Privacy Policy
How we collect, use, store, and protect your personal data.
1. Introduction
The Data and AI School of London (referred to in this policy as "the school", "we", "us", or "our") is committed to protecting the privacy and personal data of all individuals who interact with us. This includes learners enrolled on our programmes, prospective learners who enquire about our courses, staff and associate tutors, and any other person whose data we process in the course of our operations.
We deliver our qualifications entirely online. As a result, the personal data we collect is processed digitally across a range of platforms and cloud-based services. We recognise that this creates specific data protection obligations, and we take those obligations very seriously.
This Privacy Policy explains:
- who we are and how to contact us
- what personal data we collect and why
- the legal basis on which we process your data
- how long we keep your data
- who we share your data with
- your rights under UK data protection law
- how to make a complaint or exercise your rights
2. Who We Are
2.1 Data Controller
The Data and AI School of London is the data controller for all personal data processed in connection with our qualifications, services, and website.
| Organisation | Data and AI School of London |
|---|---|
| Address | Office LG06, 1 Quality Court, Chancery Lane, London WC2A 1HR |
| Phone | +44 207 0990 956 |
| privacy@dataaischool.com | |
| ICO Registration Number | ZC086597 |
| Data Protection Officer | Ali Fraz Khan |
| DPO Contact Email | dpo@dataaischool.com |
2.2 ICO Registration
We are registered with the Information Commissioner's Office (ICO) as required by the Data Protection Act 2018. Our ICO registration number is ZC086597. You can verify our registration at ico.org.uk/registration.
3. Legal Framework
This policy and all of our data processing activities comply with the following legislation:
| Legislation / Framework | Relevance |
|---|---|
| UK General Data Protection Regulation (UK GDPR) | Primary legislation governing personal data processing in the United Kingdom. |
| Data Protection Act 2018 | Supplements UK GDPR and sets out the UK's national provisions for data protection. |
| Privacy and Electronic Communications Regulations 2003 (PECR) | Governs electronic marketing, cookies, and electronic communications. |
| Computer Misuse Act 1990 | Governs unauthorised access to computer systems and data. |
| Online Safety Act 2023 | Applies to our online platforms and the safety of learners using them. |
4. The Personal Data We Collect
We collect only the data that is necessary for the purposes described in this policy.
4.1 Learner Data
Identity and Contact Data
- Full name, date of birth, email address, phone number, home address
- Photographic identity (passport or driving licence, for identity verification)
- Unique Learner Number (ULN), assigned by the Learning Records Service
Enrolment and Qualification Data
- Qualification enrolled on and units registered
- Entry requirements evidence (prior qualifications, transcripts)
- Application form responses, enrolment date, qualification completion status and certification records
Learning and Assessment Data
- Assessment submissions (assignments, projects, code repositories, portfolios)
- Assessment grades, feedback, and quality assurance records
- Originality check reports (e.g. Turnitin similarity scores)
- Recognition of Prior Learning (RPL) evidence and decisions
- Reasonable adjustment and special consideration applications and outcomes
Engagement and Platform Data
- VLE login activity, last access dates, and content completion records
- Assessment submission timestamps
- Messages sent through the VLE messaging system
- Attendance records for live online sessions
Special Category Data (Sensitive Data)
We may process health and disability information for reasonable adjustments and mental health information where voluntarily disclosed for learner support. We process special category data only where we have obtained the learner's explicit consent, or where processing is necessary in the substantial public interest to provide education and training.
4.2 Prospective Learner Data
When someone enquires about our programmes, we collect name, email address, the course of interest, and any information provided voluntarily in the enquiry message. We retain prospective learner data for 12 months from the date of enquiry, after which it is securely deleted unless the individual has enrolled.
4.3 Website and Technical Data
When visitors use our website, we may collect IP address and browser type, pages visited and duration of visit, referral source, and cookie data (see Section 13). Website analytics data is aggregated and anonymised wherever possible and used solely to improve our website.
4.4 Data We Do Not Collect
- Payment card details (processed by a third-party payment provider, we do not store card data)
- Biometric data (we do not use fingerprint, facial recognition, or other biometric systems)
- CCTV recordings (we have no physical premises requiring CCTV)
5. How We Collect Personal Data
5.1 Directly from You
Most personal data is provided directly when you complete our online application or enquiry form, enrol on a qualification, upload identity documents, submit assignments or portfolios, communicate with staff, or complete feedback forms.
5.2 Automatically Through Platforms
Some data is collected automatically through VLE login records, assessment submission metadata, session recordings (with prior notice), and website cookies and analytics.
