Legal

Privacy Policy

Effective date: 22 February 2026

This policy explains how TSO Education Ltd processes personal data in ICFP Core in accordance with UK GDPR and the Data Protection Act 2018.

1. Who we are

Controller: TSO Education Ltd (company number 11573380), 32 Church Street, Harwich, United Kingdom, CO12 3EA.

Privacy and data protection contact: support@icfp.school.

This service is for organisational customers (schools, trusts, and local authorities), not consumer use.

2. Data we process

  • Account data: name, work email, role, authentication and security settings.
  • Organisation data: organisation identity, school limits, subscription and licence status.
  • Service data: forecast inputs, planning data, operational and usage activity in the platform.
  • Billing data: Stripe customer/subscription/invoice reference IDs, payment status, and billing contact details.
  • Technical data: log data, timestamps, request metadata, and security telemetry.

3. Purposes and lawful bases

  • To provide and secure the service: performance of contract and legitimate interests.
  • To manage subscriptions and payments: performance of contract and legal obligations.
  • To provide support and service communications: performance of contract and legitimate interests.
  • To maintain audit trails, fraud controls, and platform integrity: legitimate interests and legal obligations.
  • To improve service reliability and capacity planning using aggregated or de-identified data: legitimate interests.

4. Payment processing and Stripe

  • Card and payment instrument details are processed by Stripe as payment processor.
  • We do not store full card numbers or card security codes.
  • We process limited payment and subscription metadata required to run billing and account access controls.
  • Stripe may process personal data under its own legal obligations and privacy terms.

5. Data sharing and recipients

  • Internal authorised staff with a need to know.
  • Infrastructure and hosting providers required to deliver ICFP Core.
  • Stripe for payment processing and related billing operations.
  • Professional advisers, regulators, and authorities where legally required.

6. International transfers

ICFP Core customer data is hosted in the United Kingdom. Where payment processing or operational support requires transfers outside the UK, we rely on recognised transfer safeguards such as the UK IDTA or UK Addendum to approved standard contractual clauses, as applicable.

7. Retention

  • Account and subscription records are retained while the account is active and for a limited period after closure.
  • Billing and finance records are retained to satisfy UK statutory and tax obligations.
  • Operational logs are retained for security, audit, and service reliability for proportionate periods.
  • On termination, customer data export and deletion are handled under contractual and legal requirements.

8. Security and incident handling

  • We apply technical and organisational measures proportionate to the risk, including access controls and monitoring.
  • Data is protected in transit using encryption.
  • We maintain backup and recovery controls and investigate suspected security incidents.
  • Where required by law, we notify relevant parties and regulators about reportable breaches.

9. Your rights

Subject to applicable law, data subjects may have rights to:

  • access personal data;
  • rectify inaccurate data;
  • erase data in certain circumstances;
  • restrict or object to processing in certain circumstances;
  • data portability where applicable.

Requests can be sent to support@icfp.school. You can also raise concerns with the UK Information Commissioner's Office (ICO) at ico.org.uk.

Related legal documents