Data Protection and Sharing Policy - June 2026

About us

Grofar is a company registered in England and Wales under company number 09505988, whose registered address is at Walden House, Foxcombe Road, Boars Hill, Oxford, OX1 5DL.

At Grofar, we value privacy and are committed to protecting personal information. This policy explains how we process, use, and share personal data when acting as a Data Processor on behalf of our customers (educational institutions, who are the Data Controllers).

Document aims

This policy sets out how Grofar processes, stores, and protects the personal data your establishment shares with Grofar, and forms the framework for our Data Sharing Agreement (DSA). It reflects our joint obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025. Acceptance of this policy forms part of your organisation's agreement to use the Grofar platform.

How to read this policy

This policy is addressed to two audiences:

Section 1 contains information for both educational institutions and individuals (each subsection covering students, applicants, staff, parents and carers, and businesses is addressed directly to that data subject category, and also explains to institutions what data Grofar processes on their behalf).
Sections 2 to 13 are directed at educational institutions (Data Controllers) and set out the terms on which Grofar processes personal data on their behalf.
Sections 14 to 16 are directed at individuals (students, applicants, staff, parents, guardians, carers, and business contacts) and explain their data protection rights and how to exercise them.

UK GDPR definitions

Personal Data: Any information relating to an identified or identifiable natural person. This can include names, contact details, identification numbers, location data, or other factors that can identify a person either directly or indirectly.
Special Category Data: Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data used for the purpose of uniquely identifying a person, health data, or data concerning a person's sex life or sexual orientation.
Criminal Offence Data: Personal data relating to criminal convictions and offences, including data about alleged offences. This data is subject to separate protections under Article 10 UK GDPR and Schedule 1 of the Data Protection Act 2018 and must not be processed without an appropriate condition in place.
Processing: Any operation or set of operations performed on personal data or sets of personal data. This includes collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
Data Subject: An identified or identifiable natural person whose personal data is being processed. This can include employees, customers, clients, or any individual whose personal data is held by the organisation.
Controller: The organisation (or individual) that determines the purposes, conditions, and means of processing personal data. In this case, your institution acts as the Data Controller.
Processor: A third party that processes personal data on behalf of the Data Controller. This includes entities such as third-party service providers, cloud providers, or marketing agencies.
Sub-processor: A third party engaged by the Processor to carry out specific processing activities on behalf of the Data Controller. The Processor remains responsible for the sub-processor's compliance with data protection obligations.
Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes, by which they signify agreement to the processing of their personal data.
Data Protection Impact Assessment (DPIA): A process used to assess the potential risks to data subjects' rights and freedoms when initiating new processing activities involving personal data. This is required for high-risk processing activities.
Data Subject Rights: The rights granted to individuals under the UK GDPR, including the right to access, rectify, erase, restrict, object to processing, and port their data.
Lawful Basis: One of the seven legal grounds under the UK GDPR on which personal data may be processed, which include consent, contract, legal obligation, vital interests, public task, legitimate interests, and recognised legitimate interests (introduced by the Data (Use and Access) Act 2025); processing must have a valid lawful basis in place before it begins.
Supervisory Authority: An independent public authority responsible for monitoring the application of data protection law. In the United Kingdom, this is the Information Commissioner's Office (ICO).
Data Breach: A security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.
Data Sharing Agreement (DSA): The formal agreement between Grofar and the Data Controller (your institution) that governs the terms on which personal data is shared and processed. This policy forms the framework for that agreement.

Who this policy applies to

This Policy applies to the following individuals, as applicable:

Students: Students who use the Grofar Software Platform.
Applicants: Prospective students who have submitted applications via the Data Controller's website.
Staff members: Staff who are users of the Grofar Software Platform, typically including but not limited to work experience coordinators, careers advisers, tutors, employer engagement teams and curriculum staff who will access the platform.
Parents/Guardians or Carers: Who will provide emergency contact details and provide consent for students under the age of 18.
Businesses/Business Contacts: Whose information has been added to the system by the Data Controller (our customer) as a point of interest, i.e. potential or existing partnership.

Grofar will have entered into an agreement with the Data Controller (your Institution). It should be noted that the Data Controller is in full control of which records they transfer from the institution to Grofar and can limit the records to just those with a justifiable reason for inclusion.

