Privacy Policy

Bywater Kent Support Services Limited

This Privacy Policy explains how Bywater Kent Support Services ("we", "our", or "us") collects, processes, and protects personal data in accordance with applicable laws, including the UK Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR) as amended by the Data (Use and Access) Act 2025.

We provide HR consultancy and Data Protection Officer (DPO) services mainly within the education sector. This policy applies to the personal data we collect and process while delivering these services, including through our website and online client portal. It outlines how we ensure compliance with data protection principles.

1. Data Controller and Contact Information

Bywater Kent Support Services Limited

Email: dpo@bywaterkent.co.uk

For any questions or concerns about this Privacy Policy or your personal data, please contact us at the details provided above.

2. Types of Data We Process

We process the following types of personal data as part of our services to schools, childcare providers, and other businesses that mostly support the education sector:

  • Personal Identification Information: Name, contact details (email, phone number), job title, and professional qualifications.
  • Employment Information: Employment history, role details, salary, performance reviews, and other employment-related data.
  • Sensitive Data: Health data (such as medical certificates), criminal background checks, safeguarding information, and information about criminal allegations or court orders (where applicable).
  • School and Childcare Provider Data: Information regarding staff, pupils, parents, and other individuals in relation to HR and data protection services.
  • Communication Data: Emails, correspondence, and other communications for the purposes of providing consultancy and DPO services.

3. Lawful Bases for Processing Personal Data

We process personal data in compliance with the UK GDPR, relying on the following lawful bases:

  • Consent: Where we have obtained explicit consent from individuals for specific processing activities (e.g. health data or other sensitive personal information).
  • Contractual Necessity: Where processing is necessary for the performance of a contract with our clients (e.g. providing HR consultancy services).
  • Legal Obligation: Where processing is necessary for compliance with a legal obligation to which we are subject (e.g. data protection laws).
  • Legitimate Interests: Where processing is necessary for our legitimate interests, provided these interests are not overridden by the data subject's rights and freedoms (e.g. ensuring effective communication with clients and staff).

4. How We Use Personal Data

We use personal data for the following purposes:

  • HR Consultancy: To assist our clients with employee management, recruitment, performance evaluations, and other HR-related services.
  • Data Protection Officer (DPO) Services: To provide our clients with guidance and advice on data protection compliance, data security, and safeguarding of personal data.
  • Compliance with Legal Obligations: To ensure that our services comply with employment law, data protection law, and any other applicable legislation.
  • Communications: To communicate with clients, employees, and other stakeholders in relation to our services, including updates, queries, and reporting.

5. Website, Online Client Portal, and Cookies

Website and Client Portal Processing:

When you visit our website or use our online client portal, we may collect personal data in order to provide you with our services, respond to enquiries, or ensure the functionality of the portal. This includes:

  • Contact Information: Name, email, phone number, or any other personal details you provide when filling out contact forms or signing up for our services.
  • User Account Data: When you create an account on our client portal, we may collect login details, contact information, and any information necessary to support the services you access via the portal.
  • Technical Data: This includes information about your use of our website and client portal, such as IP address, browser type, device information, and browsing activity.

Website Analytics:

We use Rybbit Analytics, a privacy-focused, cookieless analytics service, to understand how visitors use our website. This service:

By using our website, you consent to the use of Rybbit Analytics in accordance with this Privacy Policy.

Legal basis: Legitimate interests (improving our website and services).

Cookies and Similar Technologies:

We use cookies and similar tracking technologies to enhance the functionality and user experience of our website and client portal. Cookies help us:

  • Remember your preferences and settings for future visits
  • Analyse how our website and portal are used to improve functionality
  • Provide you with personalised content or offers (if applicable)

Cookie Types:

  • Essential Cookies: Necessary for the website and portal to function properly (e.g. session cookies to keep you logged in to the client portal)

Important: We only use essential cookies that are strictly necessary for our client portal to function. We do NOT use performance cookies, functional cookies, or targeting/advertising cookies. Our analytics service (Rybbit) is completely cookieless.

