Privacy Policy
Company No. 17061559 · Leon.Berchie@bridgepoint-education.com · bridgepoint-education.com
1. Who We Are
BridgePoint Education Ltd ("BridgePoint", "we", "us", "our") is a company incorporated in England and Wales (Company No. 17061559). We operate an EdTech platform at bridgepoint-education.com that provides diagnostic mathematics assessments and adaptive learning tools to support students transitioning from prior curricula (GCSE, MYP, Common Core) into the IB Diploma Programme.
Our registered contact address is available on request. Our primary contact for data privacy matters is:
| Data Contact | Leon Berchie |
| Leon.Berchie@bridgepoint-education.com | |
| Website | bridgepoint-education.com |
2. Scope of This Policy
This policy explains how BridgePoint collects, uses, stores and protects personal data when you use our platform. It applies to:
- Students who complete diagnostic assessments and summer bridging programmes on the platform
- Teachers and Heads of Department who use the teacher dashboard to view student performance
- School Administrators who manage school-wide settings and user accounts
- Parents or guardians who access parent-facing progress summaries
- Visitors to our website
This policy is written to comply with UK GDPR (UK General Data Protection Regulation) and the Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016). Where requirements differ between these frameworks, we apply the higher standard.
3. Our Role: Controller and Processor
BridgePoint operates in two distinct roles depending on the data involved:
3.1 BridgePoint as Data Controller
BridgePoint is the data controller for data collected in order to run our own business operations. This includes teacher and administrator account information, billing contact details, platform usage analytics, and communications with BridgePoint.
3.2 BridgePoint as Data Processor
When a school subscribes to the BridgePoint platform, the school is the data controller for the personal data of their students and parents. BridgePoint acts solely as a data processor on behalf of the school, processing student data only as instructed by the school and only for the purpose of delivering the contracted service.
In this capacity, BridgePoint and the subscribing school enter into a Data Processing Agreement (DPA), a separate document that sets out the obligations of both parties. Schools must sign this DPA before any student data is entered into the platform.
4. What Data We Collect
4.1 Student Data (processed on behalf of schools)
- Full name and year group (provided by the school)
- Class or cohort assignment
- Prior curriculum background (e.g. GCSE, MYP, Common Core)
- Diagnostic assessment responses and scores
- Skill mastery levels across prerequisite topic areas
- Adaptive learning session activity (questions attempted, time on task, answers given)
- Course recommendation outputs (teacher-facing only, not shared with parents)
4.2 Teacher and Admin Data (controller relationship)
- Full name and professional email address
- School name and role (e.g. Maths Teacher, HoD, School Admin)
- Account login credentials (passwords stored in encrypted form only)
- Platform usage logs for support and security purposes
4.3 Parent Data (processed on behalf of schools)
- Full name and email address (provided by the school at enrolment)
- Access logs when viewing child's progress summary
4.4 Website Visitor Data
- Standard server access logs (IP address, browser type, pages visited)
- We do not use third-party tracking or advertising cookies
5. Legal Basis for Processing
Under UK GDPR, we must have a lawful basis for processing personal data. Our bases are as follows:
| Data Type | UK GDPR Basis | Qatar PDPPL Basis |
|---|---|---|
| Student assessment data | Contract performance (school DPA) / Legitimate interests | Contractual necessity with the school |
| Teacher/admin accounts | Contract performance (platform licence) | Contractual necessity |
| Parent progress summaries | Legitimate interests (educational welfare of the child) | Consent obtained via school enrolment |
| Platform usage analytics | Legitimate interests (improving platform quality) | Legitimate interests |
| Website visitor logs | Legitimate interests (site security) | Legitimate interests |
6. How We Use Your Data
We use the data described above only for the following purposes:
- Delivering the diagnostic assessment and adaptive learning service to students
- Generating teacher dashboards showing class-level gap maps and individual student profiles
- Providing school administrators with school-wide performance overviews
- Sending parents progress summaries on their child's learning readiness
- Managing teacher and admin accounts and platform access
- Maintaining platform security and investigating unauthorised access
- Improving the platform through anonymised, aggregated usage analytics
- Communicating with schools about service updates, renewal, and support
We do not use student data for advertising, profiling beyond the educational purpose, or selling to third parties. Course recommendation outputs are visible to teachers only and are not surfaced to parents or students.
7. Data Storage and Third-Party Services
BridgePoint uses the following infrastructure to store and serve data:
7.1 Supabase (Database and Authentication)
All student, teacher, parent and admin data is stored in a Supabase PostgreSQL database. Our Supabase project is hosted in Amazon Web Services (AWS) EU West 1 — region code eu-west-1 (Ireland). Supabase is our primary data sub-processor. Supabase provides row-level security, encrypted connections, and daily automated backups. Because this region is in the European Economic Area, personal data in the database is primarily processed within the EEA. Where any ancillary Supabase processing or subprocessors involve transfers outside the EEA, appropriate safeguards apply as described in Supabase's data processing documentation, including Standard Contractual Clauses (SCCs) where required.
