Privacy Policy - June 2025

Grofar is a company registered in England and Wales under company number 09505988, whose registered address is at Walden House, Foxcombe Road, Boars Hill Oxford OX1 5DL.

Grofar Ltd is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, store, and share personal data in our role as a Data Controller, particularly for visitors to our website, sales and marketing communications, analytics, support services, financial operations, and other business-related activities. By using our services and visiting our website (www.grofar.com), you agree to the collection and use of information in accordance with this policy.

For details about how we process data on behalf of our customers (schools or colleges) as a data processor, please see our Data Protection and Sharing Policy.

Data Protection

Data Protection Principles 

We adhere to the following principles in accordance with the GDPR: 

  • Lawfulness, fairness, and transparency: We process personal data lawfully, fairly, and in a transparent manner.
  • Purpose limitation: Personal data is collected for specific, legitimate purposes and not processed in a manner that is incompatible with those purposes.
  • Data minimisation: We collect only the data necessary for the purposes we are processing it for.
  • Accuracy: We ensure that personal data is accurate and up to date.
  • Storage limitation: Personal data is stored only for as long as necessary for the purposes of processing.
  • Integrity and confidentiality: Personal data is processed securely to prevent unauthorised access, disclosure, alteration, or destruction.
  • Accountability: We take responsibility for our compliance with these principles and can demonstrate our compliance.

Data Protection Impact Assessments 

In line with our commitment to data protection by design and default, Grofar conducts Data Protection Impact Assessments (DPIAs) periodically and when implementing new technologies or where processing is likely to result in a high risk to the rights and freedoms of individuals. These assessments help us identify and minimise data protection risks at an early stage.

GDPR Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person. This can include names, contact details, identification numbers, location data, or other factors that can identify a person either directly or indirectly. 
  • Sensitive Personal Data (Special Categories of Data): Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a person, health data, data concerning a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses.
  • Processing: Any operation or set of operations which is performed on personal data or on sets of personal data. This includes collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
  • Data Subject: An identified or identifiable natural person whose personal data is being processed. This can include employees, customers, clients, or any individual whose personal data is held by the organisation.
  • Controller: The organisation (or individual) that determines the purposes, conditions, and means of processing personal data. In this case, Grofar acts as the Data Controller.
  • Processor: A third party that processes personal data on behalf of the Data Controller. This includes entities such as third-party service providers, cloud providers, or marketing agencies.
  • Consent: Any freely given, specific, informed, and unambiguous indication of the data subject’s wishes, by which they signify agreement to the processing of their personal data.
  • Data Protection Impact Assessment (DPIA): A process used to assess the potential risks to data subjects' rights and freedoms when initiating new processing activities involving personal data. This is required for high-risk processing activities.
  • Data Subject Rights: The rights granted to individuals under the GDPR, including the right to access, rectify, erase, restrict, object to processing, and port their data.
  • Supervisory Authority: An independent public authority established by an EU member state to monitor the application of data protection laws. For the UK, it is the Information Commissioner’s Office (ICO). For other EU member states, it would be the respective national authority.
  • Data Breach: A security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

Who this policy applies to:

This Policy applies to the following individuals when we act as a Data Controller:

  • Visitors/Sales enquiries: Anyone who visits the Grofar website and enquires about our products or services.
  • Marketing Communication: Individuals who enquire about our products/services or existing customers who wish to receive marketing information related to product updates.
  • Support Communications: Individuals who contact us for support or attend training and webinar sessions while using the Grofar Software Platform.
  • Customers: Educational institutions and individual staff members that use the Grofar Software Platform.

How we collect your personal information and legal basis for doing so:

If you are a website visitor

When you visit our website, we collect the following types of information in compliance with the General Data Protection Regulation (GDPR).

  1. Communications Data: Any communications or interactions with our team, typically including, but not limited to, demonstration requests and any information included in contact forms submitted via our website.
  2. Technical Data: Data automatically collected as you use our website, such as your device's IP address, device type, operating system, and browser type. This also includes information collected through cookies and other tracking technologies.
  3. Location Data (if applicable): If permitted by your device settings, we may collect your geographic location to provide location-based services or content. You can manage or disable location tracking through your device settings.

For more detailed information on how we use cookies and other tracking technologies on our website, please refer to our Cookies Policy.

