Nudge Education Policy Library

NEO by Nudge Education

Privacy Policy — Commissioners

4 min read

Operated by: Nudge Education Ltd · Version: Dec 2025 · Owner: Data Protection Officer

Privacy Policy: Commissioners Last Updated: 6/12/2025

Date of next review: 6/12/2026

  1. Who we are Nudge Education Limited (“Nudge”, “we”, “us”, “our”) provides specialist education support to help young people re-engage with learning. We are the data controller for the processing described in this notice. Company no. 10192753. Registered office: Sirius House, Amethyst Road, Newcastle upon Tyne, NE4 7YL.

Data Protection Lead (day-to-day contact): Brian Mair · privacy@nudgeeducation.co.uk 07958 440 937.

  1. Who this notice is for People who work for or with our commissioning and partner organisations (e.g., local authorities, schools/ trusts, education and youth services, NHS partners, and other stakeholders), including named contacts during bids, onboarding, delivery and review.

  2. What personal data we collect

  • Business contact details: name, role, organisation, work email, work phone, correspondence history.

  • Engagement & contract data: proposals, statements of work, contracts, reports, meeting notes.

  • Financial/transaction data: purchase orders, invoices, payments (limited personal data where identifiable).

  • {Preferences/marketing: topics you’re interested in, event attendance, newsletter sign-ups.}

We collect only what we need for the purposes below (data minimisation).

  1. Where we get your data

  • Directly from you (emails, calls, meetings, forms, bid/contract processes).

  • Your organisation (colleagues nominating you as the appropriate contact).

  • Public sources (e.g., professional profiles, websites) to identify appropriate contacts.

  1. Why we use your data & our lawful bases We only use your data for specified, explicit and legitimate purposes.

Purpose Examples Lawful basis

Pre-contract responding to enquiries, Article 6(1)(f) Legitimate interests engagement & preparing proposals (running and developing our bids services)

Contracting & onboarding, case reporting, Article 6(1)(b) Contract (with your service delivery safeguarding liaison, organisation) and 6(1)(f) performance reviews Legitimate interests

Financial & legal invoicing, audit trail, tax Article 6(1)(c) Legal obligation compliance records

Relationship service updates, surveys, Article 6(1)(f) Legitimate interests management & case studies, events or consent where PECR requires; updates always with an opt-out

Note: Where student/family data are processed in a commissioned programme, that is covered by the Students & Parents Privacy Notice (not this notice). Core student processing relies on legitimate interests with appropriate Article 9/DPA Schedule 1 conditions; we do not rely on contract with students.

  1. Who we share data with

  • Your organisation and relevant stakeholders for contract delivery.

  • Our practitioners/contractors engaged on the contract (only what they need; bound by confidentiality).

  • Service providers (processors): secure IT, case management, email/comms, hosting, analytics, finance and professional advisers. We use providers who meet Article 28 standards and sign data processing agreements.

  • Authorities or regulators where required by law (e.g., tax, audit) or to protect vital interests.

We do not sell personal data.

  1. International transfers Some suppliers (or their sub-processors) may process data outside the UK. Where this happens, we use lawful safeguards such as UK adequacy regulations and/or the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, plus any additional measures needed. You can request a copy/summary of the safeguards for your data.

  2. How long we keep your data

  • Contract and transaction records: typically 7 years from contract start or last transaction to meet audit/tax requirements.

  • General B2B correspondence/CRM: up to 7 years or until you ask us to remove you (unless we need to keep a minimal suppression record).

We securely delete or anonymise data when the retention period ends.

  1. Your rights You have rights to access, rectification, erasure, restriction, objection (including to direct marketing/legitimate interests), and data portability (where applicable). You can also withdraw consent at any time where we rely on consent.

To exercise your rights, contact our Data Protection Lead or DPO (Section 1). We aim to respond within one month (extendable by two months for complex requests).

You can also complain to the Information Commissioner’s Office (ICO): ico.org.uk · 0303 123 1113. We’d appreciate the chance to resolve concerns first. 10) Security We apply Article 32 technical and organisational measures proportionate to risk: role-based access, encryption in transit/at rest (where supported), device and identity management, secure configurations, supplier due diligence, staff training and incident management. (See our Information Security/Appropriate Policy Documents for more detail.)

  1. Marketing preferences If you receive updates from us, you can opt out at any time using the link in the message or by contacting us. We respect PECR rules and your preference choices.

  2. Changes to this notice We’ll update this notice when our processing changes or when law/guidance changes. We’ll post the new version here and update the “Last updated” date; we may also notify key contacts by email where appropriate. Your current policy already commits to page/email updates.

Document control

FieldValue
VersionDec 2025
OwnerData Protection Officer
Statuslive
Source file5. Nudge Education - Documentation for Commissioning Purposes/Privacy Policy Commissioners - Dec 2025.pdf

Graph View

Backlinks