Privacy Policy

Breadcrumb Abstract Shape
Breadcrumb Abstract Shape

Vape Guardian Education's Privacy Policy

VapeGuardian.education
Last updated: 20/5/2026

VapeGuardian.education is operated by SMF Systems Ltd, trading as Vape Guardian.

This Privacy Policy explains how we handle personal data in connection with our online education course for schools. It is intended to explain clearly what information we collect, what we do not collect, how the course works, and how we protect the privacy of students, schools and staff.

Vape Guardian Education has been designed with privacy in mind. Our aim is to help schools provide students with a constructive vaping intervention course, while avoiding the unnecessary collection of student personal data.

1. Who we are

SMF Systems Ltd trading as Vape Guardian
CRN. 14204902

7 Hedge End Business Centre. Botley Road. Hedge End Southampton. SO302AU. UK


Email: [email protected]

For the purposes of this policy, “Vape Guardian”, “we”, “us” and “our” refer to SMF Systems Ltd trading as Vape Guardian.

2. What VapeGuardian.education does

VapeGuardian.education provides an online educational course for schools to use with students who have been caught vaping, or who may benefit from vaping awareness education.

The course may include:

  • video lessons
  • quiz questions
  • learning checks
  • student progress tracking
  • completion tracking
  • staff guidance materials
  • downloadable resources for schools

The course is intended to support schools with education, safeguarding, awareness and behaviour intervention.

3. Our approach to student privacy

Vape Guardian Education is designed so that schools can use the course without providing us with students’ real names, personal email addresses, home addresses, phone numbers, dates of birth or other direct student identifiers.

Where student accounts are required for course progress to be saved, schools may be issued anonymous student access codes or anonymous user accounts.

For example, a student account may be shown as:

VG-SCHOOL-001
VG-SCHOOL-002
VG-SCHOOL-003

The school is responsible for deciding which student uses each anonymous code. The school may keep its own internal record of this, but Vape Guardian does not need to know which individual student is linked to which code.

4. Student data we do not collect

We do not ask schools to provide us with:

  • student names
  • student personal email addresses
  • student home addresses
  • student phone numbers
  • student dates of birth
  • student photographs
  • parent or guardian contact details
  • medical information
  • disciplinary records
  • safeguarding case files
  • personal explanations given by individual students
  • individual student quiz answers linked to a named student
  • individual student test results linked to a named student

We do not require students to register using their real identity.

5. Information we may collect

Although we aim to minimise student data, we may process some information to operate the course and provide the service to schools.

This may include:

School information

  • school name
  • school address
  • staff contact name
  • staff email address
  • staff role
  • billing information
  • licence status
  • group or school account details
  • support requests from school staff

Staff account information

Where staff are given access to manage their school account, we may collect:

  • staff name
  • work email address
  • username
  • role within the platform
  • school group
  • login and account activity
  • support communications

Anonymous student account information

Where students are given anonymous course access accounts, we may process:

  • anonymous username or access code
  • anonymous placeholder email address, if required by the platform
  • course progress status
  • course completion status
  • lesson completion status
  • quiz completion status
  • login activity
  • technical information needed to operate the course

These anonymous accounts are not intended to identify students to Vape Guardian.

6. Individual quiz results and student performance

Vape Guardian does not need to receive or use named individual student quiz results.

The purpose of quizzes in the course is to support learning and confirm understanding. Where progress tracking is enabled, the platform may record whether an anonymous student account has completed a quiz, lesson or course.

Schools may use this information internally to manage their own intervention process. Vape Guardian does not ask schools to tell us which real student is linked to each anonymous access code.

7. Anonymous and aggregated data

We may use anonymous and aggregated data for service improvement, research, reporting and marketing purposes.

This may include information such as:

  • number of schools using the course
  • number of anonymous course completions
  • average course completion rates
  • average quiz pass rates
  • number of course licences issued
  • broad usage trends
  • common areas where students may need more support
  • anonymised feedback from schools
  • anonymised case study statistics

We may use this information to:

  • improve the course
  • improve safeguarding and education resources
  • understand how schools use the course
  • produce research insights
  • produce marketing materials
  • report general outcomes to schools, partners or stakeholders

We will not publish information that identifies an individual student.

