Tru-Data Protection

Privacy Policy

Effective: January 2026

Simple, clear information about how we handle your data. No jargon, no surprises.

This is our Privacy Policy for website visitors and enquirers.

Which Service Are You Using?

TDS website (Tru-Digital Services Ltd): This policy applies in full.

TDP website (Tru-Digital Protection): TDP is a trading name/brand of Tru-Digital Services Ltd. This policy applies in full, including when the site is used to access our portal.

Derrick website: Currently an informational/marketing site only. This policy applies (mainly the “Website visitors” and “Contact us” sections). If Derrick becomes a product in future, we will update this policy.

1. Who We Are

Tru-Digital Services Ltd (trading as Tru-Digital Protection (TDP) and Derrick)

We're a Data Protection Officer (DPO) service provider for UK schools and Multi-Academy Trusts.

Our details:

Company No. 16210598

ICO Registration: ZB887707

Address: 3rd Floor, 86-90 Paul Street, London, EC2A 4NE

Email: dpo@trudigital.co.uk

Phone: 0204 621 2983

Data Protection Officer: Gareth Eynon (dpo@trudigital.co.uk)

2. What This Policy Covers

This Privacy Policy explains:

  • What personal data we collect
  • Why we collect it
  • How we use it
  • Who we share it with
  • How long we keep it
  • Your rights

Who this applies to:

  • Website visitors
  • People who contact us via our enquiry form
  • Schools and trusts who are our clients

Separate policies for clients:

If you're a client, we also act as your Data Processor. We have a separate Data Processing Agreement that governs how we handle your school's data when delivering DPO services.

3. What Data We Collect

When You Visit Our Website

Essential technical data (automatically collected):

  • IP address
  • Browser type and version
  • Device type
  • Pages visited and time spent
  • Referring website

Why: To deliver the website, ensure security, and fix technical issues.

Legal basis: Legitimate interests (operating our website)

When You Contact Us

Information you provide (via contact form, email, or phone):

  • Name
  • Email address
  • Phone number
  • School or trust name
  • Pupil count
  • Your message or enquiry

Why: To respond to your enquiry and provide information about our services.

Legal basis: Legitimate interests (responding to enquiries) or consent (where you've opted in to marketing)

When You Become a Client

Contract and service delivery data:

  • School details (name, address, type, pupil count, key contacts)
  • Invoice and payment information
  • Service tier and contract terms
  • Portal login credentials
  • Communications about your service

Why: To deliver our DPO services and fulfil our contract with you.

Legal basis: Contract (necessary to provide services) and legal obligation (accounting, tax, ICO registration)

When We Deliver DPO Services

This section covers our DPO service delivery work.

When we are the Controller (our own business/admin data):

  • Portal user accounts and access management (for your staff)
  • Contract, service administration, and support communications
  • Security and audit logs (to protect the service and investigate issues)

When we are the Processor (client school/trust data):

  • Staff, pupil, and parent data (as instructed by you)
  • SAR and FOI request details
  • Data breach information
  • Policy and DPIA documentation

Your role (client): Data Controller (you decide what data to process)

Our role: Data Processor for client data, and Data Controller for our own business/admin data as described above

Legal basis: Contract (Data Processing Agreement) and legitimate interests (security and service administration)

4. How We Use Your Data

Website Visitors

  • Deliver website content
  • Ensure security and prevent abuse
  • Analyse website performance (aggregated, anonymised data)

Enquirers

  • Respond to your questions
  • Provide information about our services
  • Send you a quote or proposal
  • Follow up on your enquiry (if you've consented)

Clients

  • Deliver DPO services under our contract
  • Invoice and process payments
  • Communicate about your service
  • Improve our services
  • Comply with legal obligations (tax, accounting, ICO registration)

Marketing (with your consent)

  • Send you updates about our services
  • Share relevant guidance and resources
  • Invite you to events or webinars

You can opt out at any time by clicking "unsubscribe" in any email or contacting us.

5. Who We Share Data With

We do not sell or rent your personal data to third parties.

We may share your data with:

Service Providers (Data Processors)

Companies that help us deliver our services:

  • Notion: Workspace and portal hosting
  • Tally: Contact form processing
  • Stripe: Payment processing (clients only)
  • Google Workspace: Email and document storage
  • Amazon Web Services (AWS): Website hosting and content delivery (e.g. Amazon S3 and Amazon CloudFront)

All processors are bound by Data Processing Agreements and must comply with UK GDPR.

Legal Obligations

We may disclose data when required by law:

  • Court orders or legal proceedings
  • Regulatory investigations (e.g., ICO, HMRC)
  • Protection of our legal rights

ICO and Regulators

As a DPO service, we may liaise with the ICO on your behalf (with your authorisation).