1. Information we process on behalf of the Data Controller and legal basis for doing so

As a Data Processor acting on behalf of the Institution (Data Controller) we process certain types of personal data that are provided by the Data Controllers and individuals who use the system. This includes, but is not limited to:

Collection: We process personal data provided directly by the Data Controller, such as student, staff, parent and business-related data.
Storage: All information is encrypted and stored within a cloud-hosted database within the UK. Access to the database is restricted to the Grofar application and approved employees.
Use: We use the personal data solely under the instruction of the Data Controller.
Sharing: We only share personal data with authorised parties in accordance with the Data Controller's instructions and applicable laws.
Processing: We process personal data for specific tasks requested by the Data Controller.
Retention: We retain personal data only for the duration necessary to fulfil the purpose outlined by the Data Controller and in accordance with their data retention policy.

If you are a student:

This section is addressed to students. If you are reading this as a school or college administrator, this section explains how Grofar processes student data on your behalf.

As a Data Processor on behalf of your Institution, Grofar may process:

Account Information: User account details such as usernames, email, and other authentication data necessary for logging into the system.
Student Activity: Any personal data provided by you, within the Grofar Software Platform. This may include, but is not limited to, text, video, photos, personal observations, or any other data entered while using the Grofar Software Platform.

We process this data solely on behalf of the Data Controller (your Institution) and to provide the service, as outlined in our agreement with them.

Student data:

It should be noted that the Data Controller is in full control of which records they transfer from the institution to Grofar, and can limit the records to just those with a justifiable reason for inclusion.

Data		Why	Legal Basis
School	College	Why	Legal Basis
Forename Surname Middle name Display name Admission Number Gender Date of Birth Registration group membership Year group membership House group membership UPN (Unique Pupil Number) ULN (Unique Learner Number) Educational and Health Care Plan Enrolment status SEN Provision FSM eligible Pupil premium EAL YSSA Uniform allowance Parental salutation Address Email communications Student photo Student timetable Ethnicity Religion or belief National identity First language and home language Legal name Mode of travel Sibling relationships Parent/carer relationship information SSO identity tokens (Azure AD and Google) Consent record Age band	Student ID Surname Forename Date of Birth Gender Telephone Email Tutor Campus Educational and Health Care Plan Special Educational Needs Learning difficulties Course memberships & enrolments Full postal address SSO identity tokens (Azure AD and Google) Consent record Age band	To allow your Institution (Data Controller) to support you in your careers or work placement journey.	Grofar processes this data on the instructions of the Data Controller. The Data Controller is responsible for determining the lawful basis under UK GDPR.
Alumni/Destination details		To help your Institution review and compare how students are going into meaningful destinations against government guidelines.	The Department for Education requires that your school and college contact student leavers to provide insights into the overall success of the institution.
Placements Timesheets Assignments Activity Calendar Applications About you Activities/evidence you have uploaded to your Passport Assessments Feedback Targets Technical Skills Saved Jobs Courses/Qualifications/Achievements Generated CV or online profile Work experience & Extra-Curricular Career Categories References Action Plan Meeting notes Email Communication		To support your school and college (Data Controller) in providing career guidance and work placement support.	Grofar processes this data on the instructions of the Data Controller. The Data Controller is responsible for determining the lawful basis under UK GDPR.

If you are an applicant:

This section is addressed to applicants. If you are reading this as a college administrator, this section explains how Grofar processes applicant data on your behalf.

As a Data Processor on behalf of your prospective Institution, to which you are applying, Grofar may process:

Applicant Activity: Any personal data provided, via the application form.

We process this data solely on behalf of the Data Controller (your prospective Institution) and for the purpose of providing the service, as outlined in our agreement with them.

Applicant data:

College Data	Why	Legal Basis
First name Middle name Last name Preferred name Gender National Insurance Number Ethnicity Email Mobile Postal address Learning difficulties - or disabilities	To allow your prospective Institution (Data Controller) to process applications.	Grofar processes this data on the instructions of the Data Controller. The Data Controller is responsible for determining the lawful basis under UK GDPR.
Skillset Hobbies/Interests Criminal Conviction Disclosure (including unspent convictions and unspent serious criminal convictions) Qualifications Current/most recent education institution Employment history Nationality Residency eligibility Full driving licence Feeder school Adult Education Budget eligibility Care leaver status Carer status Receipt of income support or disability allowance College support requirements Access arrangements for exams Contact preferences	To allow your prospective Institution (Data Controller) to evaluate and process applications appropriately.	Grofar processes this data on the instructions of the Data Controller. The Data Controller is responsible for determining the lawful basis under UK GDPR.
Emergency contact information: Parent/guardian/next of kin First name Last name Relationship to student Mobile Emergency contact home telephone number Email Postal address	To enable contact information for your prospective Institution (Data Controller) in case of emergencies.	Vital interests of the data subject and to fulfil contractual obligations with your prospective Institution (Data Controller).
Referee Name Relationship Postal address Referee email address	To allow your prospective Institution (Data Controller) to verify applicant information.	Grofar processes this data on instruction from the Data Controller. The Data Controller is responsible for determining the lawful basis under UK GDPR.

