Privacy Policy

This privacy policy defines how we collect, use and protect your personal data.

Last updated: May 2026

This Privacy Policy (herein, "the Policy") is provided under Articles 13 and 14 of the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018"). On 19 June 2025, the Data (Use and Access) Act 2025 ("DUAA 2025") received Royal Assent; the implementation of DUAA 2025 is, however, being staggered with initial provisions coming into effect in August 2025 with further provisions taking effect in the months thereafter. This policy reflects those changes.

Who are we?

Educoda Ltd (company number 16434698) operates this platform across the following domains: p16.uk, p16.app, p16app.com, sixthform.org, and any subdomain thereof. We provide post-16 admissions and enrolment software to schools, sixth forms and colleges in the United Kingdom.

We are registered with the Information Commissioner's Office (ICO registration number: ZB949031).

Contact details:

If you are a student (or parent/carer) and you have questions about how your data is used, you can always email us at [email protected].

What This Policy Applies To

This Policy relates to your use of this platform only.

Throughout the platform, we may link to other websites owned and operated by schools, colleges, or third-party service providers. Those websites may also gather information about you in accordance with their own separate privacy policies. For privacy information relating to those third party websites, please consult their privacy policies.

Please note that this Policy does not apply to the school or college you are applying to in their capacity as data controller. Each educational institution using this platform is the data controller for the information you submit in your application to them. They have their own privacy policies which will explain how they use your data. We process your data on their instructions as a data processor - further details of which are contained within this Policy.

Data Controller and Data Processor

UK GDPR distinguishes between a data controller (who decides why and how personal data is processed) and a data processor (who processes data on the controller's instructions).

When we act as Data Processor

When you submit an application to a specific school, sixth form or college via this platform, that educational institution is the data controller for your personal data. Educoda Ltd acts as a data processor, handling your data solely on that institution's instructions.

The institution's own privacy policy describes how they use your data, their lawful bases for processing, and your rights in relation to data they control. If you cannot find their privacy notice, please contact the institution directly.

When we act as Data Controller

Educoda Ltd is an independent data controller for the following purposes:

  • Operating and securing the platform (user accounts, authentication, security, fraud prevention)
  • Error monitoring and system performance (maintaining platform integrity and reliability)
  • Communicating with schools and staff about the platform itself (sales, support, billing, product updates)
  • Complying with Educoda's own legal obligations (e.g., data protection law, company law)

This Policy covers both roles: our processing as data controller for the above purposes, and our processing as data processor on behalf of educational institutions (explaining how data flows through our systems).

Protection of Children's Personal Data

This platform is primarily used by students applying to post-16 institutions - be that a sixth form, college or other educational institution. As such, many users are under 18 years old and are therefore considered children under UK data protection law.

Under the Data (Use and Access) Act 2025 (DUAA 2025), organisations providing online services likely to be accessed by children must take into account "children's higher protection matters". We specifically consider:

  • How best to protect and support children when using this service
  • That children merit specific protection regarding their personal data, because they may be less aware of the risks and consequences of processing and their rights
  • The importance of providing information to children in a clear, plain-language, age-appropriate manner

Our commitments to protecting children:

  • We implement age-appropriate safeguards throughout the platform
  • We do not use children's data for marketing purposes
  • We do not use profiling or automated decision-making that could be harmful to children
  • We do not sell children's data or share it for purposes unrelated to education
  • We provide this information in clear language
  • Parents and carers can exercise data rights on behalf of children under 18

If you are under 18, a parent or other legal guardian can contact us on your behalf to exercise any of your rights under data protection law.

Personal Data We Collect About You

The personal data we collect about you depends on the particular activities carried out through the platform and your interactions with us or the educational institution you are applying to.

