This privacy policy tells you how we, a trading division of Worth Publishing Limited, a company registered in the United Kingdom number 01234904, collect, use, and protect your personal information. By visiting or or (our websites), you accept and agree to the terms and conditions of this privacy policy. This privacy policy applies to information we collect on our websites and through e-mail and other electronic messages between you and us. It does not apply to information collected by any third party, including through any application or content that may be accessible from our websites. In particular, by visiting our websites you consent to our collection and use of your personal information as described in this privacy policy, including any updates or revisions to this privacy policy. 

    We are processing your data on the basis of legitimate interest as defined under Article 6 of the GDPR.  Registered Users must satisfy themselves they have a lawful interest in entering and processing data under the terms of the GDPR.  A Registered User is defined as a person or organisation that has a unique email and password in order to enter our web site. By agreeing the contents of this Privacy Policy Registered Users warrant that they already have such lawful interest. We are and will not be responsible for any liability whatsoever if a Registered User does not have a lawful interest in processing data under the GDPR or allows a third party to know of and or use their unique email and password. If a Registered User is unsure of their status under the GDPR they are responsible for clarifying this by visiting the web site below:

    We do not knowingly provide services or sell products to children. If you are below the age of 18, you may use our websites only with the permission and active involvement of a parent or legal guardian. If you are a minor, please do not provide us or other website visitors with any personal information and do not use our websites. If we learn we have collected or received personal information from a child under 18 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 18, please contact us at

    Our privacy policy is part of, and subject to, our websites’ terms and conditions of use. You may view these terms and conditions on our websites.

    Like most places on the Internet, simply by visiting our websites you automatically tell us certain information. This includes basic information such as your IP address, when you visited, the website from where you came prior to visiting us, the website where you go when you leave our websites, your computer’s operating system, location data, and the type of web browser that you are using. Our websites automatically record this basic information about you.

    And like many other websites, we may use cookies or similar tracking technologies. In plain English, this means information that our websites’ server transfers to your computer. This information can be used to track your session on our websites. Cookies may also be used to customize our website content for you as an individual. We may also use the services of Google Analytics. You can see how Google uses data when you use our partners’ sites or apps by clicking on this link

    If you are using one of the common Internet web browsers, you can set up your browser to either let you know when you receive a cookie or to deny cookie access to your computer.

    We may also collect any data that you provide us by posting it at our websites or by e-mail, including information by which you might be personally identified such as name, postal address, e-mail address, and telephone number, and/or any other contact or personally identifiable information.


    If you have a registered account and are a user of applications provided by us, you may voluntarily provide, and we may collect and store, additional information related to the registered account, including but not limited to: your email address, name and contact information, any API key provided by you or images you choose to upload. An application programming interface key (API key) is a code passed in by computer programs calling an application programming interface (API) to identify the calling program, its developer, or its user to the Web site.

    You can always choose not to provide us with information. However, if you do withhold information, you may not be able to make use of some or all of our websites’ services and features.

    Some transactions between you and our websites may involve payment by credit card, debit card, checks, money orders, and/or third party online payment services. In such transactions, we will collect information related to the transaction as part of the course of doing business with you, including your billing address, telephone number, and other information related to the transaction.
    We may also obtain information from third parties, for example, our business partners, third-party suppliers, and customers.


    We use your information to operate our business activities. For example, we may use this data to contact you about changes to our website, new services, or special offers, provide you with notices about your account, resolve disputes, troubleshoot issues, enforce our website’s terms and conditions, to carry out our obligations and enforce our rights arising from contracts entered into between you and us, to protect our business interests and the interests and rights of third parties, and to fulfil any other purpose for which you provide data.

    As a general rule, we will not give your data to third parties for direct marketing purposes without your permission. However, there are some important exceptions to this rule that are described in the following paragraphs and the paragraphs above.

    We may, in our sole discretion, provide information about you to comply with a court order, law or legal process, to law enforcement or other government officials for purposes of fraud investigations, alleged intellectual property infringement, or any other suspected illegal activity or matters that may expose us to legal liability or infringe on our rights or the rights of third parties.

    We may provide information about you to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which personal information held by us about our website users is among the assets transferred.

    We may disclose aggregate data about our websites’ visitors to advertisers or other third parties.

    From time to time, we may use third party suppliers to provide services on our websites. If a supplier wants to collect information about you through our websites, you will be notified. We restrict the way third party suppliers can use your information.

    We will share information with third parties to fulfil the explicit purpose for which you provide it. For example, we will post information that you enter into our blog’s comment system to our blog; share information where you give consent; and use information for the purpose that is disclosed by us when you provide the information; we share information with third parties who assist us in operating our business; for example if we use an email-service-provider, we may provide your email to such vendor to assist us in sending email communications.

    All information inputted into Reach2Teach Assessment for Inclusion tool (AFIT) is stored in the cloud (Azure, AWS or Linode) and is fully encrypted and secure.

    If you have a registered account and are a user of Reach2Teach Assessment for Inclusion Tool (AFIT), all information and data that you enter will remain the property of the school or institution the account is held by.  Should you archive data or unsubscribe from AFIT the deleted data will be encrypted in the cloud and lie dormant and remain the property of your school or relevant institution. 

    In order to help other professional users of AFIT follow the progress of pupils who have been assessed by you we have created a facility to transfer data.  This is particularly useful for those responsible for looked after children to be able to keep track of a child when they move to a new area away from their school.

    Should a pupil move school or institution, a professional at their new school (providing they are a registered user of AFIT) can search the AFIT database to see if the pupil’s UPN number is registered on AFIT (either an active account or an archived account). No information regarding the pupil is divulged at this stage. The professional can request for the pupil’s account to be released from their old school and transferred to the new.  The Team Leader of the old school will receive a notification with the requester’s details and contact information, should they need further information and can either accept or decline the transfer.  In the event of the old school no longer being a subscriber of AFIT, the AFIT team will contact the school and gain written consent to transfer the pupil account before any data can be transferred.

    You can refuse to agree to a data transfer.  In general, however, it is clearly helpful for those taking on responsibility for the welfare of a pupil after your relationship with the pupil has ended that they have as full a picture of the pupil’s history as possible. We therefore hope that you will agree to transfer data when requested.

    The safety and security of your information also depends on you. Where we have given you (or where you have chosen) a username and password for access to certain parts of our website, you are responsible for keeping the username and password confidential. Do not give your password to anyone. If you enter a section of our websites that requires a password, you should log out when you leave. As a safety precaution, you should also close out of your web browser completely and re-open it before viewing other parts of the Internet.

    If you have a customer account with us, you can review and change your personal information by logging into our websites and visiting your account profile page. You may also send us an e-mail at  to request access to, correct or delete any personal information that you have provided to us. We cannot delete your personal information except by also deleting your user account. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

    You may choose to provide personal information to website visitors or other third parties who are not our suppliers. Please use caution when doing so. The privacy policies and customs of these third parties determine what is done with your information.

    As part of our Privacy Policy you, as Data Controller (Data Controller), must enter into an agreement between you, a registered user of our website and whose contact details are those you have registered with us, and we, who are the data processor (Data Processor) at a website owned by Worth Publishing Limited a company registered in England number 01234904 whose address is Highgate Cottage Cheltenham Road Broadway WR12 7BX.

    (1) You agree we as Data Processor shall provide you as Data Controller the Services described in Schedule 1.
    (2) The provision of the Services by the Data Processor involves it in processing the Personal Data described in Schedule 2 on behalf of the Data Controller.
    (3) Under Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (the UK GDPR), the Data Controller is required to put in place an agreement in writing between the Data Controller and any organisation which processes personal data on its behalf governing the processing of that personal data.
    (4)The Parties have agreed to enter into this Agreement to ensure compliance with the said provisions of the UK GDPR in relation to all processing of the Personal Data by the Data Processor for the Data Controller.
    (5) The terms of this Agreement are to apply to all processing of Personal Data carried out for the Data Controller by the Data Processor and to all Personal Data held by the Data Processor in relation to all such processing.

