Privacy policy and data processing (draft)

UK-hosted stack. LeisureDeck Limited. This page sets out our privacy policy where we act as controller, and our Data Processing Addendum (including annexes) where schools are controller.

If you need help, contact us or email [email protected]. For contract terms, see our terms and conditions.

Privacy policy

This Privacy Policy explains how LeisureDeck Limited (“we”, “us”) collects and uses personal data when you visit our websites or use Schreen.

Controller: LeisureDeck Limited
Contact: [email protected]

1. When this policy applies

This policy applies where LeisureDeck Limited acts as a data controller, including:

  • enquiries and sales conversations
  • customer account administration
  • billing and payments
  • support requests
  • security and fraud prevention
  • website and product usage analytics (where enabled)

Where a school or trust uses Schreen to process pupil/staff data, the school/trust is typically the controller and LeisureDeck Limited acts as a processor. Those processing activities are covered by our Data Processing Addendum below and the school’s own privacy information.

2. Personal data we collect (controller activities)

Depending on how you interact with us, we may collect:

  • Identity/contact data: name, work email, phone number, job title, organisation.
  • Account data: login details, user role, preferences.
  • Billing data: billing contact details, invoices, payment status (payment card details are handled by our payment provider).
  • Support data: messages you send us, attachments/screenshots you provide.
  • Technical data: IP address, device/browser information, logs, approximate location derived from IP.
  • Usage data: how you use our website/app (for example pages viewed, feature usage), where configured.

3. How we use personal data (and lawful bases)

We use personal data for:

  • Providing the service (performance of a contract): creating and administering accounts, providing features, communicating service updates.
  • Billing and administration (contract/legal obligation): invoicing, accounting, fraud prevention.
  • Support and service improvement (legitimate interests): responding to requests, troubleshooting, improving reliability and user experience.
  • Security (legitimate interests/legal obligation): monitoring, preventing abuse, maintaining system integrity.
  • Marketing (legitimate interests/consent depending on channel): sending product updates or responding to enquiries. You can opt out at any time.

4. Sharing your data

We share personal data with trusted service providers (processors) where needed to run Schreen, such as:

  • Cloudflare (security, content delivery, performance)
  • Mux (video processing/streaming where used)
  • Polar.sh / Stripe (payments, subscriptions, invoicing)
  • PlanetScale (database hosting)

We may also share data where required by law, or to establish/exercise legal claims.

5. International transfers

We aim to host data in the UK. Some suppliers may process limited data outside the UK (for example for support operations or global infrastructure). Where personal data is transferred internationally, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable.

6. Data retention

We keep personal data only as long as necessary for the purposes described:

  • account and billing records: for the duration of the contract and as required by law
  • support records: as needed to resolve issues and maintain service history
  • security logs: retained for a limited period for security and troubleshooting

7. Your rights

You may have rights including access, rectification, erasure, restriction, objection, and data portability. If you are using Schreen through a school/trust, requests relating to pupil/staff data should usually be directed to the school/trust as controller.

8. Complaints

You can complain to the UK Information Commissioner’s Office (ICO): https://ico.org.uk/

9. Updates

We may update this policy from time to time. We will post the latest version on our website.

Data Processing Addendum (DPA)

This DPA applies where the Customer (a school, trust, or other organisation using Schreen) is the controller and LeisureDeck Limited processes personal data on its behalf.

Parties and roles

  • Controller: the school/trust/customer
  • Processor: LeisureDeck Limited

1. Scope and instructions

1.1 The Processor will process personal data only on documented instructions from the Controller, including as necessary to provide Schreen.

2. Confidentiality

2.1 The Processor ensures persons authorised to process personal data are bound by confidentiality.

3. Security

3.1 The Processor implements appropriate technical and organisational measures to protect personal data.

4. Subprocessors

4.1 The Controller authorises the Processor to use subprocessors listed in Annex C.

4.2 The Processor will provide notice of material changes to subprocessors and allow the Controller to object on reasonable grounds.

5. Data subject rights assistance

5.1 The Processor will assist the Controller (taking into account the nature of processing) to respond to requests to exercise data subject rights.

6. Personal data breaches

6.1 The Processor will notify the Controller without undue delay after becoming aware of a personal data breach and provide information reasonably required for the Controller’s compliance.

7. Deletion and return

7.1 On termination, the Processor will delete or return personal data in accordance with the Controller’s instructions, unless retention is required by law.

8. Audits and compliance

8.1 The Processor will make available information necessary to demonstrate compliance and allow for audits in a reasonable manner.

9. International transfers

9.1 Where transfers occur, the parties will ensure appropriate safeguards (for example UK IDTA / UK Addendum).

Annex A — Details of processing (including cached MIS lookup)

  • Subject matter: Schreen digital signage content management.
  • Duration: subscription term plus agreed retention/backup windows.
  • Nature of processing: collection, storage, organisation, search, display, deletion.
  • Purpose: enable schools to manage and display content; enable removal of pupil images by searching name.
  • Data subjects: pupils, staff, and other individuals appearing in content.
  • Personal data categories:
    • pupil/staff names
    • photos/images
    • content metadata (for example upload time, tags, location/screen identifiers)
    • user account identifiers
    • MIS lookup fields (cached): limited identifiers/attributes retrieved from the school MIS to support search and matching, which may be cached for performance and reliability. Such data may be cached for a limited period; specifics may be described in technical documentation or agreed with the school.
  • Special category data: Schreen is not intended for processing special category data about identifiable individuals. The Controller is responsible for ensuring content uploaded does not include special category data relating to identifiable pupils/staff.

Annex B — Security measures

  • access controls and role-based permissions
  • encryption in transit (TLS)
  • encryption at rest where supported by infrastructure
  • logging/monitoring for security events
  • least-privilege access for staff
  • vulnerability management and patching
  • backup and recovery procedures

Annex C — Subprocessors

  • Cloudflare — CDN, WAF/security, performance.
  • Mux — video processing/streaming.
  • Polar.sh / Stripe — payments/subscriptions.
  • PlanetScale — database hosting.