Student personal data

  • Full name, preferred name
  • Date of birth, sex/gender
  • Email address, phone number, home address
  • Photograph (biometric data under UK GDPR when used to uniquely identify you)
  • Ethnicity and nationality
  • Religion or belief
  • First language and home language
  • Special Educational Needs and Disabilities (SEND) information and Special Educational Assessment (SEA) information
  • Looked After Child (LAC) status
  • Free School Meals (FSM) eligibility
  • Medical needs, allergies and dietary requirements
  • Academic history, qualifications, predicted grades and final exam results
  • Unique Learner Number (ULN), Unique Pupil Number (UPN), Unique Candidate Identifier (UCI)
  • Career and university aspirations
  • Emergency contact details (parents, carers, guardians)

Parent, carer and referee personal data

  • Name, email address, phone number
  • Relationship to the student
  • Address (where the same as the student or separately provided)
  • Predicted grades and reference information (for referees such as teachers)
  • School or college affiliation and role (for referees)

Technical and usage data

  • IP address and browser/device information (collected by our hosting and security providers)
  • Platform activity logs (actions taken on the platform, timestamps)
  • Session data (maintained for the duration of your session)
  • Error reports (which may include page URL, authenticated user identity, and request data at the time of the error)

Data received from the Department for Education ("DfE")

Where a school or college has separately authorised it, we may receive data about a student from the Department for Education's View Education Record API (VERA) service. This service is currently under development by the DfE, and provides institutions with national data held by the DfE, such as prior attainment records. This data is used solely to pre-populate or validate information in the student's application and is processed under the institution's instruction. Details of DfE data sharing are governed by the DfE's own privacy notice and the institution's authorisation to access VERA.

Whether you must provide personal data

You must provide certain personal data to use this platform and submit an application to an educational institution. Where specific data is required, this will be indicated on the relevant forms (usually marked with an asterisk *).

Some personal data is optional. Where you have a choice about whether to provide data, we will tell you clearly before you provide it. We will also tell you whether declining to share that data will have any effect on your use of the platform or the processing of your application.

In general:

  • Required for your application: name, date of birth, contact details, address, academic history, qualifications
  • Required by law or for safeguarding: SEND information (where applicable), emergency contacts, certain identity verification data
  • Optional but helpful: photograph, career aspirations, some diversity monitoring information (though institutions may require some of this)

Information for referees

If you are a referee (teacher or school staff member) providing a reference for a student:

  • You must provide or otherwise verify your contact details (name, email, school affiliation) to submit a reference; this is necessary to verify the authenticity of the reference
  • We will use your contact details for two purposes: (1) to facilitate the reference process for the student's application, and (2) to send you marketing communications about our platform and services (you can opt out of marketing at any time)
  • By providing a reference, you acknowledge that we will use your details for both these purposes

How Your Personal Data is Collected

We collect personal data from you:

  • Directly, when you enter or send us information, such as when you:
    • Register an account on the platform
    • Complete and submit an application or enrolment form
    • Upload documents (such as exam results, certificates, or photographs)
    • Contact us via email or support channels
    • Participate in surveys or provide feedback
    • Book appointments or respond to invitations (e.g., taster days, results day slots)
    • Provide a reference for a student (for referees) - when you do this, we collect your contact details both to facilitate the reference and because we have a legitimate interest in contacting you about our platform and services
  • Indirectly, such as:
    • Your browsing activity while using the platform (we collect information indirectly using cookies and similar technologies)
    • From referees (teachers) who submit predicted grades or references on your behalf
    • From the educational institution you previously attended or currently attend
    • From the Department for Education via the VERA service (where separately authorised by the institution)
    • From our technology and security providers in the course of providing services to us (e.g., Cloudflare may collect network data for security purposes)

How and Why We Use Your Personal Data

Under data protection law, we can only use your personal data if we have a proper reason, for example:

  • where you have given consent
  • to comply with our legal and regulatory obligations
  • for the performance of a contract with you or to take steps at your request before entering into a contract
  • for our legitimate interests or those of a third party
  • for the performance of a task carried out in the public interest or in the exercise of official authority

A legitimate interest is when we (or an educational institution) have a business or educational reason to use your personal data, so long as this is not overridden by your own rights and interests. We carry out an assessment when relying on legitimate interests to balance our interests against your own.

Under DUAA 2025, new lawful bases called "recognised legitimate interests" have been introduced for specific purposes such as crime prevention, safeguarding vulnerable people, and national security. We do not currently rely on recognised legitimate interests for processing student data on this platform.

