This Privacy Notice outlines how Herts for Learning Limited, trading as HFL Education ("the Company", "we", "us", or "our"), collects, uses, and processes personal data, and the measures we take to ensure its protection. It also informs you of your rights regarding your personal data and provides guidance on how to raise any questions or concerns.
This document details:
- The types of personal data we collect (i.e., information that can identify an individual),
- The purposes for which we process this data, and
- The parties with whom it may be shared.
In accordance with data protection legislation, the Company acts as both a data controller and a data processor.
We are committed to safeguarding your personal information. Any data you provide will be managed in line with this Privacy Notice and handled with the highest standards of privacy and security.
1. Our details
Herts for Learning Limited t/a HFL Education, Bank House, Ground Floor – North Wing, Primett Road, Stevenage, Herts, SG1 3EE
Information Commissioner's Office Registration Number: ZA154308
Our Data Protection Officer is: Lynette Dexter, Company Secretary – email: dp.foi@hfleducation.org
2. Why we collect Personal Data
We collect and retain personal information relating to our users and customers, as well as individuals whose personal data is processed by the Company under contractual agreements.
Personal data may be shared with other agencies, but only when necessary to fulfil our legal obligations or in accordance with our contractual and operational responsibilities.
The personal data we collect is typically provided voluntarily by users or customers when registering with us, purchasing products, or engaging with us under a contractual agreement.
We collect personal information primarily for the following purposes:
- To fulfil contractual obligations, including the provision of products and services
- To deliver a high standard of customer service
- To monitor and evaluate the quality of our products and services
- To pursue legitimate business interests, provided these do not override your data protection rights or fundamental freedoms
- Where explicit consent has been given
- To respond to enquiries or requests
- To comply with legal and regulatory requirements.
3. Legal basis for processing Personal Data
The legal basis for collecting and processing personal data, as outlined in this Privacy Notice, depends on the nature of the data and the context in which it is collected and used.
In most instances, we process personal data because it is necessary for the performance of a contract to which both the Company and the data subject are parties, or to take steps at the request of the data subject prior to entering into such a contract.
We may also process personal data where it is necessary for the purposes of our legitimate interests or those of a third party, provided these interests are not overridden by the data subject’s rights and freedoms. This includes data processing required to fulfil contractual obligations.
We do not process special categories of personal data unless it is necessary for reasons of substantial public interest, such as compliance with legal obligations under the Equality Act 2010, or to protect the vital interests of the data subject or another individual. In such cases, appropriate safeguards are in place to ensure the security of this data.
For clarity, special categories of personal data include information revealing:
- Racial or ethnic origin
- Political opinions, religious or philosophical beliefs, or trade union membership
- Genetic or biometric data used for unique identification
- Health-related data, or data concerning sex life or sexual orientation
- Data relating to criminal convictions, offences, or associated security measures
Additional personal data, including special category data, may be collected and processed where explicit consent has been provided. Where consent is the sole legal basis for processing, it may be withdrawn at any time, after which the data will no longer be collected or processed.
4. Categories of Personal Data we collect about you
As a user of our services, we may collect the following types of personal data (please note this is not an exhaustive list and may be updated periodically):
- Your full name
- The name of your organisation
- Your job title
- Telephone number(s)
- Email address
- Any postal addresses you provide
This information is typically collected when you register for our services, make a purchase, or contact us directly. We use your contact details to respond to enquiries and to communicate with you when necessary.
All personal data collected is treated as confidential and managed in accordance with the principles of applicable data protection legislation.
5. Who will have access to your Personal Data
Personal data collected by HFL Education will be accessible to authorised members of staff. Where necessary, directors may also be granted access. Access is strictly limited to individuals who require the information for legitimate business purposes. All personnel handling personal data are required to do so in an authorised manner and are bound by a duty of confidentiality.
We do not share personal data with third parties without your consent, unless required to do so by law or in accordance with our internal policies. Disclosure of personal data to third parties may occur under the following circumstances:
- To comply with a legal obligation
- To enforce agreements entered into with you
- To fulfil contractual obligations through third-party suppliers acting as data processors. We work closely with these suppliers to ensure they meet the requirements of applicable data protection legislation, including the UK GDPR. Our primary third-party subcontractors and data processors include (but are not limited to):
Data processor | Main purpose | Link to Privacy Policy |
Accipio | ‘HFL Hub’ Learning Management System | https://www.accipio.com/certifications-and-policies/privacy-policy/ |
Capita | Security clearance applications | |
Cheeky Munkey | Sharing of ConnectWise licence – IT helpdesk software | |
ConnectWise | IT helpdesk software | |
GovernorHub | Software for governance boards | |
Hertfordshire County Council | Statutory and commissioned work for Hertfordshire schools | https://www.hertfordshire.gov.uk/about-the-council/legal/privacy-policy/privacy-policy.aspx |
Innovate Healthcare | Health services provider | |
MHR UK (iTrent) | HR Information & payroll service / software | |
Modern Governor | Learning management system for governing boards | |
(Oracle) NetSuite | Accounting & client trading software | |
Stripe Payment Systems | Ecommerce payment system | |
Teach in Herts | Jobs board for Hertfordshire schools | |
UK Independent Medical | Health services provider |
- to protect the rights, property or safety of the Company.
