Data Protection and Sharing Policy – June 2025

About us

Grofar is a company registered in England and Wales under company number 09505988, whose registered address is at Walden House, Foxcombe Road, Boars Hill Oxford OX1 5DL.

At Grofar, we value your privacy and are committed to protecting your personal information. This Privacy Policy explains how we process, use, and share your information when acting as a Data Processor on behalf of our customers (Data Controllers).

Document Aims

This document details the data objects and items that are shared, the use of, use by, storage and storage duration, safeguarding and security of the data that your establishment will share with Grofar Ltd. This information provides a framework for our Data Sharing Agreement (DSA) with you. The Data Protection and Sharing Policy is an important document that supports our joint obligation to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the requirements of the Information Commissioner’s Office (ICO). To use Grofar your organisation must understand and formally accept this agreement.

GDPR Definitions

Personal Data: Any information relating to an identified or identifiable natural person. This can include names, contact details, identification numbers, location data, or other factors that can identify a person either directly or indirectly.
Sensitive Personal Data (Special Categories of Data): Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, health data, data concerning a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses.
Processing: Any operation or set of operations performed on personal data or sets of personal data. This includes collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
Data Subject: An identified or identifiable natural person whose personal data is being processed. This can include employees, customers, clients, or any individual whose personal data is held by the organisation.
Controller: The organisation (or individual) that determines the purposes, conditions, and means of processing personal data. In this case, your institution acts as the Data Controller.
Processor: A third party that processes personal data on behalf of the Data Controller. This includes entities such as third-party service providers, cloud providers, or marketing agencies.
Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which they signify agreement to the processing of their personal data.
Data Protection Impact Assessment (DPIA): A process used to assess the potential risks to data subjects' rights and freedoms when initiating new processing activities involving personal data. This is required for high-risk processing activities.
Data Subject Rights: The rights granted to individuals under the GDPR, including the right to access, rectify, erase, restrict, object to processing, and port their data.
Supervisory Authority: An independent public authority established by an EU member state to monitor the application of data protection laws. For the UK, it is the Information Commissioner’s Office (ICO). For other EU member states, it would be the respective national authority.
Data Breach: A security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Who this policy applies to:

This Policy applies to the following individuals, as applicable:

Students: Students who use the Grofar Software Platform.
Applicants: Prospective students who have submitted applications via the Data Controller’s website.
Staff members: Staff who are users of the Grofar Software Platform, typically including but not limited to work experience coordinators, careers advisers, tutors, employer engagement teams and curriculum staff who will access the platform.
Parents/Guardians or Carers: Who will provide emergency contact details and provide consent for students under the age of 18.
Businesses/Business Contacts: Whose information has been added to the system by the Data Controller (our customer) as a point of interest, i.e. potential or existing partnership.

Grofar will have entered into an agreement with the Data Controller (your Institution). It should be noted that the Data Controller is in full control of which records they transfer from the institution to Grofar and can limit the records to just those with a justifiable reason for inclusion.

1. Information we process on behalf of the Data Controller and legal basis for doing so

As a Data Processor acting on behalf of the Institution (Data Controller) we process certain types of personal data that are provided by the Data Controllers and individuals who use the system. This includes, but is not limited to:

Collection: We process personal data provided directly by the Data Controller, such as student, staff, parent and business-related data.
Storage: All information is encrypted and stored within a cloud-hosted database within the UK. Access to the database is restricted to the Grofar application and approved employees.
Use: We use the personal data solely under the instruction of the Data Controller.
Sharing: We only share personal data with authorised parties in accordance with the Data Controller’s instructions and applicable laws.
Processing: We process personal data for specific tasks requested by the Data Controller.
Retention: We retain personal data only for the duration necessary to fulfil the purpose outlined by the Data Controller and in accordance with their data retention policy

If you are a Student:

As a Data Processor on behalf of your Institution, Grofar may process:

Account Information: User account details such as usernames, email, and other authentication data necessary for logging into the system.
Student Activity: Any personal data provided by you, within the Grofar Software Platform. This may include, but is not limited to, text, video, photos, personal observations, or any other data entered while using the Grofar Software Platform.