    IT IS AGREED as follows:

    1. Definitions and Interpretation
      1. In this Agreement, unless the context otherwise requires, the following expressions have the following meanings:


        means the Information Commissioner (as defined in Article 4(A3) UK GDPR and section 114 Data Protection Act 2018;


        shall have the meanings given to the term controller by Article 4(7) of the UK GDPR and section 6 of the Data Protection Act 2018;

        Data Protection Legislation

        means all applicable legislation in force from time to time in the United Kingdom applicable to data protection and privacy including, but not limited to, the UK GDPR; the Data Protection Act 2018 (and regulations made thereunder); and the Privacy and Electronic Communications Regulations 2003 as amended;

        Data Subject

        means an identified or identifiable living individual to whom Personal Data relates;

        Personal Data

        means any information relating to an identified or identifiable living individual; an identified or identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of the individual;

        Personal Data Breach

        means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed;


        means a natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of a Controller;

        processing, process, processed, processes

        means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;


        means those [services] AND/OR [facilities] described in Schedule 1 which are provided by the Processor to the Controller and which the Controller uses for the purpose[s] described in Schedule 1; and

        UK GDPR

        means Regulation (EU) 2016/679 General Data Protection Regulation as it forms part of the law of England and Wales, Scotland, and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019.

      2. Unless the context otherwise requires, each reference in this Agreement to:
        1. writing, and any cognate expression, includes a reference to any communication effected by electronic or facsimile transmission or similar means;
        2. a statute or a provision of a statute is a reference to that statute or provision as amended or re-enacted at the relevant time;
        3. this Agreement is a reference to this Agreement and each of the Schedules as amended or supplemented at the relevant time;
        4. a Schedule is a schedule to this Agreement; and
        5. a Clause or paragraph is a reference to a Clause of this Agreement (other than the Schedules) or a paragraph of the relevant Schedule.
        6. a "Party" or the "Parties" refer to the parties to this Agreement.
      3. The headings used in this Agreement are for convenience only and shall have no effect upon the interpretation of this Agreement.
      4. Words imparting the singular number shall include the plural and vice versa.
      5. References to any gender shall include any other gender.
      6. References to persons shall include corporations.

    2. Scope and Application of this Agreement
      1. The provisions of this Agreement shall apply to the processing of the Personal Data described in Schedule 2, carried out for the Controller by the Processor, and to all Personal Data held by the Processor in relation to all such processing, whether such Personal Data is held at the date of this Agreement or received afterwards.
      2. Schedule 2 describes the type(s) of Personal Data, category or categories of Data Subject, the nature of the processing to be carried out, the purpose(s) of such processing, and the duration of such processing.
      3. The provisions of this Agreement supersede any other arrangement, understanding, or agreement made between the Parties at any time relating to the Personal Data.
      4. This Agreement shall continue in full force and effect for so long as the Processor is processing Personal Data on behalf of the Controller, and thereafter as provided in Clause 10.12.
      5. This Agreement is part of and incorporated in the Terms and Conditions on the reach2teach website owned by the Data Processor.

    3. Provision of the Services and Processing Personal Data
      1. The Controller shall retain control of the Personal Data and shall, at all times, remain responsible for its compliance obligations under the Data Protection Legislation including, but not limited to, providing any and all required notices and obtaining any and all required consents, and for the written processing instructions given to the Processor.
      2. The Processor shall only provide the Services and process the Personal Data received from the Controller:
        1. for the purposes of those Services and not for any other purpose;
        2. to the extent and in such a manner as is strictly necessary for those purposes; and
        3. strictly in accordance with the express written authorisation and instructions of the Controller (which may be specific instructions or instructions of a general nature, or as otherwise notified by the Controller to the Processor).