If you are a staff member:

This section is addressed to staff members. If you are reading this as a school or college administrator, this section explains how Grofar processes staff data on your behalf.

As a Data Processor on behalf of your Institution, Grofar may process:

Account Information: User account details for staff, including usernames and other authentication data necessary to log in and access the Grofar Software Platform.
Staff Activity Data: Any data provided by the staff member within the Grofar Software Platform.

We process this data solely on behalf of your Institution (Data Controller) and for the purpose of providing the service, as outlined in our agreement with them.

Staff data:

It should be noted that the Data Controller is in full control of which records they transfer and can limit the records to just those with a justifiable reason for inclusion.

Data		Why	Legal Basis
School	College	Why	Legal Basis
Staff code Forename Surname Middle name Display name Gender Work email Work phone Date of Birth Staff member classification Staff member photo School timetable information SSO identity tokens (Azure AD and Google) Consent record	First name Last name Job title Email Reference number Gender SSO identity tokens (Azure AD and Google) Consent record	This allows you to log into the system, based on the details provided by your Institution (Data Controller). Staff typically includes Work Experience Coordinators and Careers Advisers who will be logging in to maintain the records and Tutors and Curriculum Staff who will access the system to monitor students' progress.	Grofar processes this data on the instructions of the Data Controller. The Data Controller is responsible for determining the lawful basis under UK GDPR.
Meeting notes Activities Tasks User role Assessments Email communication		To enable staff to record and monitor student/learner progress.	Grofar processes this data on the instructions of the Data Controller. The Data Controller is responsible for determining the lawful basis under UK GDPR.

If you are a primary contact (parent/guardian/carer)

This section is addressed to parents, guardians, and carers. If you are reading this as a school or college administrator, this section explains how Grofar processes primary contact data on your behalf.

As a Data Processor on behalf of your Institution, Grofar may collect certain types of personal data.

Contact information: Contact information provided by the Institution (Data Controller).

Primary contact (parent/guardian/carer) data:

It should be noted that the Data Controller is in full control of which records they transfer and can limit the records to just those with a justifiable reason for inclusion.

Data	Why	Legal Basis
Forename Surname Display name Relationship Work email Home email Mobile phone	Forename Surname Title Home phone Mobile phone Email Relationship	To enable consent to be obtained for students under 18. Provides emergency contact information.	Grofar processes this data on the instructions of the Data Controller. The Data Controller is responsible for determining the lawful basis under UK GDPR.

Data

Why

Legal Basis

School

College

Forename
Surname
Display name
Relationship
Work email
Home email
Mobile phone

Forename
Surname
Title
Home phone
Mobile phone
Email
Relationship

To enable consent to be obtained for students under 18.

Provides emergency contact information.

Grofar processes this data on the instructions of the Data Controller. The Data Controller is responsible for determining the lawful basis under UK GDPR.

If you are a business:

This section is addressed to businesses and their contacts. If you are reading this as a school or college administrator, this section explains how Grofar processes business data on your behalf.

As a Data Processor we act on behalf of the Educational Institution (Data Controller) and process certain types of business-related data for the purpose of providing the service, as outlined in our agreement with them.

Business Information: We process business-related data, that has been added to the system by the Educational Institution (Data Controller) as a point of interest, i.e. potential or existing partnership.
Business Contacts: We may process personal data of stakeholders who are associated with the business (employees, managers etc.).
Business Activity: Records of communication between the Educational Institution staff members (Data Controller) and business contacts.

As a Data Processor, we do not make decisions about the purposes or means of processing business data. Instead, we act under the instructions of the Educational Institution (Data Controller) and only process the data as necessary to provide the agreed contracted services.

