Privacy Notice

“GDPR in Schools Limited delivers a service to its customers and to the public to help drive and improve data protection in the education sector. 

We take care to protect the privacy of customers and users of our apps and web sites on and including any relevant subdomains. We take our obligations under privacy and data protection law very seriously. This privacy notice explains how we collect, store and use your personal data. Please read it carefully. 


  1. In this privacy notice, references to “we”, “us” or “our” mean GDPR in Schools Ltd (“GDPRiS”) (further details of GDPRiS are provided at the bottom of this statement). References to “you” or “your” mean the person using this Website whose personal information we collect, store and use.
  2. This privacy notice applies to you and GDPRiS, the owner and operator of this Website.
  3. References to “the Website” mean or, including any relevant sub-domains, unless specific terms and conditions apply to that website or service.
  4. References to “Data” mean all personal information that you submit to GDPRiS via the Website.
  5. GDPRiS may change this privacy notice from time to time. You should check this page periodically to ensure that you are happy with the up-to-date version.

What this Privacy Notice covers

  • Why we use your personal information 
  • The lawful basis for processing 
  • What personal information we capture
  • How we use your personal information 
  • What rights you have under data protection legislation 
  • Sharing personal information with third parties
  • How long we may keep your information 
  • Changes to our privacy notice 
  • Contact details for your queries 

Why we use your information

GDPRiS operate a number of web sites and web applications that facilitate some of the processes that schools are required to undertake to achieve and evidence their compliance with the EU and UK General Data Protection Regulation and the UK Data Protection Act 2018. 

We process your personal data for the following purposes: 

  • to provide you with the service activated and registered for 
  • the verification of your identity, where required 
  • for the prevention and detection of crime, fraud and money laundering 
  • for the ongoing administration of the service 
  • to allow us to improve the products and services we offer to our customers 
  • to manage our relationship with you and offer support 
  • to ask for your opinion about our products and offer surveys 
  • for research and statistical analysis, including payment and usage patterns . We only use the data in an anonymised manner when we use it for this purpose. 
  • to enable us to comply with our legal and regulatory obligations 
  • to offer new products and services to you which are relevant and appropriate, and only to the extent that would be reasonably expected. 

If we plan to introduce further processes for the use of your information, we will provide information about that purpose prior to such processing. 

What Personal Data we capture and how long we keep it

When you visit any of our web sites or web applications then we will be capturing the date and time of your clicks, the IP address and your browser agent string. We keep this data for up to 3 months.

Some pages on our web sites may ask you to give us some information, such as your email address. Usually, when you give this information, you will want us to get in touch with you, e.g. for sales or support purposes.

When using the Compliance application under you will be enrolled by your school or organisation with your email address and name. Once you log in, you will set your own password, and have the opportunity to contribute to your school or organisation’s data protection compliance effort in many ways, partly by entering free text.

The data in your GDPRiS account is part of your organisation’s evidence of compliance. We will delete it at request of your organisation, or approximately 3 months after the end of the contract. Note that we are a Data Processor to your organisation. They, as the Data Controller, give us the instruction to process Data. You have the Right to file Subject Requests by law. If you file such requests with, we will have to pass them on to your organisation for authorisation.


GDPRiS also occasionally reach out to suppliers (often data processors) of our customers to ascertain details about their data processing. We do this in order to pass the information on to our customers. Personal data captured in this process will not be shared, unless we are given consent to do so. 

Lawful Bases

GDPR in Schools Ltd carry out some of the processing mentioned above independently from any processing instruction from your organisation. This is especially the case for activities that we may undertake to improve our service to our customers. Unless an exception is specifically mentioned in a Privacy Notice, we rely on the lawful basis of Legitimate Interest (GDPR Art 6(1)f) for any such processing.

Where our processing relies on an instruction from your organisation and we are not the data controller, we do not determine the lawful basis, but your organisation does. Because there is a clear instruction in the law (UK Data Protection Act 2018) to meet and document the compliance with data protection law, schools will typically be able to rely on the lawful basis of Legal Obligation under Art 6(1)c or Task Carried out in the Public Interest Art 6(1)e.

Your Rights to Your Data

You are able – at all times and with no conditions – to exercise your rights as a data subject. Where we are the Data Processor, we are required to pass the request on to the Data Controller for authorisation. Note that if the Controller are relying on the lawful basis of Legal Obligation or Public Task, not all rights apply in the same way.

The rights you as a Data Subject enjoy are the following:

  • Right To Access – you may see a copy of the data we hold
  • Right To Rectification – in case your data is incorrect
  • Right To Erasure – if you no longer want your data to be processed and want it removed
  • Right To Object – if you want processing of your data halted, until a decision is reached, e.g. on Erasure
  • Right To Restriction – if you don’t agree with the extent of the processing of your data
  • Right To Data Portability and Rights relating to automated decision making play no role for our services.
  • Right to Lodge a Complaint – if you have grave concerns of the processing activity, you may alert the Information Commissioner’s Office (ICO) and file a complaint.

Note that we will often need to verify your identity before we can action any of your requests.

Data Sharing and 3rd Parties

In order to fulfil our services reliably and effectively, we use 3rd parties and we necessarily transfer data to them.

These are the parties that we share information with:

  • Hubspot (US with EU data hosting) – CRM, support portal, website hosting
  • Brevo (formerly Sendinblue), EU) – transactional emails
  • Microsoft Azure (EU) – application hosting
  • Microsoft Office365 (EU) – collaboration and emails
  • Thinkific (Canada) – Continuous Personal Development
  • Zoom (US) – Remote training, telephony
  • Easyspace (UK) – DNS management
  • Wonde and Groupcall - at our customer's choice we facilitate a data pull of staff data (email, names) from the data broker into GDPRiS.
  • Imperva (US) - to protect from various forms of attack against our platform and our users, we use the Imperva cloud WAF and DDoS proxy.

Being retired:

  • Zendesk (US) – the support portal (being retired)
  • Siteground (EU) - website hosting

We may use auditors and external consultancies who may come to see some of your data. We limit this to the best possible degree.

We will only disclose personal information to other parties in the following, limited circumstances:

  • where we are legally obliged to do so, e.g. by law enforcement authorities
  • where there is a duty to do disclose in the public interest
  • where disclosure is necessary to protect ourselves from crime, fraud or other malicious activity
  • where you give us permission to do so, e.g. by granting Consent within the GDPRiS Products or Services or via an online application or consent form.

Third Party Web Sites

From time to time our web site will contain links to third parties’ web pages for your interest. This Privacy Notice does not extend to those 3rd party web sites, even when accessed from our web sites. We accept no liability or responsibility for any content delivered by 3rd party web sites. 

Changes to this Privacy Notice

This Privacy Notice will be reviewed and updated regularly.

Contact Details

GDPR in Schools Ltd is a limited company incorporated in England and Wales under the company registration number 10699302, whose registered address is 11 Kingsley Lodge, 13 New Cavendish Street, London, United Kingdom, W1G 9UG. 

If you have any questions regarding this Privacy Notice please use our Contact Form or email us under


Last updates:

03 January 2023 - made specific mention of interaction with EdTech suppliers for evidence capture.

01 November 2023 - we no longer use Siteground for website hosting. Included Wonde and Groupcall in the data sharing section.

21 October 2022 – we no longer use Mailchimp

1 August 2022 – amended sub-processors, minor UK-GDPR related wording

18 March 2024 - added Imperva