    4. Data Protection Compliance
      1. All instructions given by the Controller to the Processor shall be made in writing and shall at all times be in compliance with the Data Protection Legislation. The Processor shall act only on such written instructions from the Controller unless the Processor is required by law to do otherwise (as per Article 29 of the UK GDPR).
      2. The Processor shall promptly comply with any request from the Controller requiring theProcessor to amend, transfer, delete, or otherwise dispose of the Personal Data, or to stop, mitigate, or remedy any unauthorised processing.
      3. Both Parties shall comply at all times with the Data Protection Legislation and shall not perform their obligations under this Agreement or any other agreement or arrangement between them in such way as to cause either Party to breach any of its applicable obligations under the Data Protection Legislation.
      4. The Controller hereby warrants, represents, and undertakes that the Personal Data shall comply with the Data Protection Legislation in all respects including, but not limited to, its collection, holding, and processing, and that the Controller has in place all necessary and appropriate consents and notices to enable the lawful transfer of the Personal Data to the Processor.
      5. The Processor agrees to comply with any reasonable measures required by the Controller to ensure that its obligations under this Agreement are satisfactorily performed in accordance with the Data Protection Legislation and any best practice guidance issued by the Commissioner.
      6. The Processor shall provide all reasonable assistance (at the Controller’s cost) to the Controller in complying with its obligations under the Data Protection Legislation with respect to the security of processing, the notification of Personal Data Breaches, the conduct of data protection impact assessments, and in dealings with the Commissioner. What is reasonable, for the purposes of this sub-Clause shall take account of the nature of the Processor’s processing and the information available to the Processor.
      7. The Processor shall notify the Controller in a timely manner of any changes to the Data Protection Legislation that may adversely affect its performance of the Services or of its obligations under this Agreement.
      8. When processing the Personal Data on behalf of the Controller, the Processor shall:
        1. not transfer the Personal Data outside the United Kingdom without the prior written consent of the Controller;
        2. not transfer any of the Personal Data to any third party without the written consent of the Controller.
        3. process the Personal Data only to the extent, and in such manner, as is necessary in order to comply with its obligations to the Controller or as may be required by law (in which case, the Processor shall inform the Controller of the legal requirement in question before processing the Personal Data for that purpose unless prohibited from doing so by law);
        4. implement appropriate technical and organisational measures, including those described in Schedule 3, and take all steps necessary to protect the Personal Data against accidental, unauthorised, or unlawful processing, access, copying, modification, reproduction, display, or distribution of the Personal Data, and against its accidental or unlawful loss, destruction, alteration, disclosure, or damage. The Processor shall inform the Controller in advance of any changes to such measures;
        5. implement measures to ensure a level of security proportionate to the risks involved including, as appropriate:
          1. the pseudonymisation and encryption of Personal Data;
          2. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
          3. the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and
          4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
        6. if so requested by the Controller (and within the reasonable timescales required by the Controller) supply further details of the technical and organisational systems in place to safeguard the security of the Personal Data held and to prevent unauthorised access;
        7. keep complete and accurate records and information concerning all processing activities carried out on the Personal Data in order to demonstrate its compliance with this Agreement and the Data Protection Legislation;
        8. make available to the Controller any and all such information as is reasonably required and necessary to demonstrate the Processor’s compliance with the Data Protection Legislation;
        9. on at least thirty days' prior notice, submit to audits and inspections and provide the Controller with any information reasonably required in order to assess and verify compliance with the provisions of this Agreement and both Parties’ compliance with the requirements of the Data Protection Legislation. The requirement to give notice will not apply if the Controller can provide evidence that theProcessor is in breach of any of its obligations under this Agreement or under the law; and
        10. inform the Controller immediately if it is asked to do anything that infringes the Data Protection Legislation.

