1. Who we are

This Privacy Policy is issued by NetWORK NotWORK CIC (Company Number 15419367), trading as Careers Navigator ('we', 'us', 'our'). Careers Navigator is not a separate legal entity - it is a trading name of NetWORK NotWORK CIC.
We are registered in England and Wales. Our registered address is: NotWORK Business Hub, 4b Evolution, Wynyard Avenue, Wynyard, TS22 5TB.
You can contact us about this policy at: privacy@careersnavigator.co.uk or by calling 07775 914711.

2. Who this policy covers

This policy explains how we collect, use, store, and share your personal data when you:

• • visit careersnavigator.co.uk (our Website)
  • take part in any of our programmes (including Ignite XP! and Ascend XP!),
  • purchase services from us, or
  • contact us or make an enquiry

It applies to learners, parents and guardians, schools, training providers, local authorities, and any other person or organisation that interacts with us.
We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Data (Use and Access) Act 2025, the major provisions of which came into force on 5 February 2026.

3. Who is responsible for your data

NetWORK NotWORK CIC is the data controller for personal data collected through our Website and in our direct relationships with learners, parents, guardians, and organisations.
Where a school, training provider, or local authority purchases services for learners, that organisation is typically the data controller for learner data and we act as a data processor - processing data on their instructions to deliver the services and provide agreed reporting. The terms of our data processing arrangement are confirmed in the relevant contract and data processing agreement before any learner data is shared.

4. What data we collect

A) Information you give us

When you contact us, make an enquiry, or purchase services, we may collect your name, email address, phone number, organisation name and role, and details of your enquiry or request.

B) Programme and learning data

• • When a learner is enrolled on our programmes (via DISCO LMS), we collect the following information provided at registration:
  • First name and surname
  • Date of birth
  • Organisational email address
  • Programme and level (for example Ignite XP! Beginner or Ascend XP! Advanced)
  • Programme start date
  • Additional support needs (where provided), including accessibility requirements such as visual impairment adaptations or dyslexia adaptations
  • Photo, video, and social media consent (yes or no per learner)
  • Research and audit consent (yes or no per learner)
  • Any additional information provided by the enrolling organisation (for example SEND details)

During participation in the programme, we also collect progress and activity data (including XP points and badges earned), participation and engagement records, and any feedback, reflections, or evidence submitted during activities.

C) Payment data

Payments from parents and guardians are processed via Stripe. Invoicing for organisations is managed via Sage. We do not store full card details. Payment providers handle payment data under their own privacy policies.

D) Website data

When you use our Website we automatically collect your IP address, browser and device type, pages visited and time spent, and referral source where available. We use Google Analytics (GA4) for this purpose, with IP anonymisation enabled and advertising features disabled. Please see our Cookie Policy for details.

5. Children and young people

Our programmes are designed for learners aged 8 to 24. We take the privacy and safety of all learners seriously, and especially those under 18.

Learners under 13

Children under 13 cannot create an independent account. A parent or guardian must hold the account on their behalf, and the child accesses the programme through the parent or guardian's account. We require a parent or guardian to provide consent for data processing at registration for this age group, where consent is the applicable lawful basis. This arrangement has been confirmed with DISCO LMS as the approved account architecture for under-13 learners on the platform.

Learners aged 13 to 17

Learners aged 13 to 17 are legally children under UK law. For delivering the programme, the lawful basis for processing is typically contract or legitimate interests rather than consent. Where consent is the appropriate basis for a specific optional feature (for example, appearing on a leaderboard, or having submitted work used in promotional materials), a learner aged 13 or over may provide their own consent, provided it is informed, specific, and freely given.

How we protect children's data

We only collect data we need to deliver our services. All content submitted by learners is reviewed by a trained mentor or assessor before it is visible to others. If any submitted content gives rise to a safeguarding concern, it is escalated to our Designated Safeguarding Lead. We do not use children's data for advertising or profiling. We do not market directly to anyone under 18.

Our Designated Safeguarding Lead and Deputy Designated Safeguarding Lead both hold a Level 3 safeguarding qualification. Safeguarding concerns can be reported to us at privacy@careersnavigator.co.uk

6. Special category data

We do not routinely collect sensitive personal data (such as health information, ethnicity, or religious beliefs) through our standard programme processes.

Where learners have specific accessibility or additional support needs, we collect this information at enrolment to ensure the programme is appropriately adapted. This data is handled with additional care, accessed only by those who need it to deliver the service, and stored securely within DISCO LMS.

Where sensitive data is shared with us in connection with a safeguarding concern or disclosure, we handle it under the legal basis of substantial public interest for safeguarding purposes (Data Protection Act 2018, Schedule 1, paragraph 18). Such data is stored in a confidential safeguarding record kept separately from general learner files.

7. How we use personal data

We use personal data to:

• • respond to enquiries and provide information about our programmes,
  • enrol learners and set up appropriate programme access,
  • deliver learning experiences, track progress, and issue badges and certificates,
  • adapt programme delivery for learners with accessibility or additional support needs,
  • provide progress reports to schools, providers, and local authorities where agreed,
  • manage bookings, orders, invoices, and payments,
  • improve our Website and services,
  • send service messages such as onboarding information and important updates,
  • send marketing communications where you have opted in,
  • use anonymised and aggregated data for research, impact reporting, and service improvement, and
  • meet our safeguarding, legal, and regulatory obligations.

