Privacy Policy - June 2026

Grofar is a company registered in England and Wales under company number 09505988, whose registered address is at Walden House, Foxcombe Road, Boars Hill, Oxford, OX1 5DL.

Grofar Ltd is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, store, and share personal data in our role as a Data Controller, particularly for visitors to our website, sales and marketing communications, analytics, support services, financial operations, and other business-related activities. It reflects our obligations under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025.

For details about how we process data on behalf of our customers (schools or colleges) as a data processor, please see our Data Protection and Sharing Policy.

Data Protection

Data Protection Principles

We adhere to the following principles in accordance with UK GDPR:

  • Lawfulness, fairness, and transparency: We process personal data lawfully, fairly, and in a transparent manner.
  • Purpose limitation: Personal data is collected for specific, legitimate purposes and not processed in a manner that is incompatible with those purposes.
  • Data minimisation: We collect only the data necessary for the purposes we are processing it for.
  • Accuracy: We ensure that personal data is accurate and up to date.
  • Storage limitation: Personal data is stored only for as long as necessary for the purposes of processing.
  • Integrity and confidentiality: Personal data is processed securely to prevent unauthorised access, disclosure, alteration, or destruction.
  • Accountability: We take responsibility for our compliance with these principles and can demonstrate our compliance.

Data Protection Impact Assessments

In line with our commitment to data protection by design and default, Grofar conducts Data Protection Impact Assessments (DPIAs) when implementing new technologies or where processing is likely to result in a high risk to the rights and freedoms of individuals. We also review our data protection risks on an ongoing basis. These assessments help us identify and minimise data protection risks at an early stage.

UK GDPR Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person. This can include names, contact details, identification numbers, location data, or other factors that can identify a person either directly or indirectly.
  • Processing: Any operation or set of operations which is performed on personal data or on sets of personal data. This includes collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
  • Data Subject: An identified or identifiable natural person whose personal data is being processed. This can include employees, customers, clients, or any individual whose personal data is held by the organisation.
  • Controller: The organisation (or individual) that determines the purposes, conditions, and means of processing personal data. In this case, Grofar acts as the Data Controller.
  • Processor: A third party that processes personal data on behalf of the Data Controller. This includes entities such as third-party service providers, cloud providers, or marketing agencies.
  • Consent: Any freely given, specific, informed, and unambiguous indication of the data subject's wishes, by which they signify agreement to the processing of their personal data.
  • Data Protection Impact Assessment (DPIA): A process used to assess the potential risks to data subjects' rights and freedoms when initiating new processing activities involving personal data. This is required for high-risk processing activities.
  • Data Subject Rights: The rights granted to individuals under UK GDPR, including the right to access, rectify, erase, restrict, object to processing, and port their data.
  • Supervisory Authority: An independent public authority responsible for monitoring the application of data protection law. In the United Kingdom, this is the Information Commissioner's Office (ICO).
  • Data Breach: A security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Who this Policy applies to

This Policy applies to the following individuals when we act as a Data Controller:

  • Visitors/Sales enquiries: Anyone who visits the Grofar website and enquires about our products or services.
  • Marketing Communications: Individuals who enquire about our products/services or existing customers who wish to receive marketing information related to product updates.
  • Support Communications: Individuals who contact us for support or attend training and webinar sessions while using the Grofar Software Platform.
  • Customers: Educational institutions and individual staff members that use the Grofar Software Platform.

How we collect your personal information and legal basis for doing so

If you are a website visitor

When you visit our website, we collect the following types of information in accordance with UK GDPR.

  1. Communications Data: Any communications or interactions with our team, typically including but not limited to demonstration requests and any information included in contact forms submitted via our website.
  2. Technical Data: Data automatically collected as you use our website, such as your device's IP address, device type, operating system, and browser type. This also includes information collected through cookies and other tracking technologies.

For more detailed information on how we use cookies and other tracking technologies on our website, please refer to our Cookies Policy.

Website Visitor Data:

Data:
  • Your name
  • Your email address
  • Telephone number
  • Name of your establishment
Why: To fulfil or answer enquiries or requests from you regarding a demo and provide you with accurate and appropriate information about Grofar.
Legal Basis: Legitimate interests: responding to sales enquiries and promoting Grofar's services to prospective customers.

