GDPR Compliance

Our commitment to privacy, security and why you can trust us

Great tools take a lot of building.

Our tools are free for everyone, but we want to make more and make these ones even better. If you want amazing technical support, feature requests and a say in what we build next, please consider supporting us.


Despite the recent blizzard of media attention and marketing emails, data protection is not new. In the UK, we have all been working under the 1998 Data Protection Act (itself born from the European Union’s 1995 Data Protection Directive). We have had 20 years of strong legislation governing the management of processing of personal data, and almost 2 years (at time of writing) to prepare for enforcement of the more comprehensive General Data Protection Regulation.

Working with more than a decade of experience developing software for managing data in education, we have built our tools with privacy and security right at their core. We have not had to scramble to ensure compliance, as we have always sought to ensure that the protection of personal data is at the heart of what we do.

As the responsibility for protecting personal data rests with the controller of that data, most organisations will be auditing what services and systems they use to ensure they secure their data effectively and can prove their compliance with legislation.

The more systems you use, the more difficult and time consuming this job will be. The more storage platforms your data is spread around on, the greater your exposure is to potential security flaws. The more accounts you and your staff have, the more likely it is that they are going to be compromised.

We want to help you keep your data safe. We do this by providing a platform that does not receive nor store any of your confidential data, does not use any additional accounts. We do this by making tools that help you better manage and use your Google-based data. We don’t add to your GDPR compliance burdens; we help lessen them!


Zero-Knowledge Design

From the outset, we decided that we didn’t want to store, record or capture any sensitive personal information. We wanted to build tools to help people do their jobs, not to design a business around advertising or commercial data-mining. We wanted our tools to run in your browser, without any need to transmit sensitive information to us. Our role is to design, code and deliver our tools to you, not to process your data. Your data is yours; we don’t want it!

Google-Based Services

Complexity is the enemy of security. In building tools that don’t seek to store any data, but simply help you interact, manage and work with your existing Google data stores, we are not adding complexity. We are allowing you to do more, with the same platforms. Google systems, particularly those provided for education, take security and data protection very seriously.

Security Architecture

We deliver all our web tools to you using HTTPS. This means every request you make for our website, and every page we deliver is encrypted, right to your device. You can verify the security of this process yourself by using one of these respected SSL Testing Tools:

Once one of our tools has been loaded, the communication is solely between you and the Google environment. None of your requests pass through our servers. When you authorise one of our apps and sign-in, you receive a token (similar to a short-term password) from Google that allows you to access various parts of your Google account (these are referred to as scopes). This token is stored just on your device and is periodically refreshed (when it expires) while you are still signed in, and removed when you sign out.

This means using our apps is as secure as your account is. Password security is vital and we would therefore strongly advise you to enable 2-Step Verification on your Google Account. For any organisation handling personal information (such as a school), this is absolutely essential to make sure you are meeting your own data protection obligations.

In line with almost every other website, we make use of third-party code libraries to help make our tools performant, reliable and useful. We also publish a list of all the libraries that we use, and what we use them for. We load these libraries from content delivery networks (for improved speed and reliability). We use a cryptographic system called SRI to ensure that the code that is loaded by our apps matches the exact code we develop with and test. By doing this, we mitigate the impact of any security breaches on the delivery network, or at the original authors of the libraries. Should this occur, the resources will simply not load - the principle of ‘fail-safe’. As this is a browser security feature, not every browser will support this, but you can check if which versions do here.

Tracking Data

As set out in our privacy information, we use Google Analytics to gather aggregated and anonymous usage statistics about our site. We do this to help us understand how to make your experience better. But we value and respect your decisions about your privacy above everything else, so this tracking code is automatically disabled if you signal that you wish to remain private by setting the do not track option in your browser.


While ensuring our platform has privacy at its core, we have also designed features into our tools to help you manage your data security.


Using our Folders app, you can mark any files with metadata about their confidentiality, importance and review requirements. These tags can be displayed automatically whilst editing files within G-Suite using our Tag-a-Doc extension. Sharing permissions for your drive and team drives can be audited using this tool, giving your staff and organisation confidence that personal data is not being erroneously shared.


Our View app allows simple conversion between Google Sheets and numerous other spreadsheet formats, including legacy versions of Excel. By allowing fast and efficient filtering of both rows and columns before conversion, supplying data to authorised third parties can be done efficiently but also proportionately. Easy filtering means that only the exact data required can be extracted and output, ensuring that personal data that isn’t appropriate for or required by, the recipient stays firmly under your control.


Due for release soon, Reflect will allow performance reviews, self-evaluations and observations to be undertaken, whilst storing the data solely in Google Drive. You can reduce or remove your dependencies on less secure tools by taking advantage of the existing sharing tools built into Google Drive. Staff will feel more confident and comfortable managing their data using Drive and benefit from the familiarity of permissions management and auditing.


Customised documents, sheets and mailings using Merge provide a simple mechanism for selective data report dissemination, data collection and sharing. All of this can be done using your existing data stores, documents and email. For small-scale mailings this provides an excellent way to avoid having to select and audit a new platform, reducing your workload and increasing security.