5.3 From Third Parties
In limited circumstances we receive data from the Learning Records Service (LRS) for ULN validation, from employers for work placement confirmation, and from the Disclosure and Barring Service (DBS) for staff checks.
6. Why We Process Your Data and Our Legal Basis
UK GDPR requires us to have a lawful basis for each purpose for which we process personal data.
| Purpose of Processing | Lawful Basis (UK GDPR Article 6) |
|---|---|
| Responding to enquiries and processing applications | Article 6(1)(b), Performance of a contract (pre-contractual steps) |
| Enrolling you onto a qualification | Article 6(1)(b), Performance of a contract |
| Delivering online teaching and learning | Article 6(1)(b), Performance of a contract |
| Assessing and quality-assuring your qualification | Article 6(1)(b), Performance of a contract |
| Issuing your qualification certificate | Article 6(1)(b), Performance of a contract |
| Safeguarding, protecting the welfare of learners | Article 6(1)(c), Legal obligation; Article 9(2)(g), Substantial public interest |
| Providing learner support and monitoring engagement | Article 6(1)(b), Performance of a contract |
| Processing reasonable adjustments and special considerations | Article 6(1)(b), Contract; Article 9(2)(a), Explicit consent |
| Employing and managing staff and associate tutors | Article 6(1)(b), Performance of a contract; Article 6(1)(c), Legal obligation |
| Sending marketing communications | Article 6(1)(a), Consent (you can withdraw at any time) |
| Improving our website and online platforms | Article 6(1)(f), Legitimate interests |
7. Platforms and Third-Party Data Processors
Because we operate entirely online, we use third-party digital platforms to deliver our programmes. These providers process personal data on our behalf under written Data Processing Agreements (DPAs) and are contractually bound to process data only on our instructions.
Our website currently uses the following third-party services:
| Service | Purpose | Data Processed |
|---|---|---|
| Tawk.to (live chat) | Customer support chat on our website | IP address, messages sent via chat, browser information. Only loaded after you give cookie consent. |
| Google Fonts | Website typography | Your IP address is transmitted to Google's servers when fonts are loaded. Only loaded after you give cookie consent. |
We review our platform register annually and update DPAs whenever we adopt a new platform. We will never allow a third-party processor to use your personal data for their own purposes.
8. Sharing Your Personal Data
We do not sell your personal data. We do not share your data with organisations for their own marketing or commercial purposes. We share personal data only in the following circumstances:
- With our platform providers, as described in Section 7, acting as data processors under DPAs.
- With employers (work placements), where a qualification includes a placement, with learner consent.
- In safeguarding situations, we may share data with local authority children's services, adult social care, or the police where necessary to protect life or prevent serious harm.
- With associate tutors, who are given access to learner data strictly necessary for their role, governed by their subcontractor agreement.
- Legal requirements, where required by law, court order, or formal law enforcement request.
9. International Data Transfers
We process and store personal data within the United Kingdom wherever possible. Where any of our platform providers transfer personal data outside the UK, we ensure adequate safeguards are in place, including UK adequacy decisions, Standard Contractual Clauses (SCCs), or Binding Corporate Rules (BCRs).
10. How Long We Keep Your Data
| Data Category | Retention Period |
|---|---|
| Learner assessment portfolios and submitted evidence | 3 years minimum from qualification completion date |
| Learner registration, achievement, and certification records | 7 years from the date of qualification award |
| Staff employment records | Duration of employment plus 6 years |
| Complaints and appeals records | 3 years from resolution |
| Safeguarding records | As required by statutory guidance; potentially until learner's 25th birthday for serious cases |
| Prospective learner enquiry data | 12 months from the date of enquiry (if not enrolled) |
| Marketing consent records | Until consent is withdrawn, then 3 years as evidence of prior consent |
| Website analytics data | 26 months from collection |
At the end of each retention period, personal data is securely deleted or anonymised.
11. Your Rights Under UK GDPR
UK GDPR gives you significant rights over the personal data we hold about you. To exercise any of these rights, please contact our Data Protection Officer at dpo@dataaischool.com.
| Right | What It Means |
|---|---|
| Right to be informed | The right to be told clearly how and why we process your data. This Privacy Policy fulfils this obligation. |
| Right of access (SAR) | The right to request a copy of all personal data we hold about you. We will respond within one month. |
| Right to rectification | The right to have inaccurate personal data corrected or incomplete data completed. |
| Right to erasure | The right to request deletion of your personal data. This right is not absolute, we may be required to retain certain data by law. |
| Right to restrict processing | The right to request that we restrict how we use your data while a dispute or investigation is underway. |
| Right to data portability | The right to receive your personal data in a structured, machine-readable format. |
| Right to object | The right to object to processing based on legitimate interests or for direct marketing. For direct marketing: we must stop immediately. |
| Right to withdraw consent | Where we process data on the basis of consent, you can withdraw that consent at any time. |
To exercise any right, send a written request to dpo@dataaischool.com including your full name, the email address associated with your account, and a clear description of the right you wish to exercise. We will respond within one calendar month.