The table below explains what we use your personal data for and why.

| What we use your personal data for | Our lawful basis |
|---|---|
| Creating and managing your account on the platform | Contract - To perform our contract with you or to take steps at your request before entering into a contract |
| Processing your application or enrolment to an educational institution | Contract; Public task - To perform our contract with you and for the institution to perform its public task in providing education |
| Sharing your application data with the school, sixth form or college you are applying to | Contract; Public task - This is the fundamental purpose of the platform; you have requested this |
| Sending you communications about your application status, reminders, meeting invitations, and results day appointments | Contract - To perform our contract with you |
| Allowing referees to submit predicted grades and references on your behalf | Contract; Public task - Necessary for your application and the institution's educational function |
| Verifying your identity and preventing fraudulent applications | Legitimate interests - To minimise fraud that could be damaging for you, educational institutions, and us |
| Platform security, abuse detection, and protecting systems and data | Legitimate interests - To protect users and the platform from harm, and to prevent and detect criminal activity |
| Error monitoring and technical performance (Sentry) | Legitimate interests - Maintaining a reliable, secure service for all users |
| Supporting safeguarding, inclusion and pastoral duties (sharing emergency contacts, SEND data, medical information with the institution) | Legal obligation; Public task - Required to support safeguarding and the institution's duty of care |
| Complying with DfE, Ofsted or other regulatory reporting requirements | Legal obligation - Required by education law and regulations |
| Conducting checks to verify eligibility (e.g., checking predicted grades against entry requirements) | Contract; Legitimate interests - To enable institutions to assess applications efficiently |
| Communications with you not related to your application (e.g., changes to our terms, policies, or the platform) | Legal obligation (where required by data protection law); otherwise Legitimate interests - To be as efficient as we can so we can deliver the best service to you |
| Updating and enhancing records (e.g., updating your contact details, keeping application data current) | Contract; Legal obligation (where required); otherwise Legitimate interests - To keep in touch with applicants and maintain accurate records |
| Enforcing legal rights, defending or undertaking legal proceedings | Legal obligation (where required); otherwise Legitimate interests - To protect our business, interests and rights |
| Marketing communications to prospective students (where opt-in consent is obtained via an enquiry form on behalf of an institution) | Consent - You can withdraw consent at any time using the unsubscribe link in emails |
| Marketing communications to referees (teachers and school staff) about our platform and services | Legitimate interests - Our legitimate interest in promoting our platform to educational professionals who may benefit from using it. You can opt out at any time using the unsubscribe link in emails or by contacting us. |

Where we rely on legitimate interests, we have carried out a balancing test to ensure our interests or those of the educational institution are not overridden by your rights. You have the right to object to processing based on legitimate interests.

Special Category and Sensitive Personal Data

Certain personal data we collect is classified as special category data under Article 9 of the UK GDPR. This data receives additional protections under data protection law. Special category data we collect includes:

  • Racial or ethnic origin (ethnicity information)
  • Religion or belief
  • Health data (medical needs, allergies, dietary requirements)
  • Data concerning disability (SEND and SEA information)
  • Biometric data (your photograph, where used to uniquely identify you)

We also collect data revealing social vulnerability (Looked After Child status, Free School Meals eligibility), which requires additional safeguards under UK law.

We process this special category data under the following Article 9 conditions, together with the relevant Schedule 1 of the Data Protection Act 2018 condition:

| Data type | Article 9 UK GDPR condition | DPA 2018 Schedule 1 condition |
|---|---|---|
| Ethnicity, religion, first language | Article 9(2)(g) - Processing necessary for reasons of substantial public interest | Paragraph 6 - Statutory and government purposes; Paragraph 29 - Education and training purposes |
| Health data (medical needs, allergies, dietary requirements) | Article 9(2)(h) - Processing necessary for health or social care purposes | Paragraph 2 - Health, social care or public health |
| SEND and SEA information | Article 9(2)(g) - Processing necessary for reasons of substantial public interest | Paragraph 29 - Education and training purposes; Paragraph 6 - Statutory and government purposes |
| Looked After Child (LAC) status | Article 9(2)(g) - Processing necessary for reasons of substantial public interest | Paragraph 15 - Safeguarding of children and individuals at risk |
| Photograph (biometric data) | Article 9(2)(a) - Explicit consent (where obtained); Article 9(2)(g) - Substantial public interest (where consent not relied upon) | Paragraph 29 - Education and training purposes |

In all cases, only the minimum necessary data is collected. Some information is requested voluntarily; where a field is optional this will be clearly marked. Some data (such as SEND status or medical needs) may be required to ensure the institution can properly support you and meet their legal duties.