We process this data solely on behalf of the Data Controller (your Institution) and to provide the service, as outlined in our agreement with them.

Student Data:

It should be noted that the Data Controller is in full control of which records they transfer from the institution to Grofar, and can limit the records to just those with a justifiable reason for inclusion.

Data		Why	Legal Basis
School	College	Why	Legal Basis
Forename Surname Middle Name Display Name Admission No Gender Registration Group Membership Year Group Membership House Group Membership UPN (Unique Pupil Number) Date of Birth ULN (Unique Learner Number) Educational and Health Care Plan Enrolment Status SEN Provision FSM Eligible Pupil Premium EAL YSSA Uniform Allowance Parental Salutation Address Email Communications Student Photo Student Timetable Email Communications Student Photo Student Timetable	StudentID Surname Forename Date of Birth Gender Telephone Email Tutor Campus Educational and Health Care Plan Special Educational Needs Learning Difficulties Course Memberships & Enrolments	To allow your Institution (Data Controller) to support you in your careers or work placement journey.	Allows us to fulfil the terms set in the service agreement and provide the necessary support to assist our customers (your Institution) in achieving their objectives.
Alumni/Destination Details		To help your Institution review and compare how students are going into meaningful destinations against government guidelines.	The Department of Education requires that your school and college contact student leavers to provide insights into the overall success of the institution.
Placements Timesheets Assignments Activity Calendar Applications About you Activities/evidence you have uploaded to your Passport Assessments Feedback Targets Technical Skills Saved Jobs Courses/Qualifications/Achievements Generated CV or online profile Work experience & Extra-Curricular Career Categories References Action Plan Meeting notes Email Communication		To support your school and college (Data Controller) in providing career guidance and work placement support.	Allows us to fulfil the terms set in the service agreement and provide the necessary support to your Institution (Data Controller) in achieving the objectives.

If you are an Applicant:

As a Data Processor on behalf of your prospective Institution, to which you are applying, Grofar may process:

Applicant Activity: Any personal data provided, via the application form.

We process this data solely on behalf of the Data Controller (your prospective Institution) and for the purpose of providing the service, as outlined in our agreement with them.

Applicant Data:

Data	Why	Legal Basis
First name Middle Name Last Name Preferred Name Gender National Insurance Number Ethnicity Email Mobile Postal Address Learning difficulties – or disabilities	To allow your prospective Institution (Data Controller) to process applications.	Allows us to fulfil the terms set in the service agreement and provide the necessary support to assist your prospective Institution (Data Controller) in achieving their objectives.
Skillset Hobbies/Interests Criminal Conviction Disclosure Qualifications Current/most recent Education Institution Employment History	To allow your prospective Institution (Data Controller) to evaluate and process applications appropriately.	Allows us to fulfil the terms set in the service agreement and support your prospective Institution (Data Controller) to process applications.
Emergency contact information: Parent/guardian/ next of kin First Name Last Name Relationship to student Mobile Email Postal Address	To enable contact information for your prospective Institution (Data Controller) in case of emergencies.	Vital interests of the data subject and to fulfil contractual obligations with your prospective Institution (Data Controller)
Referee Name Relationship Postal Address	To allow your prospective Institution (Data Controller) to verify applicant information	Allows us to fulfil the terms set in the service agreement and legal obligations of your prospective Institution (Data Controller) to verify information provided.

If you are a Staff Member:

As a Data Processor on behalf of your Institution, Grofar may process:

Account Information: User account details for staff, including usernames and other authentication data necessary to log in and access the Grofar Software Platform.
Staff Activity Data: Any data provided by the staff member within the Grofar Software Platform.

We process this data solely on behalf of your Institution (Data Controller) and for the purpose of providing the service, as outlined in our agreement with them.

Staff Data:

It should be noted that the Data Controller is in full control of which records they transfer and can limit the records to just those with a justifiable reason for inclusion.

