Privacy Policy

This privacy policy takes effect from the 25th May 2018.

1. Introduction
1.1. We are committed to safeguarding the privacy of our application users. In this policy, we explain how we will treat your personal information.

1.2. In this policy, ‘application’ refers to one or all of the following:

  • This website, hereafter “our website”;
  • Our internal accounts and billing system, hereafter “our billing system”;
  • The hosted FirstSteps Management system, hereafter “FirstSteps Hosted”;
  • The standalone FirstSteps Management system, hereafter “FirstSteps Standalone”;
  • The FirstSteps Monitor & Tracker app, hereafter “Monitor & Tracker”;
  • The FirstSteps Parent Link app, hereafter “Parent Link”;
  • The FirstSteps Manager app, hereafter “FirstSteps Manager”;
  • Our helpdesk system, hereafter “our Helpdesk”;
  • Our Top Tips newsletter, hereafter “Top Tips”.

1.3. We will be specific where points only apply to certain applications. ‘We’ means Rio Computers Ltd T/A FirstSteps Software. ‘Customer’ refers to our customer, i.e. the nursery or school that has a contract with us.

2. What data we collect
2.1. For customers of FirstSteps Hosted and FirstSteps Standalone, we store the following information about you in our billing system:

  • The name, address, telephone number, email and website of your nursery/school

We will use this account information to inform you of upcoming changes to the system including availability.

  • The name, telephone number, email of the person at your nursery/school that is responsible for paying the account
  • Bank information if you are a customer paying by Direct Debit

We use this billing information in order to administer and bill you as per our contract.

2.2. Customers of FirstSteps Hosted may store some or all of the following information in the application:

  • The names, addresses, telephone numbers, date of births, photos, etc. of their staff
  • The names, addresses, telephone numbers, date of births, photos, etc. of their children
  • The names, addresses, telephone numbers, date of births, photos, etc. of parents/relatives of their children
  • The daily diary events (e.g. meals, bottle feeds) and observations which may include: photos, audio recordings, notes, comments relating to the children

The customer has full control of what data is inputted and stored and can choose whether this data is shared with staff or parents via the Monitor & Tracker and Parent Link apps. The customer can also edit/delete this data.

In order to provide access to the Monitor & Tracker, Parent Link, and FirstSteps Manager apps, we may use email addresses associated with accounts to send automated emails relating to password resets, account creations, notifications of events. We will not use this to send any marketing information.

We only access other data stored in the system about staff, children or parents/relatives when authorised by the customer, in order to support them, ensure the application remains running or to fix issues.

2.3. For users of our website, we store the following information about you:

  • IP Addresses
  • Information about your computer, including your operating system and web browser

We use this information to monitor the security of our service, to ensure that we are supporting the necessary hardware/browsers and improve our website.

2.4. For users of our website who contact us via our contract form, we store the following information about you:

  • The name, address, telephone number, email, and contents of your message

We use this information in order to respond to your queries. In the case of enquiries, this information is kept for 90 days after the enquiry has been concluded.

2.5. For users of our Monitor & Tracker, Parent Link, and FirstSteps Manager applications, we store the following information about you:

  • The make, model, operation system version of your tablet/device
  • Details of any crashes (reported to us via the respective app stores)
  • The timing of when users have logged in to the applications

We use this information in order to improve our service and ensure we are supporting the necessary devices.

2.6. For users of our Helpdesk, we store the following information about you:

  • The name, email, telephone number(s) of the person raising the support ticket
  • Any personal data provided to us by the person raising the support ticket, i.e. the contents of the ticket.

We use this information in order to support you via the Helpdesk.

2.7. For users signed up to our Top Tips newsletter, we store the following information about you:

  • The email of the person signed up to receive the newsletter

We use this information in order to send out the newsletter.

3. How do we collect the data?
3.1. The data we collect is either provided to us by the customer or entered into the system by the customer. The customer can then share this data to staff/parents/relatives via the Monitor & Tracker and Parent Link apps.

4. Who owns the data?
4.1. The data stored within the applications is owned by the customer – we are the “Data Processor” and they are the “Data Controller”. We only process the data on the customer’s behalf. Subject Access Requests received from staff/children/relatives will be directed to the Data Controller.

4.2. For customers using FirstSteps Standalone, we are not the “Data Processor”. However, we can assist with how data can be best managed in order for them to comply with data protection regulations.

5. Disclosing data
5.1. We do not disclose the data unless requested to by the customer.

5.2. The customer may share the data to staff/parents/relatives via the Monitor & Tracker and Parent Link apps or export the data out of the application.

5.3. We only access the data when authorised by the customer, in order to support them, ensure the application remains running or to fix issues.

6. Right to rectification/erasure
6.1. The customer can amend/remove any data they have stored about staff/children/relatives from within the application. Depending on their needs, this can either be removed instantly and permanently (so that it cannot be restored from backups) or from the application initially but remain in backups until they are deleted (after a period of time).

6.2. The customer can ask us to amend/remove any data we hold about them relating to our billing system, our Helpdesk, and the Top Tips newsletter.