Data: Any information you include in any message to Grofar, either directly or via our contact form on our website
Why: Allows us to respond to any enquiries, feedback, concerns, or complaints from you and to improve the functionality and user experience of the website.
Legal Basis: Legitimate interests: responding to enquiries and improving our website and services.

Data: Cookies
Why: To enhance user experience, analyse site usage, and provide personalised content. Where cookies are non-essential, we obtain your consent before placing them, as required by the Privacy and Electronic Communications Regulations 2003 (PECR). You can manage your preferences via the Cookie Widget on our website.
Legal Basis: Consent (PECR): for non-essential cookies, including analytics. Strictly necessary cookies are exempt from consent requirements under PECR Regulation 6.

Marketing Communications

We collect personal information from individuals who express interest in receiving updates about our product and marketing communications, typically including but not limited to:

  1. Identity Data: Your name, title, and professional details.
  2. Contact Data: Your email address, telephone number, and business address.
  3. Professional Data: Your job title, organisation name, industry sector, and professional interests.
  4. Marketing Preferences: Your preferences for receiving marketing communications from us.
  5. Interaction Data: Information about your interactions with our marketing content, such as email opens, clicks, and webinar attendance.

Marketing Contact Data:

Data:
  • Your name
  • Your email address
  • Telephone number
  • Name of your establishment or business
Why: To communicate with you about our products and services that may be of interest to you.
Legal Basis: Legitimate interests to provide information about our services to individuals who have expressed interest. Consent, when you opt in to receive marketing communications.

Data:
  • Marketing preferences
  • Communication history
  • Email engagement metrics
Why: To tailor our marketing communications to your interests and preferences.
Legal Basis: Legitimate interests to provide relevant information. Consent for email marketing activities.

Data:
  • Event attendance
  • Webinar participation
Why: To understand your interests and provide relevant content.
Legal Basis: Legitimate interests to improve our marketing effectiveness and provide valuable content.

Data:
  • Feedback and survey responses
Why: To improve our products, services, and marketing activities.
Legal Basis: Legitimate interests in business improvement.

PECR Compliance for Marketing Communications

Our marketing communications are also subject to the Privacy and Electronic Communications Regulations 2003 (PECR). We only send marketing communications to business email addresses where we have a legitimate interest in doing so, and we always include an unsubscribe link in our communications. You can opt out of receiving these communications at any time by:

  • Using the unsubscribe link provided in any marketing email
  • Contacting us directly at dataprotection@grofar.com
  • Managing your communication preferences through your account settings (where applicable)

We respect your choice and will process your opt-out request promptly.

Support

We collect personal information from individuals who contact us for support or attend training and webinars, including:

  1. Identity Data: Your name, job title and organisation.
  2. Contact Data: Your email address and telephone number.
  3. Support Request Data: Details of your support issue or question.
  4. Communication History: Records of our communications regarding support issues, feedback and surveys.
  5. Technical Data: Information about your use of our services that may be relevant to your support request.

The following applies where your organisation holds a licence with Grofar.

Support Data

Data:
  • Name
  • Organisation
  • Email
  • Job Title
Why: To enable us to provide technical and user support.
Legal Basis: Contractual necessity: processing is required to perform our agreement with you and provide the support services you are entitled to.

Data:
  • Support Communications
Why: To provide technical and user support.
Legal Basis: Contractual necessity: processing is required to perform our agreement with you.

Data:
  • Survey Answer/Feedback
Why: Obtain views on education and how to improve our platform/service.
Legal Basis: Legitimate interests: improving our platform and services based on customer feedback.

Data:
  • Webinar & Training sessions
Why: For training and professional development.
Legal Basis: Legitimate interests: supporting customers in making effective use of the platform and improving our training offering.

If you are a customer

We collect personal information from our customers, including:

  1. Identity Data: Organisation name, website, employee job titles and roles of key contacts.
  2. Contact Data: Staff email addresses, telephone numbers, and business addresses.
  3. Contract Data: Information related to the services we provide, including contracts, service agreements, and payment terms.
  4. Financial Data: Billing information, payment records, and transaction history.
  5. Communication Data: Records of communications with us, including emails, calls, and meetings.

The following applies where your organisation holds a licence with Grofar.

