Privacy Policy

Last Updated February 2026

 

1. About this Privacy Policy 

This Privacy Policy explains how Autism Anglia (“we”, “us”, “our”) collects, uses, shares and safeguards your personal information. It also sets out your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. 

This Privacy Policy provides a clear overview of how we process your personal information. 

 

2.Who We Are 

Autism Anglia provides specialist services including a coeducational school, residential and supported living, outreach programmes, autism and ADHD diagnostic assessment services, and community support. 

Learn more: https://www.autism-anglia.org.uk/about-us/ 

Registered Charity: 1063717 

Company Limited by Guarantee: 3407778 (England & Wales) 

Data Protection Officer (DPO): We have appointed a DPO who oversees our compliance with data protection legislation. 

 

3. The Information We Collect 

Autism Anglia is the Data Controller for all personal information processed within our organisation. 

Depending on how you interact with us, we may process: 

Personal Information 

  • Name, address, email, telephone number 
  • Date of birth and identifiers 
  • Next of kin/emergency contacts 

Service Records 

  • Education records, support plans, progress data 
  • Care plans, daily notes, risk assessments 
  • Diagnostic screening and clinical assessments 
  • Safeguarding and wellbeing information (where necessary) 

Special Category Data (Health & Sensitive Data) 

Processed only where lawful: 

  • Physical and mental health details 
  • Diagnostic information for Autism and ADHD 
  • Disabilities and adjustments 
  • Equality and diversity information 

Financial Information 

  • Payments, donations, Gift Aid 
  • Invoice and funding details 

Employment 

  • Recruitment information 
  • DBS status 
  • Payroll, righttowork, training, occupational health 

Technical Information 

  • IP addresses and server logs 
  • Cookies and analytics (if consented) 

CCTV Footage 

Used for safety and crime prevention; we do not use audio recording. 

Other Information 

Information may come from you, your representatives, Local Authorities, schools, health professionals or referral sources where lawful. 

For children and young people, we process safeguarding, pastoral and wellbeing information under Keeping children safe in education and the Children Act 1989/2004. 

Equality and diversity information is collected only where provided voluntarily. It is not used for decisionmaking and is used only for anonymised monitoring and reporting. 

 

4. How We Use Your Information and Lawful Bases 

We only use your information where we have a lawful basis under the UK GDPR: 

Legal Obligation 

  • Safeguarding 
  • Care and education regulation 
  • Employment, payroll, righttowork 
  • Tax or finance records 
  • Statutory school returns and census data 

Public Task / Official Authority 

Under Article 6(1)(e) UK GDPR for delivering regulated education and children’s services under Ofsted and the Department for Education. 

Contract 

  • Providing education, care, outreach and diagnostic services 
  • Processing event, training or service bookings 
  • Recruitment, employment and volunteering agreements 

Legitimate Interests 

Used only when balanced with your rights, for: 

  • Daytoday service management 
  • Ensuring security (including CCTV) 
  • Responding to enquiries 
  • Improving our services 
  • Raising funds to support our work 

Consent 

Used for: 

  • Marketing communications 
  • Non-essential cookies/advertising pixels 
  • Some sharing of diagnostic reports or information not required by law 

Special Category Data (Health) 

Processed under UK GDPR Article 9 for: 

  • Health and social care provision Article 9(2)(h) 
  • Safeguarding children and vulnerable adults Article 9(2)(g) 
  • Employment law requirements Article 9(2)(b) 
  • Explicit consent (limited cases) 

Diagnostic Service – Legal Bases 

In addition to the above, Autism & ADHD diagnostic assessments rely on: 

  • Contract: providing assessments 
  • Health & social care purposes: clinical judgement and record-keeping 
  • Consent: sharing reports with third parties (schools/employers) 
  • Public interest: safeguarding disclosures where necessary 

We process safeguarding information in line with “Keeping Children Safe in Education” (KCSIE), the Children Act 1989/2004 and Working Together to Safeguard Children. This may include recording concerns, referrals, actions, meetings and outcomes to ensure the safety and wellbeing of children and vulnerable adults. 

