Vape Guardian Education's Privacy Policy
VapeGuardian.education
Last updated: 20/5/2026
VapeGuardian.education is operated by SMF Systems Ltd, trading as Vape Guardian.
This Privacy Policy explains how we handle personal data in connection with our online education course for schools. It is intended to explain clearly what information we collect, what we do not collect, how the course works, and how we protect the privacy of students, schools and staff.
Vape Guardian Education has been designed with privacy in mind. Our aim is to help schools provide students with a constructive vaping intervention course, while avoiding the unnecessary collection of student personal data.
1. Who we are
SMF Systems Ltd trading as Vape Guardian
CRN. 14204902
Email: [email protected]
For the purposes of this policy, “Vape Guardian”, “we”, “us” and “our” refer to SMF Systems Ltd trading as Vape Guardian.
2. What VapeGuardian.education does
VapeGuardian.education provides an online educational course for schools to use with students who have been caught vaping, or who may benefit from vaping awareness education.
The course may include:
- video lessons
- quiz questions
- learning checks
- student progress tracking
- completion tracking
- staff guidance materials
- downloadable resources for schools
The course is intended to support schools with education, safeguarding, awareness and behaviour intervention.
3. Our approach to student privacy
Vape Guardian Education is designed so that schools can use the course without providing us with students’ real names, personal email addresses, home addresses, phone numbers, dates of birth or other direct student identifiers.
Where student accounts are required for course progress to be saved, schools may be issued anonymous student access codes or anonymous user accounts.
For example, a student account may be shown as:
VG-SCHOOL-001
VG-SCHOOL-002
VG-SCHOOL-003
The school is responsible for deciding which student uses each anonymous code. The school may keep its own internal record of this, but Vape Guardian does not need to know which individual student is linked to which code.
4. Student data we do not collect
We do not ask schools to provide us with:
- student names
- student personal email addresses
- student home addresses
- student phone numbers
- student dates of birth
- student photographs
- parent or guardian contact details
- medical information
- disciplinary records
- safeguarding case files
- personal explanations given by individual students
- individual student quiz answers linked to a named student
- individual student test results linked to a named student
We do not require students to register using their real identity.
5. Information we may collect
Although we aim to minimise student data, we may process some information to operate the course and provide the service to schools.
This may include:
School information
- school name
- school address
- staff contact name
- staff email address
- staff role
- billing information
- licence status
- group or school account details
- support requests from school staff
Staff account information
Where staff are given access to manage their school account, we may collect:
- staff name
- work email address
- username
- role within the platform
- school group
- login and account activity
- support communications
Anonymous student account information
Where students are given anonymous course access accounts, we may process:
- anonymous username or access code
- anonymous placeholder email address, if required by the platform
- course progress status
- course completion status
- lesson completion status
- quiz completion status
- login activity
- technical information needed to operate the course
These anonymous accounts are not intended to identify students to Vape Guardian.
6. Individual quiz results and student performance
Vape Guardian does not need to receive or use named individual student quiz results.
The purpose of quizzes in the course is to support learning and confirm understanding. Where progress tracking is enabled, the platform may record whether an anonymous student account has completed a quiz, lesson or course.
Schools may use this information internally to manage their own intervention process. Vape Guardian does not ask schools to tell us which real student is linked to each anonymous access code.
7. Anonymous and aggregated data
We may use anonymous and aggregated data for service improvement, research, reporting and marketing purposes.
This may include information such as:
- number of schools using the course
- number of anonymous course completions
- average course completion rates
- average quiz pass rates
- number of course licences issued
- broad usage trends
- common areas where students may need more support
- anonymised feedback from schools
- anonymised case study statistics
We may use this information to:
- improve the course
- improve safeguarding and education resources
- understand how schools use the course
- produce research insights
- produce marketing materials
- report general outcomes to schools, partners or stakeholders
We will not publish information that identifies an individual student.
If we use anonymous or aggregated data in marketing, it will be presented in a way that does not identify individual students. For example:
“Over 1,000 students have completed the course across participating schools.”
or:
“Schools using the course reported improved consistency in their vaping intervention process.”
