Privacy policy

Protecting your privacy is important to us. We hope the following privacy policy ("Privacy Policy") will help you understand how we collect, use and safeguard the personal information you provide to us through the Fiction Express website (the "Site").

Boolino Ltd (the “Company”, “Boolino”, or “we/us”), as a subsidiary company, on behalf of Boolino SL, the owner of the Site, is committed to making your use of the Site as easy and enjoyable as possible. Please take a moment to read the following Privacy Policy to determine how your personal information will be processed as you make full use of our Service. By using the Site, or providing the information requested by the Site, or by continuing to use the Site after having an opportunity to review this Privacy Policy, you agree to accept the terms of our Privacy Policy and our use of the information we collect. If you do not agree to the terms of this Privacy Policy, please do not use the Site.

Boolino reserves the right to modify this Privacy Policy at any time and we shall give notice to registered users. Your use of the Site following any such modification, as a registered user or new visitor to the Site, constitutes your agreement to be bound by this Privacy Policy as modified.

There are two modes of subscribing to and using the Fiction Express Service:

  • As part of a school project
  • As an independent teacher under a free trial account

The school and the independent teacher will be collectively referred to as “Customer”.


When a school subscribes to Fiction Express, from a data protection perspective:

  • We are responsible for the school contact data, the billing contact and the resource manager data involved during the registration and management of our relationship with the school, the data provided during the account set up phase and needed for the correct management during the term of the subscription (i.e. we are “Data Controller”).
  • The school, as “Data Controller”, is responsible for the data of the teachers and students involved in the Fiction Express platform, and Boolino is “Data Processor”, providing the platform service to these end users on behalf of the school.

The following provisions regulate data processing within this mode of subscription.

1. Boolino Ltd as Data Controller

The entity responsible for registration and account management data is Boolino Ltd (company number 10305431), whose registered office is at Dalton House, 60 Windsor Avenue, London SW19 2RR, UK.

All communications regarding the processing of your personal data shall be directed to our Privacy Manager indicated below.

Contact person: Cristina Puig,

2. Personal information we collect about School representatives and how we use it

2.1 Data: In order to register and participate as a member of Fiction Express, we ask the school to provide the following details (“School Contact Data”) of a School representative/s (from now, “Resource Manager”) in this link

  • Name and last name, job title, email address
  • Username and password
  • Reference (how you got to know about us)
  • School name and address and telephone number
  • Billing data, Billing contact details (full name and email)

2.2 How we use it: We use the School Contact Data to manage the relationship with the school, to provide our services (as set out in the Fiction Express Site) efficiently, for administrative and billing purposes, and eventually for legal purposes.

All these details will also be registered in a written Service Agreement signed by both parties that will be sent to the school upon the registration and before the beginning of the service.

The Resource Manager will be responsible for the account. All teachers will be invited, deleted or modified by him/her.

2.3 Characteristics of the processing

2.3.1 Legal Basis of processing. The processing of this data is necessary to perform the contract with the school, and we also have a legitimate interest in having this data so as to manage the relationship with our clients (schools). In some circumstances, we process this data in order to comply with a legal or regulatory obligation: it means to process this personal data when necessary to comply with a legal or regulatory obligation to which we are subject.

2.3.2 Retention. We retain this data for so long as the school has an account with us, and then keep the data in a secure back-up file for a further period (usually 6 years) for legal, tax and administrative purposes.

2.3.3 Data Sharing. We may share this data with:

  • Other companies of the Boolino Group (namely Boolino SL, Spain) for managing the provision of the service, accounting and reporting purposes, analysing and improving our services, and customer support.
  • Our third-party service providers, for providing their services (hosting, email communications, shared drive, etc.).
  • Companies co-operating with Boolino to provide our Customers with interesting offers. Such companies do not have access to Customer personal data other than for assisting Boolino with its mailings, banner marketing which you have given Boolino permission to.
  • Eventually, when a school requests us to do that, we share with our authors the name of the Resource Manager and of the school, in order to allow the authors to contact them to share some time with him/her and the students.
  • Third parties with whom we can choose to sell, transfer or merge parts of our business or our assets.
  • Third parties with whom we must share information to investigate suspected fraud, harassment or other violations of any law, rule or regulation, or website policies.

2.3.4 International Transfers. One of our third-party service providers, Rocket Science Group, is located in the US, a country that does not provide adequate general guarantees for the protection of personal data. However, this company is part of the “EU-US Privacy Shield” (that you can check here), which guarantees you the protection of your personal data as required by law.