 

5. Services Overview 

You may fall into more than one of the categories below. Detailed information can be provided: 

  • Website, Fundraising, Events & Training 
  • Employment, Recruitment & Volunteers 
  • Diagnostic Services (Autism & ADHD Assessments) 
  • Community Connect 
  • Adult Services (Residential, Supported Living, Outreach) 
  • School and Children’s Services 
  • Corporate Partnerships 
  • National Services 
  • Partners and Suppliers 
  • CCTV 

 

6. Marketing and Cookies 

We may use legitimate interests to send postal fundraising communications where we do not hold consent and where this is appropriate, proportionate, and does not override your rights. We do not send unsolicited email marketing without consent, in line with PECR. If you ask not to be contacted, we record this in Beacon CRM and will not contact you again. 

You can withdraw consent at any time via dataprotection@autism-anglia.org.uk 

We use essential cookies for website functionality. 

Analytics, advertising cookies and the Meta Pixel operate only with your consent. 

We do not share health or special category data with Meta. 

See Appendix for details of cookie technologies and thirdparty processors. 

Privacy and Electronic Communications Regulations (PECR) 

We comply with the Privacy and Electronic Communications Regulations (PECR) when sending marketing communications. We only send email or SMS marketing where we have your consent, and we use legitimate interests only for postal marketing where this is appropriate and you have not opted out. You can withdraw consent or opt out of any marketing at any time, and we will record your preferences in Beacon CRM to ensure they are respected. 

Charitable Purpose Soft OptIn (from February 2026) 

Under the Data (Use and Access) Act 2025, charities may rely on the new “charitable purpose soft optin” exemption within PECR when sending electronic marketing (such as email or SMS). This allows us to contact individuals without prior explicit consent where: 

  • The sole purpose of the communication is to further one or more of Autism Anglia’s charitable purposes; and 
  • We obtained the individual’s contact details in the course of them expressing an interest in or offering support for our charitable purposes (for example by donating, attending an event, signing up for an activity, or requesting information); and 
  • We provided a clear, simple optout at the time we collected their details and include an optout in every subsequent message. 

We will only rely on the soft optin where it is appropriate, proportionate, and does not override your rights and freedoms. You can opt out of electronic marketing at any time, and we will record your preferences in Beacon CRM to ensure they are respected. 

This exemption does not apply retrospectively to individuals already in our database who did not provide their details under the conditions above. 

 

7. Who we share your information with 

We may share your information, where lawful and necessary, with: 

Health, Education, and Social Care Partners:  

GPs, hospitals, therapists, Local Authorities, safeguarding partners including MultiAgency Safeguarding Hubs (MASH) and Local Authority Designated Officers (LADOs). 

Regulators and Public Bodies:  

CQC, Ofsted, HMRC, Police/law enforcement. 

Processors and Platforms We Use:  

e.g., Microsoft, Google Workspace, Beacon CRM, Mailchimp, Xero, Stripe, GoCardless, Tribepad, Ucheck  

We only share the minimum information necessary for the relevant purpose. 

Your Representatives:  

Where authorised by you, or where required for care, safeguarding, or legal purposes (for example under Mental Capacity Act bestinterest decisions). 

CQC and Ofsted may access relevant records under statutory powers. 

 

8. Common Law Duty of Confidentiality (Health & Care) 

We meet the Common Law Duty because information is used or shared: 

  • with your consent, or 
  • under a legal requirement, or 
  • in the public interest (e.g., safeguarding, serious crime) 

 

9. How we protect your information 

We use layered safeguards: 

  • Rolebased access controls 
  • Encryption (where applicable) 
  • Secure email and file-sharing 
  • Staff confidentiality undertakings 
  • Mandatory data protection and safeguarding training 
  • DPIAs for higherrisk processing 
  • Vendor due diligence and contracts 
  • Regular system access reviews 
  • Secure retention and disposal procedures 

 

10. National Data OptOut (NDOO) 

We review our use of confidential patient information at least annually to determine whether the NHS National Data OptOut applies to any of our processing. At present, Autism Anglia does not use or share confidential patient information for research or planning purposes in a way that brings the National Data OptOut into scope. If this changes, we will apply the optout, update this notice, and explain how you can manage your choice. 

 

11. How long we keep your information 

We retain personal data only as long as necessary to meet legal, regulatory and operational requirements. The information we hold about you is kept for the duration of your interactions with us, such as through employment or by accessing our services, and for no longer than six years from the date of leaving or ending your time with us, unless otherwise required by law. Retention schedules follow: 

  • CQC Regulation 17 
  • Education law and DfE guidance 
  • Safeguarding statutory requirements 
  • Professional clinical standards 

 

12. Your Rights 

You have the right to: 

  • Access your data 
  • Correct inaccurate information 
  • Request deletion (where applicable) 
  • Restrict processing 
  • Object to certain processing 
  • Withdraw consent 
  • Understand any automated decisionmaking (we do not make automated decisions with legal effect) 

We may need proof of identity. We will respond within one month. Where a child is able to understand their rights, we will respond directly to them unless it is not appropriate to do so. 

