Data Protection Impact Assessment

Template — Version 1.0 — May 2026

This pre-filled DPIA template helps your school's DPO assess Mustard Investments before deployment. Customise the school-specific sections and file with your records.

1. Project description

System name: Mustard Investments — Financial Education Platform
Purpose: To provide age-appropriate financial education to students aged 11–18 through interactive lessons, quizzes, paper trading, and gamified learning pathways.
Data controller: [Your school name — to be completed by school]
Data processor: Mustard Investments Ltd
DPO contact: dpo@mustardinvestments.com

2. Necessity and proportionality

Lawful basis: Legitimate interests of the school in delivering financial education (Article 6(1)(f) UK GDPR). For under-13s, parental consent (Article 8 UK GDPR / ICO AADC).
Data minimisation: Only data strictly necessary for the educational service is collected. No home addresses, photographs, biometric data, or special category data.
Alternatives considered: Offline alternatives (worksheets, textbooks) do not provide personalised learning, progress tracking, or the engagement benefits of gamification. The data processing is proportionate to the educational benefit.

3. Consultation

[To be completed by school] — Record any consultation with students, parents, staff, governors, or the ICO.

4. Risk assessment

Pre-filled with platform-specific risks. Add school-specific risks (e.g. shared devices, BYOD policies) as needed.

Risk: Children’s personal data processed for educational tracking
Likelihood: High
Severity: Medium
Mitigation: Data minimisation — only display name, DOB (for age band), and learning progress collected. No home address, photo, or biometric data.
Residual risk: Low

Risk: Unauthorised access to student data by other students
Likelihood: Medium
Severity: High
Mitigation: Firestore security rules enforce per-class data isolation. Students cannot access other classes’ data. Leaderboards are class-scoped.
Residual risk: Low

Risk: Educator account compromise exposing class rosters
Likelihood: Low
Severity: High
Mitigation: Firebase Authentication with email verification. School email domain validation. Session timeout after 24h inactivity.
Residual risk: Low

Risk: Third-party sub-processor breach
Likelihood: Low
Severity: High
Mitigation: Only essential sub-processors used (Firebase/GCP, Vercel). All covered by SCCs or adequacy decisions. Sub-processor list published and updated with 30-day notice.
Residual risk: Low

Risk: Paper trading activity misinterpreted as financial advice
Likelihood: Medium
Severity: Medium
Mitigation: All paper trading uses simulated funds with clear disclaimers. FCA compliance notice on every relevant page. No real money or real products involved.
Residual risk: Low

Risk: Age band miscategorisation due to incorrect DOB entry
Likelihood: Medium
Severity: Medium
Mitigation: DOB captured at registration with validation. Age band computed server-side. Educators can review and correct student profiles. Under-13s require parental consent regardless.
Residual risk: Low

Risk: Retention of data beyond educational need
Likelihood: Low
Severity: Medium
Mitigation: Data retained only during active school agreement. 90-day deletion upon termination. Immediate deletion available on request. Subject rights page enables student/parent self-service.
Residual risk: Low

Risk: International data transfer to non-adequate country
Likelihood: Low
Severity: Medium
Mitigation: Primary processing in UK (europe-west2). Any international transfers covered by SCCs. Sub-processor jurisdictions published.
Residual risk: Low

5. ICO AADC compliance

Mustard aligns with all 15 standards of the ICO Age Appropriate Design Code. Full details are published at /safety.

6. Sign-off

School DPO:
[Name and signature]
Date:
[Date]
Headteacher / Principal:
[Name and signature]
Date:
[Date]

For educational purposes only. Not financial advice. Mustard Investments is not authorised or regulated by the Financial Conduct Authority.
