Are you GDPR compliant?

  • Doublestruck takes the privacy and security of your personal data very seriously. We will treat any personal data that we receive from you in accordance with the GDPR.

Are you registered with the Information Commissioner’s Office?

  • Yes, Doublestruck is ICO registered, registration number: Z8113100


Do you have any information management accreditation?


How do you ensure secure storage, erasure and destruction of personal data?

  • All customer data is stored either in the data centres of industry leading service providers (e.g. Mailchimp) or in our own systems in UK hosted data centres. These third party providers offer secure erasure/destruction services as part of their SLAs.

What technical and organisational security measures do you have in place to protect personal data?

  • Our systems are hosted by industry leading, fully accredited hosting providers in data centres in the UK. Our systems are built using industry standard approaches and tested for vulnerabilities rigorously by our own team on an ongoing basis as well as on an annual basis by 3rd party security experts. 

How secure are your systems?

  • Based on our most recent penetration and vulnerability tests there are no significant vulnerabilities associated with our systems.

What policies and procedures do you have in place to protect personal data?

  • Our data protection and acceptable use policies and associated staff training ensure that all staff are aware of their and the company’s obligations to protect any personal data that we hold. 

Do we need a new contract that reflects GDPR requirements?

  • We have introduced new Terms of Use and a new Privacy Notice that all users of Doublestruck Products are obliged to agree to. These address the requirements of GDPR compliance.


Do you have data protection policies and procedures for dealing with any data breaches?

  • Yes, we have both.


Are data management procedures reviewed regularly?

  • Yes, annually.


What data does your organisation hold in relation to our school?

  • We will hold different data depending on the services that you subscribe to and the choices that you have made about how you use them. Typically we hold the following personal data:



We may hold contact details (name, job title, email, telephone) for school staff based on publicly available information, previous orders or as part of signing up to a demo or competition. We may also hold details of marketing preferences.


Testbase/Exampro subscribers

We may hold contact details (name, job title, email, telephone) for school staff as well as marketing preferences.


MERiT/Optional Tests subscribers

In addition to school staff contact details we may hold data regarding pupils. The following is mandatory for pupils whose data is uploaded to MERiT:

First name, Surname, UPN, Admission number, gender, date of birth, year group, registration group, teacher name, class name/code, supervisor name

However the following data is optional and if uploaded is used to provide enhanced reports:

Middle name, Ethnicity, Eligibility for free school meals, FSM6, Pupil Premium Indicator, SEN status, in LEA care.

How long will Doublestruck retain data?

  • Please see our Privacy Notice for details of our data retention policy.