 

13. Changes to this Policy 

This policy does not form part of any contract to provide services, and we reserve the right to update this privacy notice at any time.  

 

14. Contact and Complaints 

If you would like to discuss anything within this privacy policy or have a concern about the way we are collecting or using your personal data, we request that you raise your concern via the email address provided below in the first instance. 

Data Protection Officer 

Email: dataprotection@autism-anglia.org.uk 

Tel: 01206 577678 

Post: Data Protection Officer, Autism Anglia, 846 The Crescent, Colchester Business Park, Colchester, Essex, CO4 9YQ 

If you are unhappy with our response, you can make a complaint at any time to the Information Commissioner’s Office. 

 

15. APPENDIX – DETAILED PRIVACY INFORMATION BY SERVICE 

We may update our systems and processors from time to time. Any new processors will be subject to appropriate due diligence and contracts under UK GDPR. 

A1. Website, Fundraising, Events & Training (Bulleted) 

Activities we support 

  • Donations, Gift Aid, fundraising (including thirdparty platforms) 
  • Joining mailing lists and receiving email updates 
  • Booking/attending Autism Anglia events and training 
  • General interactions with fundraising or marketing teams 

Legal bases 

  • Consent: mailing lists/marketing, certain online interactions 
  • Contract: event/training booking management, memberships, shop orders 
  • Legal obligation: financial records, Gift Aid 
  • Legitimate interests: relationship management, service improvement, raising funds 

Data collected 

  • Name, contact details, preferences, activity history 
  • Transaction details (via payment provider); we don’t store card details 
  • Event/training details (employer, accessibility needs if provided) 
  • Website technical data (cookiedependent) 

We maintain suppression lists in Beacon CRM to ensure that individuals who should not receive marketing communications including learners, parents/carers, and adults receiving care are excluded from fundraising or marketing activity. We record these details solely to prevent inappropriate contact. This is done under our legitimate interests in safeguarding individuals and ensuring respectful communication. 

Thirdparty systems (processors) 

  • Reach Digital (website hosting) 
  • Beacon CRM (contacts database; access only when we request support) 
  • Mailchimp (mailing lists, newsletters) 
  • Stripe / GoCardless (payments) 
  • Xero (accounts; access only on instructed support) 
  • Online event/training platforms: Microsoft Teams, Zoom (as applicable) 

Retention 

  • Donations/Gift Aid/financial records: 6 years from end of current financial year. 
  • Marketing interactions (no payment): 3 years from last contact (unless you opt out earlier) 
  • Event/training payments: finance records retained 6 years; attendance/admin retained as needed for delivery and audit 

Cookies & Meta Pixel 

  • Consentbased analytics/advertising pixels; withdrawing consent may affect features 
  • Meta Pixel used only after consent; we do not share sensitive data; see Section 6 

 

A2. Employment, Recruitment and Volunteers 

Includes recruitment, employment, HR records, payroll and volunteering 

Activity / Role 

Legal basis 

Data collected 

Third parties / systems 

Retention 

Job applications 

Contract (precontract steps) 

Name, contact details, academic & employment history, medical history (if relevant to role), DBS application details, interview records, references 

Tribepad (applicant tracking) 

6 months if unsuccessful; becomes part of employee record if successful 

Preemployment checks 

Contract and Legal obligation 

Right to work evidence, DBS evidence (we record check status; do not retain certificate) 

TribepadUcheck (DBS) 

Evidence retained 6 months (if successful, per row above); destroyed if unsuccessful when successful candidate starts 

Employment 

Contract and Legal obligation 

Personal/contact details; NI, next of kin; roles & rotas; absence; training; EDI (optional); health info (SSP/SMP, adjustments); supervision, probation, appraisal records 

SMI Care (HR/duty mgmt), Perspective (performance mgmt—Child Services), Microsoft 

7 years after employment ends (summary retained for references). Health/DBS handling per row notes 

Payroll & pensions 

Legal obligation 

Bank details, pay/tax records, pension records 

Xero (accounts/payroll), pension provider(s), SMI Care 

10 years after employment ends 

Safeguarding records (staff) 