Website Visitor Data:

Data:
  • Your name
  • Your email address
  • Telephone number
  • Name of your establishment
Why: To fulfil or answer enquiries or requests from you regarding a demo and provide you with accurate and appropriate information about Grofar.
Legal Basis: Enable us to determine the suitability of potential opportunities and promote Grofar.

Data: Any information you include in any message to Grofar, either directly or via our contact form on our website
Why: Allows us to respond to any enquiries, feedback, concerns, or complaints from you and to improve the functionality and user experience of the website
Legal Basis: We use the information you provide to respond to your request and process your enquiries.

Data: Cookies
Why: To enhance user experience, analyse site usage, and provide personalised content. By using our website, you consent to the use of cookies as outlined in our cookie policy.
Legal Basis: We may use cookies for analytics and performance purposes, based on our legitimate interest in improving the functionality and content of the Grofar website.

Marketing communication:

We collect personal information from individuals who express interest in receiving updates about our products and marketing communications, typically including but not limited to:

  1. Identity Data: Your name, title, and professional details.
  2. Contact Data: Your email address, telephone number, and business address.
  3. Professional Data: Your job title, organisation name, industry sector, and professional interests.
  4. Marketing Preferences: Your preferences for receiving marketing communications from us.
  5. Interaction Data: Information about your interactions with our marketing content, such as email opens, clicks, and webinar attendance.

Marketing Contact Data:

Data:
  • Your name
  • Your email address
  • Telephone number
  • Name of your establishment or business
Why: To communicate with you about our products and services that may be of interest to you.
Legal Basis: Legitimate interest to provide information about our services to individuals who have expressed interest. Consent, when you opt in to receive marketing communications.

Data:
  • Marketing preferences
  • Communication history
  • Email engagement metrics
Why: To tailor our marketing communications to your interests and preferences
Legal Basis: Legitimate interest to provide relevant information. Consent for email marketing activities.

Data:
  • Event attendance
  • Webinar participation
Why: To understand your interests and provide relevant content
Legal Basis: Legitimate interest to improve our marketing effectiveness and provide valuable content

Data:
  • Feedback and survey responses
Why: To improve our products, services, and marketing activities
Legal Basis: Legitimate interest in business improvement

PECR Compliance for Marketing Communications

Our marketing communications are also subject to the Privacy and Electronic Communications Regulations 2003 (PECR). We only send marketing communications to business email addresses where we have a legitimate interest in doing so, and we always include an unsubscribe link in our communications. You can opt out of receiving these communications at any time by:

  • Using the unsubscribe link provided in any marketing email
  • Contacting us directly at dataprotection@grofar.com
  • Managing your communication preferences through your account settings (where applicable)

We respect your choice and will process your opt-out request promptly.

Support

We collect personal information from individuals who contact us for support or attend training and webinars, including:

  1. Identity Data: Your name, job title and organisation.
  2. Contact Data: Your email address and telephone number.
  3. Support Request Data: Details of your support issue or question.
  4. Communication History: Records of our communications regarding support issues, feedback and surveys.
  5. Technical Data: Information about your use of our services that may be relevant to your support request.

Support Data

Data:
  • Name
  • Organisation
  • Email
  • Job Title
Why: To enable us to provide technical and user support
Legal Basis: Allows us to fulfil the terms set in the License Terms to support customers in using the Grofar platform. Contractual necessity to provide support services.

Data:
  • Support Communications
Why: To provide technical and user support
Legal Basis: Contractual necessity to provide support services

Data:
  • Survey Answer/Feedback
Why: Obtain views on education and how to improve our platform/service
Legal Basis: Allows us to fulfil the terms set in the service agreement and improve Grofar

Data:
  • Webinar & Training sessions
Why: For training and professional development
Legal Basis: Legitimate interest in improving staff capabilities with the platform

If you are a customer

We collect personal information from our customers, including:

  • Identity Data: Organisation name, website, employee job titles and roles of key contacts.
  • Contact Data: Staff email addresses, telephone numbers, and business addresses.
  • Contract Data: Information related to the services we provide, including contracts, service agreements, and payment terms.
  • Financial Data: Billing information, payment records, and transaction history.
  • Communication Data: Records of communications with us, including emails, calls, and meetings.