12. How We Keep Your Data Secure
We implement robust technical and organisational measures to protect personal data, including:
- Access controls, role-based access ensures staff can only access data necessary for their role
- Multi-factor authentication (MFA), enforced on all accounts holding personal data
- Encryption, data in transit is protected by HTTPS/TLS; data at rest is encrypted on all platforms where available
- Cloud backups, automated daily backups to a secondary cloud location
- Data protection training, all staff complete training at induction and annually thereafter
- Data breach procedure, we notify the ICO within 72 hours of becoming aware of a notifiable breach (UK GDPR Article 33)
If you believe your personal data held by us has been compromised, contact our DPO at dpo@dataaischool.com immediately.
13. Cookies and Website Tracking
Cookies are small text files placed on your device when you visit a website. When you first visit our website, you will be shown a cookie consent banner. You can accept or decline non-essential cookies at any time using the link in the footer.
| Cookie Type | Purpose | Consent Required? |
|---|---|---|
| Strictly necessary | Essential for the website to function (e.g. your theme preference stored locally on your device). | No |
| Functional / performance | Google Fonts, loads website typography from Google's servers. Your IP address is transmitted to Google. | Yes, only loaded after consent |
| Live chat | Tawk.to, enables the live chat widget. Sets cookies and processes visitor IP and chat data. | Yes, only loaded after consent |
You can also control cookies through your browser settings. Note that disabling strictly necessary cookies may affect your ability to use our website.
14. Marketing Communications
We will only send you marketing communications where you have given us your explicit consent. You can withdraw consent at any time by clicking the "unsubscribe" link in any marketing email, or by emailing privacy@dataaischool.com.
We do not share your contact details with other organisations for marketing purposes. We do not engage in cold calling or unsolicited SMS marketing.
15. Children's Data and Learners Under 18
Some of our programmes may be open to learners under the age of 18. Where we process personal data about a learner under 18, we apply additional safeguards:
- A parent or guardian must provide consent on behalf of learners under 13 for any data processing not strictly required by the qualification contract.
- Our safeguarding policy applies in full to all learners under 18.
- We do not use the personal data of learners under 18 for any marketing purpose.
16. Automated Decision-Making and Profiling
We do not currently use any automated decision-making systems that make legally significant decisions about learners or staff without human involvement. All assessment decisions, support interventions, and qualification outcomes involve human review by qualified staff.
We use VLE analytics to monitor learner engagement levels to identify learners who may be at risk of disengagement. However, this monitoring only informs human decisions, no automated action is taken without human review.
17. Special Situations
17.1 The Learning Records Service (LRS) and Unique Learner Numbers
All learners registered for a regulated qualification must have a Unique Learner Number (ULN), assigned by the Learning Records Service operated by the Education and Skills Funding Agency (ESFA). The LRS maintains a national record of qualification achievements.
17.2 Freedom of Information
The Data and AI School of London is a private training provider and is not a public authority for the purposes of the Freedom of Information Act 2000. All requests for information about our practices should be directed to our DPO.
18. Your Right to Complain
18.1 Complain to Us First
If you are unhappy with how we have handled your personal data, please contact our DPO in the first instance at dpo@dataaischool.com. We will investigate and respond promptly.
18.2 Complain to the ICO
If you are not satisfied with our response, you have the right to make a complaint to the Information Commissioner's Office (ICO):
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Online complaint form: ico.org.uk/make-a-complaint/
You should make a complaint to the ICO within three months of your last contact with us about the matter.
19. Changes to This Privacy Policy
We review this Privacy Policy at least annually, and also whenever there is a material change to the personal data we process, the platforms we use, or the applicable law. Where we make a material change, we will update the version number and date, publish the updated policy on our website, and notify currently enrolled learners by email.
Version History
| Version | Date | Summary |
|---|---|---|
| 1.0 | April 2026 | Initial version. UK GDPR and Data Protection Act 2018 compliant. ICO registration ZC086597. |