Business data:

It should be noted that the Educational Institution (Data Controller) can create custom fields within the Grofar Software Platform, which we process on behalf of the Data Controller. The Institution (Data Controller) is in full control of which records they transfer from the institution to Grofar and can limit the records to just those with a justifiable reason for inclusion.

Data	Why	Legal Basis
Business name Business owner Company registration number Employer reference number Website Profile Industry sector Company size Public Liability Public Liability amount Public Liability policy number Public Liability expiry date Employer Liability Insurance Employer Liability Insurance amount Employer Liability Insurance policy number Employer Liability Insurance expiry date Employer Liability Insurance issuer name Department ID Grofar Internal Department ID Department name Is primary department Department phone Department DBS check is required Department higher risk assessment required Do not contact department Department Address Department postcode Department Health and Safety checked Department Health and Safety checked date Department Health and Safety expired date Contact ID Grofar internal contact ID Main contact email Main contact phone Main contact title Main contact name Main contact gender Main contact job title Is primary contact Is department primary contact Is Health and Safety contact Department has Employer Liability Insurance Department has Employer Liability amount Department has Employer Liability policy number Department has Employer Liability expired date Department has Employer Liability Insurance issuer name Business contacts Contact name Contact gender Contact title Contact email Contact telephone Contact address Contact job title Contact is primary Contact is H&S Individual contact preferences Social media and other website links Custom fields for individual contacts Supervisor contact number Supervisor contact email	To allow the educational institution (Data Controller) to arrange engagements with employers.	Grofar processes this data on the instructions of the Data Controller. The Data Controller is responsible for determining the lawful basis under UK GDPR.
Business feedback on placements Notes about business Current work experience and activities Vacancies Activities where business has been in attendance Email communication Marketing communication	To allow the Institution (Data Controller) to facilitate work placements, careers activities and enrichments and analyse business engagement.	Grofar processes this data on the instructions of the Data Controller. The Data Controller is responsible for determining the lawful basis under UK GDPR.

2. How we process your data

As a Data Processor acting on behalf of the Data Controller (educational institution), we process personal data provided by the Data Controllers.

Data provided by Data Controllers

The Data Controller is responsible for determining the purposes and means of processing personal data, and we process this data on their behalf based on their instructions. We do not collect personal data directly from the individuals (such as students or staff) unless instructed to do so by the Data Controller.

Grofar personnel may access customer data where reasonably necessary for support, maintenance, troubleshooting, security monitoring, legal compliance, or at the documented request of the Data Controller. Access is restricted to authorised personnel and subject to appropriate confidentiality and access control measures.

Grofar maintains recognised information security certification and conducts regular independent security testing of its platform, including any AI features in scope.

Certain fields within the Grofar platform (including but not limited to Tags and Custom Fields) are free-text fields that are created and managed entirely by the institution as Data Controller. The institution as Data Controller bears responsibility for ensuring that content entered into any free-text field complies with applicable data protection law, including the UK GDPR and the Data Protection Act 2018.

Where required by the institution for funding or placement eligibility purposes, Grofar may process residency eligibility flags on behalf of the Data Controller. The institution as Data Controller is responsible for ensuring it holds an appropriate lawful basis for the collection and use of this information, including where it relates to nationality or immigration status.

Where applicants disclose criminal conviction information as part of an application, Grofar processes this data solely on the instructions of the institution as Data Controller. This may include unspent convictions and, where the role is linked to a regulated profession or is exempt from the Rehabilitation of Offenders Act 1974, spent convictions and serious criminal convictions as required for recruitment or registration purposes. The institution as Data Controller is responsible for ensuring it holds an appropriate condition under Schedule 1 of the Data Protection Act 2018 for the processing of this information, and for determining what disclosure is lawfully required of applicants.

All Grofar personnel authorised to process personal data on behalf of the Data Controller are subject to a contractual or statutory duty of confidentiality. This obligation applies to all staff, including temporary and agency workers, and remains in force after the end of their engagement with Grofar.

Schools:

Information is extracted from the school Management Information System (MIS) using either CSV export or Groupcall's industry-leading and secure Xporter software. The data is securely uploaded to Grofar using industry-standard SSL encryption. A unique identifier configured by Grofar Ltd in Groupcall Xporter ensures that the information is linked to the correct customer account in Grofar. Groupcall Xporter accesses your school MIS system using credentials that the school provide and cannot access it without them.