Who We Share Your Personal Data With

We share your personal data with the following recipients:

a. The educational institution you are applying to

This is the primary purpose of the platform. The school, sixth form or college you are applying to will receive all the information you submit in your application. They are the data controller for that data and will process it in accordance with their own privacy notice.

b. Department for Education (DfE)

Where required by law or where an institution has separately authorised VERA (View Education Record) access, data may be shared with or received from the DfE. This includes national student record data held by the DfE for statutory purposes.

c. Technology service providers (sub-processors)

We use a number of third-party technology suppliers to operate the platform. All sub-processors are bound by data processing agreements and are required to process personal data only on our instructions and in accordance with UK data protection law.

| Provider | Purpose | Data involved | Location |
|---|---|---|---|
| Cloudflare, Inc. | Content delivery network (CDN), DDoS protection, CAPTCHA (Turnstile), object storage (R2) for uploaded files | All web traffic; uploaded media (photos, results documents); network/security data | UK / EU (R2 data stored in EU); global CDN nodes |
| Hetzner Online GmbH | Server hosting and infrastructure | All platform data in transit and at rest on servers | EU (Germany/Finland) |
| Amazon Web Services (AWS) - SES | Transactional email delivery (application updates, reminders, verifications, status notifications) | Email addresses; email content (application status, meeting invitations, links) | EU (eu-west-2, London) |
| IDDQD Ltd (t/a Ideal Postcodes) | UK address lookup and verification service | Address details (postcode, premises information entered by users) | UK |
| Functional Software, Inc. (Sentry) | Error monitoring and application diagnostics (used to identify and fix software bugs and performance issues) | Error events which may include: authenticated user identity (name/email), page URL, request data at the time of the error. We have configured Sentry to capture this information to enable effective debugging. | EU (Sentry's EU data region) |

We only allow these organisations to handle your personal data if we are satisfied they take appropriate measures to protect it. We also impose contractual obligations on them to ensure they can only use your personal data to provide services to us and to you, and that they comply with UK data protection law.

d. Other recipients

We or the third parties mentioned above may occasionally also share personal data with:

  • External auditors in relation to any audit of our accounts (the recipient will be bound by confidentiality obligations)
  • Professional advisors (such as lawyers) for legal advice (the recipient will be bound by confidentiality obligations)
  • Law enforcement agencies, courts, tribunals and regulatory bodies to comply with our legal and regulatory obligations
  • Other parties that have or may acquire control or ownership of our business (and their professional advisers) in connection with a merger, acquisition, or sale - information will be anonymised where possible and recipients will be bound by confidentiality obligations

We do not sell, rent or trade personal data to any third party for their own commercial purposes.

How Long We Keep Your Personal Data

We only keep your personal data for as long as necessary for the purposes described in this notice, or as required by law. Different retention periods apply for different types of personal data.

| Data category | Retention period | Reason |
|---|---|---|
| Student application and enrolment data (for successful applicants who enrol) | For the duration of the admissions cycle, then transferred to the institution. Educoda retains a copy for up to 7 years after the academic year of application. | Legal obligation (education records retention requirements); safeguarding; audit trail; potential disputes |
| Student accounts where no application was completed or where application was withdrawn/unsuccessful | 2 years from last activity | Legitimate interests (account recovery; operational purposes) |
| Reference data (predicted grades and referee information) | As per the associated application retention period | Academic integrity; audit trail; part of the application record |
| Exam results and uploaded documents (certificates, results slips) | Up to 7 years after the academic year | Legal obligation; regulatory compliance; academic record keeping |
| Email communications sent via the platform | 2 years | Legitimate interests (communications audit trail; dispute resolution) |
| Marketing enquiry data (where consent given via enquiry forms) | Until consent is withdrawn, or 3 years from last interaction if no withdrawal | Consent; legitimate interests |
| Referee contact details used for marketing (teachers and school staff who have provided references) | Until you opt out of marketing, or 3 years from your last interaction with the platform (whichever is sooner) | Legitimate interests (marketing to educational professionals) |
| Error logs (Sentry) | 90 days | Legitimate interests (debugging and fixing issues) |
| Platform activity and security logs | 2 years | Security; fraud prevention; legitimate interests |
| Deleted accounts (where user exercises right to erasure) | Immediately deleted from active systems; backups purged within 30 days | Right to erasure (subject to legal retention obligations) |

Individual institutions may have longer retention obligations under their own policies or statutory requirements (e.g., safeguarding records). After the applicable retention period, data is securely deleted or irreversibly anonymised.