7. Where is the data stored?
7.1. Information will be stored and processed within the EU. We may sometimes use third-party data processors that are located outside of the EU. Where we transfer any personal data outside the EU, we will take all reasonable steps to ensure that your data is treated as safely and securely as it would be within the UK and under the GDPR.

7.2. Information will be stored in our offices (in Leicester, UK) for the following applications: our billing system.

7.3. Information will be stored in Microsoft Azure in Ireland, Germany and the UK for the following applications: backups of our billing system, customer data for FirstSteps Hosted, backups of customer data for FirstSteps Hosted.

7.4. Customer data for FirstSteps Hosted will not leave Microsoft Azure, except in the rare occurrence when it is transferred to our office in order to locally debug an issue – the personal data transferred is minimised (as much data as possible is anonymised and cannot be linked back to an individual), this transfer of data is logged, and it is deleted as soon as possible.

7.5. Information stored in the Helpdesk system will be stored by our sub-processor ZenDesk, who may transfer data to countries outside the EU. As a data controller, you may pass personal data to us when raising tickets or in order for us to troubleshoot a problem. Upon request, we can remove/anonymise any personal data from any ticket raised if required.

7.6. Users who are signed up to the Top Tips newsletter may have their data transferred outside the EU by our sub-processor MailChimp.

7.7. Other than in the above cases, information will not be transferred outside of the EU, except in circumstances where users of the applications are accessing from outside the EU or where we are using sub-processors located outside of the EU.

8. Data retention
8.1. For FirstSteps Hosted customers, we act as the Data Processor so do not delete customer data while the customer still has a valid contract. The customer, acting as the Data Controller, can use the system to comply with their own data retention policy. We have implemented functionality within FirstSteps Hosted for customers to specify how long certain types of personal data should be kept when a staff member, parent or child is marked as left. Backups are retained for 90 days.

8.2. Upon termination or lapse of the contract, all users will be removed from our systems, including but not limited to: Hosted users, Monitor & Tracker users, Parent Link users, FirstSteps Manager users, Helpdesk users. The live system data is removed at this point. The personal data stored in the system can be provided to you as an export if required. Once 90 days have elapsed from the contract termination date, all backups are permanently deleted. Backups can be deleted prior to this time upon request. Once backups have been deleted there is no possible way to restore the data.

8.3. For data relating to account management, we keep this data while you have a valid contract with us. Upon termination of the contract, we remove bank data and keep remaining information for 7 years after the contract has terminated in case we are audited.

8.4. For data relating to the Top Tips newsletter, we keep this data while you are subscriber and it is deleted upon you unsubscribing.

8.5. Personal data may be kept in the following cases:
  (a) to the extent that we are required to do so by law;
  (b) if we believe that the documents may be relevant to any ongoing or prospective legal proceedings; and
  (c) in order to establish, exercise or defend our legal rights (including providing information to others for the purposes of fraud prevention and reducing credit risk).

9. Security of personal information
9.1. We will take reasonable technical and organisational precautions to prevent the loss, misuse or alteration of your personal data.

9.2. You are responsible for keeping the password you use for accessing our application confidential; we will not ask you for your password (except when you log in to our application).

10. Data Breaches
10.1. We will notify any customers affected by a data breach without undue delay of us becoming aware of such a breach except for the following circumstances:

  • We believe the act of performing a notification will increase the risk to other customers.
  • Other unusual or extreme circumstances, such as when requested by law enforcement.

We will be following the ICO’s guidance on this. You may be notified via any of the account information we hold about you.

11. Sub-processors
11.1. As part of providing our service to you, we may use the following sub-processors:

  • Microsoft Azure – for hosting.
  • ZenDesk – for providing our Helpdesk.
  • 1and1 – for managing our email.
  • MailChimp – for sending Top Tips newsletters.
  • TeamViewer – to facilitate support and may use it to remotely connect to your machine. We will always ask for your permission before connecting. Data transferred via TeamViewer is encrypted and not visible by TeamViewer.

11.2. We may need to amend the sub-processors that we use in order to provide our service to you. If we do, we will propose this as a change of contract and give you as much notice as possible. We will ask for your written agreement to change the list of sub-processors.

12. Amendments
12.1. We may update this policy from time to time by publishing a new version on our website and, where appropriate, will notify you via email.

12.2. Please check this page occasionally to ensure you are happy with any changes to this policy.

13. Cookies
13.1. Our website does not use cookies.

14. Data protection registration
14.1. We are registered as a data controller with the UK Information Commissioner’s Office.

14.2. Our data protection registration number is Z6296097

15. Data Protection Officer (DPO)
15.1. Under the GDPR, we have appointed a DPO: dpo@firststeps.software

16. Our details
16.1. This application is owned and operated by Rio Computers Ltd T/A FirstSteps Software
16.2. We are registered in England and Wales under registration number 2852326, and our registered office is at 16 Warren Park Way, Enderby, Leicester. LE19 4SA
16.3. Our principal place of business is at 16 Warren Park Way, Enderby, Leicester. LE19 4SA
16.4. You can contact us:

  • by post, using the postal address given above
  • by telephone, on the contact number published on our website
  • by email, using the email address published on our website