Privacy Policy
Last updated 21 June 2026
This policy explains what personal data Ceidwad handles, why, and the rights you have. It is written to meet UK GDPR and the Data Protection Act 2018. Plain-English summaries sit alongside the detail.
Who we are
Ceidwad ("we", "us", "our") provides a cyber-security and compliance platform for schools, colleges and multi-academy trusts. The data controller is [registered legal name], [registered address], registered with the Information Commissioner's Office under number [ICO registration number]. You can reach us about privacy at privacy@ceidwad.co.uk.
Controller or processor — which applies
This matters for schools. There are two different relationships:
- We are the controller for personal data about visitors to this website, people who request an assessment or sign up, and the named contacts at a school or trust. This policy governs that data.
- We are a processor for the pupil and staff data inside a school's or trust's own systems (e.g. Microsoft 365). The school or trust remains the controller and decides how that data is used. Our handling of it is governed by the Data Processing Agreement that forms part of your contract — not by this website policy.
What we collect and why
- Account & contact details (name, work email, school/trust, role) — to create and run your account. Lawful basis: contract.
- School identity (URN, establishment type, trust membership) looked up in the DfE's public Get Information about Schools register — to assign the correct plan. Lawful basis: legitimate interests (accurate, fair pricing).
- Assessment answers you provide in the free security assessment — to generate your indicative score and recommendations. Lawful basis: consent.
- Microsoft 365 security posture data (configuration and security signals, read-only) where you connect a tenant — to assess and report your posture. We handle this as your processor. We do not read message content or files.
- Usage & technical data (e.g. pages viewed, device/browser, IP) — to keep the service secure and working. Lawful basis: legitimate interests.
We do not sell personal data, and we do not use it for third-party advertising.
Who we share data with
Service providers (sub-processors) that help us run Ceidwad:
- Microsoft — Microsoft 365 / Graph security signals you choose to connect, and Microsoft Azure (UK South region) for hosting.
- Email delivery — to send service messages and reports.
- AI processing — the "Ask Ceidwad" advisor. This currently runs on a self-hosted model, so prompts are not sent to a third-party AI provider. If we adopt a cloud AI provider we will update this list and the sub-processor register, and personal identifiers are redacted before any text leaves our systems.
A current sub-processor list is available on request at privacy@ceidwad.co.uk.
Where your data is held
We host in the UK (Azure UK South). Where any transfer outside the UK is unavoidable, we rely on UK-approved safeguards (an adequacy decision or the International Data Transfer Agreement / Standard Contractual Clauses).
How long we keep it
We keep personal data only as long as needed for the purposes above or to meet legal obligations: account data for the life of the relationship plus [retention period, e.g. 12 months]; assessment and enquiry data for [retention period]; then we delete or anonymise it. Pupil/staff data we process for a school is retained per the Data Processing Agreement and returned or deleted on request.
Your rights
Under UK GDPR you can ask us to:
- give you a copy of your data (access)
- correct inaccurate data (rectification)
- delete data in certain circumstances (erasure)
- restrict or object to processing
- port data you gave us, where the processing is based on consent or contract
- withdraw consent at any time, without affecting earlier processing
Email privacy@ceidwad.co.uk and we'll respond within one month. If you're a pupil, parent or staff member asking about data your school holds, contact the school — they are the controller and we'll support them.
Automated decisions
Your security score and recommendations are generated automatically, but they support human decisions — they do not produce legal or similarly significant effects on any individual, so Article 22 does not apply.
Children's data
Ceidwad is sold to and used by school staff, not children. Any pupil data is handled only as a processor on a school's instructions under the Data Processing Agreement.
Complaints
We hope to resolve any concern directly. You also have the right to complain to the Information Commissioner's Office — ico.org.uk, 0303 123 1113.
Changes
We'll update this policy as the service evolves and post the new date above. Material changes will be highlighted to account holders.