Privacy Policy

About us

In this policy, the references to ‘we’ and ‘us’ are to Grofar Ltd (company number 09505988) . Our Data Protection Registration Number is ZA147283.

Why we use your personal information

The Grofar Careers and Work placement solutions are governed by a contract between us and the schools, Multi-Academy Trust, College or a Local Education Authority (“Grofar Customer”), and also the Terms and Conditions that you agree with when you sign up via our website or email web forms (“Grofar User”).

We process your personal data for the following purposes:

  • to provide you with the service activated and registered for
  • the verification of your identity where required
  • for the prevention and detection of crime, fraud and anti-money laundering
  • for the ongoing administration of the service
  • to allow us to improve the products and services we offer to our customers
  • for research and statistical analysis
  • to enable us to comply with our legal and regulatory obligations
  • to offer new products and services to you which are relevant and appropriate, and only to the extent that would be reasonably expected.

If we plan to introduce further processes for the use of your information, we will provide information about that purpose prior to such processing.

The legal basis for processing

Under Data Protection Law, there are various grounds which are considered to be a ‘legal basis for processing’. The legal basis for processing should be determined by the Data Controller.

Where we are the Data Processor, the legal basis is determined by the Customer. Typically, the legal basis in this scenario is:

  • ‘processing is necessary for the performance of a task carried out in the public interest’

Where we are the Data Controller, the legal basis for processing is based on:

  • ‘processing is necessary for the purposes of legitimate interests pursued by the controller’

It should be noted that in some circumstances this legal basis may vary, however, we always operate in full compliance with Data Protection Law and will only process data with a fair and reasonable legal basis for doing so.

What information we collect and how

The information we collect via our website, any sign-up forms or from a client school or college may include:

  1. Any personal contact details you type in or submit, such as name, school or college, role, address, email and phone number.
  2. Your preferences and contact choices
  3. Information sent to or from the school/college, until the school chooses to delete them

In the case of this third type of information detail can be found in the relevant product data sharing document. This data is provided by the school or college using the Groupcall XoD system, a CSV upload or an API. In all cases the school or college has full control of what data is shared and can change this consent at any time.

How we process your personal information

We use your personal information, and some of our employees have access to such information, only to the extent required to carry out the services for you and on behalf of the Customer.

We have introduced appropriate technical and organisational measures to protect the confidentiality, integrity and availability of your personal information during storage, processing and transit.

Some of our supporting services (for example Capsule CRM), might use cloud platforms that operate from Third Countries outside of the EEA. Where this is the case, we ensure that adequate safeguards are established to protect your data.

Your rights under Data Protection Law


You have the right of access to your personal information that we process and details about that processing.

You can usually access that information directly within the Grofar Products and Services (self-service). However, should this not be possible, you can raise a Subject Access Request (SAR) to receive this information in another format.


You have the right to request that information is corrected if it’s inaccurate. You can usually update your own information using the Grofar Products and Services (self-service). However, should this not be possible the school or college will need to correct the data held by them and provided to us for processing.

Erasure (Right to be Forgotten)

You have the right to request that your information is removed; depending on the circumstances, we may or may not be obliged to action this request.

Right to Object

You have the right to object to the processing of your information; depending on the circumstances, we may or may not be obliged to action this request.

Restriction of Processing

You have the right to request that we restrict the extent of our processing activities; depending on the circumstances, we may or may not be obliged to action this request.

Data Portability

You have the right to receive the personal data which you have provided to us in a structured, commonly used and machine-readable format suitable for transferring to another controller.

Right to lodge a complaint with a supervisory authority

If you think we have infringed your privacy rights, you can lodge a complaint with the relevant supervisory authority. You can lodge your complaint in particular in the country where your live, your place of work or place where you believe we infringed your right(s).

You can exercise your rights be sending an e-mail to [email protected]. Please state clearly in the subject that your request concerns a privacy matter, and provide a clear description of your requirements.

Note: We may need to request additional information to verify your identity before we action your request.

Partner services

We use a range of trusted service providers to help deliver our services. All of our suppliers are subject to appropriate safeguards, operating in accordance with our specific instructions and limitations, and in full compliance with Data Protection Law.

These service providers include:

  • CRM Provider – such as Capsule to process our contacts and communications with you
  • Email Providers – such as MailChimp to send out our email notifications or messages sent by Customers using Grofar Products and Services
  • Hosting Providers – such as Microsoft Azure to manage our secure enterprise datacentres
  • Security Providers – to protect our systems from attack
  • Telephony Providers – we might record calls for training, quality and security purposes
  • Support Portal (ZenDesk) – so that you can easily ask for help

We may also have access to your personal information as part of delivering the service.

If we need to change or add additional third parties, we will always update our Privacy Notice accordingly.

We will only disclose your information to other parties in the following limited circumstances

  • where we are legally obliged to do so, e.g. to law enforcement and regulatory authorities
  • where there is a duty to disclose in the public interest
  • where disclosure is necessary to protect our interest e.g. to prevent or detect crime and fraud
  • where you give us permission to do so e.g. by providing consent within the Grofar Products and Services or via an online application or consent form

How long we may keep your personal information

We will only retain information for as long as is necessary to deliver the service safely and securely. We may need to retain some records to maintain compliance with other applicable legislation – for example finance, taxation, fraud and money laundering law requires certain records to be retained for an extended duration, in some cases for up to seven years.

Changes to our Privacy Notice

This policy will be reviewed regularly and updated versions will be posted on our websites.

More information

All enquiries about individual Privacy or GDPR matters should be made to our Data Protection Officer. Please email [email protected]