Data Protection Privacy Policy

This Privacy Policy (the Policy) describes how CAP Certified Ltd collects, uses, and shares the information you provide to us on our website and the information we collect on our website.

We will share our Data Protection and Privacy Policies on how we collect, use, and share the information you provide to us during the course of operating our business, solution, and services at each touch point. For an example when a school signs-up to CAP Schools Programme and when a parent downloads the CAP Parent Portal app.

In this Policy when we refer to “you”, “your” or “yours” we mean you, parents, representatives of schools, digital platforms, and partners. When we refer to “CAP” or “we”/“us”/“our” we mean CAP Certified Ltd. Our company registered office is at 2 The Rise, 373 Harrow View, Harrow, England, HA2 6QN and we are a company incorporated under the laws of England and Wales (registered number 11748310). Our trading address is Unit 5A Wharfside House, Prentice Road, Stowmarket, IP14 1RD, Suffolk.

We may revise this Policy at any time by amending this page. You are expected to check this page from time to time to take notice of any changes we make, as they are binding on you.

1.0 The information that we collect and where we get it from

"Personal information" is any information that can be used to identify you and which we have in our possession or control – i.e., data we collect from you and your organisation, the way in which it is collected and the purposes for which it is collected and used.

1.1 Information you provide to us

On this website we will collect and process the following personal information about you:

1.1.1 Information that parents provide to us

We will process personal information that you give to us including when you sign-up to our Beta launch, enquire, email us or contact us through various channels as follows:

Your Information

When you submit the ‘Join Our Beta’ form, sign up for newsletters, events or obtain information from us or when you contact us with queries or respond to our communications, the personal information you provide may include your first and last names, email address, and your contact number.

1.1.2 Information that schools provide to us

We will process personal information and information about the school that you give to us including when you enquire about the programme, sign-up to the newsletter, email us or contact us through various channels as follows:

School Information

The information you provide may include the school’s name, phone number, and website. In addition, we ask for your first and last names, email addresses, and contact number.

1.1.3 Information that digital platforms provide to us

We will process personal information that you give to us including when you sign-up to our newsletter, enquire, email us or contact us through various channels as follows:

Digital Platform Information

When you or the firm you represent enquire or submit a form the information you provide may include the name of the platform, your first name, last name, email address, contact number and the job title.

1.2 Information we otherwise collect about you

We will also collect information about you, when you use our website or when we otherwise interact or correspond with you. We use various technologies to collect and store information when you visit our website. We may, for example, collect information about the type of device you use to access the website, your IP address and your geographic location, the operating system and version, your browser type, the content you view, and features you access on our website, the web pages and the search terms you enter on our website. For information about how we use Cookies and the choices you may have, please see our Cookies Policy.

2.0 How we use the information we collect

2.1 Purposes

We may use your personal information for the following purposes:

  1. to send newsletters, updates, event invitations and other information that may be of interest to you
  2. where you have applied for a position with us, to review and process your job application
  3. to comply with legal or regulatory obligations that we must discharge
  4. to establish, exercise or defend our legal rights, or for the purposes of legal proceedings
  5. log your use of our website or our other online services for our own legitimate business purposes, which may include the analysis of usage, measurement of site performance, generation of reports,
  6. to look into any complaints or queries you may have
  7. to process GDPR related requests from you
  8. to prevent and respond to actual or potential fraud or illegal activities, and
  9. to collate, process and share any statistics based on an aggregation of information held by us, provided that any individual is not identified from the resulting analysis and the collation, processing and dissemination of such information is permitted by law.
2.2 Grounds for using your personal information

We rely on the following legal grounds to process your personal information, namely:

  • Performance of a contract - We may need to collect and use your personal information to enter into a contract with you or to perform our obligations under a contract with you.
  • Legitimate interests - We may use your personal information for our legitimate interests, some examples of which are given above.
  • Compliance with law or regulation - We may use your personal information as necessary to comply with applicable laws/regulations.
2.3 How we share information with third parties

We share your personal information (limited to what’s mentioned in sections 1.1.1 and 1.1.2) with our offices around the world. As a result, your personal information may be transferred to locations outside Europe, as well as within it for the purposes described above.

