1. Who We Are
This Privacy Policy applies to EveryDesign, operated by EDUSOFT LTD, a company registered in the United Kingdom under company number 15827191. References to "EveryDesign", "we", "us", and "our" mean EDUSOFT LTD trading as EveryDesign.
For most personal data connected with our website, enquiries, accounts, billing, support, and client relationships, EDUSOFT LTD is the data controller. This means we decide why and how that personal data is used.
Where we host, maintain, support, or process data inside a client's website, mailbox, database, portal, or managed system on the client's documented instructions, we may act as a data processor and the client may be the data controller.
ICO registration: ZB799468
Contact: [email protected]
Telephone: 0800 043 6404 Freephone
Website: everydesign.org
2. Scope of This Policy
This policy covers personal data processed through our website, contact forms, client portal, webmail access pages, support requests, email communications, telephone calls, contracts, invoices, hosting and email services, maintenance services, development work, analytics, security monitoring, and supplier relationships.
It does not replace any separate data processing agreement, service contract, support agreement, or written instruction agreed with a client. Where a conflict exists between this policy and a signed contract or data processing agreement, the signed agreement will normally take priority for that specific service.
3. Personal Data We Collect
We may collect and process the following categories of personal data where relevant to our services:
- Identity and contact details: names, job titles, organisation names, email addresses, telephone numbers, postal addresses, usernames, and account identifiers.
- Client and billing data: contracts, quotes, invoices, payment status, renewal dates, purchase history, VAT or accounting references, and correspondence about services.
- Enquiry and support data: contact form submissions, support tickets, project briefs, call notes, attachments, technical descriptions, feedback, and service history.
- Technical and usage data: IP addresses, device and browser information, server logs, access logs, authentication records, security events, error reports, analytics data, and cookie data.
- Hosted or managed service data: website files, databases, mailbox data, uploaded content, user accounts, form submissions, backups, staging copies, and configuration data where we provide hosting, email, maintenance, or support.
- Compliance and security data: evidence required to investigate abuse, fraud, malware, safeguarding concerns, unauthorised access, legal requests, disputes, or breaches of our terms.
We ask clients not to send unnecessary special category data, criminal offence data, safeguarding data, medical data, financial card data, or other high-risk information unless it is essential and there is a lawful basis and suitable protection in place.
4. How We Use Personal Data
We use personal data to respond to enquiries, provide quotes, set up and manage services, deliver website and software projects, provide hosting and email support, operate the client portal, maintain accounts, send service messages, process renewals, issue invoices, manage payments, prevent misuse, secure our systems, troubleshoot faults, meet legal obligations, and protect our business and clients.
We may also use business contact details to send relevant service updates, renewal reminders, security notices, maintenance notices, policy updates, and limited marketing about services similar to those already supplied or requested. You can ask us to stop marketing at any time.
We do not sell personal data.
5. Lawful Bases Under UK GDPR
We only process personal data where a lawful basis applies. Depending on the context, our lawful bases may include:
- Contract: to provide services, respond before entering a contract, manage client accounts, deliver support, and administer renewals.
- Legal obligation: to keep accounting records, respond to lawful requests, and comply with company, tax, data protection, fraud prevention, and security obligations.
- Legitimate interests: to operate and improve our business, protect systems, prevent fraud and abuse, manage client relationships, recover debts, defend legal claims, monitor service reliability, and communicate with business contacts.
- Consent: where consent is required, such as optional marketing preferences or certain non-essential cookies. Consent can be withdrawn at any time.
- Vital interests or public interest: where exceptionally necessary, for example to report credible threats, safeguarding concerns, or serious unlawful activity to competent authorities.
6. Client Service Data and Processor Role
Where we host, support, maintain, migrate, back up, or troubleshoot client systems, we may process personal data belonging to the client, the client's staff, customers, pupils, users, suppliers, or website visitors. In those circumstances, we will usually process that data on the client's instructions and for the purpose of providing the contracted service.
Clients are responsible for ensuring that personal data they place into websites, mailboxes, databases, portals, and systems has been collected lawfully, is accurate, is not excessive, and is covered by appropriate privacy information and lawful bases.