Data		Why	Legal Basis
School	College	Why	Legal Basis
Staff Code Forename Surname Middle Name Display Name Gender Work Email Work Phone Date Of Birth Staff member classification Staff member Photo School Timetable information	FirstName LastName Job Title Email Reference Number	This allows you to log into the system, based on the details provided by your Institution (Data Controller). Staff typically includes Work Experience Coordinators and Careers Advisers who will be logging in to maintain the records and Tutors and Curriculum Staff who will access the system to monitor students’ Progress.	Allows us to fulfil the terms set in the service agreement and provide the necessary support to assist your Institution (Data Controller) in achieving their objectives.
Meeting notes Activities Tasks User Role Assessments Email Communication		To enable staff to record and monitor student/learner progress	Allows us to fulfil the terms set in the service agreement and provide the necessary support to assist you and your Institution (Data Controller) in achieving their objectives.

If you are a Primary Contact (Parent/Guardian/Carer)

As a Data Processor on behalf of your Institution, Grofar may collect certain types of personal data.

Contact information: Contact information provided by the Institution (Data Controller).

Primary Contact (Parent/Guardian/Carer) Data:

It should be noted that the Data Controller is in full control of which records they transfer and can limit the records to just those with a justifiable reason for inclusion.

Data	Why	Legal Basis
Forename Surname Display Name Relationship Work Email Home Email Mobile Phone	Surname Forename Title HomePhone MobilePhone Email Relationship	To enable consent to be obtained for students under 18. Provides emergency contact information.	Allows us to fulfil the terms set in the service agreement and provide the necessary support to assist your Institution (Data Controller) in achieving their objectives.

Data

Why

Legal Basis

School

College

Forename
Surname
Display Name
Relationship
Work Email
Home Email
Mobile Phone

Surname
Forename
Title
HomePhone
MobilePhone
Email
Relationship

To enable consent to be obtained for students under 18.

Provides emergency contact information.

Allows us to fulfil the terms set in the service agreement and provide the necessary support to assist your Institution (Data Controller) in achieving their objectives.

If you are a Business

As a Data Processor we act on behalf of the Educational Institution (Data Controller) and process certain types of business-related data for the purpose of providing the service, as outlined in our agreement with them.

Business Information: We process business-related data, that has been added to the system by the Educational Institution (Data Controller) as a point of interest, i.e. potential or existing partnership.
Business Contacts: We may process personal data of stakeholders who are associated with the business (employees, managers etc.).
Business Activity: Records of communication between the Educational Institution staff members (Data Controller) and business contacts.

As a Data Processor, we do not make decisions about the purposes or means of processing business data. Instead, we act under the instructions of the Educational Institution (Data Controller) and only process the data as necessary to provide the agreed contracted services.

Business Data:

It should be noted that the Educational Institution (Data Controller) can create custom fields within the Grofar Software Platform, which we process on behalf of the Data Controller. The Institution (Data Controller) is in full control of which records they transfer from the institution to Grofar and can limit the records to just those with a justifiable reason for inclusion.

Data	Why	Legal Basis
Business Name Business Owner Company Registration Number Employer Reference Number Website Profile Industry Sector Company Size Public Liability Public Liability Amount Public Liability Policy number Public Liability Expiry Date Employer Liability Insurance Employer Liability Insurance Amount Employer Liability Insurance Policy Number Employer Liability Insurance Expiry Date Employer Liability Insurance Issuer Name Department ID Grofar Internal Department ID Department Name Is Primary Department Department Phone Department DBS Check is Required Department Higher Risk Assessment Required Do not contact department Department Address 1 Department Address 2 Department Address 3 Department Address Town Department Address Country Department Post Code Department Health and Safety Checked Department Health and Safety Checked Date Department Health and Safety Expired Date	To allow the Educational Institution (Data Controller) to arrange engagements with Employers.	Allows us to fulfil the terms set in the service agreement and provide the necessary support to assist the Institution (Data Controller) in following safeguarding guidelines i.e. Health and Safety, placement attendance etc.
Contact ID Grofar Internal Contact ID Main Contact email Main Contact Phone Main Contact Title Main Contact Name Main Contact Gender Main Contact Job Title Is primary Contact Is Department Primary Contact Is Health and Safety Contact Department Has Employer Liability Insurance Department Has Employer Liability Amount Department Has Employer Liability Policy number Department Has Employer Liability Expired Date Department Has Employer Liability Insurance Issuer Name Business Contacts Contact Name Contact Gender Contact title Contact Email Contact Telephone Contact Address Contact Job Title Contact is Primary Contact is H&S	To allow the Educational Institution (Data Controller) to arrange engagements with Employers.	Allows us to fulfil the terms set in the service agreement and provide the necessary support to assist the Institution (Data Controller) in following safeguarding guidelines i.e. Health and Safety, placement attendance etc.
Business feedback on placements Notes about business Current work experience and activities Vacancies Activities where business has been in attendance Email communication Marketing Communication	To allow the Institution (Data Controller) to facilitate work placements, careers activities and enrichments and analyse business engagement	Allows us to fulfil the terms set in the service agreement and provide the necessary support to assist the Institution (Data Controller) in achieving the objectives.