    5. Data Subject Requests, Notices, Complaints, and Personal Data Breaches 
      1. The Processor shall, at the Controller’s cost, assist the Controller in complying with its obligations under the Data Protection Legislation. In particular, the provisions of this Clause 5 shall apply to requests by Data Subjects to exercise their rights (including, but not limited to, subject access requests), information or assessment notices served on the Controller by the Commissioner under the Data Protection Legislation, complaints, and Personal Data Breaches.
      2. The Processor shall notify the Controller immediately in writing if it receives:
        1. a request from a Data Subject to exercise their rights; or
        2. any other complaint, notice, communication, or request relating to the processing of the Personal Data or to either Party’s compliance with the Data Protection Legislation.
      3. The Processor shall, at the Controller’s cost, cooperate fully with the Controller and assist as required in relation to any Data Subject request, or other complaint, notice, communication, or request, including by:
        1. providing the Controller with full details of the complaint, notice, communication, or request;
        2. providing the necessary information and assistance in order to comply with a request from a Data Subject;
        3. providing the Controller with any Personal Data it holds in relation to a Data Subject (within the timescales required by the Controller); and
        4. providing the Controller with any other information reasonably requested by the Controller.
      4. The Processor shall not disclose any Personal Data to any Data Subject or to any other third party unless instructed to do so by the Controller in writing, or as required by law.
      5. The Processor shall notify the Controller immediately if it becomes aware of any form of Personal Data Breach, including any unauthorised or unlawful processing, loss of, unintended damage to, or destruction of any of the Personal Data.
      6. If an event of the type described under sub-Clause 10.5.5 occurs:
        1. Where recovery of the affected Personal Data is possible, the Processor shall recover the same as soon as possible.
        2. The Processor shall, without undue delay, also provide the following information to the Controller:
          1. a description of the nature of the event, including the category or categories of Personal Data affected, the approximate number of Personal Data records and Data Subjects involved;
          2. the likely consequences of the event; and
          3. a description of the measures that have been taken or will be taken in response, including those to mitigate potential adverse effects.
        3. The Processor shall provide all reasonable co-ordination, co-operation, and assistance to the Controller in the Controller’s investigation and handling of the event.
        4. The Processor shall not inform any third parties of the event without the Controller’s express written consent, unless required to do so by law.
        5. The Controller shall have the sole right to determine whether to provide notice of the event to any Data Subjects, the Commissioner, other applicable regulators, law enforcement authorities, or other parties, as required by law or regulation or at the Controller’s discretion.
        6. The Controller shall have the sole right to determine whether to offer any form of remedy to affected Data Subjects.
        7. Where the Processor is required to take action and/or provide assistance at its own expense under this sub-Clause 10.5.6, a requirement for the Processor to cover such expenses shall not apply if the event arose from the Controller’s specific written instructions, negligence, wilful default, or breach of this Agreement. In such cases, the Controller shall cover all such reasonable expenses.
        8. The Processor shall reimburse the Controller for reasonable expenses incurred by the Controller when responding to the event.
    6. Staff
      1. The Processor shall ensure that all personnel who are to access and/or process any of the Personal Data:
        1. be informed of the confidential nature of the Personal Data and be bound by contractual use restrictions and confidentiality requirements, as stated in sub-Clause 10.10.2;
        2. be given appropriate training on the Data Protection Legislation and how their job roles relate to it and are affected by it; and
        3. be made aware of both the Processor’s duties, and their personal duties and obligations under the Data Protection Legislation and this Agreement.
      2. The Controller has appointed a data protection officer in accordance with Article 37 of the UK GDPR, whose details are the registered user of this website or as otherwise advised by the Controller
      3. The Processor has appointed a data protection officer in accordance with Article 37 of the UK GDPR whose name is Martin Wood and whose address is the address of the Processor

    7. Warranties
      1. The Processor warrants and represents that:
        1. its employees, subcontractors, agents, and any other person or persons accessing and otherwise handling the Personal Data on its behalf are appropriately trained with respect to compliance with the Data Protection Legislation;
        2. it, and any party acting on its behalf, will process the Personal Data in compliance with the Data Protection Legislation and any and all other applicable laws, regulations, standards, and similar instruments;
        3. nothing, in its reasonable belief, in the Data Protection Legislation prevents it from providing the Services;
        4. it will take all appropriate and proportionate technical and organisational measures to prevent the accidental, unauthorised, or unlawful processing of the Personal Data and the loss of or damage to the Personal Data, ensuring a level of security appropriate in light of:
          1. the potential harm resulting from such an event;
          2. the nature of the Personal Data in question;
          3. the measures necessary to comply with all applicable Data Protection Legislation and all relevant policies and procedures.
      2. The Controller warrants and represents that the Processor’s use of the Personal Data in its provision of the Services and as specifically instructed by the Controller shall comply with the Data Protection Legislation.

    8. Liability and Indemnity
      1. The Controller shall be liable for, and shall indemnify (and keep indemnified) the Processor in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Processor arising directly or in connection with:
        1. any non-compliance by the Controller with the Data Protection Legislation;
        2. any processing carried out by the Processor in accordance with instructions given by the Controller that infringes the Data Protection Legislation; or
        3. any breach by the Controller of its obligations under this Agreement,
          1. except to the extent that the Processor is liable under sub-Clause 10.8.2.
      2. The Processor shall be liable for, and shall indemnify (and keep indemnified) the Controller in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, the Controller arising directly or in connection with the Processor’s processing activities that are subject to this Agreement:
        1. only to the extent that the same results from the Processor’s breach of, or non-compliance with, this Agreement, the Controller’s instructions, or the Data Protection Legislation; and
        2. not to the extent that the same is, or are contributed to, by any breach of this Agreement by the Controller.
      3. The Controller shall not be entitled to claim back from the Processor any sums paid in compensation by the Controller in respect of any damage to the extent that the Controller is liable to indemnify the Processor under sub-Clause 10.8.1.
      4. Nothing in this Agreement (and in particular, this Clause 10.8) shall relieve either Party of, or otherwise affect, the liability of either Party to any Data Subject, or for any other breach of that Party’s direct obligations under the Data Protection Legislation. Furthermore, the Processor hereby acknowledges that it shall remain subject to the authority of the Commissioner and shall co-operate fully therewith, as required, and that failure to comply with its obligations as a Processor under the Data Protection Legislation may render it subject to the fines, penalties, and compensation requirements set out in the Data Protection Legislation.

    9. Intellectual Property Rights
      All copyright, database rights, and other intellectual property rights in the Personal Data (including but not limited to any updates, amendments, or adaptations to the Personal Data made by either the Controller or the Processor) shall belong to the Controller or to any other applicable third party from whom the Controller has obtained the Personal Data under licence (including, but not limited to, Data Subjects, where applicable). The Processor is licensed to use such Personal Data only for the purposes of providing the Services, and in accordance with this Agreement.

    10. Confidentiality
      1. The Processor shall maintain the Personal Data in confidence, and in particular, unless the Controller has given written consent for the Processor to do so, the Processor shall not disclose any Personal Data supplied to the Processor by, for, or on behalf of, the Controller to any third party. The Processor shall not process or make any use of any Personal Data supplied to it by the Controller otherwise than in connection with the provision of the Services to the Controller.
      2. The Processor shall ensure that all personnel who are to access and/or process any of the Personal Data are contractually obliged to keep the Personal Data confidential.
      3. The obligations set out in in this Clause 10 shall continue for a period of two years after the cessation of the provision of Services by the Processor to the Controller.
      4. Nothing in this Agreement shall prevent either Party from complying with any requirement to disclose Personal Data where such disclosure is required by law. In such cases, the Party required to disclose shall notify the other Party of the disclosure requirements prior to disclosure, unless such notification is prohibited by law.

    11. Subcontractors
      1. The Processor shall not subcontract any of its obligations or rights under this Agreement without the prior written consent of the Controller such consent not to be unreasonably withheld.
      2. If the Processor appoints a subcontractor the Processor shall:
        1. enter into a written agreement with the subcontractor which shall impose upon the subcontractor the same obligations as are imposed upon the Processor by this Agreement and which shall permit both the Processor and the Controller to enforce those obligations;
        2. ensure that the subcontractor complies fully with its obligations under that agreement and the Data Protection Legislation;
        3. maintain control over all Personal Data transferred to the subcontractor; and
      3. In the event that a subcontractor fails to meet its reasonable obligations under any such agreement, the Processor shall remain fully liable to the Controller for failing to meet its obligations under this Agreement.
      4. The Processor shall be deemed to have control legally over any Personal Data that is in the possession of or practically controlled by its subcontractors.

    12. Deletion and/or Disposal of Personal Data
      1. The Processor shall, at the written request of the Controller, delete or otherwise dispose of the Personal Data or return it to the Controller in the format(s) reasonably requested by the Controller within a reasonable time after the earlier of the following:
        1. the end of the provision of the Services.
        2. the processing of that Personal Data by the Processor is no longer required for the performance of the Processor’s obligations under this Agreement.
      2. Following the deletion, disposal, or return of the Personal Data under sub-Clause 10.12.1, the Processor shall delete or otherwise dispose of all further copies of the Personal Data that it holds, unless retention of such copies is required by law, in which case the Processor shall inform the Controller of such requirement(s) in writing.

    13. Consideration
      The Processor accepts the obligations in this Agreement in consideration of the payment of £1 from the Controller, receipt of which the Processor hereby acknowledges.