Depending on the data made available by the Data Controller through the MIS integration, this may include student identity information, contact information, enrolment and group information, timetable information, parent/carer relationship information, additional support information, and demographic information such as ethnicity, language, religion or belief, and national identity. Some additional information may be received during the synchronisation process to match records, validate data, maintain links between records, or complete the import. Where this information is not required for the Grofar service, it is not routinely retained in the Grofar platform.

Colleges/Education Providers/Charity Organisations:

Information is extracted from the establishment's Management Information System (MIS) using either CSV export or the Grofar-supplied API, and securely transmitted to Grofar using HTTPS (SSL/TLS) encryption. A unique identifier configured by Grofar ensures that data is linked to the correct customer account. The Grofar API accesses the establishment's MIS using credentials provided by the institution and cannot access it without them. Transmitted data is further protected by a cloud-based enterprise firewall, OAuth 2.0 application authentication, strong database encryption, and data anonymisation where appropriate.

3. Data storage

All personal data processed by Grofar is encrypted at rest and stored within Microsoft Azure, hosted exclusively in UK data centres (UK South and UK West). Access to the database is restricted to the Grofar platform and authorised Grofar personnel only.

International data transfers

All personal data is stored in UK data centres. Limited sub-processors involved in platform delivery may, in limited circumstances, process operational data outside the UK as part of their standard service. Where this constitutes a restricted transfer under the UK GDPR and the Data Protection Act 2018, Grofar ensures that an appropriate safeguard is in place before any such transfer occurs. Depending on the destination country and the sub-processor involved, this will be either an adequacy decision (where the destination country has been recognised as providing an equivalent level of data protection to the UK) or a contractual safeguard approved under Article 46 UK GDPR.

All sub-processors are required to process personal data only in accordance with their published Data Protection Addendum or equivalent data processing terms, and are subject to contractual obligations to maintain appropriate technical and organisational measures to protect personal data. By accepting this policy, the Data Controller provides general authorisation for Grofar to engage sub-processors for the purposes of delivering the service. Grofar will notify Data Controllers of any material changes to sub-processor arrangements before they take effect. Grofar has conducted an appropriate internal assessment in respect of each such transfer.

4. Data security

Grofar undergoes independent penetration testing, carried out by a third-party provider, to verify the security of the platform and the data it holds.

Data breach notification

In the event of a personal data breach affecting data we process, Grofar has established comprehensive procedures for responding promptly and effectively. As a Data Processor we understand our obligation to notify Data Controllers without undue delay after becoming aware of a personal data breach and to provide reasonable assistance to support the Data Controller in meeting its own regulatory obligations.

We maintain a detailed Data Breach Policy that outlines:

Our procedures for detecting, reporting, and investigating a personal data breach
The information we will provide to Data Controllers to help them meet their UK GDPR obligations
Our timelines for notification and response
The measures we take to mitigate potential adverse effects.

Our Data Breach Policy is available upon request to our Data Controllers and is reviewed and updated regularly to ensure compliance with current regulations and best practices.

5. Data retention

Retention criteria

The retention period for personal data is determined by the following factors:

Purpose of Processing: Data will only be retained for as long as is necessary to achieve the specific purpose(s) for which it was collected and processed.
Legal and Regulatory Requirements: If any laws or regulations require the data to be kept for a specific period (e.g., tax records, employee records), data will be retained accordingly.
Contractual Obligations: Personal data may be retained for the duration of the contractual relationship with the Data Controller, together with any reasonably necessary period for post-contractual activities, dispute resolution, audit, or legal compliance purposes.
Data Minimisation: We ensure that the personal data retained is only what is necessary for the specified purpose, and that it is reviewed regularly to determine if it is still required.

Retention period

Unless otherwise specified by the Data Controller, we will retain personal data for students, parents, business, staff, alumni and applicants for a period of 5 years once the record has been archived. This period is set to ensure that we can meet the purposes for which the data was collected, while also complying with legal, regulatory, and contractual obligations.

Standard Retention Period: Data will typically be retained as previously stated, unless the Data Controller requests a longer or shorter retention period, or if legal requirements mandate a different retention duration.
Extension or Shortening of Retention Period: If the Data Controller requests a different retention period or has specific legal or business needs, we will comply with those requests.

6. Data deletion

Once the retention period has expired, the data is no longer needed for the specified purposes, or a deletion request is submitted, we will securely delete the data.