Note on DUAA 2025: Under changes to subject access request handling, we conduct "reasonable and proportionate" searches when responding to requests. This means that data stored in backups or archives beyond normal retention periods may not be retrieved unless it is reasonable and proportionate to do so.

Marketing

Marketing to students

Educoda does not send marketing communications directly to students or parents about our platform or services.

Where a school or college uses this platform to send marketing communications to prospective students (e.g., open day invitations, course information), this is only done where:

  • The recipient has provided consent via an enquiry form submitted to that institution, or
  • A prior relationship with the institution exists and the communication relates to similar educational services (the "soft opt-in" under Regulation 22 of the Privacy and Electronic Communications Regulations 2003)

Every marketing email sent via this platform on behalf of an institution includes an unsubscribe link. You can use this at any time to opt out of further marketing from that institution.

Marketing to referees (teachers and school staff)

We may use the contact details of referees (teachers and other school staff) who provide references through this platform to send marketing communications about our platform and services.

Lawful basis: We have a legitimate interest in using your personal data for marketing purposes. This means we do not need your consent to send you marketing information about our platform. Our legitimate interest is in promoting our platform to educational professionals who may benefit from using it, either personally or by recommending it to their schools or colleges.

We have carried out a legitimate interests assessment and determined that our interest in marketing to educational professionals is not overridden by your interests, rights and freedoms, because:

  • As an educational professional who has used this platform, you have a reasonable expectation that we may contact you about similar services
  • Our marketing is directly relevant to your professional role and activities
  • You can easily opt out at any time (see below)
  • We do not send excessive communications
  • We do not share your data with other organisations for their marketing purposes

What marketing communications may include

Marketing communications to referees may include:

  • Updates about new features on the platform
  • Information about how the platform can benefit your school or college
  • Case studies and best practices from other educational institutions
  • Invitations to webinars or training sessions
  • Information about our other products or services that may be relevant to your role

Your right to opt out

You have the right to opt out of receiving marketing communications from us at any time by:

  • Using the 'unsubscribe' link in any marketing email we send you
  • Emailing us at [email protected]

We will process your opt-out request within 2 working days and you will not receive further marketing communications after that time. This will not affect any transactional or service-related communications (e.g., notifications about students whose references you have provided).

Email tracking

Some emails sent via this platform may contain a tracking pixel (a 1×1 pixel transparent image) and tracked links to help us understand engagement with our communications. When you open an email, the tracking pixel loads and records that the email was opened. When you click a link, the click is recorded before you are redirected.

We use this information to:

  • Understand which communications are most useful to recipients
  • Improve the relevance and timing of our communications
  • Follow up with important information if communications have not been opened

The lawful basis for email tracking is legitimate interests (ensuring important communications reach recipients and improving our service). You have the right to object to this processing.

What we will never do

We will always treat your personal data with the utmost respect and we will never:

  • Sell or rent your data to other organisations for their marketing purposes
  • Share your data with other organisations outside our group for marketing purposes
  • Send you marketing about products or services wholly unrelated to education or our platform
  • Use your data to market to the students whose references you provided

Transferring Your Personal Data Outside the UK

Countries outside the UK have differing data protection laws, some of which may provide lower levels of protection of privacy. It is sometimes necessary for us to transfer your personal data to countries outside the UK. In those cases we comply with applicable UK laws designed to ensure the privacy of your personal data.

The UK has granted adequacy regulations for data transfers to the European Economic Area (EEA). Most of our data processing occurs in the UK or EEA.

Under DUAA 2025, the test for international data transfers has been updated. We must ensure that the standard of data protection in the receiving country is "not materially lower" than the standard in the UK. This replaces the previous "essentially equivalent" test.