7.2 Vercel (Platform Hosting)
The BridgePoint web application is hosted on Vercel. We deploy the application to Vercel's EU region so that compute and edge routing for the live service are aligned with European data residency preferences. Vercel serves the application and processes requests but does not have persistent access to user personal data held in our Supabase database. Vercel infrastructure is subject to Vercel's Data Processing Addendum and its security and compliance documentation, which describe GDPR-aligned measures including Standard Contractual Clauses for transfers where applicable.
We do not use Google Analytics, advertising networks, or any other tracking services that involve third-party access to personal data.
8. International Data Transfers
BridgePoint Education Ltd is incorporated in the United Kingdom. Our Supabase database is hosted in the EEA (AWS EU West 1, Ireland, eu-west-1), and the BridgePoint web application is deployed on Vercel in the European Union region. Some limited processing, subprocessors, or support activity may still involve transfers outside the UK and/or Qatar. Where personal data is transferred outside these jurisdictions, we ensure appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO)
- Sub-processor Data Processing Agreements with Supabase and Vercel
Schools based in Qatar are advised that their students' data may be processed on servers outside Qatar. This is disclosed to schools at the point of contract and reflected in the Data Processing Agreement.
9. Data Retention
We retain personal data only for as long as necessary for the purpose for which it was collected. Our specific retention periods are:
| Data Category | Retention Period |
|---|---|
| Student assessment data | Retained for the duration of the academic year in which the licence is active. Deleted within 30 days of the end of that academic year or licence expiry, whichever is sooner. |
| Teacher and admin accounts | Retained while the school licence is active. Deactivated within 30 days of licence expiry; permanently deleted within 90 days. |
| Parent access records | Retained for the same period as student data for the associated student. |
| Platform usage logs (anonymised) | Retained for up to 2 years for platform improvement purposes. |
| Website visitor logs | Retained for up to 90 days for security purposes. |
10. Your Rights
Depending on your jurisdiction and your relationship to BridgePoint, you may have the following rights:
Under UK GDPR
- Right of access — request a copy of your personal data
- Right to rectification — correct inaccurate data
- Right to erasure — request deletion of your data (see Section 11)
- Right to restriction — limit how we process your data
- Right to data portability — receive your data in a portable format
- Right to object — object to processing based on legitimate interests
Under Qatar PDPPL (Law No. 13 of 2016)
- Right to access your personal data and know how it is used
- Right to correct inaccurate or incomplete data
- Right to request deletion of data no longer required for its original purpose
- Right to object to processing that causes harm
Where BridgePoint is acting as a data processor (i.e. processing student data on behalf of a school), rights requests relating to student data should be directed to the school in the first instance, as the school is the data controller. BridgePoint will cooperate with schools to fulfil these requests.
11. How to Request Data Deletion
Deletion requests can be made by the following parties:
11.1 Schools (Primary Route)
School administrators can request deletion of any student, parent, or teacher data associated with their school by contacting BridgePoint directly. As the data controller, the school's request will be actioned within 30 days.
11.2 Parents
Parents may request deletion of their own account data and their child's data by emailing Leon.Berchie@bridgepoint-education.com. BridgePoint will acknowledge receipt within 5 working days and complete the deletion within 30 days. Where the school is the data controller for the child's data, BridgePoint will notify the school of the request before proceeding.
11.3 Students
Students wishing to request deletion of their data should raise this with their school in the first instance. The school will then instruct BridgePoint to act. Students aged 16 or over in the UK who wish to exercise rights directly may contact BridgePoint at the address below; we will respond within 30 days.
All deletion requests should be sent to: Leon.Berchie@bridgepoint-education.com with the subject line "Data Deletion Request".
12. Data Security
BridgePoint takes data security seriously. Our technical and organisational measures include:
- All data in transit is encrypted using TLS 1.2 or higher
- All data at rest is encrypted within the Supabase database
- Row-level security (RLS) policies ensure teachers can only see data for their own students
- Access to the Supabase database is restricted to authorised personnel only
- Passwords are never stored in plain text; authentication is managed through Supabase Auth
- Daily automated database backups are enabled
In the event of a personal data breach, BridgePoint will notify affected schools within 72 hours of becoming aware of the breach, in line with UK GDPR Article 33 requirements.
13. Children's Data
BridgePoint's platform is designed for use by students aged approximately 15 to 18. Under UK GDPR, all persons under the age of 18 are treated as children for the purposes of educational data processing. We take additional care with children's data:
- We do not market to students
- Course recommendation outputs are only visible to teachers, not to students or parents
- Student accounts are created and managed by the school, not directly by students
- We do not allow students to create accounts independently
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services or legal requirements. The effective date at the top of this document will be updated when changes are made. Where changes are material, we will notify subscribing schools by email. Continued use of the platform after notification constitutes acceptance of the revised policy.
15. Contact and Complaints
If you have any questions about this Privacy Policy or how your data is handled, please contact:
| Name | Leon Berchie, BridgePoint Education Ltd |
| Leon.Berchie@bridgepoint-education.com | |
| Website | bridgepoint-education.com |
If you are based in the UK and are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.
If you are based in Qatar, you may raise a complaint with the Ministry of Communications and Information Technology (MCIT) or the relevant data protection authority.