Data Protection Policy
Last updated: May 2026
1. Introduction
4Sight Education Ltd (“the Company”), trading as VESPA Academy, is committed to protecting the rights and freedoms of individuals in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy sets out how the Company meets its obligations and ensures that all staff, contractors, and partners understand their responsibilities when handling personal data.
2. Data Controller and Processor Roles
- Where a school or college subscribes to VESPA Academy, the educational institution is the data controller and 4Sight Education Ltd is the data processor.
- For our own business contacts (enquiries, marketing, billing), 4Sight Education Ltd acts as the data controller.
- A standard Data Processing Agreement is published at vespa.academy and incorporated into our subscription terms. Contact admin@vespa.academy for a signed copy if required.
3. Lawful Basis for Processing
We process personal data under the following lawful bases as defined by Article 6 of the UK GDPR:
| Activity | Lawful Basis |
|---|---|
| Providing the VESPA coaching platform to schools | Contract (with the school) and Legitimate Interests (educational benefit to the student) |
| Student psychometric assessments | Contract (school subscription) with appropriate safeguards for minors |
| Marketing to prospective schools | Legitimate Interests (with opt-out) |
| Responding to enquiries | Legitimate Interests / Consent |
| Payment processing | Contract |
| Legal and regulatory compliance | Legal Obligation |
4. Data Protection Principles
In accordance with Article 5 of the UK GDPR, we ensure that personal data is:
- Processed lawfully, fairly, and transparently — we are clear about what data we collect and why
- Collected for specified, explicit, and legitimate purposes — student data is used only to provide the educational coaching service
- Adequate, relevant, and limited to what is necessary — we collect only the minimum data required for the service
- Accurate and kept up to date — schools can update student data at any time; automated syncs keep records current
- Kept for no longer than necessary — see our Data Retention Policy
- Processed securely — encrypted in transit and at rest, access controls, regular security reviews
5. Data Protection Officer
The Company's Data Protection Officer can be contacted at:
6. Individual Rights
Under the UK GDPR, individuals have the following rights. Requests should be directed to the data controller (the school/college) in the first instance, or to us at admin@vespa.academy:
- Right of access (Article 15) — request a copy of personal data held
- Right to rectification (Article 16) — request correction of inaccurate data
- Right to erasure (Article 17) — request deletion of personal data
- Right to restrict processing (Article 18) — request limitation of processing
- Right to data portability (Article 20) — receive data in a structured, machine-readable format
- Right to object (Article 21) — object to processing based on legitimate interests
We will respond to subject access requests within one calendar month of receipt.
7. Data Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption in transit (TLS 1.2+) and at rest
- EU-hosted database infrastructure (Supabase, AWS eu-west)
- Role-based access controls and authentication (including SSO via Microsoft 365 and Google Workspace)
- Regular security assessments; Cyber Essentials certified (IASME-CE-060416, 2 July 2026–2 July 2027) — verify certificate
- Automated backups with point-in-time recovery
- Sub-processor agreements with all third-party service providers
8. International Data Transfers
Primary data storage is in the EU (Supabase, AWS eu-west region). Some processing may occur in the United States through our hosting provider (Vercel) and email provider (SendGrid/Twilio). All international transfers are protected by:
- Standard Contractual Clauses (SCCs) approved by the ICO
- The UK–EU adequacy decision
- Sub-processor Data Processing Agreements
9. Data Breach Procedures
In the event of a personal data breach:
- The breach will be assessed within 24 hours of discovery
- Where required, the ICO will be notified within 72 hours in accordance with Article 33
- Affected data controllers (schools/colleges) will be notified without undue delay
- Affected individuals will be notified where the breach is likely to result in a high risk to their rights and freedoms (Article 34)
- All breaches are documented in our internal breach register, including those that do not require notification
10. Data Protection Impact Assessments
We conduct Data Protection Impact Assessments (DPIAs) when introducing new features or processing activities that are likely to result in a high risk to individuals, in accordance with Article 35 of the UK GDPR. This includes assessment of AI features (see our AI Usage Policy).
11. Sub-Processors
We use the following sub-processors, each bound by Data Processing Agreements. Where optional AI features are used, prompt data is sent to the AI provider’s API for that request only — this is sub-processor processing, not sale or sharing of data with unrelated third parties.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | EU (AWS eu-west) |
| Vercel | Hosting and serverless functions | EU / US (edge) |
| SendGrid (Twilio) | Transactional email | US (SCCs in place) |
| Stripe | Payment processing | EU / US (PCI DSS Level 1) |
| OpenAI | Optional AI features (on-demand only) — API processing; no model training on customer data | US (SCCs; API business terms) |
| Anthropic | Optional AI features (on-demand only) — API processing; no model training on customer data | US (SCCs; API business terms) |
| Wonde | MIS data integration (schools only) | UK |
Full sub-processor details for schools and colleges are also set out in Schedule 2 of our Data Processing Agreement. See our AI Usage Policy for how AI API processing works and our no-training commitments.
12. Staff Training and Awareness
All staff and contractors with access to personal data receive data protection training and are bound by confidentiality obligations. Access to personal data is limited to those who require it to perform their duties.
13. Review
This policy is reviewed annually or when there are significant changes to our processing activities, legal requirements, or organisational structure. The “last updated” date indicates the most recent revision.
14. Complaints
If you are unsatisfied with how we handle personal data, you may lodge a complaint with the Information Commissioner’s Office:
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Helpline: 0303 123 1113
Website: ico.org.uk
Related Documents
See our full Policies & Compliance index for all published documents.
- Privacy Policy
- Data Processing Agreement
- Data Retention Policy
- Information Security Policy
- Modern Slavery Policy
- Quality Policy
- Environmental Policy
- Equality, Diversity & Inclusion Policy
- Health & Safety Policy
- Safeguarding Statement
- Accessibility Statement
- Terms and Conditions
- AI Usage Policy
- Business Continuity & Disaster Recovery Plan
© 2026 VESPA Academy 2.0 - 4Sight Education Ltd. All rights reserved.