GDPR Compliance Statement
Our commitment to data protection under UK GDPR
Our approach to data protection
CircuitSwirl Learning Ltd operates under UK GDPR and the Data Protection Act 2018. We recognize that families trust us with personal information, and we take that responsibility seriously.
This page explains how we meet GDPR requirements and what that means for you.
Lawful basis for processing
Every piece of personal data we collect has a lawful basis under GDPR:
- Contract: We process data necessary to deliver programmes you've purchased
- Consent: Marketing communications are sent only with explicit opt-in consent
- Legitimate interests: Website analytics and service improvements, balanced against your rights
- Legal obligation: Financial records and compliance with UK education regulations
We document the lawful basis for each processing activity in our internal data protection records.
Your GDPR rights explained
Right to access (Subject Access Request)
You can request a copy of all personal data we hold about you. We provide this free of charge within one month, in a commonly used electronic format.
Right to rectification
If your personal data is inaccurate or incomplete, you can ask us to correct it. We update records promptly and notify any third parties where necessary.
Right to erasure (right to be forgotten)
You can request deletion of your personal data in these circumstances:
- The data is no longer necessary for the original purpose
- You withdraw consent and there's no other legal basis
- You object to processing based on legitimate interests and we can't demonstrate overriding grounds
- The data was processed unlawfully
Note: We may retain data where required by law, such as financial records for tax purposes.
Right to restrict processing
You can ask us to limit how we use your data while we investigate a concern about accuracy or processing legality.
Right to data portability
For data processed based on consent or contract, you can receive your information in a machine-readable format and transmit it to another service provider.
Right to object
You can object to processing based on legitimate interests, including profiling. We must stop unless we demonstrate compelling legitimate grounds that override your interests.
You have an absolute right to object to direct marketing at any time.
Rights related to automated decision making
We do not use automated decision-making or profiling that produces legal or similarly significant effects.
How to exercise your rights
To make a request regarding your personal data:
Email: [email protected]
Subject line: "GDPR Request" followed by the specific right you're exercising
We may ask for identification to verify your identity before processing requests. This protects your data from unauthorized access.
Most requests are fulfilled within one month. Complex requests may take up to three months, and we'll notify you if this applies.
Data protection principles
We adhere to GDPR's core principles when handling personal data:
- Lawfulness, fairness, transparency: We process data legally, explain what we do, and operate openly
- Purpose limitation: Data is collected for specific, explicit purposes and not used in ways incompatible with those purposes
- Data minimization: We collect only what's necessary for the stated purpose
- Accuracy: We maintain accurate records and correct errors promptly
- Storage limitation: Data is kept only as long as needed, then securely deleted
- Integrity and confidentiality: Appropriate security measures protect against unauthorized access
- Accountability: We document compliance and can demonstrate adherence to principles
Data protection by design and default
We implement data protection from the outset of any new activity:
- Privacy considerations are built into system design, not added afterward
- Default settings minimize data collection and retention
- Access controls ensure staff see only data necessary for their role
- Regular reviews assess whether we still need the data we hold
Third-party processors
Where we use third-party services, we ensure GDPR compliance through:
- Written contracts specifying data protection obligations
- Verification that processors implement appropriate security measures
- Clauses allowing us to audit processor compliance
- Restrictions preventing processors from using data for their own purposes
We remain responsible for processors' handling of your data and can be held accountable for their actions.
International data transfers
When data is transferred outside the UK, we ensure adequate protection through:
- Transfers to countries with adequacy decisions from the UK government
- Standard contractual clauses approved by the UK Information Commissioner's Office
- Binding corporate rules for multinational service providers
We assess transfer risks and implement supplementary measures where necessary.
Data breach procedures
In the unlikely event of a data breach, we follow these procedures:
- Assess the breach within 24 hours of discovery
- Notify the ICO within 72 hours if there's a risk to individuals' rights
- Inform affected individuals without undue delay if there's high risk to their rights
- Document all breaches, including facts, effects, and remedial action taken
We maintain security measures designed to prevent breaches, including staff training, access controls, and regular security reviews.
Children's data protection
GDPR provides enhanced protection for children's personal data. Our practices:
- This website collects data from parents/guardians, not directly from children
- Programme materials involve parental accounts with appropriate safeguards
- We use clear, age-appropriate language in any child-facing materials
- Parental consent is required for processing children's data
Complaints and supervisory authority
If you believe we've mishandled your personal data:
- Contact us first at [email protected] so we can address your concern
- If unsatisfied with our response, lodge a complaint with the UK supervisory authority:
Information Commissioner's Office (ICO)
Website: ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Record of processing activities
As required by GDPR Article 30, we maintain internal records documenting:
- Categories of personal data we process
- Purposes of each processing activity
- Categories of data subjects and recipients
- International transfers and safeguards
- Retention periods for different data types
- Technical and organizational security measures
These records are available to the ICO upon request.
Updates to this statement
We review GDPR compliance regularly and update this statement as practices evolve. Material changes are communicated to registered users via email.
Last reviewed: May 2026