GDPR Compliance and Privacy Policy

What we do with your data.

1. Terms and definitions

  • 'GDPR' refers to the General Data Protection Regulation

  • 'USTAN' refers to the University of St Andrews, the provider of the SUMAC platform

  • 'SUMAC' - the SUMAC platform, referred to as 'the Platform'

  • 'Customer' refers to the account-holding organisation using the Platform

  • 'Subscription Agreement' - the agreement between USTAN and a Customer detailing the terms and conditions under which the Customer is able to use the Platform

  • 'Scheme/Programme' - a unique instance of a scheme or programme hosted on SUMAC, which facilitates the creation and management of mentoring or coaching partnerships (or other similar partnerships)

  • 'Data Subject' - an individual whose personal data is stored on the Platform.

    • Can be 'Authorised Users' (individuals authorised by the Customer to access data held on the Platform for the purposes of running schemes/programmes hosted on the Platform)

    • Can be 'Scheme Members' (individuals whose personal data is held on the Platform for the purposes of participation in schemes/programmes hosted on the Platform). These Data Subjects will be referred to as 'Members'.

    • Data Subjects may also be referred to as 'Users'

  • 'Mentoring/coaching/other similar programmes' - SUMAC can host any programme where there is a clear process of setting up and managing partnerships. The Platform was designed to support mentoring and coaching programmes but may support a range of similar schemes. In the interests of brevity, we will simply refer to 'mentoring'.

2. Privacy Policy Overview

This Privacy Policy applies to the following websites: which are operated by the University of St Andrews (USTAN), College Gate, North Street, St Andrews, Fife KY16 9AJ. 'SUMAC' is a Software as a Service platform provided by USTAN. This Privacy Policy describes how we collect, use and protect the personal data held on SUMAC, and states how this information can be accessed, updated and removed. For ease of reference we will refer to USTAN, where appropriate, as 'we' or 'us'. We will refer to SUMAC as 'the Platform' or 'Platform'. The contract between us and our Customers, detailing the terms and conditions for the provision and use of the SUMAC service, will be referred to as 'the Subscription Agreement'. A 'Data Subject' is an individual whose personal data is stored on the Platform. Data Subjects can be 'Authorised Users' (individuals authorised by the Customer to access data held on the Platform for the purposes of running schemes/programmes hosted on the Platform) or may be individuals ('Members') whose personal data is held on the Platform for purposes of participation in schemes/programmes hosted on the Platform. 

This Policy tells you, among other things, what information we gather from Data Subjects through our Platform, how we may use or disclose that information, and our on-going commitment to protect it. Please read this policy carefully and feel free to contact us at if you have any questions regarding its contents.

3. Data Processor and Data Controller roles

USTAN, via SUMAC, provides storage for the Customer's data and provides functionality for the Customer to manage this data for the purposes of running mentoring, coaching or similar schemes. Within the terms of the GDPR, USTAN acts as the 'Data Processor'. The Customer is defined as the 'Data Controller'.

The Data Controller is responsible for protecting the data it controls and for the privacy of Data Subjects. The Data Processor is responsible for the security of the data it processes and for maintaining the privacy of Data Subjects.

USTAN undertakes to maintain the security of this data in accordance with the terms of this statement and in accordance with other relevant clauses contained within the Subscription Agreement and related policies.

4. When we act as a Data Processor

The Platform is an online platform for the management and administration of centrally coordinated mentoring and coaching programmes. It provides an administrative interface for the creation of signup forms, the management of scheme membership (mentors and mentees, or equivalent for other programme-types), the creation of partnerships and the reporting on the stored data. It enables organisations to set up and run multiple programmes, each of which can be tailored to meet specific requirements. It streamlines processes and keeps scheme data accurate and accessible, saving time and money - which allows scheme managers to focus on supporting more mentoring partnerships, and on building mentoring capacity within their organisations.

