Privacy Policy (Updated 2025)
Status: Ready for publication
Version: 2.0
Effective Date: TBC (upon portal launch)
Replaces: Privacy Policy (October 2025)
Readability Score: 17.2 (estimated Flesch-Kincaid Grade Level)
Target Audience: Professional (schools, trusts, educational institutions)
Plain Language Version: Planned for Phase 2 (Grade 10-12 for general public)
Privacy Policy
Introduction
Tru-Digital Services Ltd ("we", "us", "our") is committed to protecting your personal data. This policy explains how we collect, use, and safeguard your information when you use our services, website, and customer portal.
We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025.
Last updated: [Date]
Next review: [Date]
Who We Are
Data Controller:
Tru-Digital Services Ltd
3rd Floor, 86-90 Paul Street
London, EC2A 4NE
United Kingdom
Company Registration: 16210598
ICO Registration: ZB887707
Data Protection Officer:
Email: dpo@trudigital.co.uk
Phone: [Number]
Tru-Digital Services Ltd is the parent company of Tru-Digital Protection and operates specialist data protection services for UK educational institutions.
What Information We Collect
Personal Information
We collect information necessary to provide our DPO services:
From customers (schools, trusts, educational institutions):
- Organisation name, address, and contact details
- Key personnel details (SRP, DPO, Governors, DSL)
- School type, structure, and governance information
- Subscription tier and payment information
- Communication history and service records
From individual contacts:
- Name, job title, and role
- Work email address and phone number
- Professional qualifications (where relevant)
- Communication preferences
Technical information:
- IP address and geographic location
- Browser type, version, and language
- Device type and operating system
- Portal usage data (pages viewed, features used, time spent)
- Login timestamps and access logs
Service delivery information:
- Support requests and service records
- Email correspondence
- Documents shared for review (policies, DPIAs, SARs)
- Training attendance and completion
- Audit findings and compliance assessments
Special Category Data
We do not routinely process special category personal data (as defined in Article 9 UK GDPR). If your organisation shares information involving special categories during service delivery (e.g., safeguarding contexts in SAR requests), we process this data only as necessary to fulfil our contractual obligations, under Article 9(2)(b) UK GDPR and with appropriate safeguards.
Children's Information
Our services are provided to educational institutions, not directly to children. We do not knowingly collect personal information from individuals under 18. If we become aware that we have inadvertently collected such information, we will delete it promptly.
How We Use Your Information
Legal Bases for Processing
We process your personal data under the following lawful bases:
Contract (Article 6(1)(b)) — to provide DPO services, process payments, and fulfil our contractual obligations.
Legitimate Interests (Article 6(1)(f)) — to:
- Improve our services and portal functionality
- Conduct business development and marketing to existing customers
- Maintain security and prevent fraud
- Comply with non-legal professional obligations
We conduct legitimate interest assessments before processing on this basis.
Legal Obligation (Article 6(1)(c)) — to comply with legal and regulatory requirements (e.g., tax, accounting, anti-money laundering).
Consent (Article 6(1)(a)) — for marketing communications to prospective customers and optional features.
Purposes
We use your information to:
- Deliver DPO services:
  - Policy creation and management
  - ROPA and DPIA support
  - SAR and breach response
  - FOI advice and ICO liaison
  - Training and consultancy
- Operate the customer portal:
  - Account management and authentication
  - Content delivery (Help Centre, policies, resources)
  - Service Records and communication tracking
  - Workspace collaboration
- Process payments and invoicing
- Provide customer support:
  - Respond to enquiries
  - Troubleshoot technical issues
  - Maintain service records
- Improve our services:
  - Analyse portal usage and content effectiveness
  - Develop new features and resources
  - Conduct customer satisfaction surveys
- Marketing and business development:
  - Send service updates to existing customers
  - Promote additional services to current clients
  - Send newsletters and blog updates (with consent)
- Legal and regulatory compliance:
  - Maintain records as required by law
  - Respond to legal requests
  - Enforce our terms and conditions
How We Share Your Information
Third-Party Service Providers
We share information with trusted processors who help us deliver our services:
Portal and website infrastructure:
- [Bullet.so / Sotion.so] — customer portal hosting
- Notion — workspace collaboration and database management
- Google Workspace — email, documents, and file storage
Automation and communication:
- Make (Integromat) — workflow automation
- OpenAI — AI-powered categorisation and summaries
Payment processing:
- Stripe — subscription billing (PCI DSS compliant; we do not store card details)
- Xero — accounting and invoicing
Analytics and performance:
- Google Analytics 4 — website and portal usage
- Sentry — error monitoring and diagnostics
Security and compliance:
- Redactable — secure document redaction
All processors are bound by data processing agreements and process data only on our instructions.