2.3.5 Communications. If the Customer consents to receive commercial communications from us, we may send such communications through:

  • Email/Transactional email: all news regarding new books and new features or general communications will be performed using email.
  • Postal mail: eventually, we may send the schools letters, flyers or any information considered interesting for the schools, the parents and/or the students related to our Service.

If later the Customer does not wish to receive commercial information about us, it is possible to expressly opt out by sending a notification to by clicking the unsubscribe link in our email communications or opting-out from the user panel ( Please remember that the opt-out from all the emails means that we will never be able to communicate with you and your experience with the resource might not be the desired one.

2.3.6 Payment data. We do not have access to any payment card data, only the price and confirmation of payment provided by our partner payment gateways (PayPal), whose terms are indicated on the payment page and apply to that data specifically. Apart from the online payment gateways, we will also perform the payments through bank transfers and/or SEPA payment method (if applicable).

2.3.7 Data subject consent. By providing Boolino with personal data, to the extent permitted by law, the Customer warrants all data subjects give Boolino permission to use the personal data for the above purposes. In particular, the Customer, as Data Controller and client of Boolino, represents and warrants to Boolino that it has the express consent (if necessary) of the data subjects (and, for under 16 year olds, their parents and tutors), for the provision of the Fiction Express Service and data processing hereunder, and can engage Boolino to provide the service.

3. Data subject rights

Resource Managers and all school contacts, as data subjects, have the following rights under data protection laws in relation to their personal data:

  • Request access to their personal data (commonly known as a "data subject access request"). This enables them to receive a copy of the personal data we hold about them and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about them. This enables them to have any incomplete or inaccurate data we hold about them corrected, though we may need to verify the accuracy of the new data they provide to us.
  • Request erasure of their personal data. This enables them to ask us to delete or remove personal data where there is no good reason for us continuing to process it. They also have the right to ask us to delete or remove their personal data where they have successfully exercised their right to object to processing (see below), where we may have processed their information unlawfully or where we are required to erase their personal data to comply with local law. Note, however, that we may not always be able to comply with their request of erasure for specific legal reasons which will be notified, if applicable, at the time of their request.
  • Object to processing of their personal data where we are relying on a legitimate interest (or those of a third party) and there is something about their particular situation which makes them want to object to processing on this ground as they feel it impacts on their fundamental rights and freedoms. They also have the right to object where we are processing their personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process their information which override their rights and freedoms.
  • Request restriction of processing of their personal data. This enables them to ask us to suspend the processing of their personal data in the following scenarios: (a) if they want us to establish the data's accuracy; (b) where our use of the data is unlawful but they do not want us to erase it; (c) where they need us to hold the data even if we no longer require it as they need it to establish, exercise or defend legal claims; or (d) they have objected to our use of their data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of their personal data to them or to a third party (right to data portability). We will provide to them, or a third party they have chosen, their personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which they initially provided consent for us to use or where we used the information to perform a contract with them.
  • Withdraw consent at any time where we are relying on consent to process their personal data. However, this will not affect processing that is required for performance of the contract with Boolino or for our legitimate interests, nor the lawfulness of any processing carried out before they withdraw their consent. If they withdraw their consent, we may not be able to provide certain products or services to them. We will advise them if this is the case at the time they withdraw their consent.

The aforementioned rights may be effective by contacting us at We may take steps to verify the data subject identity prior to acting on his/her request.

Data subjects also have the right to make any complaint to the competent authority, in this case, as Boolino Ltd is a subsidiary company of Boolino S.L., the Spanish Data Protection Agency.

4. Prohibited data

In all events, it is forbidden to submit to us or upload to the Services any data containing sensitive personal data that is relative to identifiable persons such as: racial origin, membership in a trade union, religion, ideology and sexual life, health, the commission of criminal offences or proceedings and associated penalties or fines.

5. Security

We have a certified secured Site under the HTTPS protocol. We follow generally accepted industry standards to protect the personal information submitted to us, both during transmission and once we receive it. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect personal information, we cannot guarantee its absolute security.

Account information for Fiction Express subscribers is password-protected so that only subscribers have access to this personal information. Subscribers may edit their account information on the user panel on the Site.

We recommend that you do not divulge your password to anyone. It is your responsibility to ensure that students at your establishment keep their passwords secure. Boolino Ltd does not have access to your password nor to your students’ data, and we will never ask you for your password in an unsolicited phone call or in an unsolicited email. Also remember (and remind your students) to sign out of your Fiction Express account and close your browser window when you have finished your activities when using a public computer. This is to ensure that others cannot access your personal information and/or correspondence if you share a computer with someone else or are using a computer in a public place such as a library.


6. Roles

In this mode, the teacher registers on the platform to test the process. As such:

  • Boolino is Data Controller of the Teacher Data, and the provisions of sections 2, 3 and 4 above apply to processing this data.
  • The Teacher is considered Data Controller of the Student Data, and Boolino is a Data Processor.


As part of the Fiction Express Service, Boolino may access certain personal data under the responsibility of the Customer (whether Schools or independent Teachers with a trial account).

Under applicable privacy regulations, Customer is responsible for this data and is what is known under privacy regulation as the “data controller”. Customer appoints Boolino as a data processor of such personal data, to process them on Customer’s behalf, for the purpose of providing the Service.

We process this data according to our Data Processing Annex which you can access here.

Data Processing Annex

This Annex (the “Annex”) regulates the processing of any Personal Data by Boolino Ltd. (“Boolino” or the “Company”) under the Fiction Express Service Agreement.

1. Definitions

For the purpose of this Addendum, the following terms shall take the meaning set out herein:

  • Agreement: agreement between Boolino and the school for the provision of the Fiction Express services, as set out at
  • Personal Data: all information about an identified or identifiable individual; an identifiable natural person shall mean any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more identity elements: physical, physiological, genetic, psychological, economic, cultural or social.
  • Data Processor: the natural or legal person, public authority or other organization processing Personal Data on behalf of the Data Controller.
  • Data Subject: is the individual that is identified or identifiable.
  • Data Controller: the natural or legal person, public authority, or other organization that, alone or jointly with others, defines the purposes and means of the processing.
  • Processing: any operation or set of operations carried out on Personal Data or Personal Data sets, whether by automated processes or not, such as collection, registration, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of access, collation or interconnection, limitation, suppression or destruction.
  • Security breach of the Personal Data: any breach of security that results in the destruction, loss or accidental or unlawful alteration of Personal Data transmitted, preserved or otherwise processed, or unauthorized communication or access to such data.

2. Object and Term

This addendum regulates the processing of personal data by Boolino, as Data Processor, under the responsibility of the school or independent teacher (the “Customer”) as Data Controller. The duration of such processing shall be for the period during which the Parties perform their applicable obligations under the Agreement. The data subjects and data categories are as described in Appendix 1 below.

3. Data Protection Laws Compliance

Both Boolino and the Customer shall comply with all applicable laws relating to privacy and data protection, including (without limitation) the EU General Data Protection Regulation (2016/679), the EU Privacy and Electronic Communications Directive (2002/58/EC) as implemented in each jurisdiction, and any amending or replacement legislation from time to time (collectively and individually, “Data Protection Laws”).

4. Rights and responsibilities of the Data Controller

As established in the GDPR, the Customer as Data Controller shall:

  1. Implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with applicable legislation.
  2. Adopt data protection policies.
  3. Ensure that the Data Protection Officer or, in his / her absence, the Privacy Officer is involved in an adequate and timely manner in all matters relating to the protection of Personal Data.
  4. Adhere to a code of conduct that can be approved by the Commission or other competent authority.
  5. Keep a record of processing activities in the case of processing Personal Data that may pose a risk to the rights and freedoms of the data subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.
  6. Make available to the interested parties the essential aspects of this agreement, at the request of the Data Processor.
  7. Respond to the legal rights established by applicable law on the protection of Personal Data and comply with the stipulations indicated in clause 5 even if these were originally addressed to the Data Processor.

5. Rights and responsibilities of the Data Processor

As established in the GDPR, Boolino as Data Processor shall:

