Who we are
USTBAS Online Academy ("USTBAS", "we", "us") is a small, online primary-age academy operated from the United Kingdom. Our website is ustbas.uk. For all data-protection matters you can reach us at hello@ustbas.uk.
For the purposes of UK GDPR and the Data Protection Act 2018, USTBAS is the data controller of the personal data described in this notice.
What personal information we collect
We only collect what we genuinely need to evaluate an enrolment, deliver the academy programme, and keep parents informed.
From the register-of-interest form
- Parent / guardian: full name, email address, phone number.
- Student: full name, current year group, any specific learning requirements you choose to share.
- Goals & preferences: reasons for choosing a specialist programme, curriculum interests, preferred session time, comfort with the digital format.
- Technical metadata: the IP address the form was submitted from, the browser's user-agent string, and the date and time of submission. This is only kept to help diagnose abuse.
If your child is later enrolled
- Enrolment record: contractual details, billing contact, attendance, progress reports we issue, and any notes the teacher needs to support your child.
- Lesson participation: our live lessons run on a third-party video platform; brief technical metadata (joining/leaving times) may be processed by that platform.
- Payments: we use a regulated payment provider for fees. We don't store full card numbers — the provider handles those directly.
From the website itself
We don't run third-party analytics or advertising trackers. Standard server access logs (IP, page requested, status code, timestamp) are kept for a short period for security purposes only.
Why we use your data & the lawful basis
| Purpose | Lawful basis |
|---|---|
| Reviewing your register-of-interest submission and arranging a 15-minute consultation. | Legitimate interests — assessing your enquiry. You can object at any time. |
| Delivering the academy programme once your child is enrolled. | Performance of a contract with you. |
| Sending you essential service updates (term dates, schedule changes, safeguarding notices). | Performance of a contract / legitimate interests. |
| Optional marketing emails about future intakes or open events. | Your consent — you can withdraw it at any time. |
| Meeting our legal, accounting, and safeguarding obligations. | Legal obligation. |
| Detecting and preventing fraud or abuse of the website. | Legitimate interests — site security. |
Children's data
Our service is for primary-age children. Where we collect any information about a child (their name, year group, learning needs, progress notes), we treat it with extra care:
- It is provided by you, the parent or legal guardian — not by the child directly.
- It is only ever used for the educational purposes you have signed up for.
- It is not used for marketing or profiling, and it is never sold or shared with advertisers.
- Access is restricted to the lead teacher and, where strictly necessary, the small operations team.
Who we share your data with
We share data only with carefully chosen service providers who help us run the academy. These act as our data processors under written contracts and may not use your data for their own purposes:
- Hosting & email infrastructure — UK / EU based, used to host the website and to send you transactional and consultation emails.
- Video lesson platform — used to deliver live classes once your child is enrolled.
- Payment provider — used to take fees once you've decided to enrol. Card data is handled by the provider directly.
- Professional advisors — accountants, lawyers, and insurers, where strictly necessary.
We do not sell, rent, or trade your personal information. We do not use it for advertising. We will only ever disclose data to a public authority where we are legally required to do so.
How long we keep your data
- Register-of-interest forms — kept for up to 12 months after submission so we can follow up across an intake cycle, then deleted unless you have enrolled.
- Enrolment & financial records — kept for the duration of enrolment and then for 7 years afterwards, where required by HMRC and our insurers.
- Educational progress notes — kept while your child is enrolled, then minimised to a summary record once enrolment ends.
- Server logs — typically rotated within 30 days.
Your rights
Under UK GDPR you have the right to:
- Access the personal data we hold about you (a "subject access request").
- Correct data that is inaccurate or incomplete.
- Erase data we no longer need to hold (the "right to be forgotten").
- Restrict or object to certain processing.
- Port data you have given us to another provider.
- Withdraw consent at any time, where consent was the lawful basis.
To exercise any of these rights, email hello@ustbas.uk. We aim to respond within one calendar month and never charge a fee for a reasonable request.
Cookies & website tracking
The public website does not set marketing or analytics cookies. The only cookies you may see are strictly necessary ones: a small session cookie used by the site administrator when signing in to the editor, and standard browser caching of fonts loaded from Google Fonts. We do not use Google Analytics, Facebook Pixel, or any third-party advertising trackers.
Security
The website and admin tools are hosted on a UK-based virtual private server. All traffic is served over HTTPS. The administrator account is protected by a strong password. Form submissions and any educational records are stored on the same server, in directories that are not publicly accessible. We review our hosting and security arrangements periodically.
No system is perfectly secure — if we ever discovered a personal-data breach that posed a real risk to you, we would notify the Information Commissioner's Office within 72 hours and contact you directly without undue delay.
International transfers
Where any of our service providers are based outside the United Kingdom or the European Economic Area, we only use providers that offer an adequate level of protection — for example via UK-approved Standard Contractual Clauses or where the country has been formally recognised as having adequate data-protection laws.
Changes to this notice
We will update this notice when we change the way we handle personal data. The date at the top of this page reflects the latest revision; we'll let you know directly if a change materially affects you.
Contact & complaints
For any privacy question, request, or concern, write to hello@ustbas.uk. We always prefer to resolve concerns directly.
You also have the right to lodge a complaint with the UK regulator — the Information Commissioner's Office (ICO) — at any time, although we'd appreciate the chance to address it first. The ICO can be reached at ico.org.uk or on 0303 123 1113.