2. How we process your data

As a Data Processor acting on behalf of the Data Controller (educational institution) process personal data provided by the Data Controllers.

Data Provided by Data Controllers

The Data Controller is responsible for determining the purposes and means of processing personal data, and we process this data on their behalf based on their instructions. We do not collect personal data directly from the individuals (such as students or staff) unless instructed to do so by the Data Controller.

Schools:

Information is extracted from the school Management Information System (MIS) using either CSV load or Groupcall’s industry-leading and secure Xporter software. The data is securely uploaded to Grofar using industry-standard SSL encryption. A unique identifier configured by Grofar Ltd in Groupcall Xporter ensures that the information is linked to the correct customer account in Grofar. Groupcall Xporter accesses your school MIS system using credentials that the school provide and cannot access it without them.

Colleges/Education Providers/Charity Organisations:

Information is extracted from the establishment's Management Information System (MIS) using either CSV Import or the Grofar supplied API. The data is securely uploaded to Grofar using Industry standard SSL encryption. A Unique Identifier configured by Grofar Ltd ensures that the information is linked to the correct customer account in Grofar. The Grofar API accesses your MIS using credentials that you provide and cannot access it without them.

In summary, the data that is transmitted to us is protected from exposure using a cloud-based enterprise firewall, string SSL https encryption, OAuth 2.0 application authentication, strong database encryption, data anonymisation where appropriate. The Grofar building and offices have physical access control.

3. Data storage

Grofar ensures that our data storage and processing practices comply with the requirements of the Data Controller. All information is encrypted and stored within a cloud hosted database within the UK. Access to the database is restricted to the Grofar application and approved employees.

International Data Transfers

Grofar does not transfer personal data outside the United Kingdom. All data processing, including our database hosting on Microsoft Azure, is conducted within the UK.

4. Data security

Grofar undergoes independent penetration testing carried out by a third-party provider to ensure the security robustness of the application and data.

Data Breach Notification

In the event of a personal data breach affecting data we process, Grofar has established comprehensive procedures for responding promptly and effectively. As a Data Processor, we understand our obligation to notify Data Controllers without undue delay and where feasible within 72 hours after becoming aware of a personal data breach.

We maintain a detailed Data Breach Policy that outlines:

Our procedures for detecting, reporting, and investigating a personal data breach
The information we will provide to Data Controllers to help them meet their GDPR obligations
Our timelines for notification and response
The measures we take to mitigate potential adverse effects

Our Data Breach Policy is available upon request to our Data Controllers and is reviewed and updated regularly to ensure compliance with current regulations and best practices.

5. Data Retention

Retention Criteria

The retention period for personal data is determined by the following factors:

Purpose of Processing: Data will only be retained for as long as is necessary to achieve the specific purpose(s) for which it was collected and processed.
Legal and Regulatory Requirements: If any laws or regulations require the data to be kept for a specific period (e.g., tax records, employee records), data will be retained accordingly.
Contractual Obligations: Personal data may be retained for the duration of the contractual relationship with the Data Controller, plus including any necessary time for post-contractual activities
Data Minimisation: We ensure that the personal data retained is only what is necessary for the specified purpose, and that it is reviewed regularly to determine if it is still required.

