Toddle & UAE PDPL

(Personal Data Protection Law, UAE)

How Toddle Protects Your Data Under the UAE PDPL

Lawful Processing of Personal Data

Toddle processes personal data strictly in accordance with the instructions of the school. Toddle does not determine the purposes or means of processing personal data. These decisions rest with the school, which acts as the data controller under the UAE PDPL.

Toddle does not use any personal data for its own purposes. Data is never repurposed for advertising, profiling, or product development. Every aspect of data processing is limited to what is required to provide the educational services requested by the school.

Security of Personal Data

Toddle implements a wide range of technical and organisational measures to protect personal data from unauthorized access, loss, or misuse. These include:

  • End-to-end encryption of data at rest and in transit
  • Strict role-based access controls and secure authentication
  • Hosting on Amazon Web Services (AWS) in a UAE-based data center located in Dubai
  • Continuous monitoring and incident detection systems
  • Regular external security audits and penetration testing

All security controls are reviewed and updated on an ongoing basis to keep pace with evolving threats.

Legal Basis for Processing and Consent

Under the UAE PDPL, personal data can only be processed if there is a valid legal basis. In the context of schools using Toddle, this legal basis is typically the performance of a contract or the consent of the individual or, where applicable, their legal guardian. Toddle does not collect consent directly from individuals, as it operates under the authority and instructions of the school, which acts as the data controller. It is the responsibility of the school to ensure that appropriate consent has been obtained from individuals or their legal guardians prior to using Toddle’s services, where required under applicable laws. If you become aware of a situation where Toddle is collecting personal data without the necessary consent having been obtained by the school, please contact us immediately at privacy@toddleapp.com. Schools can download a sample of the Parental Consent form from here.

Use of Sub-Processors

Toddle works with trusted service providers (sub-processors) to support core services like hosting, error monitoring, and customer support. Each sub-processor is carefully vetted and bound by a contract that enforces PDPL-compliant privacy and security standards.

A current list of sub-processors is available here. Toddle notifies schools in advance when a new sub-processor that processes personal data is added, providing schools the opportunity to review or raise any objections.

Hosting and Cross-Border Transfers

All core personal data of UAE schools is hosted and processed within the United Arab Emirates using secure AWS infrastructure located in Dubai. Where limited data processing by third-party sub-processors occurs outside the UAE, Toddle ensures compliance with the PDPL’s cross-border transfer requirements. This includes using countries with adequate protection levels or applying appropriate safeguards such as Standard Contractual Clauses.

Data Protection Impact Assessments (DPIAs)

Toddle supports schools in meeting their obligations to conduct Data Protection Impact Assessments (DPIAs) as required under the PDPL. When a proposed activity may involve high-risk processing, Toddle provides the necessary details on systems, safeguards, and risk mitigation measures to support the assessment.

Supporting Data Subject Rights

Toddle supports schools in fulfilling data subject rights as defined under the UAE PDPL. These rights include:

  • Right to Access: Individuals may request access to their personal data.
  • Right to Request Correction or Erasure: Individuals can request that inaccurate data be corrected or that data be deleted if no longer necessary.
  • Right to Restrict or Object to Processing: Individuals have the right to restrict or object to the processing of their personal data in certain situations.
  • Right to Data Portability: Individuals may request to receive their personal data in a structured and machine-readable format.
  • Right not to be Subject to Automated Decision-Making: Individuals can object to decisions made solely through automated processing that significantly affect them.

Schools can contact Toddle at privacy@toddleapp.com to request any data subject rights actions, and Toddle will carry out the necessary steps promptly and securely in coordination with the school.

Data Breach Notification

Toddle maintains a documented and tested incident response process to manage personal data breaches. In the event of a breach involving personal data processed on behalf of a school, Toddle shall notify the school immediately upon becoming aware of the incident. The notification includes all necessary information to enable the school, as the data controller, to fulfil its obligation under the PDPL to notify the UAE Data Office and, where applicable, the affected data subjects. The information shared by Toddle includes the nature of the breach, categories and approximate number of data subjects concerned, likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

Data Protection Officer

Toddle has appointed Anshul Chauhan as its Data Protection Officer. He is responsible for ensuring compliance with the UAE PDPL and acts as the main point of contact for schools and regulators on data protection matters. He can be reached at privacy@toddleapp.com.

Accountability and Record-Keeping

Toddle maintains internal records of processing activities performed on behalf of schools. These records include the categories of data processed, purposes, data recipients, locations, and retention practices.

Privacy by Design and Default

Toddle incorporates privacy-by-design principles throughout its platform. Data collection is limited to what is necessary, default settings prioritize privacy, and new features are reviewed to minimise risks to personal data.

Human-Centered Decision Making

Toddle does not make decisions about users through automated processing that would have legal or significant effects. All AI-based features are designed to assist educators, with final decisions always remaining in human hands.

Staff Training and Awareness

Toddle ensures that all employees understand their responsibilities when handling personal data. Every team member undergoes mandatory privacy and security training during onboarding, with periodic refreshers conducted throughout the year. Additional role-specific training is provided to teams with elevated access to ensure a high standard of data protection across the organisation.