iEnrol Privacy Policy for Schools and School Staff

This is our privacy policy governing interactions between Schools, their staff, and the iEnrol platform. If you are an end user (parent), you can view the schools end user privacy policy on the specific schools iEnrol portal, or contact us directly if you have any questions.

Last Updated: 12 February 2026

1. Introduction

This Privacy Policy explains how iEnrol (a trading name of Admissions UK Ltd, registered in England and Wales) collects, uses, stores, and protects your school’s information when you use the iEnrol platform to manage your admissions process.

This policy is intended for schools, their staff, and administrators (“you”, “your school”) who subscribe to or use the iEnrol platform. For the privacy policy applicable to prospective families and end users of the admissions portal, please refer to our separate User Privacy Policy.

2. Who We Are

iEnrol Contact Information:

  • Company Name: Admissions UK Ltd (trading as iEnrol)
  • Company Number: 16893172
  • Registered in: England and Wales
  • Email: [email protected]

iEnrol provides an online admissions information portal that schools use to engage with prospective families, manage enquiries, and streamline their admissions process using AI-powered chat technology.

3. Data Controller and Data Processor Roles

  • Your School as Data Controller: Your school is the data controller for all personal data relating to prospective families, parents, and students that is collected through the iEnrol platform on your behalf. Your school determines the purposes and means of processing this data.
  • iEnrol as Data Processor: iEnrol acts as a data processor, processing personal data on behalf of your school in accordance with your instructions, our Data Processing Agreement, and applicable data protection laws.
  • iEnrol as Data Controller: iEnrol is the data controller for the personal data of your school’s staff and administrators collected for the purposes of account management, billing, and platform administration.

4. Information We Collect

4.1 School and Organisation Information

  • School name, address, and contact details
  • School website URL
  • Admissions-related content and knowledge base materials you upload to the platform
  • Bot configuration settings, branding preferences, and customisation choices

4.2 Staff and Administrator Information

  • Names and email addresses of authorised staff members
  • Account credentials (passwords are securely hashed and never stored in plain text)
  • Role and permission levels within the platform
  • Login activity and session data

4.3 Prospective Family Data (Processed on Your Behalf)

As a data processor, iEnrol processes the following data on your behalf:

  • Chat conversations between prospective families and your admissions bot
  • User profile information provided by prospective families (e.g. email addresses, enquiry details)
  • Analytics data derived from portal usage and conversations
  • Any information prospective families voluntarily share during interactions, such as their child’s expected year group or joining date

4.4 Technical Data

  • IP addresses and device information of staff accessing the admin dashboard
  • Browser type and operating system
  • Usage patterns within the admin dashboard

Under the General Data Protection Regulation (GDPR), we process personal data on the following legal bases:

  • Contractual Necessity: To provide the iEnrol platform and services as agreed in our terms of service
  • Legitimate Interests: To maintain and improve the platform, ensure security, provide support, and enable your school to manage its admissions process effectively
  • Legal Obligation: To comply with applicable laws and regulations
  • Consent: Where required, for example for marketing communications from iEnrol to your school

6. How We Use Your Information

6.1 Platform Provision and Management

  • To provide, maintain, and improve the iEnrol platform
  • To set up and manage your school’s account, bots, and staff access
  • To process and store admissions-related content and knowledge base materials
  • To deliver AI-powered chat functionality using your uploaded content

6.2 Analytics and Reporting

  • To provide your school with analytics dashboards showing engagement data, conversation patterns, and user trends
  • To generate anonymised and aggregated insights to help improve your admissions process

6.3 Support and Communication

  • To provide technical support and respond to your enquiries
  • To notify you of platform updates, maintenance windows, or service changes
  • To communicate important information about your account or the platform

6.4 Security and Compliance

  • To protect against unauthorised access, fraud, and security threats
  • To monitor platform usage for compliance with our terms of service
  • To comply with legal obligations

6.5 What We Do Not Do

  • We never use your school’s data or prospective family chat data to train AI models
  • We never sell your data or prospective family data to third parties
  • We never share prospective family data with other schools or organisations

7. Data Sharing and Disclosure

7.1 Data Subprocessors

We use Google LLC as our only data subprocessor for:

  • Cloud hosting and database services (Google Cloud Platform / Firebase)
  • AI technology (Google Gemini) to power the admissions chat bot
  • Authentication infrastructure (Firebase Authentication)
  • Cloud Functions for data processing

All subprocessors are bound by strict data protection agreements and are required to maintain appropriate security standards. We will notify you of any changes to our subprocessors.

We may disclose information if required by law, regulation, legal process, or governmental request, or to:

  • Protect our rights, privacy, safety, or property
  • Enforce our terms and conditions
  • Respond to emergency situations

We will notify your school promptly of any such disclosure unless prohibited by law.

7.3 Business Transfers

In the unlikely event of a merger, acquisition, or sale of assets, your data may be transferred to the acquiring entity, subject to the same privacy protections outlined in this policy. We will notify you in advance of any such transfer.

7.4 No Sale of Data

We do not and will never sell your school’s data or any prospective family data to third parties under any circumstances.