    14. Law and Jurisdiction
      1. This Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall be governed by, and construed in accordance with, the laws of England and Wales.
      2. Any dispute, controversy, proceedings or claim between the Parties relating to this Agreement (including any non-contractual matters and obligations arising therefrom or associated therewith) shall fall within the jurisdiction of the courts of England and Wales.

    We may use autoresponders to communicate with you by e-mail. To protect your privacy, we use a verified opt-in system for such communications and you can always opt-out of such communications using the links contained in each autoresponder message. If you have difficulties opting out, you may contact us by sending an e-mail to, or sending us mail to the address listed below.

    This website does not monitor for or behave differently if your computer transmits a do not track or similar beacon or message.

    Unfortunately, the transmission of information via the internet is not completely secure. Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted to our Website. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on our Websites, including the illegal acts of third parties (such as criminal hacking).

    The terms of this policy may change from time to time. If we make material changes to how we treat our users’ personal information, we will notify you by e-mail to the e-mail address specified through your account. Your continued use of our websites constitutes your consent to such revised privacy policy.

    If you are concerned about the topic covered by this policy, you should read it each time before you use our websites. Any questions or concerns about this policy should be brought to our attention by sending an e-mail to, or one of the methods provided under Contact Information, and providing us with information relating to your concern.


    To ask questions or comment about this privacy policy and our privacy practices, contact us at:
    Highgate Cottage
    Cheltenham Road
    Broadway WR12 7BX
    United Kingdom

    Last updated on 1st March 2021



A six or twelve month subscription whenever paid by the Controller for the use of the website owned by the Processor.


Personal Data

Type of Personal Data

Category of Data Subject

Nature of Processing Carried Out

Purpose(s) of Processing

Duration of Processing

Unique Pupil Number (UPN), name, Date of Birth, Gender, Year group. Optional data includes; Learning history, family background  and observational information in as far as that may impact on learning, social and emotional characteristics.

Pupil of any age from Early Years Foundation Stage to Higher Education

Scoring the answers to an observational questionnaire before and after applying intervention strategies provided by the software to help the pupil.

To help the pupil to settle to learn, focus and concentrate on educational tasks and to avoid exclusion from mainstream education

Data is kept as long as the user or we have a good reason to justify retention


Technical and Organisational Data Protection Measures

 The following are the technical and organisational data protection measures referred to in Sub-Clause 10.4:

  1.  The Processor shall ensure that, in respect of all Personal Data it receives from or processes on behalf of the Controller, it maintains security measures to a standard appropriate to:
    1. the harm that might result from unlawful or unauthorised processing or accidental loss, damage, or destruction of the Personal Data; and
    2. the nature of the Personal Data.

  2. In particular, the Processor shall:
    1. have in place, and comply with, a security policy which:
      1. defines security needs based on a risk assessment;
      2. allocates responsibility for implementing the policy to a specific individual or personnel;
      3. is disseminated to all relevant staff; and
      4. provides a mechanism for feedback and review.
    2. ensure that appropriate security safeguards and virus protection are in place to protect the hardware and software which is used in processing the Personal Data in accordance with best industry practice;
    3. prevent unauthorised access to the Personal Data;
    4. protect the Personal Data using pseudonymisation and encryption, where it is practical to do so;
    5. ensure that its storage of Personal Data conforms with best industry practice such that the media on which Personal Data is recorded (including paper records and records stored electronically) are stored in secure locations and access by personnel to Personal Data is strictly monitored and controlled;
    6. have secure methods in place for the transfer of Personal Data whether in physical form (for example, by using couriers rather than post) or electronic form (for example, by using encryption);
    7. password protect all computers and other devices on which Personal Data is stored, ensuring that all passwords are secure), and that passwords are not shared under any circumstances;
    8. take reasonable steps to ensure the reliability of personnel who have access to the Personal Data;
    9. have in place methods for detecting and dealing with breaches of security (including loss, damage, or destruction of Personal Data) including:
      1. the ability to identify which individuals have worked with specific Personal Data;
      2. having a proper procedure in place for investigating and remedying breaches of the Data Protection Legislation; and
      3. notifying the Data Controller as soon as any such security breach occurs.
    10. have a secure procedure for backing up all electronic Personal Data and storing back-ups separately from originals;
    11. have a secure method of disposal of unwanted Personal Data including for back-ups, disks, print-outs, and redundant equipment;