This may include sharing data with our Local Authority (Hertfordshire County Council), the Department for Education (DfE) (please see Section 2), the Police and other organisations where necessary.
Certain data collection obligations are placed on us by the DfE. To find out more about the data collection requirements placed on us by the DfE (for example; via the school census) visit: https://www.gov.uk/education/data-collection-and-censuses-for-schools.
6. How Personal Data will be processed
Personal data may be processed in various ways, including but not limited to:
- Maintaining written records
- Verifying identity
- Communicating via email
- Inputting data into spreadsheets, word documents, databases, or similar systems for analysis and assessment
- Utilising educational software for purposes such as supporting learning, behaviour management, reporting, and other educational functions
All processing activities are carried out in accordance with applicable data protection legislation and are subject to appropriate safeguards to ensure the confidentiality and integrity of the data.
HFL is committed to the ethical and lawful use of Artificial Intelligence (AI) technologies to support and enhance our business operations, ensuring that their application respects the rights, privacy, and well-being of all employees and stakeholders. These tools may be used to assist with data analysis, automate routine tasks, and improve decision-making processes.
7. Cookies
This website uses cookies. We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.
Cookies are small text files that can be used by websites to make a user's experience more efficient.
The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission.
This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
You can at any time change or withdraw your consent from the Cookie Declaration on our website. Please state your consent ID and date when you contact us regarding your consent.
Cookies for the website: www.hfleducation.org
Necessary (6)
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
| | | | |
|---|---|---|---|---|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
Statistics (16)
Statistic cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
| | | | |
|---|---|---|---|---|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
Marketing (15)
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.
| | | | |
|---|---|---|---|---|
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
Unclassified (1)
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
| | | | |
|---|---|---|---|---|
| | | | |
Cookies for the website: www.hertsforlearning.co.uk (our ecommerce platform)
8. Links to other websites
While using our website, you may encounter links to external web pages operated by third parties. Please be aware that we have no control over the content or operation of these external sites. As such, we cannot be held responsible for the protection and privacy of any personal data you may provide while visiting them.
We strongly recommend that you review the privacy policies of any third-party websites you visit to understand how your information may be collected, used, and protected.
9. Where we store Personal Data and how we keep Personal Data secure
We are committed to ensuring that any personal data you provide is handled securely. To safeguard your information, we have implemented appropriate physical, electronic, and managerial procedures.
Electronic records of personal data are stored securely, and data is only processed when we are confident that adequate security measures are in place. All information you provide is stored on the cloud or on secure servers. If you have been given (or have chosen) a password to access certain parts of our website, you are responsible for keeping this password confidential and must not share it with anyone.
In some cases, personal data may be shared with third-party providers (e.g., subcontracted software suppliers), which could result in data being stored outside the European Economic Area (EEA). However, we ensure that any sensitive data relating to young people is only processed by suppliers who store that data within the EEA. Where data is transferred outside the EEA, we take all reasonable steps to ensure it is protected in accordance with this Privacy Notice, including the use of contractual safeguards.
Our website is equipped with security measures to prevent loss, misuse, or alteration of the data under our control. All unauthorised access attempts are logged and investigated. Where appropriate, HFL Education will report such incidents to law enforcement or relevant authorities.
We respect the privacy of email accounts and store email addresses securely. Your details will not be shared with any external organisation without your explicit consent.
We may use email to keep you informed about products, services, and offers that may be of interest to you. If you prefer not to receive such communications, please let us know.
10. Retention periods
We retain personal data only for as long as necessary to fulfil the purpose for which it was originally collected. As a general principle, retention periods are determined in accordance with guidance issued by the Information and Records Management Society (IRMS).
In certain circumstances, personal data may be retained for extended periods where required by law or where necessary to establish, exercise, or defend legal claims.
Once the applicable retention period has expired, personal data is securely and permanently deleted or destroyed in accordance with our data disposal procedures.