8. Data Security

We implement robust technical and organisational measures to protect your data:

  • All data is encrypted in transit (TLS/SSL) and at rest
  • Staff account passwords are securely hashed
  • Access to your school’s data is restricted to authorised staff members based on their assigned roles
  • We use industry-standard security protocols and infrastructure provided by Google Cloud Platform
  • Regular security monitoring and incident response procedures are in place

8.1 Your Security Responsibilities

Your school is responsible for:

  • Managing staff access and promptly removing access for staff who leave or change roles
  • Ensuring staff use strong, unique passwords
  • Keeping login credentials confidential
  • Complying with your own data protection policies when accessing prospective family data through the platform

9. Data Retention

  • School Account Data: Retained for the duration of your subscription and for a reasonable period afterwards to allow for account reactivation or data export, unless you request earlier deletion.
  • Staff Account Data: Retained while the staff member has an active account. Your school can remove staff members at any time.
  • Prospective Family Data: Retained in accordance with your school’s instructions and retention policies. Your school can request deletion of specific user data or all data at any time.
  • Knowledge Base and Bot Content: Retained for the duration of your subscription. Upon termination, this data will be deleted unless you request an export.
  • Analytics Data: Retained for the duration of your subscription to provide historical reporting.
  • Legal Requirements: Some data may be retained longer to comply with legal obligations.

Upon termination of your subscription, we will delete or return all personal data processed on your behalf within 90 days, unless retention is required by law.

10. International Data Transfers

Your school’s data, including prospective family conversations, names, and other account information, is stored on secure servers within the European Economic Area (EEA) using Google Cloud Platform.

Email addresses used for authentication may be transferred to Google LLC’s servers in the United States via Firebase Authentication. Google LLC is a certified participant in the EU-US Data Privacy Framework, which has been recognised by the European Commission through an adequacy decision as providing adequate protection for personal data.

11. Your Rights Under GDPR

11.1 Your School’s Rights (as Data Controller of Family Data)

As the data controller for prospective family data, your school has the right to:

  • Access all personal data processed on your behalf
  • Request correction or deletion of data
  • Request data export in a structured, commonly used format
  • Issue instructions regarding the processing of data
  • Terminate the processing arrangement

11.2 Staff Rights

Staff members whose personal data is held by iEnrol have the following rights:

  • Right of Access: Request a copy of personal data we hold about them
  • Right to Rectification: Request correction of inaccurate or incomplete data
  • Right to Erasure: Request deletion of personal data in certain circumstances
  • Right to Restriction of Processing: Request restriction of processing in certain circumstances
  • Right to Data Portability: Receive personal data in a structured, commonly used format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent
  • Right to Lodge a Complaint: Lodge a complaint with the relevant supervisory authority

UK Supervisory Authority: Information Commissioner’s Office (ICO) Website: www.ico.org.uk

11.3 Exercising Rights

To exercise any of these rights, contact iEnrol at [email protected]. We will respond within one month, which may be extended by two additional months for complex requests.

12. Your Obligations as Data Controller

As the data controller for prospective family data, your school is responsible for:

  • Ensuring a lawful basis exists for the processing of personal data through the iEnrol platform
  • Providing appropriate privacy notices to prospective families (iEnrol provides a template User Privacy Policy with customisable school name placeholders)
  • Responding to data subject access requests from prospective families, with iEnrol’s assistance where needed
  • Ensuring that marketing communications to prospective families comply with applicable laws, including obtaining appropriate consent
  • Notifying iEnrol promptly of any data subject requests that require iEnrol’s assistance
  • Conducting Data Protection Impact Assessments where required

13. Data Processing Agreement

Our relationship as data controller and data processor is governed by a Data Processing Agreement (DPA) that sets out the terms of data processing, security measures, and obligations of both parties in accordance with Article 28 of the GDPR. If you require a copy of our DPA, please contact [email protected].

14. Cookies and Tracking Technologies

The iEnrol admin dashboard uses a single essential authentication cookie for session management. This cookie is strictly necessary for the platform to function and contains a secure session token. We do not use advertising, marketing, or third-party tracking cookies.

For details about cookies used on the public-facing admissions portal, please refer to the User Privacy Policy.

15. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, iEnrol will:

  • Notify your school without undue delay and in any event within 72 hours of becoming aware of the breach
  • Provide details of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to address the breach
  • Assist your school in meeting its own breach notification obligations to the relevant supervisory authority and affected individuals

16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify your school of any material changes by:

  • Sending an email notification to the primary contact on your account
  • Posting the updated policy on the iEnrol platform
  • Updating the “Last Updated” date

Continued use of the iEnrol platform after changes become effective constitutes acceptance of the updated Privacy Policy.

This Privacy Policy is governed by:

  • General Data Protection Regulation (GDPR) (EU) 2016/679
  • UK Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • Other applicable UK and EU data protection laws

18. Contact Information

For questions about this Privacy Policy, our data practices, or to exercise your rights, please contact:

iEnrol (Admissions UK Ltd): Email: [email protected]

Acknowledgment By using the iEnrol platform, your school acknowledges that it has read and understood this Privacy Policy and agrees to its terms.