Skip to main content

Privacy policy

Last updated on 25 March 2024

The Hertfordshire Grid is an online platform, run by Herts for Learning Limited t/a HFL Education ('the Company', 'we', 'us' or 'our', providing information, guidance and support for Hertfordshire schools and academies.

This Privacy Policy explains why and how we collect, use and process Personal Data, and ensure that it is kept safe. It is also designed to let you know your rights and what you can do if you have questions about Personal Data.

This document sets out the types of Personal Data (meaning information about an individual from which that individual can be personally identified) we handle, the purposes of handling those Personal Data and any recipients of it.

For the purposes of data protection laws the Company is the data controller.

We are committed to ensuring that the privacy and security of your personal information is always protected. Any personal information that you provide us with will be handled in accordance with this Privacy Policy.

1. Our details

We are: HFL Education
Address: 1st Floor West, Abel Smith House, Gunnels Wood Road, Stevenage, SG1 2ST.
Information Commissioner's Office Registration Number: ZA154308
Our Data Protection Officer is: Lynette Dexter, Company Secretary
Email address for the Data Protection Officer:

2. Why we collect personal data

We collect and hold personal information relating to our users/customers, and in relation to any individuals included in data sets that are being processed by the Company under contractual agreements.

We may share Personal Data with other agencies, but only as necessary under our legal duties or otherwise in accordance with our duties/obligations as a Company.

The Personal Data we are provided with or collect is provided to us on a voluntary basis when users/customers register with us or purchase products from us, or by users/customers under contractual agreements with the Company.

In most cases, we will collect personal information from you for the following reasons:

  • To fulfil a contract with you (the provision of products/services)
  • To provide you with an appropriate level of service
  • To monitor and assess the quality of our products/services
  • For legitimate interest purposes, where data processing is not overridden by your data protection or fundamental rights and freedoms
  • Where you have provided your consent / permission
  • To respond to your requests
  • To meet our legal responsibilities.

3. Legal basis for processing personal data

The legal basis for collecting and using the personal information specified in this Privacy Policy will vary depending on the type of personal information and the context in which it is collected and used.

In most cases, the lawful basis for us to collect/process Personal Data is by reason of necessity for the performance of a contract to which both we and the Data Subject are party, or in order to take steps at the request of the Data Subject prior to entering into a contract.

We also process Personal Data where processing is necessary for the purposes of legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject. This will include processing where such processing is required in order to fulfil contractual obligations.

We do not process any special categories of Personal Data except where necessary for reasons of substantial public interest in complying with legal obligations including under the Equality Act 2010 or where necessary to protect the vital interests of the Data Subject or of another natural person and where safeguards are in place to ensure that this Personal Data is kept secure. For the avoidance of doubt where special categories of Personal Data are collected it shall not be used for the purposes of automated decision making and/or profiling.

Special categories of data means Personal Data revealing:

  • racial or ethnic origin;
  • political opinions; religious or philosophical beliefs or trade union membership;
  • genetic or biometric data that uniquely identifies you;
  • data concerning your health, sex life or sexual orientation; or
  • data relating to criminal convictions or offences or related security measures.

Further Personal Data including special categories of Personal Data may be collected and/or processed where consent has been given. If consent is the only legal basis for processing and has been given then this may be revoked in which case the Personal Data will no longer collected/processed.

4. Categories of Personal Data we collect about you

As a user of our services, we may collect the following Personal Data about you (please note this list does not include every type of Personal Data we collect and may be updated from time to time):

  1. your name;
  2. name of your organisation;
  3. your job title;
  4. telephone number;
  5. email address;
  6. any postal addresses that you provide.

This information will be taken from you at the time that you register for our services, make a purchase from us, or make contact with us. Contact information is used to respond to enquiries or get in touch with you when necessary.

Any Personal Data collected by us will be treated as confidential under the principles of the relevant data protection law.

5. Who will have access to your Personal Data

Personal Data will be accessible by members of HFL Education staff. Where necessary, directors will also have access to Personal Data. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We will not share personal information with third parties without consent unless we are required to do so by law or our policies. We will disclose Personal Data to third parties:

  • if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation;
  • in order to enforce any agreements with you;
  • in order to perform contracts with third party suppliers acting as data processors, as required to fulfil our contractual arrangements with you. We have worked with these suppliers to obtain reassurance that they are compliant with data protection regulations, including UK GDPR. Our main third-party sub-contractors / data processors include (but are not limited to):

Data processor

Main purpose

Link to Privacy Policy


‘HFL Hub’ Learning Management System


Security clearance applications


Helpdesk support software


Software for governance boards

Hertfordshire County Council

Statutory and commissioned work for Hertfordshire schools


Innovate Healthcare

Health services provider

MHR UK (iTrent)

HR Information & payroll service / software

Modern Governor

Learning management system for governing boards

(Oracle) NetSuite

Accounting & client trading software

SME HCI Limited (t/a VivUp)

Employee assistance programme

Stripe Payment Systems

Ecommerce payment system

Teach in Herts

Jobs board for Hertfordshire schools

UK Independent Medical

Health services provider

  • to protect the rights, property or safety of the Company.

This may include sharing data with our Local Authority (Hertfordshire County Council), the Department for Education (DfE) (please see Section 2), the Police and other organisations where necessary.

Certain data collection obligations are placed on us by the DfE. To find out more about the data collection requirements placed on us by the DfE (for example; via the school census) visit:

The above listed third-party suppliers will process data on our behalf. Therefore, we audit these third-party suppliers to ensure their compliance with relevant data protection laws and specify their obligations in written contracts. 

6. How Personal Data will be processed

Personal Data may be processed in a variety of ways; this will include but is not limited to:

  • maintaining written records;
  • identification;
  • sending by e-mail;
  • adding to spreadsheets, word documents, databases or similar for the purposes of assessing Personal Data;
  • for educational software use (this could be for the purposes of helping children learn, discipline, reports and other educational purposes).

7. Cookies

This website uses cookies. We use cookies to personalise content and ads, to provide social media features and to analyse our traffic. We also share information about your use of our site with our social media, advertising and analytics partners who may combine it with other information that you’ve provided to them or that they’ve collected from your use of their services.

Cookies are small text files that can be used by websites to make a user's experience more efficient.

The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies, we need your permission.

This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.

A list of the cookies we use on the site is below:

Contensis functional or necessary cookies 

Cookie Name Purpose Expires

Cookies set or used by Contensis authentication.

These cookies are set once you login to a Contensis site




ContensisCMSUsername Stores information to re-authenticate a user when they have selected Save Password when logging in When the user exits the browser
RefreshToken Stores login authentication details  24 hours

Other functional cookies

Cookie Name Purpose Expires
We use Tawk to provide an online live chat facility on our website. This system is provided by __tawkuuid This cookie is used to collect information about how the visitor interacts with the live chat function on the website. Expires: 179 days
TawkConnectionTime Allows the website to recoqnise the visitor, in order to optimize the chat-box functionality. Expires: Session cookie

Performance cookies

These cookies are used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited.

Cookie Name Purpose Expires

Google Tag Manager


_ga Used to distinguish users. 2 years
_ga_<container-id> Used to persist session state. 2 years

Google Analytics


_utma Identifies unique visitors. Each unique browser that visits a page on the site is provided with a unique ID via the __utma cookie. In this way, subsequent visits to the website via the same browser are recorded as belonging to the same (unique) visitor. 2 years from set/update
_utmb This cookie is used to establish and continue a user session with the site. Each time a user visits a different page on the site, this cookie is updated to expire in 30 minutes, thus continuing a single session for as long as user activity continues within 30-minute intervals 30 minutes/On closure of browser
_utmc Determines whether or not to establish a new session for the user Expires on exit from browser
_utmv Determines how to classify the user for custom segmentation reports in Google Analytics. 2 years from set/update
_utmz When visitors reach the website via a search engine result, a direct link, or an ad that links to your page, Google Analytics stores the type of referral information in this cookie 6 months

8. Links to other websites

You may encounter a link to an external website page whilst visiting our website. If the link is to a website that is operated by a third-party you should know that we have no control over that website or its content and as such cannot be responsible for the protection and privacy of your data or information you provide whilst visiting the site. You are advised to check the privacy policies of those other sites for their terms and conditions. 

9. Where we store Personal Data and how we keep Personal Data secure

We are committed to ensuring that the data you provide is handled securely and have put in place suitable physical, electronic, and managerial processes to safeguard your information.

Electronic copies of Personal Data are kept securely, and information will only be processed where we are satisfied that it is reasonably secure.

All information you provide to us is stored on secure servers. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping this password confidential. You must not share your password with anyone.

When giving Personal Data to third parties (for example, sub-contracted software providers) it is possible that this Personal Data could be stored in a location outside of the European Economic Area. We do, however, ensure that all sensitive data relating to young people is only sub-contracted out to data processors who store that data within the EEA. We will take all steps reasonably necessary to ensure that your Personal Data is treated securely and in accordance with this Privacy Policy. In particular, any transfer of your Personal Data made by us to a location outside of the EEA will be governed by clauses in a written contract in order to keep these secure.

Our website has security measures in place to protect against the loss, misuse, and alteration of the information under our control. All instances of unauthorised attempted access to our site are logged and investigated. Where necessary, HFL Education will inform law enforcement agencies or other relevant organisations regarding misconduct.

At the Company we respect the privacy of email accounts, and we store your email addresses securely. Your details will not be passed to ANY organisation beyond us without your explicit permission.

However, we may use email to keep you up to date with news about products, services and offers that we think maybe are of interest to you. If you do not want to be kept informed in this way by email, please let us know. 

10. Retention periods

We will only retain Personal Data processed by us for as long as is considered necessary for the purpose for which it was originally collected. As a general rule, Personal Data will be kept in accordance with guidance from the IRMS. Personal data may be held for longer periods where extended retention periods are required by law and/or in order to establish, exercise or defend our legal rights. Once the retention period concludes Personal Data is securely and safely destroyed / deleted. 

11. Your data rights

The General Data Protection Regulation and associated data protection law gives you rights in relation to Personal Data held about you. These are: 

  • Right to be informed: you have the right to be informed about the collection and use of your data. This policy contains information in relation to the collection of your Personal Data, however, if we collect additional data for other purposes, we will inform you about this.
    Right of Access: if your Personal Data is held by us, you are entitled to access your Personal Data (unless an exception applies) by submitting a written request. For further details please refer to our Subject Access Request (SAR) procedure (Section 13).
  • Right of Rectification: you have the right to require us to rectify any inaccurate Personal Data we hold about you. You also have the right to have incomplete Personal Data we hold about you completed. If you have any concerns about the accuracy of Personal Data that we hold then please contact us.
  • Right to Restriction: you have the right to restrict the manner in which we can process Personal Data where:
    • the accuracy of the Personal Data is being contested by you;
    • the processing of your Personal Data is unlawful, but you do not want the relevant Personal Data to be erased; or
    • we no longer need to process your Personal Data for the agreed purposes, but you want to preserve your Personal Data for the establishment, exercise or defence of legal claims.
      Where any exercise by you of your right to restriction determines that our processing of particular Personal Data are to be restricted, we will then only process the relevant Personal Data in accordance with your consent and, in addition, for storage purposes and for the purpose of legal claims.
  • Right to Erasure: you have the right to require we erase your Personal Data which we are processing where one of the following grounds applies:
    • the processing is no longer necessary in relation to the purposes for which your Personal Data were collected or otherwise processed;
    • our processing of your Personal Data is based on your consent, you have subsequently withdrawn that consent and there is no other legal ground we can use to process your Personal Data;
    • the Personal Data have been unlawfully processed; and
    • the erasure is required for compliance with a law to which we are subject.
  • Right to Data Portability: you have the right to receive your Personal Data in a format that can be transferred. We will normally supply Personal Data in the form of e-mails or other mainstream software files. If you want to receive your Personal Data which you have provided to us in a structured, commonly used and machine-readable format, please contact us via the details in this Policy.
  • Right to object: you have the right to object to the processing of your Personal Data where one of the following grounds apply:
    • the processing is based on legitimate interests or the performance of a task in the public interest;
    • the processing is for direct marketing; or
    • the processing is for the purposes of scientific/ historical research and statistics.

You can find out more about the way these rights work from the website of the Information Commissioner's Office (ICO). 

12. Controlling your personal information

If at any time you wish to stop receiving information from us, please contact us and we will update our records accordingly. If you no longer with to receive communications from us you can send an email to identifying yourself and asking that we remove you from our contact lists.

If you believe that any information, we hold about you is incorrect or incomplete then please write to or email us as soon as possible and we will promptly correct any information found to be incorrect.

To change or modify information previously provided, you can send an email to clearly identifying yourself and asking that we correct or update our databases.  

13. Subject Access Request (requesting your Personal Data)

You are entitled to request details of Personal Data that we hold about you and you can access that Personal Data by making a Subject Access Request (SAR).

A SAR is a written or verbal request for personal information (known as personal data) held about you by an organisation. Data protection legislation gives individuals the right to know what information is held about them. However, this right is subject to certain exemptions as set out in the Data Protection Act 2018.

To submit a SAR to HFL we recommend that you email a written request to our Data Protection Officer at To help us respond quickly and effectively to your request, please include information regarding your relationship with us, along with a comprehensive list of what personal data you want to access and any details, relevant dates, or search criteria that will help us identify the information that you want. 

14. Making a complaint

If you are unhappy with the way we have dealt with any of your data protection concerns, you can make a complaint to the Information Commissioners Office (ICO), the supervisory authority for data protection issues in England and Wales. We would recommend that you complain to us in the first instance, but if you wish to contact the ICO you can do so using the details below. The ICO is a wholly independent regulator established to enforce data protection law. 

ICO Concerns website:
ICO Helpline: 0303 123 1113
ICO Postal Address:
Information Commissioner's Office
Wycliffe House
Water Lane
Cheshire SK9 5AF

15. Changes to this privacy policy

Any changes we make to this Policy in the future will be posted on our website and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes.

This Privacy Policy was last updated on 13 November 2023.

By using this website you are accepting the terms and conditions of use contained within this policy. If this policy is not acceptable to you, please do not use this website.

Last updated on 25 March 2024