The Learning LabThe Learning LabProvision HubSign in

Privacy Policy

The Learning Lab — SEND / AP / wellbeing provision. Last reviewed: 2026.

The Learning Lab ("we", "us") is the data controller for personal data we hold about children, parents, carers, and partner schools as part of our SEND, Alternative Provision (AP) and wellbeing work. This policy explains what we collect and why, in line with UK GDPR and the Data Protection Act 2018.

1. What we collect

  • Child details: name, date of birth, address, year group, school.
  • SEND information: EHCP, diagnoses, communication needs, triggers, strategies.
  • Special-category data (Article 9): medical, allergies, safeguarding, behaviour.
  • Family contacts: parent/carer names, phone, email, emergency contacts.
  • School / SENDCo / LA contact details and correspondence.
  • Session records, attendance, notes, reports, and communication logs.
  • Account data for staff (email, role, sign-in audit).

2. Lawful basis

  • Public task and legitimate interests for delivering education and SEND support commissioned by schools and local authorities.
  • Consent for photos / media, non-essential communications, and information shared with third parties beyond the commissioning body.
  • Legal obligation for safeguarding (Keeping Children Safe in Education) and statutory reporting.
  • Vital interests for emergency medical situations.
  • Special-category data is processed under Article 9(2)(g) (substantial public interest — safeguarding and SEND) and where applicable Article 9(2)(c) (vital interests).

3. How long we keep data

  • Safeguarding records: until the child's 25th birthday (DfE guidance).
  • Communication logs: 7 years, then reviewed.
  • Session and attendance records: 7 years after last session.
  • Inactive student profiles: reviewed and archived after 12 months of inactivity.

Our current retention settings are maintained internally and reviewed by our DPO.

4. Who we share data with

  • The child's school, SENDCo, and where applicable the local authority.
  • Other professionals (educational psychologists, health) only with consent or legal basis.
  • Sub-processors who provide our secure cloud platform.
  • Safeguarding partners and statutory bodies where required.

We do not sell personal data and do not use it for marketing without consent.

5. Security

Data is held on encrypted, access-controlled cloud infrastructure. Staff access is role-based: only assigned tutors see their students, only administrators and the Designated Safeguarding Lead see safeguarding records. All sensitive access is audited.

6. Your rights

  • Access — request a copy of what we hold (SAR).
  • Rectification — correct anything inaccurate.
  • Erasure — ask us to delete, subject to safeguarding retention obligations.
  • Restriction and objection — ask us to limit how we process data.
  • Withdraw consent at any time where consent is the basis.

Contact us in writing to exercise these rights. We respond within one calendar month. You can complain to the Information Commissioner's Office (ICO) at ico.org.uk.

7. Contact

Data Protection Officer — please contact The Learning Lab via your usual channel.