Last updated: 22 April 2026
What is GDPR?
The UK General Data Protection Regulation (UK GDPR), together with the Data Protection Act 2018, governs how organisations collect, use, store and share personal data in the United Kingdom. The UK GDPR was introduced following the UK’s departure from the European Union and largely mirrors the EU GDPR whilst applying specifically to the UK. It sets out individuals’ rights over their personal data and the obligations of organisations that process it. Further information is available from the Information Commissioner’s Office at ico.org.uk.
The Data Protection Act 2018 supplements the UK GDPR and together they form the primary data protection framework in the UK. The Information Commissioner’s Office (ICO) is the independent regulator responsible for upholding data rights and can be contacted at ico.org.uk.
Data Controllers and Data Processors
When a school enrols a cohort on a Flosendo programme, pupil data is transferred to Flosendo via Wonde, a third-party MIS integration service authorised by the school. In this scenario the school is the Data Controller – it determines what data is shared and is responsible for informing pupils and parents about how their data is used. Flosendo acts as Data Processor and processes that data only on the school’s instructions and for the purpose of delivering the programme.
Flosendo is the Data Controller of parent or guardian email addresses provided voluntarily by pupils within the app for the purpose of sending a programme progress report. Flosendo determines how that data is used and is responsible for ensuring it is processed lawfully.
How we comply with GDPR
Cloud Hosted
We are fully hosted in the cloud on servers based within the EEA.
Data Managed in EEA
We store, process and manage all personal data within the EEA.
Trusted Third Parties – We share personal data only with the following trusted third parties where necessary to deliver our services: Wonde Ltd (MIS integration, authorised by the school); Stripe Inc. (payment processing for school invoices only – no pupil data is shared); and our cloud hosting provider (data storage within the EEA). We use Google Analytics to analyse anonymous website usage data only. We do not sell personal data or share it with any advertising networks or data brokers.
Bank Level Encryption
We encrypt all personal data in transit and at rest using industry-standard encryption protocols. Access to personal data is restricted to authorised personnel only.
Permission-based Access – Schools have full control over which users have access to which data.
Secure logins – Every user has secure logins with automatic logouts after periods of inactivity.
Easily retrievable data – Schools can easily download all data that Flosendo holds about a pupil, parent, teacher or school.
Permanent deletion of data – All users can make subject access and/or right to be forgotten requests by contacting enquiries@flosendo.com.
Data minimisation – We collect only the personal data necessary for programme delivery. Where data is used for internal reporting, it is aggregated and anonymised so that individual pupils cannot be identified.