Our Commitment to You and the Protection of Your Data

For more information on how to exercise your GDPR rights please visit this page.

Data privacy and security is fundamental to Freckle’s operation. We’re committed to partnering with Freckle teachers and administrators to help them understand and prepare for the General Data Protection Regulation (GDPR). The GDPR is the most comprehensive EU data privacy law in decades, and will go into effect on May 25, 2018.

Besides strengthening and standardizing user data privacy across the EU nations, it will require new or additional obligations from all organizations that handle EU citizens’ personal data, regardless of where the organizations themselves are located. On this page, we’ll explain our methods and plans to achieve GDPR compliance, both for ourselves and for our customers.


Freckle is a data Processor with respect to the GDPR and its relationship to your data.

As a Freckle customer, you will typically act as a data Controller for any Personal Data made available to Freckle through use of our Service. The data Controller determines the purposes and means of processing personal data, while the data Processor processes data on behalf of the data Controller.

Personal Data in the context of the GDPR is quite broad and can be include anything which can identify a customer such as their nameemail addresspostal address, school affiliation, username and in some cases even their IP address.

Freckle, as the data Processor, will process Personal Data on your behalf in connection with your use of our Service. If you or any of your users are located in the European Economic Area (EEA), your use of Freckle will most likely involve transferring some of their Personal Data to our Service.


Freckle has made a number of changes in readiness for the GDPR to come into effect.

1) We have audited the Personal Data processed by Freckle and determined how it is stored, used and how long it is retained.

2) We have implemented automatic deletion of Customer Personal Data after 30 days from when date account is closed.

3) We have added additional controls to our web app to allow Controllers to delete all data associated with individual teacher or student records on request.

4) We have updated both our Terms of Service and Privacy Policy to better comply with the GDPR.


As Freckle can process your, as well as students, personal data, security is a core concern in all parts of our infrastructure. We’ve invested heavily into our security systems.

We use a third party enterprise-class web application firewall to restrict access to our services. All communication with our service is performed through a secure connection. We do not provide any non-SSL endpoints. Data encryption is applied wherever possible which means that even in transit between our servers, your data is kept encrypted. You can find an independent, live, review of our SSL security here:



All our servers are firewalled and kept updated with the latest security patches. All security keys and passwords stored by our application on your behalf are kept encrypted at rest.

Also known as the ‘right to erasure’, the GDPR clarifies the rights of people to have their data removed from the services they use. There’s two key aspects of this;

1) The removal of data when no longer necessary in relation to the purposes for which they were collected.

2) The removal of data when someone withdraws consent or objects to the processing (i.e. asks for their data to be deleted).

The changes Freckle has made allow us to comply with these requirements. We now automatically delete all account data within 24 hours from the account deletion action taken by the teacher or administrator.

We offer machine readable (CSV) files of all data in your account upon request.


Freckle uses sub-processors to assist in providing the our Service. A sub-processor is a third party data processor engaged by Freckle, who has or potentially will have access to or process service data (which may contain personal data). Freckle evaluates the security, privacy and confidentiality practices of proposed sub-processors that have access to or process service data both before they are engaged and on an ongoing basis.

The following is an up-to-date list (as of May 2018) of the names and locations of Freckle sub-processors:

Amazon Web services
Purpose: Hosting
United States

Purpose: Email delivery
United States

Purpose: Subscription and billing management
 United States

Periscope Data
Purpose: Data analytics & visualization
 United States

Purpose: Marketing emails
United States

Purpose: Customer relationship management
 United States


If you have any questions about any of the details on this page, or any other part of our GDPR compliance, please contact us and we’ll be happy to help.