Where we transfer your personal data

We transfer your personal data to our service providers located outside the UK, as detailed in the table below:

| Recipient | Country | Processing operation | Transfer mechanism / safeguard |
|---|---|---|---|
| Hetzner Online GmbH (company registration: HRB 36915, Amtsgericht Ingolstadt; registered office: Industriestr. 25, 91710 Gunzenhausen, Germany) | Germany / Finland (EEA) | Server hosting and infrastructure - stores all platform data | Adequacy regulation further to paragraph 5(1)(a) of Part 3 of Schedule 21 to the Data Protection Act 2018 (EEA adequacy) |
| Functional Software, Inc. (Sentry) (registered in Delaware, USA; principal office: 45 Fremont Street, 8th Floor, San Francisco, CA 94105) | EU (Frankfurt data region - no transfer outside EEA/UK) | Error monitoring - stores error event data | Adequacy regulation (EEA) - data stored in EU region |
| Cloudflare, Inc. (incorporated in Delaware, USA; registered office: 101 Townsend St, San Francisco, CA 94107) | UK / EU for data storage (R2); global CDN nodes for network data | CDN, security, object storage for uploaded files | For R2 storage (EU): Adequacy regulation (EEA); For CDN (global): UK International Data Transfer Agreement (IDTA) / Standard Contractual Clauses (SCCs) under Article 46(2) UK GDPR, assessed under the "not materially lower" data protection test (DUAA 2025); Cloudflare Data Processing Addendum in place |
| Amazon Web Services EMEA SARL (registered in Luxembourg; registered office: 38 avenue John F. Kennedy, L-1855 Luxembourg) | EU (London, eu-west-2 region) | Transactional email delivery | Adequacy regulation (EEA) - data processed in EU region |

We have assessed all transfers to ensure they meet the DUAA 2025 data protection test (that the standard of protection is "not materially lower" than the UK standard).

Automated Processing and Decision-Making

Under Article 22 of the UK GDPR, as amended by DUAA 2025, you have rights regarding automated decisions made about you.

What automated processing we do

The platform uses automated logic for the following purposes:

  • Application eligibility checks: The system automatically checks whether a student meets minimum grade requirements for specific subjects, based on rules configured by the institution. This may result in a flag or alert to admissions staff. These are advisory only and do not determine admissions outcomes.
  • Reminder scheduling: Automated reminders are sent to applicants and referees based on time-based rules (e.g., if a reference has not been submitted within a set period).
  • CAPTCHA verification: Cloudflare Turnstile automatically assesses whether form submissions are from a human user. An automated block may occur if a submission is assessed as originating from a bot.

Solely automated decisions

We do not make solely automated decisions that produce legal effects or similarly significantly affect you. Admissions decisions are always made by a human member of staff at the educational institution. Automated eligibility checks serve as advisory tools to assist staff, not to make final decisions.

Changes under DUAA 2025

DUAA 2025 has narrowed the general prohibition on solely automated decision-making. The prohibition now applies specifically to significant decisions based entirely or partly on special category data (such as health, ethnicity, religion, or disability information). Where such processing occurs, you have enhanced rights to human review and explanation.

Because this platform processes special category data (SEND information, medical needs, ethnicity, religion), we ensure that:

  • No solely automated decisions are made based on this data
  • All admissions decisions involve meaningful human intervention
  • You can request human review, explanation, and contest any automated processing that significantly affects you

Your rights regarding automated processing

You have the right to:

  • Be informed when automated processing is being used in ways that significantly affect you
  • Request human intervention and review of any automated decision
  • Receive a meaningful explanation of the logic involved and the significance and consequences of such processing
  • Express your point of view and contest the decision

To exercise these rights, contact us at [email protected] or contact the educational institution directly.

Cookies and Similar Technologies

A cookie is a small text file placed on your device (e.g., computer, smartphone or other electronic device) when you visit a website. We use cookies to make this platform work correctly and securely.