We do not share personal information with any third-party even to perform our obligations under a contract with you.

We may share your information outside CAP. This may include:

  • Third party agents/suppliers or contractors, bound by obligations of confidentiality, in connection with the processing of your personal information for the purposes described in this Policy. This may include, but is not limited to, IT infrastructure providers, and communications service providers.
  • Third parties relevant to the services that we provide. This may include, but is not limited to, counterparties to litigation, professional service providers, sponsors of our events, regulators, authorities and governmental institutions.

3.0 Protecting your data outside the EEA (EU Member States and Iceland, Liechtenstein and Norway)

We may transfer data that we collect from you to third-party data processors in countries that are outside the EEA such as Australia or the USA. This might be required, for example, in order to provide services, process your payment details or provide support services.

If we do this, we have procedures in place to ensure your data receives the same protection as if it were being processed inside the EEA. For example, our contracts with third parties stipulate the standards they must follow at all times.

Any transfer of your personal data will follow applicable laws and we will treat the information under the guiding principles of this Privacy Notice.

4.0 Keeping your information and information security

4.1 Duration

How long we hold your personal information for will vary and will depend principally on:

  • the purpose for which we are using your personal information - we will need to keep the information for as long as is necessary for the relevant purpose, and
  • legal obligations - laws or regulation may set a minimum period for which we have to keep your personal information.
4.2 Security Measures
  • We will ensure that the personal information that we hold is subject to appropriate security measures such as:
    • Use of standard HTTPS encryption when transferring data across networks
    • Database access restricted to VPN, and segregation of services even inside the VPN where applicable.
    • Adhering to internal data handling processes.
  • We also have following measures in place to avert a data breach:
    • Preventive measures against SQL injection and XSS.
    • Session based standard authentication for web portals.
    • OAuth 2.0 client-credentials implementation for internal and external third- party APIs.
    • OAuth 2.0 password-grant implementation for mobile app communication.
    • Linux security settings to prevent unwanted access to the sensitive information in configuration files or in source codes and prevent execution or writes from another user from another group.
    • Servers block port 22 used for SSH access (using a firewall option).
    • If above is enabled (rarely happens for debugging purposes), then SSH happens through a key pair.
    • Also, servers block all the ports except the one that exposes the APIs.

5.0 Your choices and rights

You have a number of legal rights in relation to the personal information that we hold about you and you can exercise your rights by contacting us using the details set out below. These rights include:

  • Obtaining information regarding the processing of your personal information and access to the personal information which we hold about you.
  • Please note that there may be circumstances in which we are entitled to refuse requests for access to copies of personal information.
  • Requesting that we correct your personal information if it is inaccurate or incomplete.
  • Requesting that we erase your personal information in certain circumstances. Please note that there may be circumstances where you ask us to erase your personal information but we are legally entitled to retain it.
  • Objecting to, and requesting that we restrict, our processing of your personal information in certain circumstances. Again, there may be circumstances where you object to, or ask us to restrict, our processing of your personal information but we are legally entitled to refuse that request.
  • In some circumstances, receiving some personal information in a structured, commonly used and machine-readable format and/or requesting that we transmit such information to a third party where this is technically feasible. Please note that this right only applies to personal information which you have provided to us.
  • Withdrawing your consent, although in certain circumstances it may be lawful for us to continue processing without your consent if we have another legitimate reason (other than consent) for doing so.
  • Lodging a complaint with the relevant data protection authority, if you think that any of your rights have been infringed by us.
  • We can, on request, tell you which data protection authority is relevant to the processing of your personal information.

6.0 Cookies

Click here for our Cookie Policy.

7.0 How to contact us and other important information

If you would like further information on the collection, use, disclosure, transfer or processing of your personal information or the exercise of any of the rights listed above, please contact us. You can do this by writing to us at: