacy obligations.
  • We will ensure we have appropriate physical and technological security measures to protect your information regardless of where it's held, complying with Article 28.

Data we process

Under instruction from the data controller, we process:

  • Personal details.
  • Family details.
  • Education details.

Data we collect

As instructed by the Data Controller, to ensure the technical functioning and security of the processing as we perform for the Data Controller, and to improve the processing over time, we may collect the following types of information:
  • Your communication preferences to help us provide only relevant communications.
  • Cookies - When you visit behaviour box, we send one or more cookies to your computer or other device that uniquely identifies your browser. We use cookies to improve the quality of our service, including for storing user preferences, and tracking user trends.
  • Log information - When you access behaviour box, our servers automatically record information that your browser sends whenever you visit our website. These server logs may include information such as your web requests, pages you visit, Internet Protocol address, browser type, browser language, the date and time of your request and one or more cookies that may uniquely identify your browser.
  • Email communications - When you send email communications to behaviour box, we may retain those communications in order to process your enquiries, respond to your requests and improve our services.
  • Links - behaviour box may present hyperlinks in a format that enables us to keep track of whether these links have been followed. We use this information to improve the quality of our product.

Our use of cookies

Cookies are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site.

The list below explains the cookies we use and why.

  • To record acceptance of cookies
  • To record session details. This includes both temporary and persistent sessions.

Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit

How we process data

The behaviour box system processes data provided by Data Controllers to allow them to:

  • Make data about a student available to the student and their parents/guardians to support the student's education, principally in the form of email communications.
  • Make data about students available to school/academy staff to help them support students' education and to work more efficiently.

The basis on which data is processed

Behaviour box acts as a Data Processor and the school/academy transferring data to us acts as a Data Controller.

The Data Controller has a legal basis for processing your data. You should refer to the Privacy Policy of your school/academy for details.

Disclosure of your information

We will not share, sell or distribute any of the information you provide to us without instruction from the Data Controller, except where disclosure is required by law.


Behaviour box will not sub-contract any processing to third parties without the written consent of the school/academy.

Cross-border transfers:

Behaviour box does not transfer data outside the European Economic Area (EEA) unless the data is being accessed by a behaviour box user outside the EEA.

If behaviour box becomes involved in a merger, acquisition, or any form of sale of some or all of its assets, we will ensure the confidentiality of any personal information involved in such transactions and provide notice before personal information is transferred and becomes subject to a different privacy policy.

Information security

We take appropriate security measures to protect against unauthorised access to or unauthorised alteration, disclosure or destruction of data. These include internal reviews of our data collection, storage and processing practices and security measures.

We restrict access to personal information to behaviour box employees, contractors and agents who need to know that information in order to operate, develop or improve our services. These individuals are bound by confidentiality obligations and may be subject to discipline, including termination and criminal prosecution, if they fail to meet these obligations.

Data retention

If a school ends their behaviour box subscription, data held within the live system and any backups will be deleted within 4 weeks of cancellation. Student data is deleted immediately following the first synchronisation between behaviour box and the school's Management Informaiton System (MIS) after its deletion on the school's MIS, unless instructed otherwise by the Data Controller. Behaviour data is deleted annually after one full academic year has passed during the school summer holidays; this means behaviour data recorded in September 2020-July 2021 would be deleted during August 2022 and therefore persists on the behaviour box system for a maxiumum of 23 months.

Your rights

The General Data Protection Regulation (GDPR) outlines several rights. More information about these rights, including the conditions under which they apply, can be found here.

You have the right to:

  • Ask for access to, or rectification or erasure of your data.
  • Restrict processing (pending correction or deletion).
  • Object to communications or direct marketing.
  • Lodge a complaint with the Information Commissioner's Office at

You should address such requests to your school/academy which acts as the Data Controller.

None of the data within the behaviour box system is subject to the right for data portability.

Questions and complaints

Behaviour box regularly reviews its compliance with this Privacy Policy. Please feel free to direct any questions or concerns regarding this Privacy Policy or behaviour box's treatment of personal information by contacting us via email:

Changes to this Privacy Policy

Please note that this privacy policy may change from time to time. We will not reduce your rights under this privacy policy without your explicit consent, and we expect most such changes will be minor. Regardless, we will post any privacy policy changes on this page and, if the changes are significant, we will provide a more prominent notice (including, for certain services, email notification of privacy policy changes).

Last modified: 22 May 2020