Customer Data:

As the Data Controller, we store your data within our Customer Relationship Management (CRM) system. We may create and manage custom fields to record additional information relevant to our business relationship with you. This helps us provide more tailored and effective services to meet your specific needs. Any personal data added to these custom fields will be processed based on our legitimate business interests or contractual necessity, in accordance with this Privacy Policy and applicable data protection laws.

Data Why Legal Basis
School College
  • Name
  • Head
  • Main Contact
  • Telephone
  • Web address
  • Email address
  • DfE or Deni No
  • Governance
  • Phase
  • School Timetable
  • Number of Students
  • Staff Members
  • Staff Roles
  • Main contact
  • Telephone
  • Web address
  • Email
  • URN
  • Establishment number
  • Phase of Education
  • Establishment TYPE
  • Number of Students
  • Staff Members
  • Staff Roles
  • License details

To identify and maintain records of educational establishments using our services

Contractual necessity to provide services to the educational establishment

Financial History

We retain financial records to comply with the requirements of HMRC, accounting regulations, and any other applicable UK laws and regulations.

Legal interest to comply with HMRC, accounting regulations, and any other applicable UK laws and regulations.

How we collect your data

We collect personal data through various channels when acting as a Data Controller:

Data Collected from our Website

When you visit our website, we may collect certain personal data automatically using Google Analytics, cookies and other tracking technologies.

In cases where required, we obtain your consent for the collection of personal data, such as when you fill out forms, subscribe to newsletters, or interact with certain features of our website. You also have the option to manage your cookie preferences through your browser settings. For more detailed information on how we use cookies and other tracking technologies on our website, please refer to our Cookies Policy.

Data Provided Directly by You

We collect personal data when you:

  • Contact us through our website forms
  • Email or call us with enquiries
  • Register for events or webinars
  • Subscribe to our newsletters or updates
  • Request product demonstrations
  • Engage with our support services
  • Enter a contract with us
  • Complete feedback or survey forms

Data from Third Parties

In some instances, we may receive your personal information from third parties, such as:

  • Business partners who refer you to our services
  • Professional networking platforms (like LinkedIn)
  • Public sources of professional information i.e. Companies House and Government services.

Data storage

Grofar uses third-party service providers for customer relationship management, support services, and customer communications.

International Data Transfers

Some of our third-party service providers may process personal data outside the United Kingdom. We are committed to ensuring that all international transfers of personal data comply with UK GDPR requirements and that appropriate safeguards are implemented to protect your data.

Data Breach Notification

In the event of a personal data breach, Grofar has established comprehensive procedures for responding promptly and effectively. We will notify affected individuals and the relevant supervisory authority (such as the ICO) without undue delay when legally required to do so, and where feasible, within 72 hours of becoming aware of the breach.

Our data breach notification will include:

  • The nature of the breach
  • The categories and approximate number of individuals affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach
  • Contact details for obtaining more information

Data Retention

Retention Period

  • Website Visitors: Technical data and contact form submissions are retained only as long as necessary to fulfil the purpose for which they were collected, or to comply with legal requirements.
  • Sales/Marketing Contacts: Retained for as long as we have an ongoing relationship with you, or you continue to express interest in our services. If you haven't interacted with our communications for a reasonable period, we'll review whether to retain your data.
  • Support Contacts: Retained for as long as necessary to resolve your support issue and for a reasonable period afterwards to handle any follow-up questions or related issues.
  • Customers: Active customer data is retained for the duration of our business relationship and for a period afterwards as required by applicable laws, particularly for financial records which are subject to UK tax regulations.

Financial Records

We retain financial records to comply with the requirements of HMRC, accounting regulations, and any other applicable UK laws and regulations.

Data Deletion

Once the retention period has expired, the data is no longer needed for the specified purposes, or a deletion request is submitted, we will securely delete the data.

Third-party Service Providers

Grofar engages trusted third-party service providers who may process personal data on our behalf. All service providers are bound by data processing agreements that ensure GDPR compliance. These providers fall into the following categories:

  • Analytics and Performance Monitoring: Services that help us understand website usage and system performance
  • Communication Services: Tools that facilitate customer and user communications, with appropriate data retention limits
  • Marketing and Customer Management: Platforms that support our marketing activities and customer relationships
  • Content Delivery Systems: Services that help us manage and deliver digital content
  • Operational Support: Tools for internal business operations, feedback collection, and financial management

We ensure all third-party providers maintain appropriate technical and organisational measures to protect personal data in accordance with GDPR requirements and ICO guidance.