If we use anonymous or aggregated data in marketing, it will be presented in a way that does not identify individual students. For example:

“Over 1,000 students have completed the course across participating schools.”

or:

“Schools using the course reported improved consistency in their vaping intervention process.”

We will not publish information such as:

“Student X at School Y failed a quiz.”

8. Important note about anonymisation

Where data is truly anonymised, it does not identify an individual and is not intended to be capable of identifying an individual. The ICO explains that anonymisation is the process of turning personal data into anonymous information so that individuals are not, or are no longer, identifiable.

If information could still be used to identify an individual, directly or indirectly, it may remain personal data. We will take care to avoid using data in a way that could identify students.

9. How we use personal data

We may use personal data for the following purposes:

To provide the course

This includes creating school accounts, giving staff access, managing licences, enabling student course access, saving anonymous progress and supporting course completion.

To support schools

This includes responding to questions, resolving technical issues, helping schools manage accounts and providing guidance on how to use the course.

To manage billing and contracts

This includes issuing invoices, processing payments, managing subscriptions, renewing licences and keeping records of school purchases.

To improve the service

This includes reviewing anonymous and aggregated usage trends, improving the course content, updating quizzes and improving the user experience.

To communicate with schools

This includes sending important service updates, account information, renewal reminders, course updates and support information.

To meet legal obligations

This includes keeping appropriate business records, responding to lawful requests and complying with applicable legal or regulatory requirements.

10. Lawful bases for processing

Where we process personal data, we rely on one or more lawful bases under UK data protection law, depending on the purpose.

These may include:

Contract

We process information where necessary to provide the course and manage our agreement with a school.

Legitimate interests

We may process information where necessary for our legitimate business interests, such as improving the service, providing support, keeping the platform secure and communicating with school customers.

Legal obligation

We may process information where necessary to comply with legal, accounting, tax or regulatory obligations.

Consent

Where we rely on consent, we will make this clear at the point the information is collected.

11. Children and student users

The course is intended for use by schools with students, including young people under the age of 18.

We recognise that children’s information requires particular care. The ICO’s Children’s Code includes privacy standards for online services likely to be accessed by children, including data minimisation and privacy by default.

Our service is designed to minimise the information collected about students. In particular:

  • students do not need to use their real name
  • students do not need to use their personal email address
  • students do not need to provide contact details
  • student identities remain under the control of the school
  • Vape Guardian does not need to know which student is linked to an anonymous access code

12. School responsibility for student allocation

Where a school uses anonymous student access codes, the school is responsible for allocating those codes to students.

For example, a school may internally record that:

VG-SCHOOL-001 = a particular student

That internal record is held by the school. Vape Guardian does not require access to that mapping.

The school is responsible for managing any internal student records it creates in connection with the use of the course.

13. Staff accounts and school dashboards

School staff may be given access to a dashboard or account area to manage course use.

This may allow staff to:

  • view anonymous student accounts
  • check course progress
  • check completion status
  • assign or distribute student access codes
  • manage their school’s use of the course

Staff should not enter student names or unnecessary student personal data into the platform unless Vape Guardian has specifically agreed this in writing and appropriate data protection arrangements are in place.

14. What schools should avoid entering into the platform

To help protect student privacy, schools should not enter unnecessary student personal data into VapeGuardian.education.

This includes:

  • student full names
  • personal email addresses
  • home addresses
  • medical information
  • safeguarding notes
  • behaviour reports
  • disciplinary history
  • sensitive personal information

If a school needs to keep this type of information, it should usually be kept within the school’s own systems.

15. Cookies and similar technologies

VapeGuardian.education may use cookies and similar technologies to operate the website and course platform.

These may include:

Essential cookies

These are needed for the site to work, such as login sessions, account security and course access.

Performance or analytics cookies

These help us understand how the site is used and how we can improve it. Where possible, we use aggregated data.

Functionality cookies

These may remember preferences or support course functionality.

Where required, we will ask for cookie consent through a cookie banner or similar tool.

16. Technical information we may collect

When someone uses the website, we may collect technical information such as:

  • IP address
  • browser type
  • device type
  • operating system
  • pages visited
  • login times
  • error logs
  • security logs
  • approximate location derived from IP address
  • cookie identifiers

This information is used to operate the site, keep it secure, troubleshoot issues and understand general usage.

