Who We Are
Charanga of 5th Floor, Olivier House, 18 Marine Parade, Brighton, BN2 1TL collects, uses and is responsible for certain personal information about you. When we do so, we are regulated under the General Data Protection Regulation (‘GDPR’) which applies across the European Union (including in the United Kingdom) and we are responsible as ‘processor’ of that personal information for the purposes of those laws, the ‘controller’ being the school, music service/hub or other educational organisation who has subscribed to Charanga’s programmes.
How to Contact us
Information That We Collect
Charanga processes your personal information to meet our legal, statutory and contractual obligations and to provide you with our products and services. We will never collect any unnecessary personal data from you and do not process your information in any way, other than as specified in this notice.
The personal data that we collect concerns:
- Billing contact details (name, organisation and email address)
- Where payment is made by card, our payment provider (Stripe) would hold payment card details and Charanga would never have access to them.
- Contact details: name, school, email address and optional mobile phone (this is for those attending a live training event, so that should the event be cancelled for whatever reason, we can contact them at the last minute)
- Personal resources (files such as pdf, mp3, mp4 of personal educational materials)
- Personal lessons (lists of Charanga resources or own personal resources)
- Pupil/student groups (lists of students)
- Name, school
- Work evidence/assessment files
We collect information in the ways below:
- website orders
- online forms when lead teachers add new teachers/students from the school
How We Use Your Personal Data
Charanga takes your privacy very seriously and will never disclose, share or sell your data without your consent, unless required to do so by law. We only retain your data for as long as is necessary and for the purpose(s) specified in this notice. Where you have consented to us providing you with promotional offers and marketing, you are free to withdraw this consent at any time.
The purposes and reasons for processing your personal data are detailed below:
- We collect your personal data in the performance of a contract to provide a digital music teaching and learning service, to ensure that orders are completed and that you are able to make the most out of the service
- We collect and store your personal data as part of our legal obligation for business accounting and tax purposes
- We will occasionally send you marketing information where we have assessed that it is beneficial to you as a prior subscriber and in our interests. Such information will be non-intrusive and is processed on the grounds of legitimate interests
Under the GDPR you have a number of important rights free of charge. In summary, those include rights to:
- require us to correct any mistakes in your information that we hold
- require the erasure of personal information concerning you in certain situations
- receive the personal information concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit that data to a third party in certain situations
- object at any time to processing of personal information concerning you for direct marketing
- object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
- object in certain other situations to our continued processing of your personal information
- otherwise restrict our processing of your personal information in certain circumstances
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
If you would like to exercise any of those rights, please email, call or write to Paul Fletcher our Data Protection Officer.
If you would like to unsubscribe from any emails you can click on the ‘unsubscribe’ button at the bottom of the email.
Sharing and Disclosing Your Personal Information
For users of our VIP Studio Sessions programme for secondary schools, Charanga shares data with partner Soundation AB, of Mailbox 2452 111 75 Stockholm, Sweden. Soundation provide very specialist cloud-based digital audio workstation functionality in the form of an educational version of Soundation called Soundation4education which is tightly integrated into VIP. At the request of teachers at subscribing schools, students can be assigned login details or removed from Soundation4education. Details of their GDPR compliance policies can be found at https://soundation.com/gdpr
Occasionally some organisations may pay for their subscriptions using a payment card. Charanga uses Stripe as payment provider – see https://stripe.com/guides/general-data-protection-regulation#stripe-and-the-gdpr. Any payment card number is stored by Stripe and not directly accessible by Charanga.
We will share personal information with law enforcement or other authorities if required by applicable law.
We will not share your personal information with any other third party.
Charanga takes your privacy seriously and takes every reasonable measure and precaution to protect and secure your personal data. We work hard to protect you and your information from unauthorised access, alteration, disclosure or destruction and have several layers of security measures in place including:
- Charanga hosts its websites on Amazon Web Services’ (AWS) European data centres in Ireland. The Charanga servers in AWS are in a locked-down VPC (virtual private cloud), where access to those machines in the VPC is logically isolated from any other AWS instances.
- Charanga uses AWS’ geographic controls to ensure that no data leaves the EU data centres in Ireland. This ensures we are in compliance with Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
- The VPC acts like an isolated LAN. Network access is strictly controlled by security groups. Traffic in and out of the VPC from specific machines (i.e. the web server and only the web server) to the wider internet is further limited by firewall rules which only permit a limited set of protocols: HTTP, HTTPS, SMTP and SSH.
- SSH access into the VPC is only allowed from a set of whitelisted IP addresses. Password access is not permitted, nor is root access. Access is solely from SSH keypairs, which are reviewed on a regular basis.
- Data is stored on an AWS RDS (Relational Database Service) instance, which is a managed MySQL database. Backups are automatically maintained and securely stored on Amazon’s S3 infrastructure. The AWS VPC, RDS and S3 services all comply with ISO 27001.
- Access to personal data is strictly controlled internally within Charanga with a multi-tiered access hierarchy. Strict care of personal data is part of updated employment contracts for all staff. Employees are also periodically trained on the nature and importance of GDPR compliance.
- Charanga’s internal systems are Cyber Essentials self-certified.
Transfers Outside the EU
Charanga does not transfer or store any personal data outside the EU.
Consequences of Not Providing Your Data
You are not obligated to provide your personal information to Charanga; however, as this information is required for us to provide you with our services, we will not be able to offer some/all our services without it.
As noted in the ‘How We Use Your Personal Data’ section of this notice, we occasionally process your personal information under the legitimate interests legal basis. Where this is the case, we have carried out a thorough Legitimate Interests Assessment (LIA) to ensure that we have weighed your interests and any risk posed to you against our own interests, ensuring that they are proportionate and appropriate.
We use the legitimate interests legal basis for processing personal data to provide emails to communicate new features of our service and similar new services and have identified that our interests are direct marketing. Within these communications, unsubscribe options are always easily available.
How Long We Keep Your Data
Charanga only ever retains personal information for as long as is necessary and we have strict review and retention policies in place to meet these obligations.
- Employees – records are kept for 3 years following end of employment
- Customer organisations: billing details – records are stored for 6 years following the latest invoice
- Customer organisations: teacher details – records are stored for 3 years following end of subscription unless deleted by the school prior to end of subscription
- Customer organisations: student details – records are stored for 18 months following end of subscription unless deleted by the school prior to the end of the subscription (no contact is ever made directly to students)
Lodging a Complaint
Charanga only processes your personal information in compliance with this privacy notice and in accordance with the relevant data protection laws. If, however, you wish to raise a complaint regarding the processing of your personal data or are unsatisfied with how we have handled your information, you have the right to lodge a complaint with the supervisory authority.
The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/concerns/