We may access hosted or managed data only where needed to provide services, investigate faults, maintain security, comply with law, prevent abuse, or enforce our terms.
8. International Transfers
Some suppliers may process personal data outside the United Kingdom. Where this happens, we take steps designed to ensure that the transfer is lawful under UK GDPR, such as using suppliers in countries with adequacy arrangements or relying on appropriate contractual safeguards where required.
Because internet services often involve global routing, security filtering, cloud infrastructure, and email delivery networks, personal data may pass through or be processed in more than one country as part of normal service delivery.
9. Retention and Deletion
We keep personal data only for as long as reasonably necessary for the purposes for which it was collected, including service delivery, account management, legal compliance, accounting, security, dispute handling, and enforcement of our terms.
Indicative retention periods include:
- Enquiries: normally up to 24 months after the last meaningful contact, unless a client relationship begins or there is a legal, security, or dispute reason to retain longer.
- Client, contract, billing, and accounting records: normally up to 6 years after the end of the relevant financial year or client relationship, unless law requires longer.
- Support tickets and project records: normally for the life of the client relationship and a reasonable period afterwards for continuity, audit, dispute handling, and service improvement.
- Security, server, and access logs: normally for a limited operational period, unless needed for investigation, legal compliance, abuse handling, or security protection.
- Hosted service data after cancellation: unless we are legally required or reasonably entitled to retain data for longer, data is deleted from active servers 31 days after cancellation, including backups within our control.
Backups are designed for service recovery and may not be individually editable. Where data is scheduled for deletion, backup copies are removed or overwritten through normal backup rotation unless preservation is required for legal, security, accounting, safeguarding, dispute, or abuse investigation reasons.
10. Security
We use appropriate technical and organisational measures intended to protect personal data against unauthorised access, loss, misuse, alteration, disclosure, and destruction. Measures may include access controls, password protection, encrypted connections where supported, server hardening, monitoring, patching, backups, supplier controls, least-privilege access, and staff confidentiality obligations.
No website, email system, hosting platform, or internet transmission can be guaranteed completely secure. Clients must also take sensible steps to protect their accounts, including using strong passwords, limiting user access, keeping devices secure, and notifying us promptly of suspected compromise.
11. Your Data Protection Rights
Depending on the circumstances, UK GDPR gives individuals rights to be informed, access their personal data, request correction, request erasure, restrict processing, object to processing, request data portability, withdraw consent, and challenge certain automated decisions.
To exercise your rights, contact [email protected]. We may need to verify your identity before responding. We aim to respond without undue delay and normally within one month, although this period may be extended where permitted by law for complex or multiple requests.
Some rights are not absolute. For example, we may need to keep certain data for accounting, legal, security, contractual, fraud prevention, safeguarding, or dispute reasons.
13. Automated Decision-Making
We do not use personal data for solely automated decisions that produce legal or similarly significant effects on individuals. Automated security, spam, fraud, bot prevention, or abuse detection tools may be used to protect our systems and clients, but significant account or service decisions are reviewed where appropriate.
14. Children and Safeguarding
Our services are not directed at children as consumers. Some clients may operate education, community, or safeguarding-related services. Where we process personal data in those systems, we do so under the relevant client's instructions and the client is responsible for providing appropriate privacy information and lawful bases to affected individuals.
Where we reasonably suspect a safeguarding risk, child exploitation, credible threat, or serious unlawful activity, we may preserve relevant evidence and report the matter to law enforcement, safeguarding bodies, regulators, hosting providers, or other competent authorities.
15. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, suppliers, legal obligations, security practices, or business operations. The latest version will be published on this website with an updated date.
16. Contact and Complaints
If you have questions about this policy, want to exercise your rights, or wish to make a data protection complaint, contact us at [email protected] or call 0800 043 6404 Freephone.
You also have the right to complain to the Information Commissioner's Office, the UK supervisory authority for data protection. The ICO can be contacted through ico.org.uk.
Company: EDUSOFT LTD
Trading as: EveryDesign
Company number: 15827191
ICO registration: ZB799468
Telephone: 0800 043 6404 Freephone
Website: everydesign.org