Data Protection

Your rights under UK GDPR and how we protect your data

Our Data Protection Commitment

Whitespace is fully committed to protecting personal data in accordance with UK GDPR and the Data Protection Act 2018. As an educational platform, we take special care with student data and implement the highest standards of data protection.

Your Data Protection Rights

Under UK GDPR, you have comprehensive rights regarding your personal data:

1. Right to Access (Subject Access Request)

You can request a copy of all personal data we hold about you. We will provide:

  • What data we process
  • Why we process it
  • Who we share it with
  • How long we keep it
  • Your rights regarding the data

Response time: Within 30 days, free of charge

2. Right to Rectification

If any information we hold is incorrect or incomplete, you can request correction. We will:

  • Update the information promptly
  • Notify any third parties of the correction
  • Confirm the changes to you

3. Right to Erasure ('Right to be Forgotten')

You can request deletion of your data when:

  • It's no longer needed for its original purpose
  • You withdraw consent (where applicable)
  • You object to the processing
  • The data was unlawfully processed

Note: We may retain data if required for legal obligations or safeguarding.

4. Right to Restrict Processing

You can limit how we use your data while:

  • Verifying accuracy of disputed data
  • Investigating unlawful processing claims
  • Retaining data for legal claims
  • Considering objection requests

5. Right to Data Portability

You can receive your data in a:

  • Structured format
  • Commonly used format
  • Machine-readable format
  • Direct transfer to another provider (where feasible)

6. Right to Object

You can object to processing based on:

  • Legitimate interests
  • Direct marketing (we never do this)
  • Research purposes
  • Statistical purposes

7. Rights Related to Automated Decision Making

We do not use fully automated decision-making or profiling that produces legal effects.

Special Protections for Children

As we serve students under 18, we implement enhanced protections:

Data Minimisation

  • Collect only first names for students
  • No unnecessary personal details
  • Age-appropriate data collection
  • Clear, simple privacy information

Parental Rights

  • Parents can exercise rights on behalf of children
  • Access through school's data protection officer
  • Age-appropriate consent mechanisms
  • Transparent communication with schools

Enhanced Security

  • Additional encryption for student data
  • Restricted access controls
  • Regular security audits
  • Immediate breach notifications

Prohibited Activities

  • No marketing to students
  • No profiling or tracking
  • No sale of student data
  • No unnecessary data sharing

How to Exercise Your Rights

For Students

  1. Contact your teacher or school administrator
  2. School's Data Protection Officer will handle your request
  3. Parents/guardians can make requests on your behalf

For Teachers

Email: darren@coxon.ai Include:

  • Your full name
  • School name
  • Specific right you're exercising
  • Details of your request

For Schools

Contact your account manager or email: darren@coxon.ai

Identity Verification: We may request proof of identity to protect your data.

Data Breach Response

Our comprehensive breach response plan:

Immediate Actions (0-24 hours)

  1. Contain and assess the breach
  2. Secure affected systems
  3. Document all details
  4. Activate response team

Notification (24-72 hours)

  1. Notify ICO within 72 hours (if required)
  2. Inform affected schools immediately
  3. Provide detailed breach information
  4. Outline remediation steps

Follow-up Actions

  1. Full investigation report
  2. Implement preventive measures
  3. Review and update procedures
  4. Provide ongoing support

Data Processing Details

Legal Bases for Processing

  • Contract: Providing educational services
  • Legal Obligation: Safeguarding requirements
  • Legitimate Interests: Platform improvement
  • Consent: Optional features and analytics
  • Vital Interests: Child protection

Data Categories We Process

  • Identity Data: Names, user IDs
  • Contact Data: Email (teachers only)
  • Educational Data: Year groups, classes
  • Usage Data: Platform interactions
  • Safety Data: Monitoring logs
  • Technical Data: Device information

Data Retention Periods

Data TypeRetention PeriodReason
Student accountsSchool year + 1 yearEducational continuity
Safety logs7 yearsLegal requirement
Teacher accountsEmployment + 6 monthsAccount management
School dataContract + 90 daysTransition period
Support tickets2 yearsService improvement

International Transfers

  • Primary Storage: UK data centres only
  • No Student Data Transfers: Never leaves the UK
  • Teacher Auth Only: May use EU/US services with:
    • Standard contractual clauses
    • Adequacy decisions
    • Appropriate safeguards

Your Right to Complain

If you're unsatisfied with our data handling:

Step 1: Contact Us

Data Protection Officer Email: darren@coxon.ai Response: Within 5 working days

Step 2: Escalate to ICO

Information Commissioner's Office Website: ico.org.uk Phone: 0303 123 1113 Address: Wycliffe House, Water Lane, Wilmslow, SK9 5AF

Data Protection Officer

Our dedicated DPO ensures compliance and handles all data protection matters:

Contact Details

  • Email: darren@coxon.ai
  • Post: DPO, Kompass Education Limited, 4th Floor, Silverstream House, 45 Fitzroy Street, Fitzrovia, London, W1T 6EB
  • Response Time: 5 working days initial response
  • Full Resolution: Within 30 days

Updates to This Notice

We review this notice annually and update it when:

  • Laws or regulations change
  • Our processing activities change
  • New rights become available

Last updated: 27 September 2025