GDPR Compliance Statement

Last updated: 20th March 2025

We take data protection very seriously, especially because Mega Seating Plan deals mostly with children's data. On this page you can learn about what data is collected and stored, how it is used and how it relates to the terms of the General Data Protection Regulation (GDPR), now incorporated in the Data Protection Act 2018.

Mega Seating Plan Ltd ("we", "us") acts under the terms of the GDPR as the "data processor". Schools and school staff ("you", "your") retain responsibility under the GDPR as the "data controller".

The basis for processing data under the GDPR is 'legitimate interests'. The processing is necessary for the purpose of generating classroom seating charts (and other similar tools, described below) for teachers, and these tasks could not otherwise be performed. Processing of personal student data is limited to the purposes described below.

What data is collected and stored?
User data

This is data collected by Mega Seating Plan about visitors to the website. We use Google Analytics to monitor website visits - there is more detail about this on the Privacy page.

Aside from this, during registration we collect your name, school, country, email address, password (for non-Google sign-in users only) and your IP address, to be used as follows:

  • Name: Allows us to address any emails we send to you by name.
  • Email address: Allows you to recover your password if you forget it, and allows us to communicate with you (only if you have consented to receive marketing emails). Your email domain (the part of your address after the @ sign) may also be used to match you with colleagues from your school for the purpose of creating shared resources. Additionally, your email domain may be compared to publicly available data to identify your school.
  • Password: If you registered via the Google or Microsoft SSO buttons, this does not apply to you, as your password is never collected by Mega Seating Plan. When you register, you submit a password. This is never seen by us or received by our servers - it is stored in a 'hashed' format that cannot be decoded. This password is necessary to ensure that the student data you upload is visible only to you.
  • Country: This allows the user experience to be tailored to your specific country.
  • School: This allows you to be matched with colleagues at your school to allow the sharing of resources such as class lists.
  • IP address: This is a unique address associated with your computer or network. We collect this during registration and when you perform key actions around the site, so that we can estimate the approximate geographical location of users. This allows us to localise languages and currencies for some users. This is nothing unusual - your IP address is public whenever you browse the web. Your IP address right now is: 216.73.216.162, which tells the internet that your approximate location is: Columbus, US.
Student data

In order to protect student privacy, student data is pseudonomised. This is achieved by encrypting student names, photographs and email addresses when stored in the database; only the owner of the data (and colleagues that they have chosen to share it with) have access to the decryption key.

Data that would be considered sensitive under the the GDPR (for example, ethnicity) should not be uploaded.

Student data is stored in a database, with data only accessible to the user that has created it (and, optionally, colleagues that the user has explicitly chosen to share with), when logged in via their password. Student data will never be sold to or shared with third parties. Encryption keys are unique to each user and not stored in the database, meaning that even in the event of a serious database breach, student data remains protected.

How is the data used?

The data collected about website users is used only to improve the experience of website visitors.

Student data is used only for the purposes required by the website. These include:

  • To be displayed on seating plans.
  • To generate automatic seating plans.
  • To be displayed on the random name selector.
  • To be displayed on student profiles.
How is the data stored?

Written data and student photographs are stored in a MySQL database hosted on a dedicated JawsDB server. Larger pieces of data are stored encrypted on an Amazon Web Services cloud server. All servers are located in the European Union. Student names, email addresses and notes are encrypted with a key specific to the user that uploaded them.

How long is imported data stored?

When uploading class data, you must choose an expiry date for the class. When this date is reached, that class, all students within it and all seating plans associated with it will be permanently deleted.

User accounts with no activity in the previous two years are automatically deleted (see deletion policy below). We will send a warning email 30 days before deletion.

How is the data disposed of?

When a user deletes their account, this is processed as follows:

  • The user account is immediately stripped of all personally identifiable information (PII), including their name, email address, IP address and school name. These fields are replaced with anonymised placeholders. A hashed version of the email address is retained in a separate field to allow us to identify past accounts in the event of a GDPR access or erasure request. This hash is not reversible and is not used for any other purpose.
  • All associated data — including student data, classes, seating plans, student profiles, reports and uploaded photographs — are immediately and permanently deleted. This ensures that no personally identifiable student data remains in the system.
Registration with the ICO

Mega Seating Plan Ltd is registered with the Information Commissioner's Office (registration number ZA331933).

Other documents

GDPR Article 28 contract addendum