In providing our software and services, we do not own or control any of the information we process on behalf of our Customers and their employees. All this information is owned and controlled by our Customers and/or their employees as applicable. We receive information within the European Economic Area (EEA) and all processing takes place within the EEA.

When we act as a processor on behalf of our Customers, this Privacy Policy applies to all data processing operations concerning personal information.

Data we process will not be further disclosed to third parties except where permitted or required by the Subscription Agreement, the EU General Data Protection Regulation (GDPR) or other applicable law. The Subscription Agreement will specify that the processing will be carried out with appropriate data security measures. We have established and maintain security measures to protect personal information from loss, misuse, unauthorized access, disclosure, alteration and destruction.

We may be required to disclose personal information in response to legal requests. 

5. Notice

When personal data is collected directly from Data Subjects, we will provide the Data Subject with notice concerning how the personal data will be used.

Customers should ensure that Data Subjects participating in schemes/programmes which they are hosting on the Platform are made aware of the Customers' own Data Privacy Policy. This can be done using functionality provided within the Platform (using the signup form template).

6. Personal information

Before or with the use of the Platform, we may collect a variety of information from Data Subjects in different ways. When we create a user account, we store certain personal information such as name and e-mail address, and in the case of Members, other data as defined by the Authorised Users. Personal data may be entered directly into the Platform by Authorised Users or may be submitted via web form into the Platform by Members.

Under no circumstances do we use the personal information submitted beyond the scope of providing our service. It is our commitment to preserve the confidentiality of this information and to care for the privacy of Data Subjects on the Platform.

We use the personal information provided by Data Subjects to administer Platform usage, to monitor traffic levels, to resolve service issues reported by Users and to contact Users regarding Service improvements.

We will not use personal information for any other unauthorised purpose.

We do not sell, rent or share any information we collect as part of our services to any third parties. 

From time to time, as stated above, we may also disclose personal information in response to lawful requests by public authorities, including to meet legal requirements, or if we believe, in good faith, that such disclosure is legally required or necessary to protect others' rights or to prevent harm.

If the Platform is involved in a merger, acquisition, or sale of all or a portion of its assets, Authorised Users will be notified via email and/or a prominent notice on the Platform of any change in ownership or uses of personal information, as well as any choices Data Subjects may have regarding their personal information.

7. Sensitive personal information

The Subscription Agreement (under which Customers use the platform to host Schemes/Programmes) prohibits the use of the Platform to procure or store information categorised as Sensitive Personal Information under the GDPR.

Sensitive Personal Information must not, therefore, be held on the Platform. Procurement and storage of such data would be in breach of the Subscription Agreement and we will not be liable for this data.

If such data is procured and stored on the Platform in breach of the Subscription Agreement, this data will be treated in the same way that other personal data is treated, as described in this Policy.

If we become aware that such data has been procured and is held on the Platform in breach of the Subscription Agreement, we will notify the relevant Authorised User/s and will request that the data be removed.

8. Choice

If, as an Authorised User, you opt in to receive our service update communications (as a 'User Group member'), you may later opt out.

You may opt out of receiving the communications by getting in contact with us. Send an email to along with your request, including the username that is used within the Platform and with the email subject "Cancel User Group subscription."

If personal information of any Data Subject changes, this may be updated by logging into the Authorised User or Scheme Member account and editing the data accordingly.

9. Use of Log Files, Cookies, and Web Beacons

Log Files

Like most standard web servers, we use log files. This includes internet protocol (IP) addresses, browser type, referring/exit pages, platform type, date/time stamp, and number of clicks to analyse trends, administer the Platform, track User movement in the aggregate, and gather broad demographic information for aggregate use. IP addresses, etc. are not linked to personal information. We use software that reads log files to analyse user movement.

Cookies and Other Tracking Technologies

Technologies such as cookies, beacons, tags and scripts are used by the Platform and our analytics and service providers (Monit, Google Analytics). We also use Handesk, hosted on our own infrastructure, to facilitate bug tracking and issue monitoring. These technologies are used in analysing trends, administering the Platform, tracking users' movements around the Platform and gathering demographic information about our user base. We may receive reports based on the use of these technologies by these companies on an individual as well as an aggregated basis.