Cookies

Data Collection and Use of Cookies

Grofar Ltd uses cookies to enhance user experience and ensure proper functioning of our platform. For more detailed information on the specific cookies we use, their purpose, and how to manage them, please refer to our full Cookies Policy.

Your Rights

As a Data Controller, we are responsible for responding directly to requests from individuals (data subjects) regarding their personal data. The following are the rights that individuals have regarding their personal data under the GDPR:

Right to Access

You have the right to:

  • Confirm if we are processing your personal data
  • Access your personal data that we hold
  • Receive information about how we use your data, including the purposes of processing, categories of data, recipients, retention periods, and information about automated decision-making

Right to Rectification

You have the right to request correction of any inaccurate or incomplete personal data we hold about you. We will update your data promptly upon receiving a verifiable request.

Right to Erasure (Right to be Forgotten)

Under certain circumstances, you may request the erasure of your personal data. We will comply with erasure requests unless we have a legal basis for retaining the data, such as a legal obligation or the need to establish, exercise, or defend legal claims.

Circumstances in which this right may apply include:

  • The data is no longer necessary for the purposes it was collected
  • You withdraw consent, and there is no other legal basis for processing
  • The data has been unlawfully processed

Right to Restriction of Processing

You have the right to request the restriction of the processing of your personal data under certain conditions. If you believe that your data is being processed incorrectly, you can request that we temporarily restrict processing.

Restrictions may apply if:

  • You contest the accuracy of your personal data
  • You object to processing, and we are evaluating your objection

Right to Data Portability

You have the right to request a copy of your personal data in a structured, commonly used, and machine-readable format. You can also request that we transfer this data to another Data Controller, if technically feasible.

Right to Object

You have the right to object to the processing of your personal data, especially if the processing is based on legitimate interests or for direct marketing purposes. If you object to marketing, we will cease processing your data for marketing purposes immediately.

Right Not to Be Subject to Automated Decision-Making

You have the right not to be subject to automated decision-making, including profiling, that has legal effects or similarly significantly affects you. If this is the case, you can request human intervention in the decision-making process.

Right to Withdraw Consent

If we are processing your personal data based on consent, you have the right to withdraw that consent at any time. This will not affect the legality of the processing before you withdrew your consent. To withdraw consent, please use the unsubscribe links in our communications or contact us directly.

Exercising your rights

To exercise any of these rights, please contact us using the details provided in the "How to contact us" section below. We will respond to your request without undue delay and at the latest within one month. This period may be extended by up to two additional months for complex requests. To protect your privacy and security, we may require verification of your identity before processing your request, typically through proof of identity documentation or account information. In most cases, requests are processed free of charge. However, we may charge a reasonable fee if your request is manifestly unfounded, excessive, or repetitive.

Accountability

Grofar is committed to demonstrating compliance with UK GDPR and takes responsibility for protecting your personal data. We maintain comprehensive records of our data processing activities and regularly review our data protection practices to ensure ongoing compliance.

Our Data Protection Officer is Lucy Coombs, who oversees our data protection compliance and can be contacted at dataprotection@grofar.com for any data protection matters.

To exercise your rights under the GDPR or for any questions about this Privacy Policy, please contact us using the following details:

  • Email: dataprotection@grofar.com
  • Phone: 0 117 315 5261
  • Postal Address: Walden House, Foxcombe Road, Boars Hill Oxford OX1 5DL
  • Information Commissioner's Office (ICO) number: ZA147283

For data protection matters specifically, you can contact our Data Protection Officer on the email above.

Complaints

If you believe that your rights have been violated or that we are not processing your personal data in compliance with the GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO).

The Office of the Information Commissioner,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF

Tel: +44 (0) 01625 545 745

Website: www.ico.org.uk

We would appreciate the opportunity to address your concerns before you approach the ICO, so please contact us in the first instance.

Policy Version Information

Version: 2.0

This Policy has been approved and authorised by:

Name: Abbie Pullman
Position: Managing Director
Date: 1st June 2025
Review: 1st June 2026

This policy is reviewed annually to ensure continued compliance with data protection regulations and to reflect any changes in our data processing practices.