  1. Process Personal Data only on the basis of documented instructions from the Data Controller, including transfers of Personal Data to a third country or international organization, unless otherwise required to do so under Union law or applicable Member State law; in such case, the Data Processor will inform the Data Controller of that legal requirement prior to the processing, unless otherwise prohibited by such law or in the public interest.
  2. Ensure that the persons authorised to process Personal Data have undertaken to respect confidentiality or are subject to an obligation of confidentiality of a statutory nature.
  3. Take all appropriate technical and organisational measures to ensure a level of safety appropriate to the risk of processing.
  4. Respect the conditions for having recourse to another Data Processor, as established in the current legislation on protection of Personal Data.
  5. Assist the Data Controller, taking into account the nature of the processing, through appropriate technical and organisational measures, whenever possible, so that it can comply with its obligation to respond to requests for the exercise of the rights of the data subjects.
  6. Assist the Data Controller in ensuring that they comply with their obligations, taking into account the nature of the processing and the information that is available to the Data Processor.
  7. At the choice of the Data Controller, either destroy or return all Personal Data once the processing services have been completed and destroy any existing copies unless the retention of Personal Data is required under Union or applicable Member State law.
  8. Make available to the Data Controller all information necessary to demonstrate compliance with the obligations established herein, as well as to allow and contribute to the performance of audits, including inspections, by the controller or other authorised auditors for the Data Controller.
  9. Process the Personal Data placed at the disposal of the Data Processor in a way that ensures that the personnel in charge follow the instructions of the Data Controller.
  10. Ensure that the Data Protection Officer or, in his / her absence, the Privacy Officer is involved in an adequate and timely manner in all matters relating to the protection of Personal Data.
  11. Adhere to a Code of Conduct that is approved by the Commission or other competent authority.
  12. Keep a record of processing activities in the case of processing Personal Data that may pose a risk to the rights and freedoms of the data subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.
  13. Respond to the legal rights established by the GDPR and comply with the stipulations indicated in clause 6 even if these were originally addressed to the Data Controller.

6. Data subjects’ exercise of their rights

If the Data Subject addresses a request or exercises any of the rights established in the Data Protection Laws, the Controller and / or the Processor must provide the information requested and perform any required actions, without delay and, at the latest, within one month from receiving the request, which may be extended for a further two months if necessary, taking into account the complexity of the application and the number of applications.

Similarly, but in the event that the Data Controller and / or the Processor do/es not proceed with the request of the Data Subject, he/she shall inform the latter without delay, and no later than one month after receipt of the request, shall provide the Data Subject with the reasons why he/she/they has/ve not acted and inform the Data Subject of his right to file a complaint before a competent authority and to file a judicial appeal. The response to the Data Subject’s request shall be made in the same format as that used by the person concerned, unless he/she requests that it be done otherwise.

7. Subcontracting

As Data Processor, Boolino may provide access to a subcontractor processor to Personal Data if we reasonably consider such access and processing necessary to the performance of the Services. In the event of such access and before the access takes place, Boolino shall ensure that an agreement with the third party is in place which is sufficient to require it to treat personal data in accordance with the applicable provisions of this Agreement and applicable. Approved subcontractors are set out below in Appendix 1.

8. International transfer of data

International transfers of Personal Data may only be performed if the requirements of the Data Protection Laws are met. If a party carries out an international transfer of data without the other party’s consent, the latter shall be exempted from any liability that may arise as a result of or in connection with such transfer. Boolino may transfer Personal Data outside the EEA to its sub-processors indicated in Appendix 1, who have entered into contract with Boolino with appropriate contractual safeguards.

9. Security breach of the Personal Data

Insofar as there exists an instruction from a competent supervisory authority, a development of a national legislation or a delegated act, in the event of a security breach of the Personal Data, the Data Controller and/or Data Processor shall notify the competent supervisory authority of such breach without undue delay, and if possible, no later than 72 hours after it happened. If the breach is within Boolino’s systems, it must promptly notify Customer, at most within 48 hours.

10. Termination, resolution and expiration

In the event of termination, resolution or expiration of the contractual relationship for the provision of services hereunder between the Data Controller and the Data Processor, the latter shall not keep the Personal Data unless otherwise legally required to do so. Otherwise, upon termination, resolution or expiration, or when no longer legally required to keep the data, the Data Processor shall destroy or return to the Data Controller all Personal Data and any copies of it, as well as any support or other document containing any Personal Data.

Appendix 1

In accordance with the provisions set out herein and in the GDPR, the Data Processor shall process the type and category of Personal Data provided by the Data Controller set out hereunder:

  • Teachers: Name, Surname, E-mail address, School, Username, Password, online activity (IP address, connection details).
  • Students: Full name (used to create a friendly username) and a personal password (using an algorithm) stored under his/her teacher account. Boolino will never have access to this password. Online activity (connection details).

Further data may be added to the list, on notice and approval with Customers.

Processing activities: collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, combination, restriction, erasure or destruction, encryption, pseudonymisation, aggregation.

Approved subcontractors (Subcontractor/Service):

  • Google Ireland Ltd.: Platform hosting
  • Sentry: Service error tracking. You can check the Privacy Shield here.

International transfers (Recipient/Service):

  • Rocket Science Group: Mailchimp (USA). You can check the Privacy Shield here.