11. Your Data rights
The General Data Protection Regulation and associated data protection law gives you rights in relation to Personal Data held about you. These are:
- Right to be informed: you have the right to be informed about the collection and use of your data. This Notice contains information in relation to the collection of your Personal Data, however, if we collect additional data for other purposes, we will inform you about this.
- Right of Access: if your Personal Data is held by us, you are entitled to access your Personal Data (unless an exception applies) by submitting a written request. For further details please refer to our Subject Access Request (SAR) procedure (Section 13).
- Right of Rectification: you have the right to require us to rectify any inaccurate Personal Data we hold about you. You also have the right to have incomplete Personal Data we hold about you completed. If you have any concerns about the accuracy of Personal Data that we hold then please contact us.
- Right to Restriction: you have the right to restrict the manner in which we can process Personal Data where:
- the accuracy of the Personal Data is being contested by you;
- the processing of your Personal Data is unlawful, but you do not want the relevant Personal Data to be erased; or
- we no longer need to process your Personal Data for the agreed purposes, but you want to preserve your Personal Data for the establishment, exercise or defence of legal claims.
Where any exercise by you of your right to restriction determines that our processing of particular Personal Data are to be restricted, we will then only process the relevant Personal Data in accordance with your consent and, in addition, for storage purposes and for the purpose of legal claims.
- Right to Erasure: you have the right to require we erase your Personal Data which we are processing where one of the following grounds applies:
- the processing is no longer necessary in relation to the purposes for which your Personal Data were collected or otherwise processed;
- our processing of your Personal Data is based on your consent, you have subsequently withdrawn that consent and there is no other legal ground we can use to process your Personal Data;
- the Personal Data have been unlawfully processed; and
- the erasure is required for compliance with a law to which we are subject.
- Right to Data Portability: you have the right to receive your Personal Data in a format that can be transferred. We will normally supply Personal Data in the form of e-mails or other mainstream software files. If you want to receive your Personal Data which you have provided to us in a structured, commonly used and machine-readable format, please contact us via the details in this Notice.
- Right to object: you have the right to object to the processing of your Personal Data where one of the following grounds apply:
- the processing is based on legitimate interests or the performance of a task in the public interest;
- the processing is for direct marketing; or
- the processing is for the purposes of scientific/ historical research and statistics.
You can find out more about the way these rights work from the Information Commissioner's Office (ICO) website.
12. Managing your communication preferences and personal information
If at any time you wish to stop receiving communications from HFL Education, please contact us and we will update our records accordingly. You can opt out of receiving updates by:
- Submitting a request via the Contact Us form on the HFL Education website: www.hfleducation.org, or
- Sending an email to info@hfleducation.org, clearly identifying yourself and requesting removal from our contact lists.
If you believe that any personal information we hold about you is inaccurate or incomplete, please contact us by email or in writing as soon as possible. We will promptly correct any verified inaccuracies.
To update or modify previously provided information, please email info@hfleducation.org, clearly identifying yourself and specifying the changes you wish to make.
13. Subject Access Request (requesting your Personal Data)
You have the right to request access to the personal data we hold about you. This can be done by submitting a Subject Access Request (SAR).
A SAR is a written or verbal request for personal information held about you by an organisation. Under data protection legislation, individuals are entitled to know what personal data is held about them, subject to certain exemptions outlined in the Data Protection Act 2018.
To submit a SAR to HFL Education, we recommend sending a written request via email to our Data Protection Officer at dp.foi@hfleducation.org. To help us respond promptly and effectively, please include:
- Details of your relationship with HFL Education
- A clear description of the personal data you wish to access
- Any relevant dates, search criteria, or other information that may assist us in locating the data.
14. Making a complaint
Under the Data Use and Access Act 2025 (DUAA), you have the right to raise a complaint if you believe your personal data has been mishandled or your data protection rights have been infringed.
If you wish to raise a concern about how HFL Education has handled your personal data, please contact us directly in the first instance. You can submit a complaint using our online Complaints Form or by contacting us via email at dp.foi@hfleducation.org. Your complaint will be managed in line with the HFL Complaints Policy and we will aim to resolve the complaint within 20 working days of receipt.
We will:
- Review the details of your complaint.
- Keep you informed of progress.
- Provide a clear outcome once the investigation is complete.
If you are not satisfied with our response, you may escalate your complaint to the Information Commission’s Office, the UK’s independent regulator for data protection:
ICO website: www.ico.org.uk/make-a-complaint/
ICO Helpline: 0303 123 1113
15. Changes to this Privacy Policy
Any changes we make to this notice in the future will be posted on our website and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes.
This Privacy Policy was last updated on 12 November 2025.