Customer Data:

As the Data Controller, we store your data within our Customer Relationship Management (CRM) system. We may create and manage custom fields to record additional information relevant to our business relationship with you. This helps us provide more tailored and effective services to meet your specific needs. Any personal data added to these custom fields will be processed based on our legitimate business interests or contractual necessity, in accordance with this Privacy Policy and applicable data protection laws.

Data: Organisation name, website, staff job titles and roles of key contacts, contact email addresses, telephone numbers, and business addresses
Why: To identify and maintain records of educational establishments using our services.
Legal Basis: Contractual necessity: processing is required to manage and perform our agreement with your institution.

Data: Financial History
Why: We retain financial records to comply with the requirements of HMRC, accounting regulations, and any other applicable UK laws and regulations.
Legal Basis: Legal obligation: we are required to retain financial records to comply with HMRC requirements and applicable UK accounting regulations.

For information about data processed within the Grofar platform on behalf of your institution, please refer to our Data Protection and Sharing Policy.

How We Collect Your Data

We collect personal data through various channels when acting as a Data Controller:

Data Collected from Our Website

When you visit our website, we may collect certain personal data automatically using Google Analytics, cookies and other tracking technologies.

In cases where required, we obtain your consent for the collection of personal data, such as when you fill out forms, subscribe to newsletters, or interact with certain features of our website. You also have the option to manage your cookie preferences through your browser settings. For more detailed information on how we use cookies and other tracking technologies on our website, please refer to our Cookies Policy.

Data Provided Directly by You

We collect personal data when you:

  • Contact us through our website forms
  • Email or call us with enquiries
  • Register for events or webinars
  • Subscribe to our newsletters or updates
  • Request product demonstrations
  • Engage with our support services
  • Enter a contract with us
  • Complete feedback or survey forms

Data from Third Parties

In some instances, we may receive your personal information from third parties, such as:

  • Business partners who refer you to our services
  • Professional networking platforms (such as LinkedIn)
  • Public sources of professional information, e.g. Companies House and government services.

Data Storage

Personal data we hold as Data Controller is stored with trusted third-party service providers. Where providers process data outside the United Kingdom, we ensure appropriate safeguards are in place in accordance with UK GDPR. For information about data storage in our role as Data Processor, please refer to our Data Protection and Sharing Policy.

International Data Transfers

Some of our third-party service providers may process personal data outside the United Kingdom. We are committed to ensuring that all international transfers of personal data comply with UK GDPR requirements and that appropriate safeguards are implemented to protect your data.

Data Breach Notification

In the event of a personal data breach, Grofar has established comprehensive procedures for responding promptly and effectively. We will notify the relevant supervisory authority, such as the ICO, without undue delay and, where feasible, within 72 hours of becoming aware of a reportable breach. Where a breach is likely to result in a high risk to affected individuals, we will also notify those individuals without undue delay.

Our data breach notification will include:

  • The nature of the breach
  • The categories and approximate number of individuals affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach
  • Contact details for obtaining more information

Data Retention

Retention Period

  • Website Visitors: Technical data and contact form submissions are retained only as long as necessary to fulfil the purpose for which they were collected, or to comply with legal requirements.
  • Sales/Marketing Contacts: Retained for as long as we have an ongoing relationship with you, or you continue to express interest in our services. We conduct a full review of our marketing contact database at least annually and remove records where there has been no meaningful interaction and no active relationship exists.
  • Support Contacts: Retained for as long as necessary to resolve your support issue and for a reasonable period afterwards to handle any follow-up questions or related issues.
  • Customers: Active customer data is retained for the duration of our business relationship and for a period afterwards as required by applicable laws, particularly for financial records which are subject to UK tax regulations.

Financial Records

We retain financial records to comply with the requirements of HMRC, accounting regulations, and any other applicable UK laws and regulations.

Data Deletion

Once the retention period has expired, the data is no longer needed for the specified purposes, or a deletion request is submitted, we will securely delete the data.

Third-party Service Providers

Grofar engages trusted third-party service providers who may process personal data on our behalf. All service providers are bound by data processing agreements that ensure UK GDPR compliance. These providers fall into the following categories:

  • Analytics and Performance Monitoring: Services that help us understand website usage and system performance.
  • Communication Services: Tools that facilitate customer and user communications, with appropriate data retention limits.
  • Marketing and Customer Management: Platforms that support our marketing activities and customer relationships.
  • Operational Support: Tools for internal business operations, feedback collection, and financial management.

