What is the GDPR?

On May 25th, 2018, the General Data Protection Regulation (GDPR) (EU) 2016/679 came into force. The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union and is intended to strengthen the safety and security of all data held within an organisation. This legislation is considered the most significant data protection legislation of the last 20 years. 

Post-Brexit in the UK, the EU GDPR was retained and embedded into UK domestic law, also now known as the UK General Data Protection Regulation (UK GDPR).  

The Information Commisioner’s Office (ICO) act as an independent supervisory authority for data protection in the UK. As such, they act as the enforcement agency of the UK GDPR and provide a great place to start should you wish to find out more about this piece of legislation. 

Our compliance

Eedi is committed to helping teachers, students and parents work together to improve overall student performance. We have standardised policies and procedures to manage and protect the data that we process on behalf of our schools, putting data security and compliance at the core of our operations. Our systems and processes are fully GDPR compliant.

We have partnered with an external organisation who we have engaged as our outsourced Data Protection Officer (DPO). Our DPO is here to ensure that Eedi aligns our procedures and processes to the requirements of UK Data Protection Legislation. 

If you wish to ask our DPO any questions about this GDPR page or our compliance, please reach out to them at dpo@eedi.co.uk

Data controllers and Data processors

Eedi collects basic contact details (e.g. name, email or phone number) from most users in order to facilitate normal use of the platform. Schools are the data controllers of staff and pupil data. The data controller is the person or organisation who determines what data is extracted, what purpose it is used for and who is allowed to process the data. The GDPR increases the responsibility schools have to inform students and parents about how their data is being used and by whom. Eedi acts a data processor of school staff and pupil data, wherein we are trusted by Schools with data, but we do not control it. Schools have ultimate control over their data and the consent to use it. 

Where a data controller and data processor engage one another, a data processing agreement is a legal requirement under Article 28 of the UK GDPR.  

Please see a copy of our data processing agreement here. 

Eedi will assume each school has received consent from appropriate parties before any data is shared with Eedi. In cases where students sign up directly, Eedi will ask for the e-mail address of the parent/guardian so we can seek verifiable parental/guardian consent to the collection and processing of personal data. Students do not have permission to use Eedi unless a parent/guardian first reads and agrees to the terms of use.

If you wish to learn more about what data we collect when you use Eedi, please read our privacy policy

How does Eedi protect personal data and where is it processed?

Our platform and customer data are stored on secure and compliant cloud infrastructure. Our servers are hosted by Microsoft Azure in the EU to ensure customer data is retained within the European Economic Area (EEA), and sensitive data is encrypted within the database. We store business data within selected cloud platforms, including services like Google Drive, Intercom and Zoho CRM. Through performing due diligence where necessary, we will only use platforms whose information security practices we approve. These are tools we use to operate our business, for purposes such as billing and invoice information, support cases, and marketing. For more information, please see our Terms and Conditions and Privacy Policy.

Who can access personal data?

Where it is necessary to access customer data, for example to investigate a support case, only approved Eedi support and technical staff can access it. If you wish to make a Data Subject Access Request and/or Right to be Forgotten request, or are looking for further information on our GDPR compliance, please contact dpo@eedi.co.uk.

Last updated March 2025.