Exceptions to deletion

As a Data Processor, we will follow the instructions provided by the Data Controller regarding the deletion of personal data. However, there may be situations where data cannot be deleted immediately due to legal or contractual obligations, including but not limited to:

Legal Requirements: We may be required to retain certain personal data due to applicable laws, regulations, or industry standards (e.g., tax, financial reporting).
Contractual Obligations: If specified in the data processing agreement with the Data Controller, we may be required to retain data for specific periods to fulfil our contractual obligations.
Ongoing Processing: Data may need to be retained if the processing agreement with the Data Controller requires ongoing processing for the ongoing contractual or legal obligations.

7. Return of data upon contract termination

Upon termination of our contract with the Data Controller, Grofar will, at the choice of the Data Controller:

Return personal data processed on behalf of the Data Controller in a structured, commonly used, and machine-readable format; or
Securely delete personal data processed on behalf of the Data Controller, unless retention is required by applicable law.

The Data Controller makes this choice after contract termination. If no instruction is received, we will proceed with secure deletion of all personal data, subject to any legal retention requirements.

All returned data will be provided via secure transfer methods and will include verification of completeness and integrity. Following return or deletion, we will provide written confirmation to the Data Controller that all personal data has been returned or securely destroyed, except where prohibited by law.

8. Data backups

Our system architecture is designed to ensure robust data protection and recovery capabilities. All customer data is securely stored on a unified Azure platform. This integrated approach means that our backups are comprehensive snapshots of all customer data at a given point in time.

To maintain the integrity and reliability of our backups, and to comply with our stringent business continuity and disaster recovery protocols, we do not modify these snapshots by extracting or deleting individual data segments.

In accordance with the ICO's Right to Erasure guidelines, the data contained within backups is put 'beyond use' and is securely retained solely for the purposes of compliance and recovery. Due to the dynamic nature of our operations and the high frequency of data input from customers, restoring a backup is reserved for extreme cases where significant data loss must be mitigated.

The retention policies for our encrypted backups stored within Azure are:

Point-in-time backups: Retained for 7 days.
Long-term recovery backups:
- Weekly: Retained for up to 4 weeks.
- Monthly: Retained for up to 12 months.
- Annual: Retained for up to 3 years.

9. Data collection and use of cookies

Grofar uses cookies to enhance user experience and ensure proper functioning of our platform:

For students (under 18):

We use Google Analytics cookies to collect anonymous usage data.
Essential session cookies are used to maintain the user's login status and enable core platform functionality.
Intercom cookies are used to facilitate access to our student support centre, which provides help articles and a contact widget for submitting messages to the Grofar support team. These cookies also enable usage tracking to help us improve the platform experience.

For staff members:

We use Google Analytics cookies for usage data collection.
Essential session cookies are used to maintain the user's login status and enable core platform functionality.
We use Microsoft Clarity cookies for analytics and usability monitoring.
Intercom cookies are used to facilitate access to our staff support centre, in-platform chat, product guidance features, and an optional AI-powered support assistant (powered by Fin AI). These cookies enable support interactions, in-app messaging, and usage tracking to help us improve the platform experience.

Note: We do not use Microsoft Clarity or any similar advanced tracking technologies on any websites or applications that target users under the age of 18. As a matter of good practice, and consistent with the principles of the ICO's Children's Code (Age Appropriate Design Code), Grofar applies higher standards of protection to the processing of personal data relating to children and young people. Where our platform is likely to be accessed by users under the age of 18, we assess and mitigate risks to their privacy by design, apply data minimisation principles, and restrict the use of tracking and profiling technologies accordingly. Our commitment to protecting children's privacy means we apply stricter standards to platforms and sections of our service that are designed for or likely to be accessed by minors.

The essential cookies we use are necessary for the correct functioning of our applications, including user authentication and maintaining your session while using the platform. Without these cookies, the platform cannot function effectively.