We ensure all third-party providers maintain appropriate technical and organisational measures to protect personal data in accordance with UK GDPR requirements and ICO guidance.

Cookies

Data Collection and Use of Cookies

Grofar Ltd uses cookies to enhance user experience and ensure proper functioning of our website. For more detailed information on the specific cookies we use, their purpose, and how to manage them, please refer to our full Cookies Policy.

Your Rights

As a Data Controller, we are responsible for responding directly to requests from individuals (data subjects) regarding their personal data. The following are the rights that individuals have regarding their personal data under UK GDPR:

Right to Access

You have the right to:

  • Confirm if we are processing your personal data
  • Access your personal data that we hold
  • Receive information about how we use your data, including the purposes of processing, categories of data, recipients, retention periods, and information about automated decision-making

Right to Rectification

You have the right to request correction of any inaccurate or incomplete personal data we hold about you. We will update your data promptly upon receiving a verifiable request.

Right to Erasure

Under certain circumstances, you may request the erasure of your personal data. We will comply with erasure requests unless we have a legal basis for retaining the data, such as a legal obligation or the need to establish, exercise, or defend legal claims.

Circumstances in which this right may apply include:

  • The data is no longer necessary for the purposes it was collected
  • You withdraw consent, and there is no other legal basis for processing
  • The data has been unlawfully processed

Right to Restriction of Processing

You have the right to request the restriction of the processing of your personal data under certain conditions. If you believe that your data is being processed incorrectly, you can request that we temporarily restrict processing.

Restrictions may apply if:

  • You contest the accuracy of your personal data
  • You object to processing, and we are evaluating your objection

Right to Data Portability

Where processing is based on your consent or on a contract with you, you have the right to request a copy of personal data you have provided to us in a structured, commonly used, and machine-readable format. You may also request that we transfer this data directly to another Data Controller, where technically feasible.

Right to Object

You have the right to object to the processing of your personal data, especially if the processing is based on legitimate interests or for direct marketing purposes. If you object to marketing, we will cease processing your data for marketing purposes immediately.

Right in Relation to Solely Automated Decision-Making

You have rights in relation to solely automated decision-making that produces legal or similarly significant effects. Where this applies, you have the right to receive information about the decision, to request human intervention, to make representations, and to contest the decision.

Right to Withdraw Consent

If we are processing your personal data based on consent, you have the right to withdraw that consent at any time. This will not affect the legality of the processing before you withdrew your consent. To withdraw consent, please use the unsubscribe links in our communications or contact us directly.

Exercising Your Rights

To exercise any of these rights, please contact us at dataprotection@grofar.com. We will respond to your request without undue delay and at the latest within one month. Under the Data (Use and Access) Act 2025, where a request is complex, or we receive multiple requests from you, we may extend this period by up to two additional months, and we will notify you if this applies. In responding to any subject access request, we will conduct a reasonable and proportionate search of the information we hold.

To protect your privacy and security, we may require verification of your identity before processing your request, typically through proof of identity documentation or account information. In most cases, requests are processed free of charge. However, we may charge a reasonable fee if your request is manifestly unfounded, excessive, or repetitive.

Accountability

Grofar is committed to demonstrating compliance with UK GDPR and takes responsibility for protecting your personal data. We maintain comprehensive records of our data processing activities and regularly review our data protection practices to ensure ongoing compliance.

For data protection matters, please contact us at dataprotection@grofar.com.

Complaints

If you believe that your rights have been violated or that we are not processing your personal data in compliance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

The Office of the Information Commissioner,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF

Tel: 0303 123 1113
Website: www.ico.org.uk

Under the Data (Use and Access) Act 2025, you have the right to make a data protection complaint directly to us. Please contact us in the first instance at dataprotection@grofar.com and we will acknowledge your complaint promptly, investigate it, and inform you of the outcome without undue delay. If you remain dissatisfied, you retain the right to lodge a complaint with the Information Commissioner's Office (ICO).

Policy Version Information

Version: 3.0

This Policy has been approved and authorised by:

Name: Abbie Pullman
Position: Managing Director
Date: June 2026

This policy is reviewed annually to ensure continued compliance with data protection regulations and to reflect any changes in our data processing practices.