10. Access

Data Subjects can access their information by logging into their account on the Platform. Once there, information can be modified, corrected or amended. Ordinarily, we will not restrict access to Data Subjects' information, except in rare cases where we reasonably believe that the rights of persons other than the Data Subject would be violated.

11. Security

A SUMAC Data Security Statement is in place to explain how we protect information from loss, misuse, unauthorised access, alteration and destruction. This forms part of the Subscription Agreement, and can be accessed by authorised users from the 'documents' section of the Platform, and can also be supplied on request by emailing

The Platform's lead developer is responsible for conducting investigations into any alleged computer or network breaches or incidents and for referring any such incidents to USTAN's Data Protection Officer where appropriate. Any security or potential security problems should be reported to us immediately at

We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. Despite our security commitment, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its absolute security. All user accounts are password protected. Data associated with any user account can be accessed only with a correct email address and password combination.

Authorised Users and Members also play an essential part in security. Password access to the Platform should never be shared with anyone and should be changed at regular intervals. Users will be prompted every 6 months to renew their passwords, with the last 5 passwords being stored for reference. Users are also advised to use a different password for this system than for other systems such as banking services. Standard security procedures recommend that a single password is never used more than once and never used for multiple system logins.

After Users have finished using the Platform, they should log off and exit the browser, as unauthorised persons can access personal data held on the Platform by using an open session. Furthermore, if information is provided to parties who operate websites that are linked to or from the Platform, different rules may apply to their collection, use, or disclosure of Users' personal information. We encourage Users to review the privacy policies of such other websites before revealing any sensitive or personal information. Regardless of the precautions taken by Users or by us, "perfect security" does not exist on the Internet. We cannot ensure or warrant the ultimate security of any information transmitted.

12. Data Retention

We will retain Users' information for as long as the User account is active or as needed to provide Users with services. If Users wish to cancel their subscription or accounts with us or request that we no longer use their information to provide services or communicate with them, they should contact us at We will retain and use their information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

13. Data storage

All data stored in the Platform is stored in EEA datacentres which are ISO 27001 certified and meet stringent data security requirements. Any data transmitted between these datacentres is encrypted twice (once with PGP, and then also in transit).

14. Data Integrity

We want User information to be suitable for its intended use, and to be accurate, complete and current. To assist us with this, we encourage Customers to maintain and update Authorised User data and to ensure that Members update their personal data held on the Platform as frequently as is necessary. We may periodically send a notice to Authorised Users asking them to visit the Platform and update their information.

15. Testimonials

If we post Customer testimonials on our website which may contain personal information, such as the User's name, we will obtain written consent prior to posting the testimonial. Users can contact us at if they wish for a testimonial to be changed or removed.

17. Notification of Changes to this Privacy Policy

The terms of this Privacy Policy may change from time to time. In order to ensure our users are always aware of what information we collect, how we use it, and under what circumstances, if any, we disclose it, we will notify you of any material changes to this Privacy Policy by posting a notice on the homepage of the Platform and other places we deem appropriate, and by changing the Effective Date at the bottom of this Privacy Policy.

We will use information in accordance with the Privacy Policy under which the information was collected.

If, however, we are going to use Users' personal information in a manner different from that stated at the time of collection, we will notify Users via email or by posting a notice on our website for 30 days prior to the change becoming effective.

We encourage Users to check the homepage periodically for any changes. Continued use of the Platform following the posting of changes to these terms will be taken as acceptance of the changes.

18. Resources

Information Commissioner's Office section on the GDPR

Other documents relating to SUMAC can be found by logging in as an Authorised User and clicking the "Settings" menu on the top right of the screen, then "Documents".

Effective Date 5 May 2018

© University of St Andrews 2018.