Legal Disclosures
We may disclose your information:
- To comply with legal obligations, court orders, or regulatory requests
- To protect our rights, property, or safety, or those of our customers
- In connection with a business sale, merger, or acquisition (with confidentiality protections)
No Data Selling
We do not sell, rent, or trade your personal information to third parties for marketing purposes.
International Transfers
Your data is primarily stored and processed within the United Kingdom and European Economic Area.
Where we use service providers outside the UK/EEA (e.g., OpenAI in the United States), we ensure appropriate safeguards are in place:
- UK International Data Transfer Agreements (UK IDTA)
- EU Standard Contractual Clauses
- Data Privacy Framework adequacy decisions
- Article 49 UK GDPR derogations for specific situations
You can request details of our transfer mechanisms by contacting our DPO.
How Long We Keep Your Information
Active customers:
- Service records and correspondence: Duration of contract + 6 years (accounting and legal requirements)
- Policy documents and outputs: Duration of contract + 7 years (limitation periods)
- Portal usage data: Duration of contract + 1 year
Former customers:
- Contract and payment records: 6 years after termination (HMRC requirements)
- Service delivery records: 7 years after termination (professional indemnity)
- Marketing communications: Until consent is withdrawn or 3 years of inactivity
Prospective customers:
- Enquiry records: 2 years from last contact
- Marketing consent: Until withdrawn or 3 years of inactivity
Legal claims:
If a complaint arises or litigation is reasonably anticipated, we retain relevant data for the duration of the claim plus applicable limitation periods.
Your Rights
Under UK GDPR, you have the following rights:
Right to Access — request a copy of your personal data
Right to Rectification — correct inaccurate or incomplete data
Right to Erasure — request deletion (subject to legal retention obligations)
Right to Restrict Processing — limit how we use your data
Right to Data Portability — receive your data in a structured, machine-readable format
Right to Object — object to processing based on legitimate interests or direct marketing
Rights Related to Automated Decision-Making — we do not use automated decision-making or profiling that produces legal or similarly significant effects
Exercising Your Rights
To exercise any of these rights, contact our DPO at dpo@trudigital.co.uk.
We will respond within one calendar month of receiving your verified request. For complex requests, we may extend this by up to two months and will notify you of any delay.
Verification: We may request proof of identity to prevent unauthorised disclosure.
No fee: We do not charge for most requests. If your request is manifestly unfounded or excessive, we may charge a reasonable administrative fee or refuse the request.
Security
We implement technical and organisational measures to protect your data:
Technical measures:
- Encryption in transit (TLS 1.3) and at rest
- Multi-factor authentication for staff access
- Regular security patching and updates
- Intrusion detection and monitoring
- Secure API integrations with token rotation
Organisational measures:
- Access controls (role-based permissions)
- Staff training on data protection
- Confidentiality agreements
- Incident response procedures
- Regular security audits
Data breach notification:
If a breach occurs that is likely to result in a risk to your rights, we will notify you and the ICO within 72 hours, as required by UK GDPR.
Limitations:
Internet transmission is not completely secure. While we implement robust safeguards, we cannot guarantee absolute security. You transmit information at your own risk.
Cookies and Tracking
Our website and portal use cookies and similar technologies. See our Cookie Policy for full details.
Essential cookies: Required for site operation (session management, security)
Analytics cookies: Used to improve content and performance (with consent)
Functional cookies: Remember your preferences
You can manage cookie preferences via the banner in the site footer or through your browser settings.
Links to Other Websites
Our website and portal may contain links to third-party sites (e.g., ICO guidance, legislation.gov.uk). We are not responsible for the privacy practices of external sites. Please review their privacy policies before providing personal information.
Changes to This Policy
We review this Privacy Policy annually and update it as necessary to reflect:
- Changes in data protection law
- New service features or technologies
- Changes in our processing activities
We will notify you of material changes by:
- Email to registered account holders
- Prominent notice on our website and portal
- Updated "Last updated" date at the top of this policy
Continued use of our services after changes take effect constitutes acceptance of the updated policy.
Your Right to Complain
If you are unhappy with how we handle your data, please contact our DPO at dpo@trudigital.co.uk. We take complaints seriously and will investigate promptly.
You also have the right to lodge a complaint with the supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
Live chat: Available on ICO website
Contact Us
If you have questions about this Privacy Policy or how we process your data:
Email: dpo@trudigital.co.uk
Post: Data Protection Officer, Tru-Digital Services Ltd, 3rd Floor, 86-90 Paul Street, London, EC2A 4NE
Document History:
- Version 1.0 — October 2022 (Initial publication)
- Version 1.5 — October 2024 (Minor updates)
- Version 2.0 — [Date] (Portal migration, Data (Use and Access) Act 2025 compliance)