Legal obligation / Public interest 

Allegations/concerns and outcomes 

Safeguarding Company 

Childrelated allegations: until staff member’s retirement age or 10 years, whichever is later. Vulnerable adult allegations: min. 15 years 

Investigation/disciplinary 

Legitimate interests / Legal obligation 

Investigation notes, outcomes 

SMI Care 

Until expunged per policy 

Service records containing staff names 

Legal obligation 

Names appearing in care/education records 

Microsoft; Google Workspace; Vantage; TeacherCloud (Evidence for Learning); MyConcern; SchoolPod;  

Sign In App 

Depends on service (see A4/A5) 

Volunteers 

Consent and Legal obligation (roledependent) 

Contact details; right to work (if applicable); training; may include health (adjustments), EDI (optional), DBS where required 

TribepadSMI CareUcheck 

7 years after volunteering ends; DBS evidence 6 months 

 

Key systems referenced 

  • SMI Care (Staff care HR & duty management) 
  • Perspective (performance management Children’s Services) 
  • Xero (accounts/payroll/slips; access only when we request support) 
  • MyConcern / Safeguarding Company (safeguarding records) 
  • Microsoft / Google Workspace (document storage) 
  • SchoolPod, TeacherCloud (Evidence for Learning) (Children’s services systems) 
  • Sign In App (visitor management) 

Access to all systems is rolerestricted; vendors may only access data for authorised support and are contractually bound. 

 

A3. Diagnostic Service 

Autism Anglia provides Autism and ADHD diagnostic assessments for children, young people, and adults. These assessments follow recognised clinical, developmental, and behavioural frameworks and require processing detailed personal and special category data. 

Activities 

  • Diagnostic enquiries, screening and triage 
  • Completion of diagnostic questionnaires and behavioural scales 
  • Clinical interviews and structured observations 
  • Internal clinical review and formulation 
  • Preparation of diagnostic reports, recommendations, and outcome letters 
  • Secure communication with referrers (if applicable) 
  • Administration and payment handling 

Legal bases 

  • Contract: providing assessments and associated administration 
  • Health & social care purposes (UK GDPR Art. 9(2)(h)): clinical recordkeeping and professional standards 
  • Consent: sharing diagnostic reports with schools, employers or third parties (only where not required by law) 
  • Legitimate interests: managing enquiries and improving service quality 
  • Public interest / safeguarding: reporting concerns involving children or vulnerable adults 
  • Legal obligation: financial administration and recordkeeping 

Data collected 

  • Contact and demographic details 
  • Developmental, medical, educational, and behavioural history 
  • School/college/employer information (where applicable) 
  • Autism/ADHD questionnaires (e.g. AQ, RAADSR, Conners, Vanderbilt, etc.) 
  • Clinical notes, assessment scores, and final diagnostic report 
  • Names of relevant professionals involved in care. 
  • Payment information (processed securely; card details not stored) 

Where you provide information about others (such as family history), you must ensure that you have authority to do so. 

Storage & access 

  • Diagnostic records are handled by qualified clinicians. 
  • Records are stored separately from other organisational files. 
  • Some clinicians work on a contracted basis; all are bound by confidentiality and data protection obligations  

Thirdparty systems 

  • Beacon CRM: diagnostic enquiries and client contact 
  • Jane App: clinical assessment and reporting system 
  • Microsoft 365: secure storage of reports and clinical materials 
  • Xero and Stripe: finance records (no card details stored) 

Retention 

  • Completed diagnostic pathways: 8 years 
  • Ceased or incomplete pathways: 6 months 
  • Finance records: 6 years 

National Data OptOut (Diagnostic Service) 

Our diagnostic service does not currently share confidential patient information for planning or research purposes. We review this annually. If this changes, we will apply the NHS National Data OptOut and update this notice. 

A4. Community Connect 

Community Connect provides nonclinical advice, information, signposting and practical support to autistic individuals, families, and professionals. It is not a diagnostic or clinical service. 

Activities 

  • Responding to enquiries (email, phone, online forms) 
  • Providing information, signposting and practical support 
  • Supporting individuals with benefits, education and access to services 
  • Recording brief notes to support continuity of advice 
  • Managing referrals to external agencies (where authorised) 

Legal bases 

  • Legitimate interests – responding to enquiries and providing support 
  • Consent – where you choose to share additional information required to progress a request 
  • Legal obligation – retaining finance records where relevant 
  • Public interest / safeguarding – responding to identified risks 

Community Connect is not a clinical service and does not give medical or diagnostic advice. 