13a. Strictly necessary cookies

These cookies are essential for the platform to function. They do not require your consent under the Privacy and Electronic Communications Regulations 2003 (PECR) because they are strictly necessary to provide the service you have requested.

| Cookie name | Purpose | Duration | Set by |
| --- | --- | --- | --- |
| sessionid | Maintains your login session so you do not have to log in on every page | 1 hour (extends on each page visit while active) | Educoda (this platform) |
| csrftoken | Security token that protects form submissions against cross-site request forgery (CSRF) attacks | 1 year (standard security practice) | Educoda (this platform) |
| cf_clearance | Set by Cloudflare when you pass a security challenge (e.g., CAPTCHA), confirming your browser is legitimate | 30 minutes to 24 hours | Cloudflare |
| __cf_bm | Set by Cloudflare to distinguish human users from automated bots and protect forms | 30 minutes | Cloudflare |
| cf-turnstile-* | Set by Cloudflare Turnstile (our CAPTCHA alternative) when verifying form submissions | Session (deleted when you close your browser) | Cloudflare |

13b. Analytics and non-essential cookies

We do not currently use any analytics services (such as Google Analytics) or advertising cookies on this platform. No non-essential cookies are set.

13c. Your cookie choices

Because we only use strictly necessary cookies, we are not required by PECR to obtain your consent before placing them. You cannot opt out of strictly necessary cookies without significantly affecting how the platform works (e.g., you would not be able to remain logged in or submit forms securely).

You can control and delete cookies through your browser settings. For guidance, visit:

If you disable cookies, please be aware that you may lose some of the functionality of the platform.

Your Rights

Under the UK GDPR, DPA 2018, and DUAA 2025, you have the following rights regarding your personal data. You can usually exercise these rights free of charge.

Important: These rights apply to Educoda's processing as data controller. For processing where an educational institution is the controller (i.e., your application data), you should contact them directly to exercise your rights, though we will assist where we can.

| Right | What it means | How we support it |
| --- | --- | --- |
| Right of access (Article 15 UK GDPR) | You can ask for a copy of all personal data we hold about you (a Subject Access Request or SAR) | Submit a SAR by emailing [email protected]. We will respond within 1 calendar month. Under DUAA 2025, we conduct a "reasonable and proportionate" search for your data. We may pause the one-month period if we need to verify your identity or clarify the scope of your request. You may need to provide proof of identity. |
| Right to rectification (Article 16 UK GDPR) | You can ask us to correct inaccurate data or complete incomplete data | Most data can be corrected directly in your profile on the platform. For data you cannot edit (e.g., referee-submitted grades, data controlled by the institution), contact us or your school/college directly. |
| Right to erasure (Article 17 UK GDPR / "right to be forgotten") | You can ask us to delete your data in certain circumstances | You can delete your profile via your account settings. For partial deletion or where legal retention obligations apply, email us. We will respond within 1 calendar month. Note: we may be required to retain certain data by law (e.g., for safeguarding, audit, or regulatory purposes). |
| Right to restrict processing (Article 18 UK GDPR) | You can ask us to pause processing your data (e.g., while a dispute is resolved) rather than delete it | Email [email protected] to request restriction of processing. We will place a marker on your data and only process it in limited circumstances. |
| Right to data portability (Article 20 UK GDPR) | You can ask for your data in a machine-readable format to transfer to another service, where processing is based on consent or contract | Email [email protected] to request a structured export of your data (e.g., in CSV or JSON format). |
| Right to object (Article 21 UK GDPR) | You can object to processing based on legitimate interests or public task grounds, including profiling and direct marketing | Email [email protected]. We will stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or the processing is required for legal claims. For direct marketing, we must stop immediately upon objection. |
| Right to withdraw consent (Article 7(3) UK GDPR) | Where processing is based on consent, you can withdraw it at any time (this does not affect the lawfulness of processing before withdrawal) | Use the unsubscribe link in marketing emails, or email [email protected]. Withdrawal is easy and does not affect any processing we have already done based on your consent. |
| Rights regarding automated decisions (Article 22 UK GDPR / DUAA 2025) | You can request human review, an explanation, or contest automated processing that significantly affects you | Email us at [email protected] or contact the educational institution directly. Under DUAA 2025, you have enhanced rights where automated processing involves special category data. |

If you are under 18: A parent or carer can exercise these rights on your behalf. We may ask for proof of the relationship to protect your data.

