Skip to content

Data Processing Agreement

(For UK GDPR, EU GDPR, US FERPA/COPPA & international school compliance)

Effective date: November 2025

Parties:

  • Processor: miMove PA Ltd (“miMove”) Company Number 11733518 Registered office: ℅ Barcant Beardon, 8 Blackstock Mews, Finsbury Park, London N4 2BT


  • Controller: The School / Organisation

This Data Processing Agreement forms part of the Agreement between the Controller and miMove.

1. Purpose

miMove processes student and staff data solely to provide the miMove platform and associated support services, including enrichment activity tracking, reporting, analysis and school improvement support.

We do not:

  • sell personal data

  • use student data for advertising or profiling

  • process personal data for our own purposes

2. Roles

  • miMove is the Data Processor.

  • The School is the Data Controller.

3. Categories of Data

We process the minimum needed for education purposes:

Data Type

Examples

Student identifiers

Student name or alias, student email where SSO is used, year group, class, student ID

Activity data

Enrichment activities (sport, arts, culture, volunteering, clubs), duration and setting

Wellbeing inputs (optional)

Mood check-ins, reflections in writing, voice recording, photography or video form (with the school having the option to not enable photos and video). Photos and videos are only seen by authorised staff and are not able to be shared amongst students.

Technical information

Login metadata, device/browser info (security only)


No biometric, geolocation, financial or advertising data is collected.

4. Lawful Basis

Processing is conducted under:

  • Public Task / Educational Purpose (UK schools)

  • Legitimate interest in education

  • Contract necessity (to deliver the service)

  • COPPA parental consent for under-13 in US schools where required

5. miMove Obligations

miMove shall:

  • Only process data on documented school instructions

  • Maintain confidentiality and train staff in data handling

  • Implement appropriate technical & organisational security measures

  • Assist with data subject rights (access, correction, deletion)

  • Support schools with incident response and compliance obligations

  • Delete or return data at end of contract per school instruction

6. Sub-Processors

miMove may use approved sub-processors such as secure hosting providers.
miMove uses local AWS services to host and store data.
Schools will be notified before changes are made.

7. Data Transfers

Where data is transferred internationally, we apply appropriate safeguards including:

  • UK/EU Standard Contractual Clauses (as applicable)

  • Equivalent data transfer mechanisms for the US and other territories

  • Regional data hosting as required

8. Security

miMove maintains security appropriate to protect children’s data including:

  • Encryption in transit and at rest

  • Access controls & monitoring

  • Regular security reviews & penetration testing

9. Breach Notification

miMove will notify the school without undue delay following any confirmed data breach affecting student data and support required reporting.

10. Data Retention & Deletion

Data is retained only for the term of the contract unless otherwise required by regulation or expressly requested.
At termination, data is:

  • returned or exported to school on request, and then

  • securely deleted or anonymised

11. Audit

Upon reasonable request, miMove will provide compliance documentation and allow audit or independent certification review.