6. International Transfers

We store data in the UK and EU where possible.

Some of our service providers are based outside the UK:

  • Notion: Uses AWS servers in the EU (Frankfurt) with UK GDPR-compliant Data Processing Agreement
  • Stripe: Processes payment data with appropriate safeguards

All international transfers comply with UK GDPR requirements (adequacy decisions, Standard Contractual Clauses, or other appropriate safeguards).

7. How Long We Keep Your Data

Website Visitors

  • Technical logs: 12 months
  • Analytics data: 26 months (anonymised)

Enquirers (Non-Clients)

  • Contact form submissions: 2 years from last contact
  • Email correspondence: 2 years from last contact

Clients

  • Contract and invoice data: 7 years (legal requirement for accounting records)
  • Service delivery data: Duration of contract + 2 years
  • Communications: Duration of contract + 2 years

Data We Process on Your Behalf

Retained as instructed by you (the Data Controller) in line with your retention schedule.

After retention periods expire:

Data is securely deleted or anonymised.

8. Your Rights Under UK GDPR

You have the following rights:

Right to Access

Request a copy of the personal data we hold about you.

Right to Correction

Ask us to correct inaccurate or incomplete data.

Right to Erasure ("Right to be Forgotten")

Request deletion of your data (subject to legal retention obligations).

Right to Restrict Processing

Ask us to limit how we use your data.

Right to Data Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests or for marketing purposes.

Right to Withdraw Consent

If we're processing your data based on consent, you can withdraw it at any time.

Right to Complain

You can complain to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Phone: 0303 123 1113
  • Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

9. How to Exercise Your Rights

Contact us:

  • Email: dpo@trudigital.co.uk
  • Phone: 0204 621 2983
  • Post: Tru-Digital Services Ltd, 3rd Floor, 86-90 Paul Street, London, EC2A 4NE

We'll respond within 30 days (or explain why we need more time).

No fee unless your request is clearly unfounded or excessive.

10. How We Protect Your Data

Security measures we use:

  • Encrypted communications (TLS/SSL)
  • Secure password policies and two-factor authentication
  • Access controls (only authorised staff can access data)
  • Regular security reviews and updates
  • Staff training on data protection
  • Secure backups
  • Incident response procedures

Data breaches:

If we discover a data breach that affects you, we'll notify you within 72 hours and report it to the ICO where required.

11. Cookies and Tracking

Essential Cookies Only

Our website uses essential cookies to:

  • Remember your session
  • Ensure security
  • Deliver website functionality

No consent required (essential for website operation).

Analytics and Marketing Cookies

We currently do not use analytics or marketing cookies.

If we introduce non-essential cookies in future, we'll:

  • Ask for your consent first
  • Explain what each cookie does
  • Let you opt in or out

You can control cookies in your browser settings.

12. Third-Party Links

Our website may link to external sites (e.g., ICO guidance, government resources).

We're not responsible for:

  • The privacy practices of external sites
  • Content on external sites

Always check the privacy policy of any site you visit.

13. Children's Privacy

Our website and services are aimed at educational institutions, not children.

We do not knowingly collect personal data from children under 13 via our website.

If we discover we've inadvertently collected such data, we'll delete it.

When we process pupil data:

We do this on your instructions as Data Processor when delivering DPO services. You (the school) are responsible for ensuring lawful processing of pupil data.

14. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal or similarly significant effects.

All decisions about your enquiry, quote, or service delivery are made by humans.

15. Changes to This Policy

We may update this policy to reflect:

  • Changes in law
  • Changes to our services
  • Best practice improvements

When we make changes:

  • We'll update the "Last updated" date
  • For material changes, we'll notify you via email (if you're a client or have subscribed)
  • We'll post a notice on our website

Your continued use of our services after changes take effect means you accept the updated policy.

16. Contact Us

Questions about this policy or your data?

Data Protection Officer: Gareth Eynon

📧 dpo@trudigital.co.uk

☎️ 0204 621 2983

✉️ Tru-Digital Services Ltd, 3rd Floor, 86-90 Paul Street, London, EC2A 4NE

We aim to respond within 48 hours (working hours).

Need the Full Legal Version?

This simplified Privacy Policy covers the essentials in plain English. If you need the complete legal document (for procurement teams, trust boards, or legal review), we can provide it on request.

Last updated: December 2025

Questions? We're happy to talk you through anything that's unclear. We're data protection specialists—it's literally what we do. Email us at hello@trudigital.co.uk or call 0204 621 2983.