Data collected 

  • Contact details 
  • Summary of enquiry and support needs 
  • Documents supplied voluntarily to assist with support (e.g., benefit paperwork, EHCP documents) 
  • Education or welfarerelated information (only where relevant and supplied by you) 
  • Notes recording the advice/support given 

Thirdparty systems 

  • Vantage – Community Connect case/support notes 
  • Microsoft 365 – document storage for support materials 

Retention 

  • General support notes: 2 years 
  • Welfare rights case documents: 10 years 
  • Education-related support: 5 years 
  • Finance records: 6 years 

 

A5. Adult Services – Care and Outreach 

We collect comprehensive information from you and your family after a referral and before you access full or parttime care from Autism Anglia. We will create a large amount of personal information about you while using one or more of our services. 

Where you provide information about other people, you should ensure that you have authority to do so. 

Activity / Record 

Legal basis 

Data collected 

Systems 

Retention 

Referral & Assessment 

Legitimate interests for initial enquiries/assessment; legal obligation once formal care begins. 

Referral & Assessment of Needs; family, medical, medication, education histories 

VantageMicrosoft, Log My Care 

If unsuccessful: 1 year (or 1 year after unsuccessful appeal). If successful: becomes part of care records 

Care & Support records 

Legal obligation (health & social care) 

Personal identifiers; Care Plan, Support Plan; planning; reviews; risk assessments; MCA assessments; fees; referral/assessment data 

VantageMicrosoft, Log My Care 

8 years from end of care (data may be shared with new provider on transfer) 

Medication records; daily notes 

Legal obligation 

Medicines administration; daily records 

VantageMicrosoft, Log My Care 

4 years 

Financial records (personal expenditure/fees) 

Legal obligation 

Transactional records 

VantageMicrosoft, Log My Care 

6 years from end of current financial year 

Safeguarding concerns 

Legal obligation / Public interest 

Case records and outcomes 

VantageMicrosoft, Log My Care 

15 years 

DoLS assessments (no safeguarding case) 

Legal obligation 

Assessments/authorisations 

VantageMicrosoft, Log My Care 

6 years 

Inventory of equipment/furniture 

Legitimate interests 

Inventory details 

VantageMicrosoft, Log My Care 

6 years 

Incidents/accidents; behavioural analysis 

Legal obligation / Legitimate interests 

Incident forms; analysis notes 

VantageMicrosoft, Log My Care 

7 Years 

Storage & access 

  • Secure file shares and Microsoft SharePoint; forms and care records in Vantage, Log My Care. 
  • Access limited to relevant teams and IT (support only). Vendors bound to authorised support only. 

National Data OptOut (Adult Services) 

We have assessed our Adult Services processing and, at present, we do not share confidential patient information for planning or research in a way that brings the NHS National Data OptOut into scope. We review this at least annually and will implement the optout and update this notice if our processing changes. 

A6. School and Children’s Services 

We collect comprehensive information from you and your family after a referral and before your child becomes a student in our Children’s Services. We will create a large amount of personal information about your child while they attend our Children’s Services. Where you provide information about other people, you should ensure that you have authority to do so. 

Activity / Record 

Legal basis 

Data collected 

Systems 

Retention 

Referral & Assessment (preadmission) 

Parental consent (under 13) or Legitimate interests 

Referral & Assessment of Needs; family, medical, medication, education histories 

SchoolPodMicrosoftGoogle Workspace 

If unsuccessful: 1 year (or 1 year after unsuccessful appeal). If successful: becomes part of pupil record 

School record while attending 

Legal obligation (education law) 

Personal details; student support plans, EHCP, IMP; planning; homeschool records; permissions (where incident occurred); reviews; behaviour records 

MicrosoftSchoolPodGoogle Workspace 

Until 25th birthday, or transferred to new school 

Education learning records 

Legal obligation / Public task 

Coursework/learning evidence 

TeacherCloud (Evidence for Learning) 

Until 25th birthday, or transferred 

Examination results 

Legal obligation 

Results (external/internal) 

SchoolPod 

External: 6 years; internal: 5 years 

SEN records (support given) 

Legal obligation 

Records of support 

SchoolPod 

Until 35th birthday, or transferred 

SEN records (advice given) 

Legal obligation 

Records of advice 

SchoolPod 

12 years 

Medication records (prescribed) 

Legal obligation 

MAR and medication records 

SchoolPod 

Until 21 years + 6 months 

Medication (nonprescribed remedies) 