Cookie consent and management

When we use cookies and similar technologies, we apply the following principles:

Transparency: We provide clear information about the cookies we use and their purpose in this policy and through our cookie banner.
Consent: We obtain appropriate consent before implementing non-essential cookies on users' devices.
Control: The ability for users to manage cookies depends on the cookie type and where it is set.
1. Essential session cookies (used for login and core platform functionality) are necessary for the platform to operate and cannot be disabled without preventing access to the platform.
2. Google Analytics and Microsoft Clarity cookies (staff only) collect anonymised usage data; users who wish to opt out of Google Analytics tracking may do so via the Google Analytics Opt-out Browser Add-on at https://tools.google.com/dlpage/gaoptout.
3. Intercom cookies support our in-platform help centre and support chat and can be blocked via browser settings, though doing so will affect access to support features.
4. The Grofar cookie banner at www.grofar.com controls cookies on our external marketing website only and does not apply to cookies set within the Grofar platform. Further information about cookies on the Grofar marketing website is available in our Cookies Policy.
Data Protection: All data collected through cookies is processed in accordance with the data protection principles outlined in this policy, including data minimisation and purpose limitation.

For information about cookies on the Grofar marketing website (www.grofar.com), including analytics and advertising cookie preferences, please refer to our Grofar Website Cookies Policy.

10. Other data we collect as a Data Controller

This policy outlines how we process personal data strictly on behalf of our customers, in our role as a Data Processor. However, we also collect and process personal data for our own business purposes, including sales and marketing activities, data analytics, and interactions with individuals via support contacts or prospective customers. For more information on how we handle this data in our role as a Data Controller, please refer to our Grofar Privacy Policy.

11. Use of Artificial Intelligence

This section explains how artificial intelligence (AI) is used within the Grofar platform and the safeguards that apply.

Where an institution activates an AI feature developed and deployed by Grofar within its own platform, the institution as Data Controller is responsible for ensuring that data subjects are informed that AI tools are in use, in accordance with their obligations under Articles 13 and 14 of the UK GDPR. Grofar will provide institutions with sufficient information about the nature and scope of any AI feature to enable them to meet this obligation.

Grofar uses AI only as a processor acting on the instructions of the Data Controller. The institution's existing lawful basis for processing personal data covers AI processing carried out within the scope of the original purpose for which the data was collected, provided that processing does not constitute a new or incompatible purpose under UK GDPR.

AI features developed by Grofar

Grofar may, from time to time, introduce AI features that are developed and deployed by Grofar within its own platform, to assist staff in their work. Such features may analyse data already held within the platform, such as interaction records, placement data, or activity histories, for purposes consistent with the original reason that data was collected, for example to support employer engagement, placement management, or careers guidance.

Any AI feature that processes personal data held by the institution will be subject to the following conditions before it is made available:

A Data Protection Impact Assessment will be completed.
The feature will be opt-in at institution level.
No such AI feature involving personal data will be enabled without the institution actively choosing to activate it.
Institutions will be notified in advance of any new AI feature of this kind that involves personal data.

The following safeguards will apply to all AI features developed and deployed by Grofar:

Data minimisation: AI features are designed to use the minimum data necessary for their purpose. As Grofar develops new AI functionality, our approach is to build AI models to operate on indexed data held separately from the core platform database, without personal details, so that personal data held by the institution is not directly passed to or accessible by the AI model.
No model training: Customer personal data processed through Grofar's AI features is not used to train foundation AI models.
Human oversight: AI outputs are advisory only. No AI feature within the Grofar platform produces a solely automated decision with legal or similarly significant effects on a student, applicant, or staff member. Where AI generates a suggestion or recommendation, a staff member makes the final decision.
Scope: All AI processing is scoped to the data of the specific institution. Data from one institution is never used in AI processing for another institution.

Additional safeguards for student-facing features

Where any AI feature is designed to be accessed directly by students, the following additional requirements will be met before that feature is made available:

Safeguarding escalation: a defined process will be in place for identifying and escalating disclosures of sensitive information, including safeguarding concerns, to the institution's designated safeguarding lead.
Equality impact assessment: Grofar will complete an equality impact assessment to identify and mitigate risks of bias or unfair outcomes, including for learners with protected characteristics.
Accuracy and correction: a defined route will be in place for students, parents, and staff to identify and challenge inaccurate AI-generated output, with human review required before any AI-generated content becomes part of a permanent record.

All of the above will be documented and made available to the institution as part of the opt-in activation process.

AI model provider

Grofar currently uses Microsoft Azure OpenAI as its AI model provider, hosted in UK data centres. Prompts and completions are not used to train foundation models and are not shared with any other third party.

Automated decision-making

Grofar does not use solely automated decision-making, as defined under Articles 22A to 22D of the UK GDPR as amended by the Data (Use and Access) Act 2025, in any way that produces legal or similarly significant effects on individuals.