Retention Period

Unless otherwise specified by the Data Controller, we will retain personal data for students, parents, business, staff, Alumni and Applicants for a period of 5 years once the record has been archived. This period is set to ensure that we can meet the purposes for which the data was collected, while also complying with legal, regulatory, and contractual obligations.

Standard Retention Period: data will typically be retained as previously stated, unless the Data Controller requests a longer or shorter retention period, or if legal requirements mandate a different retention duration.
Extension or Shortening of Retention Period: If the Data Controller requests a different retention period or has specific legal or business needs, we will comply with those requests as outlined in our agreement with the Data Controller.

6. Data Deletion

Once the retention period has expired, the data is no longer needed for the specified purposes, or a deletion request is submitted, we will securely delete the data.

Exceptions to Deletion

As a Data Processor, we will follow the instructions provided by the Data Controller regarding the deletion of personal data. However, there may be situations where data cannot be deleted immediately due to legal or contractual obligations, including but not limited to:

Legal Requirements: We may be required to retain certain personal data due to applicable laws, regulations, or industry standards (e.g., tax, financial reporting).
Contractual Obligations: If specified in the data processing agreement with the Data Controller, we may be required to retain data for specific periods to fulfil our contractual obligations.
Ongoing Processing: Data may need to be retained if the processing agreement with the Data Controller requires ongoing processing for the legitimate purposes of both parties.

7. Return of Data Upon Contract Termination

Upon termination of our contract with the Data Controller, Grofar will, at the choice of the Data Controller:

Return all personal data processed on behalf of the Data Controller in a structured, commonly used, and machine-readable format; or
Securely delete all personal data processed on behalf of the Data Controller, unless retention is required by applicable law.

The Data Controller must make this choice after contract termination. If no instruction is received, we will proceed with secure deletion of all personal data, subject to any legal retention requirements.

All returned data will be provided via secure transfer methods and will include verification of completeness and integrity. Following return or deletion, we will provide written confirmation to the Data Controller that all personal data has been returned or securely destroyed, except where prohibited by law.

8. Data Backups

Our system architecture is designed to ensure robust data protection and recovery capabilities. All customer data is securely stored on a unified Azure platform. This integrated approach means that our backups are comprehensive snapshots of all customer data at a given point in time.

To maintain the integrity and reliability of our backups, and to comply with our stringent business continuity and disaster recovery protocols, we do not modify these snapshots by extracting or deleting individual data segments.

In accordance with the ICO's Right to Erasure guidelines, the data contained within backups is put 'beyond use' and is securely retained solely for the purposes of compliance and recovery. Due to the dynamic nature of our operations and the high frequency of data input from customers, restoring a backup is reserved for extreme cases where significant data loss must be mitigated.

The retention policies for our encrypted backups stored within Azure are:

Point-in-time backups: Retained for 7 days.
Long-term recovery backups:
- Weekly: Retained for up to 4 weeks.
- Monthly: Retained for up to 12 months.
- Annual: Retained for up to 3 years.

9. Cookies

Use of Cookies and Consent Requirements.

Data Collection and Use of Cookies

Grofar Ltd uses cookies to enhance user experience and ensure proper functioning of our platform:

For Students (Under 18):

We use Google Analytics cookies to collect anonymous usage data. These analytics help us improve the platform's functionality and user experience specifically for younger users.
Essential session cookies are used to maintain your login status and enable core platform functionality.
Zendesk and Intercom cookies are used to facilitate customer support functionality and manage support interactions. These cookies help us maintain your session when accessing support resources and enable the proper operation of our support tools.

For Staff Members:

We use Google Analytics cookies for usage data collection.
Essential session cookies are used to maintain your login status and enable core platform functionality.
We use Microsoft Clarity cookies for more detailed analytics and session tracking.
Zendesk and Intercom cookies are used to facilitate customer support functionality and manage support interactions. These cookies help us maintain your session when accessing support resources and enable the proper operation of our support tools.

Important Note: We do not use Microsoft Clarity or any similar advanced tracking technologies on any websites or applications that target users under the age of 18. Our commitment to protecting children's privacy means we apply stricter standards to platforms and sections of our service that are designed for or likely to be accessed by minors.