Legitimate interests 

Administration records 

SchoolPod 

1 year from end of school year 

Therapy records 

Legal obligation / Public task 

Therapy notes/reports 

MicrosoftGoogle Workspace 

Until 25th birthday, or transferred 

Finance (fees/expenditure) 

Legal obligation 

Transactions, Gift Aid (if relevant) 

XeroMicrosoft 

6 years from end of current financial year 

Child protection records 

Legal obligation / Safeguarding 

CP case files and outcomes 

Safeguarding Company (MyConcern) 

Until 25th birthday, or transferred 

CP with allegation against staff 

Legal obligation / Public interest 

Case file 

Safeguarding Company 

Latest of: pupil 25th birthday10 years, or employee’s normal retirement age 

Attendance registers 

Legal obligation 

Attendance data 

SchoolPod 

3 years 

Incidents/accidents; behavioural analysis 

Legal obligation / Legitimate interests 

Incident forms; analysis notes 

SchoolPod 

Until 25th birthday 

Systems Notes 

  • Sign In App (onsite visitor/staff signin) at Doucecroft School 
  • Microsoft / Google Workspace (document storage) 
  • Safeguarding Company (MyConcern) (CP records) 
  • TeacherCloud (Evidence for Learning) and Purple Mash (learning resources) 
  • SchoolPod (attendance/behaviour/exams) 

All systems are accessrestricted, and vendor access is supportonly under contract. 

 

A7. Corporate Partnerships 

  • Scope: fundraising partnerships, sponsorships, volunteering, joint projects with organisations. 
  • Legal bases: legitimate interests (relationship management), contract (where applicable), legal obligation (finance/audit), consent (optional marketing). 
  • Data: business contact details; role; partnership history; sponsorship/donation records. 
  • Sharing: payment processors, HMRC (Gift Aid), auditors (where required). 
  • Retention: finance records 6 years; general partnership records kept as needed for relationship management and audit. 

A8. National Services 

  • Scope: national information services, online resources, enquiries, events. 
  • Legal bases: contract (event bookings), legitimate interests (responding to enquiries and improving resources), consent (marketing). 
  • Data: enquiry details; contact information; event registrations; feedback/surveys (may be anonymised for analysis). 
  • Retention: enquiry correspondence typically up to 2 years from last contact; anonymised/aggregated insights retained longer; finance records 6 years. 

A9. Partners and Suppliers 

  • Legal bases: contract, legitimate interests (service delivery, due diligence), legal obligation (finance/audit). 
  • Data: business contact details; contractual/billing information; due diligence information. 
  • Sharing: auditors, regulators (where required), payment/accounting providers. 
  • Retention: contracts and finance records 6 years from end of current financial year; other records retained for the contract term plus a reasonable period for queries/disputes. 

A10. CCTV 

  • Purpose: site safety, security, and crime prevention (legitimate interests; may support legal obligations). 
  • Data: video footage; vehicle registration plates where visible. 
  • Retention: typically up to 30 days unless required for an investigation, insurance, or legal claim. 
  • Sharing: law enforcement, insurers, legal representatives where lawful/necessary. 
  • Locations: signage indicates where CCTV operates. 

Our legitimate interest is to ensure the safety of pupils, adults, staff and visitors, and to protect property. Where footage is required for an investigation, safeguarding enquiry or legal matter, it may be retained for longer in line with those purposes. We do not use covert CCTV. 

 

A11. Systems and Processors Referenced 

  • Microsoft (SharePoint / M365), Google Workspace: secure cloud document storage/collaboration 
  • Beacon CRM: contact/client CRM (support access only when authorised) 
  • Log My Care: care recording system 
  • Vantage: bespoke database (Adults; Community Connect) 
  • Jane App: Assessment and Diagnosis System 
  • SchoolPod: pupil information (attendance, behaviour, exams) 
  • TeacherCloud (Evidence for Learning): learning evidence repository 
  • Mailchimp: newsletters/mailing lists 
  • Xero: accounts (support access on our instruction only) 
  • Experian: Payroll 
  • Stripe / GoCardless: payment processors 
  • Tribepad: applicant tracking (recruitment) 
  • Ucheck: DBS checks 
  • MyConcern / Safeguarding Company: safeguarding and CP records 
  • Sign In App: onsite visitor and staff signin 
  • Access IT: website, accounts and payment integrations hosting 

All vendors act as processors under contract (or as applicable platforms) and may only access data to provide their services to us, under strict security and confidentiality obligations.