17. Sharing information

We do not sell student personal data.

We may share limited information with trusted service providers who help us operate the service, such as:

  • website hosting providers
  • learning platform providers
  • payment processors
  • email providers
  • analytics providers
  • IT support providers
  • professional advisers

Where these providers process personal data for us, we take steps to ensure they are required to protect it appropriately.

We may also share information where required by law, regulation, court order or lawful authority.

18. Data processors and third party services

VapeGuardian.education may use third party platforms and services to deliver the course and manage the website.

These may include:

  • WordPress
  • LearnDash or related learning management tools
  • hosting providers
  • security plugins
  • payment platforms
  • email delivery tools
  • analytics tools

We will only use these services where we consider them appropriate for operating the platform.

19. International transfers

Some of our service providers may process data outside the UK.

Where this happens, we will take steps designed to ensure that appropriate safeguards are in place, such as using providers with recognised transfer mechanisms or contractual protections where required.

20. How long we keep information

We only keep personal data for as long as reasonably necessary.

The retention period may depend on the type of information and the reason we hold it.

As a general guide:

  • school billing and contract records may be kept for legal, tax and accounting purposes
  • staff account records may be kept while the school licence is active
  • support emails may be kept for a reasonable period so we can manage service history
  • anonymous student progress records may be kept while the school licence is active, unless deletion is requested or agreed sooner
  • anonymous and aggregated statistical information may be kept for longer, provided it does not identify individuals

Schools can contact us to discuss deletion or removal of accounts linked to their school licence.

21. Security

We take reasonable technical and organisational measures to protect information.

These may include:

  • password protected accounts
  • role based access controls
  • secure hosting
  • restricted administrator access
  • software updates
  • security monitoring
  • backups
  • staff access controls
  • minimising student data collection

No online system can be guaranteed to be completely secure, but we take privacy and security seriously.

22. Your rights

Individuals have rights under data protection law in relation to their personal data.

Depending on the circumstances, these may include the right to:

  • access personal data
  • correct inaccurate personal data
  • request deletion
  • restrict processing
  • object to processing
  • request data portability
  • withdraw consent where processing is based on consent
  • complain to the Information Commissioner’s Office

Where a request relates to student information held by a school, the school may be the most appropriate organisation to respond, especially where the school holds the mapping between anonymous access codes and real student identities.

23. Requests relating to student accounts

If a student, parent or guardian contacts Vape Guardian about a student account, we may not be able to identify the student because we do not require real student names or personal emails.

In many cases, we may need to refer the request back to the school, because only the school knows which student is linked to which anonymous access code.

24. Marketing communications

We may send marketing or service communications to school staff, business contacts or organisations that have shown interest in Vape Guardian Education.

These communications may include:

  • course updates
  • product information
  • renewal reminders
  • education resources
  • safeguarding resources
  • relevant Vape Guardian updates

Recipients can opt out of marketing communications at any time.

We do not send marketing emails to students.

25. Research and marketing use of anonymous data

We may use anonymised and aggregated course data for research and marketing.

For example, we may analyse:

  • how many anonymous users completed the course
  • average completion rates
  • overall quiz pass rates
  • common learning themes
  • school feedback
  • broad adoption trends

This helps us improve the course and demonstrate its value to schools.

Any research or marketing outputs will be designed not to identify individual students.

26. Case studies and testimonials

We may publish school case studies, testimonials or success stories.

We will not name a school in a case study without permission from the school.

We will not name or identify individual students.

Where a case study includes statistics, we will aim to use anonymous and aggregated data.

27. Changes to this Privacy Policy

We may update this Privacy Policy from time to time.

When we make changes, we will update the “last updated” date at the top of this page.

If we make significant changes, we may notify schools by email or through the platform.

28. Contact us

If you have any questions about this Privacy Policy or how we handle data, please contact:

SMF Systems Ltd trading as Vape Guardian
Email: [email protected]
Address: 7 Hedge End Business Centre. Botley Road. Hedge End. Southampton. SO302AU. UK

You can also contact the Information Commissioner’s Office, the UK’s data protection regulator, if you have concerns about how personal data is handled.