Privacy Policy
& GDPR

1. Who we are

Lief World Ltd ("Lief", "we", "us") is registered in England and Wales (Company No. 14364751). We provide a character evidence and student recognition platform for schools and related educational settings.

This page covers two different processing contexts:

• Website, demo booking, and direct enquiries: Lief World Ltd acts as the data controller for the personal data you provide to us directly.
• School-platform data: each school acts as the data controller for student and staff data used in the Lief platform, and Lief acts as the data processor, handling that data only on the school's instructions.

2. What data we collect

Website and enquiry data

• Name, email address, organisation or school name, and any information you provide when contacting us or booking a demo
• Scheduling details submitted through our demo-booking workflow
• Basic technical information needed to load and secure our website and booking tools

School staff data

• Name and school-issued email address
• School name and staff access credentials
• Role-based access information needed to restrict staff to data for their own school

Student data provided by schools

Schools may provide the following student data for use within the Lief platform, strictly under the school's instructions:

• Legal first name and legal last name
• Preferred names, where different
• Date of birth
• Sex / gender as recognised for the DfE census
• Unique Pupil Number (UPN)
• Ethnicity, including DfE census codes
• First language
• Nationality and country of birth
• Religion
• Free School Meals status and history
• Pupil Premium indicator
• Looked After Child / Previously Looked After Child status
• Responsible local authority details where relevant
• SEN status, including SEN Support / EHCP where applicable
• Primary and secondary SEN needs
• Medical conditions and disabilities
• Date of admission
• Year group
• Registration form / tutor group
• Enrolment status
• Optional student photograph supplied by the school
• Points awarded, categories, and associated teacher comments

3. Lawful basis and processing roles

For website and enquiry data, Lief acts as controller and processes personal data where necessary to respond to enquiries, arrange demonstrations, maintain the website, and protect our services.

For school-platform data, the school determines the purpose and means of processing and remains the data controller. Lief processes that data only to deliver the platform, under the school's authority and any applicable data processing agreement.

We never rely on a child's direct consent as the basis for school-platform processing. Student and staff platform data is handled under the school's authority as controller.

4. How we use data

Website and enquiry data

• Responding to enquiries and arranging demos
• Operating, securing, and improving our website and booking workflows
• Maintaining business records relating to enquiries and conversations with prospective schools or partners

School-platform data

• Delivering and maintaining the Lief platform and its school features
• Generating recognition records, reports, dashboards, and related outputs for schools
• Supporting authorised school staff using the platform
• Providing security, access control, logging, and operational support

Lief processes only the school data provided under the school's instructions. We do not sell student data, use it for independent commercial purposes, or carry out automated decision-making or profiling of children.

5. Access, authentication, and school safeguards

• School staff access the platform using school-issued email and password credentials.
• Staff can only view data relating to pupils in their own school.
• Optional student photos are shown only to authorised staff in the relevant school environment to help identify pupils correctly.
• Internal access to school data is restricted to two authorised Lief team members: Oliver and Rich.
• Internal access is authenticated via Google Workspace domain controls and logged using Google Cloud's standard auditing tools.
• Data is typically school-provided through MIS exports such as Arbor, together with an optional school-supplied photo set where used.
• No external communication is sent to parents or students in the pilot/current school use described in our source policies.

6. Data storage & security

Lief is built on Google Cloud / Firebase. The platform uses the following safeguards:

• AES-256 encryption at rest
• TLS 1.2+ encryption in transit
• Secure identity, access control, and logging features provided through Google Cloud / Firebase
• Role-based access control
• Firebase security rules restricting access by school
• Hashed authentication credentials
• No sensitive data stored in client-side local or session storage
• Regular security reviews and code hardening

No automated decision-making or profiling is performed on children's data, including photographs.

7. Data retention & deletion

For school-platform data, student and staff data is retained only for as long as the school participates in the Lief programme or instructs us to retain it.

• Schools may request export of their data at any time.
• Schools may request deletion of their data at any time.
• If a school does not proceed after a pilot or programme period, data is deleted on the school's instruction.

For website and enquiry data, we retain records for as long as reasonably necessary to respond to your enquiry, manage the relationship, and maintain relevant business records.

8. Sharing data with third parties

For school-platform data, the only confirmed subprocessor handling personal data in the source documentation is:

• Google Cloud / Firebase — hosting, authentication, storage, and platform infrastructure

For website and demo-booking data, we also use:

• Calendly — demo booking and scheduling workflows; this is limited to enquiry and scheduling data and does not process student platform data

No other third parties or contractors are given access to school or student data beyond what is necessary to deliver the platform as documented in our current materials.

9. Data breaches

In the event of a data breach affecting school data, Lief will:

• inform the affected school without undue delay
• provide details of the nature and scope of the incident
• cooperate fully with any required investigation or regulatory obligations

10. Data protection rights

Under UK GDPR, individuals may have rights including access, rectification, erasure, restriction, objection, and data portability, depending on the context of processing.

For student and school-platform staff data, requests should normally be directed to the school first, because the school is the data controller. Lief will support schools in handling valid requests under our processor obligations.

For website, demo, or direct enquiry data held by Lief as controller, please contact us at privacy@lief.world.

11. Cookies and website technologies

The Lief website uses limited technologies necessary to operate the site and related booking workflows. Where third-party tools such as Calendly are used, those services may set their own cookies or similar technologies as part of the booking experience.

We do not use the website to serve advertising to children or to profile student users.

12. Compliance roadmap and updates

As part of our broader compliance roadmap, Lief is completing and formalising a number of measures, including:

• a DPIA covering processing activities relating to children's data
• ongoing ICO registration work
• preparation for Cyber Essentials certification
• stronger authentication and frontend security controls
• additional data access and export tooling

We may update this policy from time to time to reflect operational, legal, or product changes. The date of the most recent revision is shown at the top of this page.

13. Complaints

If you believe your personal data has been handled incorrectly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.