You can obtain up-to-date information about blocking and deleting cookies via these links:

Please note that blocking essential cookies may prevent you from logging into the client portal.

6. Data Retention

We will retain personal data only for as long as necessary to fulfil the purposes for which it was collected or to comply with legal, regulatory, or contractual requirements. Once personal data is no longer needed, it will be securely deleted or anonymised.

Client Portal Activity Logging:

For security and service improvement purposes, we maintain activity logs of client portal usage, including:

  • Login attempts (successful and unsuccessful)
  • Logout events
  • Portal access times

Retention Period: Activity logs are automatically deleted after 30 days to comply with data minimisation principles under GDPR.

Purpose: These logs help us monitor security threats (e.g., unauthorised access attempts), improve our services, and provide support to clients.

7. Data Sharing and Third-Party Processors

We may share personal data with third-party service providers who assist us in delivering our services, such as IT providers, cloud storage services, and legal advisors. These third-party processors will only process personal data in accordance with our instructions and in compliance with data protection laws.

Our Third-Party Service Providers:

  • Cloudflare (EU/Global): Website hosting and security services
  • Rybbit Analytics (Germany, EU): Privacy-focused, cookieless website analytics - Privacy Policy | DPA
  • Resend (United States): Email delivery for contact form submissions - GDPR Compliant | DPA

We will never sell, rent, or otherwise share your personal data with third parties for marketing purposes.

8. Use of ProductDyno (PromoteLabs Platform)

We use ProductDyno, a course delivery and digital content platform provided by PromoteLabs, to host and manage our online training courses. When you enrol on or access any online course delivered by Bywater Kent Support Services Ltd, your name, email address, login details, course activity, and progress information will be processed within the ProductDyno system for the purpose of providing access to the course and managing your learning experience.

PromoteLabs (ProductDyno) acts as a data processor on our behalf. They process personal data solely for the purpose of providing the ProductDyno service and only in accordance with our overall instructions as the data controller, as required under the UK GDPR.

You can view PromoteLabs' Privacy Policy here: https://promotelabs.com/privacy-policy/

9. Data Transfers

We process personal data within the United Kingdom and European Union. Our website analytics data is processed and hosted within the EU (Germany) by Rybbit Analytics, which is fully GDPR compliant.

When you submit our contact form, your enquiry is delivered via Resend, an email service based in the United States. Resend is fully GDPR compliant and processes this data solely to deliver your message to us. They operate under appropriate data protection safeguards including Standard Contractual Clauses (SCCs) for EU-US data transfers.

If we need to transfer personal data to other third countries in the future, we will ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), to protect the data in accordance with data protection law.

10. Your Rights

Under the UK GDPR, you have the following rights in relation to your personal data:

  • Right to Access: You can request a copy of the personal data we hold about you.
  • Right to Rectification: You can request that we correct any inaccuracies in your personal data.
  • Right to Erasure: You can request that we delete your personal data, subject to certain conditions.
  • Right to Restrict Processing: You can request that we restrict the processing of your personal data, subject to certain conditions.
  • Right to Object: You can object to the processing of your personal data on the basis of legitimate interests or direct marketing.
  • Right to Data Portability: You can request to receive your personal data in a structured, commonly used, and machine-readable format for transfer to another data controller.

To exercise these rights, please contact us using the contact information provided above.

11. Security of Personal Data

We implement appropriate technical and organisational measures to ensure the security of personal data, including protection against unauthorised or unlawful processing, accidental loss, destruction, or damage.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, business practices, or legal requirements. Any updates will be posted on our website with the effective date of the changes. We encourage you to review this Privacy Policy periodically.

13. How to Complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we've used your data after raising a complaint with us, you can also complain to the ICO.

The ICO's address:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint