Privacy Policy
Digital Mock Service
Last updated: 29 May 2026
Digital Mock Service (“we”, “our”, or “us”) is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, store, share and protect information when schools, academies or trusts use our digital mock examination and assessment services. For questions about this Privacy Policy, please contact: Digital Mock Service
Email:jordan@digitalmockservice.co.uk
1. Who we are
Digital Mock Service provides externally marked digital mock examinations, diagnostic assessments, feedback and reporting for UK secondary schools, including GCSE, Cambridge National and related qualifications.When we process student personal data as part of delivering assessments for a school, the school, academy or trust remains the Data Controller. Digital Mock Service acts as the Data Processor, processing student data only on the school’s documented instructions.For staff enquiries, bookings, invoices and general business administration, Digital Mock Service may act as a Data Controller for limited staff/business contact data.
2. Information we collect
We only collect personal data that is necessary to deliver and manage our services.
School staff data
We may collect: Name, work email address, school academy or trust name, role or job title, contact details provided through enquiries, bookings, emails or forms, booking, invoice and service communication records
Student data
Depending on the assessment setup agreed with the school, we may process: Student name or agreed student identifier, candidate number, class or group where used, school email address, username or account identifier where needed, login credentials or account details, assessment responses, marks, scores, predicted grades, feedback and reports, access arrangement information, such as an extra-time flag, where the school chooses to provide or configure it. We do not intentionally collect home addresses, dates of birth, parent/carer details, medical records, behaviour records, safeguarding information or special category data unless this is specifically agreed in writing and is necessary for the service.
3. Student self-entry of names or identifiers
Where agreed with the school, students may be asked to enter their own name, candidate number, class/group or agreed identifier at the start of an assessment.For example, students may be asked to enter their first initial followed by their surname, such as: John Brown = J Brown. This information is used only so the school can match the assessment response to the correct student and receive accurate reports.This method may reduce the need for school staff to send spreadsheets of student names or candidate lists. However, student names or identifiers are still personal data and are processed only for the school’s assessment and reporting purposes.Schools remain responsible for telling students what identifier to enter and for checking that returned reports are matched correctly before using them for school decisions.
4. How we use personal data
We use personal data only where necessary to provide and manage the service.This includes: Setting up and managing assessments, providing access to digital assessments, creating or supporting student accounts where needed, matching student responses to the correct student or identifier, marking and moderating student work, producing marks, grades, feedback and performance reports, returning assessment outcomes to authorised school contacts, providing support and resolving service queries, managing bookings, invoices and school communications, maintaining service security and records. We do not sell, rent or use student personal data for marketing, advertising, unrelated analytics, product profiling, automated decision-making unrelated to the assessment service, or training third-party AI systems.
5. Legal basis for processing
For student data, the school, academy or trust is the Data Controller and is responsible for identifying the lawful basis for processing under UK data protection law. Digital Mock Service processes student data as a Data Processor on behalf of the school and only on documented instructions. For staff contact, enquiry, booking and invoice data, Digital Mock Service may process personal data where necessary for: providing requested services, responding to enquiries, managing contracts, bookings and invoices, keeping business records, communicating with schools about the service
6. Data minimisation
We ask schools to provide only the personal data needed to deliver the service.Where student self-entry of names or identifiers is sufficient, schools should avoid sending unnecessary spreadsheets or additional student information.Schools should avoid providing detailed SEN, disability, medical, safeguarding or behaviour information unless it is strictly necessary and has been agreed in writing.Access arrangements should normally be provided only as a practical flag, such as whether extra time is needed, rather than detailed underlying medical or SEN information.
7. Data storage and security
We use appropriate technical and organisational measures to protect personal data. These may include: Password-protected systems, restricted access to authorised personnel only, secure cloud-based assessment and storage -based access where available, secure account management, secure transfer or return of reports, confidentiality control, deletion or anonymisation after the agreed retention period, reports containing personal data are shared only with authorised school contacts.
8. Sub-processors and service providers
We may use trusted third-party service providers where necessary to deliver and manage the service.These may include:Assessment hosting platforms, such as MoodleCloud or equivalent services. Secure cloud storage or productivity tools Email providers, Website, domain, payment and accounting. These providers are used only where needed for assessment delivery, support, administration, invoicing or communication. Where a provider processes personal data on our behalf, we take reasonable steps to ensure appropriate data protection terms and safeguards are in place.
9. International transfers
We do not knowingly make restricted international transfers of personal data unless appropriate safeguards are in place under UK GDPR. Where a service provider stores or accesses data outside the UK, we take reasonable steps to ensure that suitable safeguards are used, such as adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, or another lawful transfer mechanism.
10. Data retention
Personal data is kept only for as long as necessary to deliver the service, issue reports, resolve queries and complete agreed support.Unless otherwise agreed in writing with the school:Student personal data will normally be deleted or anonymised within 30 days after final reports are issued. Assessment reports and working files containing student personal data will be deleted or anonymised within the same period. Limited business records, such as invoices, booking records and staff communications, may be retained for legitimate administrative, accounting or legal purposes. Backups and system logs may retain limited data for a short operational period where deletion is not technically immediate. Such data remains protected and is not used for any other purpose.Schools may request earlier deletion where appropriate.
11. Data sharing
We do not share personal data except where necessary to provide the service, comply with legal obligations, or support school-requested administration. Student personal data may be shared with: Authorised school contacts, assessment hosting providers, secure cloud storage or productivity providers where necessary, email or communication providers where necessary, other approved sub-processors required to deliver the service. We do not share student personal data with advertisers, data brokers or unrelated third parties.
12. Data subject rights
Under UK data protection law, individuals may have rights including:The right to be informed. The right of access. The right to rectification. The right to erasure. The right to restrict processing. The right to object. The right to data portability, where applicable. The right to complain to the Information Commissioner’s Office. For student data, requests should normally be directed to the school, academy or trust in the first instance because the school is the Data Controller. Where we receive a request directly from a student, parent/carer or staff member relating to school-controlled student data, we will normally refer the request to the relevant school unless legally required to respond directly.
13. Data breaches
If we become aware of a personal data breach affecting student personal data processed on behalf of a school, we will notify the school without undue delay. Where reasonably practicable, we will aim to notify the school within 24 hours of becoming aware of a confirmed breach affecting student personal data. We will provide reasonable information to help the school assess the breach and meet its own legal obligations.
14. Cookies and website data
Our website may collect limited technical information such as browser type, device information, pages visited or usage data to help the website function and improve the service. We do not use tracking cookies for advertising purposes. Where cookies or analytics tools are used, they will be limited to what is necessary or proportionate for website functionality, security and basic service improvement.
15. Written acceptance and related terms
Schools using Digital Mock Service may be asked to accept our Data Processing Agreement, terms of service or booking terms.Acceptance may be given by email, booking form, purchase order, service order, written confirmation or other written instruction confirming that the school wishes to use the service.No physical signature is required unless specifically requested by the school, academy or trust.
16. Contact
For questions about this Privacy Policy or how data is handled, please contact:Digital Mock Service
Email:jordan@digitalmockservice.co.uk. For student data requests, students or parents/carers should usually contact the relevant school, academy or trust first.You can also contact the Information Commissioner’s Office if you are unhappy with how personal data has been handled.
17. Policy updates
We may update this Privacy Policy from time to time. The latest version will be made available on our website.