We will not publish information such as:
“Student X at School Y failed a quiz.”
8. Important note about anonymisation
Where data is truly anonymised, it does not identify an individual and is not intended to be capable of identifying an individual. The ICO explains that anonymisation is the process of turning personal data into anonymous information so that individuals are not, or are no longer, identifiable.
If information could still be used to identify an individual, directly or indirectly, it may remain personal data. We will take care to avoid using data in a way that could identify students.
9. How we use personal data
We may use personal data for the following purposes:
To provide the course
This includes creating school accounts, giving staff access, managing licences, enabling student course access, saving anonymous progress and supporting course completion.
To support schools
This includes responding to questions, resolving technical issues, helping schools manage accounts and providing guidance on how to use the course.
To manage billing and contracts
This includes issuing invoices, processing payments, managing subscriptions, renewing licences and keeping records of school purchases.
To improve the service
This includes reviewing anonymous and aggregated usage trends, improving the course content, updating quizzes and improving the user experience.
To communicate with schools
This includes sending important service updates, account information, renewal reminders, course updates and support information.
To meet legal obligations
This includes keeping appropriate business records, responding to lawful requests and complying with applicable legal or regulatory requirements.
10. Lawful bases for processing
Where we process personal data, we rely on one or more lawful bases under UK data protection law, depending on the purpose.
These may include:
Contract
We process information where necessary to provide the course and manage our agreement with a school.
Legitimate interests
We may process information where necessary for our legitimate business interests, such as improving the service, providing support, keeping the platform secure and communicating with school customers.
Legal obligation
We may process information where necessary to comply with legal, accounting, tax or regulatory obligations.
Consent
Where we rely on consent, we will make this clear at the point the information is collected.
11. Children and student users
The course is intended for use by schools with students, including young people under the age of 18.
We recognise that children’s information requires particular care. The ICO’s Children’s Code includes privacy standards for online services likely to be accessed by children, including data minimisation and privacy by default.
Our service is designed to minimise the information collected about students. In particular:
- students do not need to use their real name
- students do not need to use their personal email address
- students do not need to provide contact details
- student identities remain under the control of the school
- Vape Guardian does not need to know which student is linked to an anonymous access code
12. School responsibility for student allocation
Where a school uses anonymous student access codes, the school is responsible for allocating those codes to students.
For example, a school may internally record that:
VG-SCHOOL-001 = a particular student
That internal record is held by the school. Vape Guardian does not require access to that mapping.
The school is responsible for managing any internal student records it creates in connection with the use of the course.
13. Staff accounts and school dashboards
School staff may be given access to a dashboard or account area to manage course use.
This may allow staff to:
- view anonymous student accounts
- check course progress
- check completion status
- assign or distribute student access codes
- manage their school’s use of the course
Staff should not enter student names or unnecessary student personal data into the platform unless Vape Guardian has specifically agreed this in writing and appropriate data protection arrangements are in place.
14. What schools should avoid entering into the platform
To help protect student privacy, schools should not enter unnecessary student personal data into VapeGuardian.education.
This includes:
- student full names
- personal email addresses
- home addresses
- medical information
- safeguarding notes
- behaviour reports
- disciplinary history
- sensitive personal information
If a school needs to keep this type of information, it should usually be kept within the school’s own systems.
15. Cookies and similar technologies
VapeGuardian.education may use cookies and similar technologies to operate the website and course platform.
These may include:
Essential cookies
These are needed for the site to work, such as login sessions, account security and course access.
Performance or analytics cookies
These help us understand how the site is used and how we can improve it. Where possible, we use aggregated data.
Functionality cookies
These may remember preferences or support course functionality.
Where required, we will ask for cookie consent through a cookie banner or similar tool.
16. Technical information we may collect
When someone uses the website, we may collect technical information such as:
- IP address
- browser type
- device type
- operating system
- pages visited
- login times
- error logs
- security logs
- approximate location derived from IP address
- cookie identifiers
This information is used to operate the site, keep it secure, troubleshoot issues and understand general usage.