Any future AI development will be designed and assessed to ensure compliance with those provisions, including the requirement for meaningful human involvement in any significant decision affecting a data subject.

12. Assistance with data subject rights requests

As a Data Processor, Grofar assists Data Controllers in fulfilling data subject rights requests under UK GDPR. When we receive a data subject rights request directly, we will:

Forward the request to the relevant Data Controller without undue delay.
Provide reasonable assistance to help the Data Controller respond within required UK GDPR timeframes.
Supply personal data in formats that enable Data Controllers to fulfil their obligations.

Types of assistance provided

We assist with access, rectification, erasure (subject to legal retention requirements), data portability (in structured, machine-readable formats), and processing restrictions as instructed by the Data Controller.

We respond to Data Controller requests without undue delay. For complex requests, we will notify the Data Controller and provide regular updates on progress.

All assistance is provided at no additional cost unless requests are manifestly unfounded, excessive, or repetitive, in which case reasonable charges may apply.

Grofar will also make available to Data Controllers all information reasonably necessary to demonstrate compliance with its obligations as a Data Processor under UK GDPR, and will support audits or inspections conducted by or on behalf of the Data Controller, subject to reasonable notice and agreement on scope and confidentiality.

13. Email campaign functionality

Where an Institution uses Grofar's campaign email functionality, Grofar acts as Data Processor and processes campaign email data strictly in accordance with the Institution's instructions. The Institution, as Data Controller, is responsible for ensuring that communications sent via the platform comply with applicable data protection and electronic communications law.

Email tracking

Grofar's platform uses SendGrid to deliver transactional and campaign emails on behalf of institutions. The following tracking features are enabled on all outbound emails sent via the platform and cannot be disabled, as they are integral to the campaign reporting functionality available to institutions:

Open tracking: Grofar records when a recipient opens an email sent via the platform.
Click tracking: Grofar records when a recipient clicks a link within an email sent via the platform.

This data is processed for email delivery, platform administration, deliverability management, and reporting functionality made available to institutions through the platform, and is processed under a data processing agreement with SendGrid.

14. Your rights

As a Data Processor, we process personal data on behalf of our customers, who are the Data Controllers. The Data Controllers determine the purposes and means of processing personal data. However, we want to ensure that individuals (Data Subjects) are aware of their rights under the UK GDPR. Depending on the circumstances and the lawful basis relied upon by the Data Controller, individuals may have rights under UK GDPR including the right to: access personal data held about them; request rectification of inaccurate or incomplete personal data; request erasure of personal data in certain circumstances; restrict or object to processing; receive a copy of personal data in a portable format where applicable; and, in relation to solely automated decision-making that produces legal or similarly significant effects, to receive information about the decision, to make representations, to obtain human intervention in the decision, and to contest the outcome.

15. How to contact us

As Grofar acts as a Data Processor, your personal data is held and managed on behalf of your institution (the Data Controller). To exercise your data protection rights, or if you have a concern about how your personal data has been handled, you should contact your institution in the first instance, as they are responsible for determining how your data is used and for responding to data protection complaints.

If you are unsure how to contact your institution, please contact us and we will forward your request to the appropriate Data Controller. If your complaint relates specifically to Grofar's actions as a processor, please contact us directly:

Email: dataprotection@grofar.com
Phone: 0117 315 5261
Postal Address: Walden House, Foxcombe Road, Boars Hill, Oxford, OX1 5DL.
Information Commissioner's Office (ICO) number: ZA147283

If you remain dissatisfied following contact with your institution or with Grofar, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), detailed in the Complaints section of this policy.

16. Complaints

If you believe that your personal data has been processed unlawfully or that your data protection rights have not been respected, you have the right to complain directly to the Data Controller (your institution), which is required to operate a formal complaints procedure. You also have the right to lodge a complaint or seek advice from the Information Commissioner's Office (ICO).

The Office of the Information Commissioner,

Wycliffe House,

Water Lane,

Wilmslow,

Cheshire,

SK9 5AF

Tel: 0303 123 1113

Website: www.ico.org.uk

17. Policy information

This Policy has been approved and authorised by:

Name:

Abbie Pullman

Position:

Managing Director

Version:

3.0

Published:

June 2026

Review:

June 2027

This policy is reviewed annually to ensure continued compliance with data protection regulations and to reflect any changes in our data processing practices.