GDPR

Last updated: 06/05/2026

Summary

ReadByte only collects the minimal data required to provide the contracted service. ReadByte acts as the data processor for all provided data, while customers remain the data controllers. Data is retained only for the duration of the contract, after which all personally identifiable information (PII) is removed. We use Microsoft Azure, a reputable hosting provider accredited to SOC 2 and ISO 27001 standards. Encryption is applied to all incoming and outgoing connections, and all databases are encrypted both at rest and in transit. We also implement strict access control, auditing, and authorisation policies to protect customer data. All personal data we store is held within the United Kingdom and will never leave the European Economic Area (EEA).

Introduction

Welcome to ReadByte (“we”, “our”, “us”). We are a business based in the United Kingdom and are committed to protecting your personal data and respecting your privacy.

Purpose

This policy describes how ReadByte complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 when processing personal data on behalf of schools that use the ReadByte platform.

Scope

This policy applies to all personal data processed by ReadByte in connection with the Junior BookShelf SaaS service. It covers data relating to school staff, students, parents, and authorised users.

Data-Protection Principles

ReadByte follows the six key principles of the UK GDPR: lawful, fair and transparent; limited to purpose; data minimised; accurate; storage-limited; and secure.

Lawful Bases For Processing

ReadByte acts primarily as a Data Processor under the lawful basis of performance of a contract. Business contact data may be processed on the basis of legitimate interests.


Roles And Responsibilities

Schools are Data Controllers; ReadByte is the Data Processor. All employees and contractors must adhere to this policy and complete data-protection training.

Data Subject Rights

ReadByte assists schools in fulfilling data-subject rights, including access, rectification, erasure, restriction, objection, and portability.

Security And Access Control

We maintain technical and organisational measures such as encryption, role-based access control, backups, and secure UK data hosting.

Data Retention

Customer data is retained for the duration of the contract plus sixty (60) days post-termination, after which it is securely deleted unless legally required otherwise.

Data Breach Management

Any suspected data breach will be investigated immediately and reported to affected schools without undue delay.

Data Protection By Design And Default

Privacy is integrated into product development through minimal data collection, privacy impact assessments, and secure development practices.

Sub-Processors

Sub-processors are appointed only after due diligence and under written contracts with equivalent GDPR obligations. A list is available upon request.

International Transfers

ReadByte does not transfer data outside the UK.

Training And Awareness

All staff receive GDPR training and regular refreshers.

Policy Review And Maintenance

This policy is reviewed annually or when legislation or business practices change.

Enquiries

ReadByte
Enquiry@ReadByte.co.uk