17. Sharing information
We do not sell student personal data.
We may share limited information with trusted service providers who help us operate the service, such as:
- website hosting providers
- learning platform providers
- payment processors
- email providers
- analytics providers
- IT support providers
- professional advisers
Where these providers process personal data for us, we take steps to ensure they are required to protect it appropriately.
We may also share information where required by law, regulation, court order or lawful authority.
18. Data processors and third party services
VapeGuardian.education may use third party platforms and services to deliver the course and manage the website.
These may include:
- WordPress
- LearnDash or related learning management tools
- hosting providers
- security plugins
- payment platforms
- email delivery tools
- analytics tools
We will only use these services where we consider them appropriate for operating the platform.
19. International transfers
Some of our service providers may process data outside the UK.
Where this happens, we will take steps designed to ensure that appropriate safeguards are in place, such as using providers with recognised transfer mechanisms or contractual protections where required.
20. How long we keep information
We only keep personal data for as long as reasonably necessary.
The retention period may depend on the type of information and the reason we hold it.
As a general guide:
- school billing and contract records may be kept for legal, tax and accounting purposes
- staff account records may be kept while the school licence is active
- support emails may be kept for a reasonable period so we can manage service history
- anonymous student progress records may be kept while the school licence is active, unless deletion is requested or agreed sooner
- anonymous and aggregated statistical information may be kept for longer, provided it does not identify individuals
Schools can contact us to discuss deletion or removal of accounts linked to their school licence.
21. Security
We take reasonable technical and organisational measures to protect information.
These may include:
- password protected accounts
- role based access controls
- secure hosting
- restricted administrator access
- software updates
- security monitoring
- backups
- staff access controls
- minimising student data collection
No online system can be guaranteed to be completely secure, but we take privacy and security seriously.
22. Your rights
Individuals have rights under data protection law in relation to their personal data.
Depending on the circumstances, these may include the right to:
- access personal data
- correct inaccurate personal data
- request deletion
- restrict processing
- object to processing
- request data portability
- withdraw consent where processing is based on consent
- complain to the Information Commissioner’s Office
Where a request relates to student information held by a school, the school may be the most appropriate organisation to respond, especially where the school holds the mapping between anonymous access codes and real student identities.
23. Requests relating to student accounts
If a student, parent or guardian contacts Vape Guardian about a student account, we may not be able to identify the student because we do not require real student names or personal emails.
In many cases, we may need to refer the request back to the school, because only the school knows which student is linked to which anonymous access code.
24. Marketing communications
We may send marketing or service communications to school staff, business contacts or organisations that have shown interest in Vape Guardian Education.
These communications may include:
- course updates
- product information
- renewal reminders
- education resources
- safeguarding resources
- relevant Vape Guardian updates
Recipients can opt out of marketing communications at any time.
We do not send marketing emails to students.
25. Research and marketing use of anonymous data
We may use anonymised and aggregated course data for research and marketing.
For example, we may analyse:
- how many anonymous users completed the course
- average completion rates
- overall quiz pass rates
- common learning themes
- school feedback
- broad adoption trends
This helps us improve the course and demonstrate its value to schools.
Any research or marketing outputs will be designed not to identify individual students.
26. Case studies and testimonials
We may publish school case studies, testimonials or success stories.
We will not name a school in a case study without permission from the school.
We will not name or identify individual students.
Where a case study includes statistics, we will aim to use anonymous and aggregated data.
27. Changes to this Privacy Policy
We may update this Privacy Policy from time to time.
When we make changes, we will update the “last updated” date at the top of this page.
If we make significant changes, we may notify schools by email or through the platform.
28. Contact us
If you have any questions about this Privacy Policy or how we handle data, please contact:
SMF Systems Ltd trading as Vape Guardian
Email: [email protected]
Address: 7 Hedge End Business Centre. Botley Road. Hedge End. Southampton. SO302AU. UK
You can also contact the Information Commissioner’s Office, the UK’s data protection regulator, if you have concerns about how personal data is handled.