For further information on each right, including the circumstances in which they apply, please contact us or refer to the ICO's guidance for the public.

How to Exercise Your Rights

  1. Self-service: Many rights can be exercised directly on the platform:
    • Edit your profile to correct inaccurate data
    • Delete your account via account settings (subject to legal retention obligations)
    • Unsubscribe from marketing emails using the link in each email
  2. Email us: For rights you cannot exercise via self-service, email [email protected] with:
    • Your full name and email address registered on the platform
    • A clear description of your request and the right you are exercising
    • Proof of identity (e.g., a scan of a passport or driving licence), required for Subject Access Requests and other requests where we need to verify your identity
  3. Response time: We will acknowledge your request within 5 working days and respond in full within 1 calendar month. If your request is complex or numerous, we may extend this by a further 2 months (you will be notified). Under DUAA 2025, we may pause the one-month response period if we need further information from you to verify your identity or clarify the scope of your request. The clock resumes once we receive your response.
  4. Reasonable and proportionate searches: For Subject Access Requests, we are required under DUAA 2025 to conduct a "reasonable and proportionate" search for your data. This means we will search systems and locations where your data is reasonably likely to be held, but we are not required to search every possible system if doing so would be disproportionate to the request.
  5. No fee: Rights requests are free of charge. We may charge a reasonable fee only where requests are manifestly unfounded or excessive.
  6. Requests relating to institution-controlled data: If your request relates to data held and controlled by a school or college (i.e., your application data), we will forward your request to them and inform you. The institution is responsible for responding in their capacity as data controller.

How to Complain

If you are unhappy with how we have handled your personal data, please let us know. We hope we will be able to resolve any issues you may have.

Complaints to Educoda Ltd

Under the Data (Use and Access) Act 2025, we are required to provide you with a clear and accessible way to make complaints about how we process your personal data.

How to complain:

What happens next:

  1. We will acknowledge your complaint within 30 days of receiving it
  2. We will investigate your complaint and respond without undue delay
  3. We will explain our findings and any action we have taken or will take
  4. If you are not satisfied with our response, we will explain how you can escalate your complaint to the Information Commissioner's Office (ICO)

Complaints about a school or college

If your complaint relates to how a school, sixth form or college has processed your data (rather than Educoda's platform operations), you should contact that institution directly using their complaints procedure. We can assist in directing your complaint to the appropriate institution if needed.

Complaints to the Information Commissioner's Office (ICO)

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection regulator, at any time. You do not have to contact us first, though we appreciate the opportunity to address concerns directly.

  • Website: ico.org.uk/make-a-complaint
  • Phone: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Keeping Your Personal Data Secure

We have appropriate security measures in place to prevent personal data from being accidentally lost, or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it.

We also have procedures in place to deal with any suspected data security breach. We will notify you and the Information Commissioner's Office of a suspected data security breach where we are legally required to do so.

Security measures include:

  • Encryption of data in transit (HTTPS/TLS) and at rest where appropriate
  • Access controls and authentication (passwords, multi-factor authentication for staff)
  • Regular security monitoring and logging
  • DDoS protection and bot mitigation (Cloudflare)
  • Regular backups and disaster recovery procedures
  • Staff training on data protection and security
  • Data Processing Agreements with all sub-processors requiring appropriate security measures

If you want detailed information from Get Safe Online on how to protect your information and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.

Changes to This Privacy Policy

We review this privacy notice regularly to ensure it reflects our current practices and complies with applicable law, including changes arising from the implementation of the Data (Use and Access) Act 2025.

We may change this privacy policy from time to time.

Previous versions of this privacy notice are available on request by emailing [email protected].

How to Contact Us

You can contact us by email if you have any questions about this privacy policy, the information we hold about you, to exercise a right under data protection law, or to make a complaint.

Contact details:

  • Email: [email protected]
  • Subject line for rights requests: "Data Protection Rights Request"
  • Subject line for complaints: "Data Protection Complaint"
  • Registered address: Available on request via email

When contacting us, please provide:

  • Your full name and email address registered on the platform
  • A clear description of your query, request, or complaint
  • Any supporting documentation (e.g., proof of identity for rights requests)

We aim to respond to all enquiries within 5 working days.