The essential cookies we use are necessary for the correct functioning of our applications, including user authentication and maintaining your session while using the platform. Without these cookies, critical functionalities of our platform cannot operate effectively.

Cookie Consent and Management

In compliance with the UK GDPR:

Transparency: We provide clear information about the cookies we use and their purpose in this policy and through our cookie banner.
Consent: We obtain appropriate consent before placing non-essential cookies on users' devices.
Control: Users can manage their cookie preferences through our cookie banner on the Grofar website and their browser settings for the Grofar Software Platform. We provide information on how to do this in our Cookies Policy.
Data Protection: All data collected through cookies is processed in accordance with the data protection principles outlined in this policy, including data minimisation and purpose limitation.

For more detailed information on the specific cookies, we use, their purpose, and how to manage them, please refer to our full Cookies Policy.

10. Other Data We Collect as a Data Controller

This privacy policy outlines how we process personal data strictly on behalf of our customers, in our role as a Data Processor. However, we also collect and process personal data for our own business purposes, including sales and marketing activities, data analytics, and interactions with individuals via support contacts or prospective customers. For more information on how we handle this data in our role as a Data Controller, please refer to our Grofar Privacy Policy.

11. Assistance with Data Subject Rights Requests

As a Data Processor, Grofar assists Data Controllers in fulfilling data subject rights requests under GDPR. When we receive a data subject rights request directly, we will:

Forward the request to the relevant Data Controller without undue delay
Provide reasonable assistance to help the Data Controller respond within required GDPR timeframes
Supply personal data in formats that enable Data Controllers to fulfil their obligations.

Types of Assistance Provided

We assist with access, rectification, erasure (subject to legal retention requirements), data portability (in structured, machine-readable formats), and processing restrictions as instructed by the Data Controller.

We respond to Data Controller requests without undue delay. For complex requests, we will notify the Data Controller and provide regular updates on progress.

All assistance is provided at no additional cost unless requests are manifestly unfounded, excessive, or repetitive, in which case reasonable charges may apply as agreed in our data processing agreement.

Your Rights:

As a Data Processor, we process personal data on behalf of our customers, who are the Data Controllers. The Data Controllers determine the purposes and means of processing personal data. However, we want to ensure that individuals (Data Subjects) are aware of their rights under the General Data Protection Regulation (GDPR). You have the right to Access your data, Rectify, Erasure, restriction of processing, copy of your data, right to object, Not to Be Subject to Automated Decision-Making, withdraw consent.

Right to Lodge a Complaint

If you believe that your data protection rights have been violated, you have the right to lodge a complaint directly with the relevant Data Controller or with a supervisory authority such as the Information Commissioner's Office (ICO). For more information on how to file a complaint, please refer to the "Complaints" section of this policy.

13. How to contact us

As we are acting as a Data Processor, to exercise your rights under the GDPR, please contact the Data Controller directly. The Data Controller is the Institution or entity that has collected your personal data and determines how it is processed.

If you are unsure about how to contact the Data Controller, please reach out to us, and we will assist in facilitating your request by forwarding it to the appropriate Data Controller.

Our contact details are as follows:

Email: dataprotection@grofar.com
Phone: 0117 315 5261
Postal Address: Walden House, Foxcombe Road, Boars Hill Oxford OX1 5DL
Information Commissioners Office (ICO) number: ZA147283

We will forward any relevant requests to the appropriate Data Controller promptly.

14. Complaints

If you believe that your rights have been violated or that we are not processing your personal data in compliance with the GDPR, you have the right to lodge a complaint or seek advice from the Information Commissioner’s Office (ICO).

The Office of the Information Commissioner,

Wycliffe House,

Water Lane,

Wilmslow,

Cheshire,

SK9 5AF

Tel: +44 (0) 01625 545 745

Website: www.ico.org.uk

15. Policy Information

This Policy has been approved and authorised by:

Name:

Abbie Pullman

Position:

Managing Director

Date:

1st June 2025

Review:

1st June 2026

This policy is reviewed annually to ensure continued compliance with data protection regulations and to reflect any changes in our data processing practices.