Data & Privacy Policy
Last Updated: June 7, 2025
Welcome to the Faculty application. This Privacy Policy outlines how your personal data is collected, used, and protected when you use our service. We are committed to protecting your privacy in accordance with UK data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
1. Roles and Responsibilities (UK GDPR)
To comply with data protection regulations, it is important to define the roles of the parties involved in processing personal data within Faculty:
- Data Controller: The Course Centre (or Centre Administrator) acts as the Data Controller. The Centre is responsible for deciding why and how candidate and instructor data is collected, obtaining necessary explicit consent from users, and managing data subject access or deletion requests.
- Data Processor: The Faculty Application (MGECS) acts as the Data Processor. We process data strictly on behalf of the Data Controller and in accordance with their written instructions to provide the software service.
2. Information We Collect
We collect information to provide and improve our services to you. The types of data we collect include:
- Account Information: When a Centre Administrator registers, we collect their full name and email address to create and manage their account. Your password is encrypted and securely managed by Google Firebase Authentication.
- User-Generated Content: As you use the application, you create and input various data, including:
  - Centre Details: Names of training centres.
  - Course Templates: Definitions for course structures, including template names, descriptions, and "scoring criteria" or "sessions" (tasks) with their types (score, checkbox, text) and maximum scores.
  - Course Details: Names, descriptions, locations, start and end dates, and associated templates for courses.
  - Access Window Details: Names, expiry timestamps, unique shortcodes, and linked session names for access windows.
  - Candidate Information: Full names of candidates, their assigned teams, and uploaded photos (stored in Google Cloud Storage).
  - Scoring and Voting Data: Scores, text comments, checkboxes, nominations, and votes entered by instructors for candidates. This data is linked to specific sessions, candidates, access windows, and courses, and includes a timestamp of when the record was made.
- Instructor Information: For instructors using the "Join Session" feature, access is granted via temporary, single-use access codes. While we do not create permanent accounts for instructors, the shortcode and a temporary anonymous identifier (UUID) are logged for auditing and voting integrity purposes.
3. How We Use Your Information
We use the collected information for the following purposes:
- To Provide and Maintain the Service: This includes managing user accounts, facilitating access control for administrators and instructors, and enabling the core functionality of creating, managing, scoring, and voting on courses and candidates.
- To Personalise Your Experience: To display relevant course, candidate, and scoring data to authorised users based on their assigned roles and centre affiliations.
- For Internal Operations: This involves troubleshooting, data analysis, testing, research, statistical, and survey purposes to ensure the application's stability and performance.
- For Communication: To send password reset links and other essential service-related communications.
- For Security: To protect against fraudulent or illegal activity and to ensure the security of our application and data.
4. Data Storage and Security
All application data is securely stored on Google Cloud Platform's Firebase services. We rely on Google's robust security measures to protect your data from unauthorised access, alteration, disclosure, or destruction. Access to user data within the application is restricted to authorised individuals based on their roles (Super Admin, Centre Admin, Instructor) and is used solely for operating the service.
Third-Party Sub-Processors: We utilise trusted third-party services to deliver Faculty safely and securely. These sub-processors are compliant with strict data security standards:
- Google Cloud (Firebase): Used for secure database hosting, user authentication, and file storage (candidate photos).
- Stripe: Used to securely process and manage Centre Administrator subscription payments. Faculty does not store full credit card details on our servers.
5. Data Retention
Data retention policies vary depending on the Centre's subscription tier:
- Free Tier Centres: To minimise data footprint and protect candidate privacy, all course data (including candidate names, photos, and scores) is automatically and permanently deleted 7 days after the course End Date.
- Premium Tier Centres (Data Persistence): Paying centres have the option to enable "Data Persistence", bypassing the 7-day auto-deletion. In this case, the Data Controller (Centre Administrator) assumes full responsibility for manually deleting courses, candidates, and scores when they are no longer required for auditing or evaluation purposes, in compliance with their local data protection policies.
When a course or candidate is deleted (either automatically or manually), all associated data, including uploaded photos in our secure storage, are permanently purged.
6. Your Data Protection Rights
As a data subject in the UK, you have certain rights concerning your personal data:
- Right to Access: You have the right to request copies of your personal data.
- Right to Rectification: You have the right to request that we correct any information you believe is inaccurate or complete information you believe is incomplete.
- Right to Erasure: You have the right to request that we erase your personal data, under certain conditions.
- Right to Restrict Processing: You have the right to request that we restrict the processing of your personal data, under certain conditions.
- Right to Object to Processing: You have the right to object to our processing of your personal data, under certain conditions.
- Right to Data Portability: You have the right to request that we transfer the data that we have collected to another organisation, or directly to you, under certain conditions.
To exercise any of these rights, please contact us using the details provided below. As the Data Processor, MGECS will forward data subject requests regarding candidate information to the appropriate Centre Administrator (Data Controller) for fulfilment.
7. Cookies
Our application uses essential cookies to ensure the website functions correctly and to keep you securely logged in. We use Google Firebase Authentication, which sets cookies for authentication purposes. We also use your browser's local storage to remember your consent to our policies, so you don't see the consent banner on every visit. We do not use cookies for advertising or third-party tracking. For more details, please refer to our Cookie Policy.
8. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. You are advised to review this Privacy Policy periodically for any changes.
9. Contact Us
If you have any questions about this Privacy Policy, please contact us at:
enquiries@mgecs.co.uk