8. Legal bases for processing (UK GDPR)

We rely on the following legal bases:

• • Contract - where processing is necessary to deliver paid services or fulfil a purchase.
  • Legitimate interests - for service improvement, safeguarding, preventing misuse, and service administration, where our interests do not override your rights.
  • Consent - where you opt in to marketing, or where consent is the appropriate basis for a specific optional feature of the platform such as promotional use of submitted work.
  • Legal obligation - where the law requires us to process data, including safeguarding duties.
  • Substantial public interest (Data Protection Act 2018, Schedule 1, paragraph 18) - where we process special category data in connection with safeguarding.

9. Who we share your data with

We share personal data only where necessary. The third parties we work with are:

• • DISCO LMS - our learning platform, which hosts learner accounts, progress data, and submitted work. DISCO LMS is based in the United States and Canada. Data is protected by Standard Contractual Clauses approved for UK transfers, and DISCO has appointed VeraSafe as its UK representative under Article 27 of the UK GDPR.
  • Go High Level - our CRM system, used to manage contact with parents, partners, and organisations. Go High Level is based in the United States. Transfers are covered by the UK Extension to the EU-US Data Privacy Framework and the EU 2021 Standard Contractual Clauses with UK Transfer Addendum.
  • Google Analytics (GA4) - used to understand how people use our Website. Google is based in the United States. Transfers are covered by the UK-US Data Bridge or appropriate standard contractual clauses.
  • Google Workspace - used for internal administration and communications. Where personal data is held within Google Workspace it is kept to a minimum.
  • Stripe - payment processing for parent and guardian purchases. Stripe is based in the United States and covered by appropriate transfer safeguards.
  • Sage - invoicing and accounting for organisation customers.
  • IONOS - Website hosting.
  • Schools, training providers, or local authorities you are linked to, for agreed reporting and progress updates.
  • Professional advisers (legal, accounting) where needed.
  • Regulators, law enforcement, or safeguarding authorities where required by law.

We do not sell personal data. All third-party processors are required to handle data securely and only for the purposes we specify, under written data processing agreements.

10. International transfers

Several of our service providers are based in the United States and process data internationally. The transfer mechanisms in place are:

• • DISCO LMS - data stored principally in the United States and Canada. Transfer mechanism: Standard Contractual Clauses covering UK transfers, with VeraSafe appointed as UK Article 27 representative.
  • Go High Level - data stored in the United States (AWS and Google Cloud infrastructure). Transfer mechanism: UK Extension to the EU-US Data Privacy Framework, with EU 2021 Standard Contractual Clauses and UK Transfer Addendum as a backstop.
  • Google (Analytics / GA4) - covered by the UK-US Data Bridge or appropriate standard contractual clauses.
  • Stripe - covered by the UK-US Data Bridge or appropriate standard contractual clauses.

Where data is transferred outside the UK, we use appropriate safeguards as required by UK data protection law, including the UK International Data Transfer Agreement (IDTA) or other approved mechanisms.

11. How long we keep your data

We keep personal data only for as long as it is needed. Our standard retention periods are:

• • Learner programme data (progress, badges, reflections, enrolment information): 7 years from the end of the subscription, in line with NCFE requirements.
  • Safeguarding records relating to children: until the individual's 25th birthday, in line with Keeping Children Safe in Education (KCSIE) guidance.
  • Safeguarding records relating to adults: 7 years from last contact.
  • Financial and transaction records: 7 years from the date of transaction, as required for tax purposes.
  • Enquiry and contact data: 7 years from last contact, unless a service relationship exists.
  • Marketing consent records: retained while the contact is active. When a contact becomes dormant (no engagement and no active service relationship), marketing data will be reviewed and deleted.

A formal internal retention schedule is maintained separately from this policy, setting out deletion processes for each data category.

12. Keeping your data secure

We use appropriate technical and organisational measures to protect personal data against unauthorised access, loss, or disclosure. These include access controls, secure systems, and contractual security requirements for all data processors. No system is completely secure, but we take our obligations seriously and review our security arrangements regularly.

13. Your rights

Under UK data protection law you have the right to:

• • access the personal data we hold about you,
  • ask us to correct inaccurate data,
  • ask us to delete your data in certain circumstances,
  • ask us to restrict how we use your data,
  • object to processing based on legitimate interests,
  • receive your data in a portable format in certain cases, and
  • withdraw consent at any time where consent is the lawful basis.

To exercise any of these rights, contact us at privacy@networknotworkcic.co.uk. We will respond within one month of receiving your request. Under the Data (Use and Access) Act 2025, we may pause this deadline if we need to ask you for clarification to locate the relevant data - we will let you know promptly if this applies.

14. Automated decision-making

We do not make decisions about individuals using solely automated processes that produce legal or significant effects.

15. Links to other websites

Our Website may contain links to third-party websites. We are not responsible for their privacy practices. We encourage you to read their privacy policies before sharing any personal data with them.

16. How to complain

If you have a concern about how we handle your data, please contact us first so we can try to resolve it: privacy@networknotworkcic.co.uk
You also have the right to complain to the UK Information Commissioner's Office (ICO):

• • Website: ico.org.uk
  • Telephone: 0303 123 1113
  • Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

 

17. Changes to this policy

We may update this policy from time to time. We will post any changes on this page and update the effective date. Where changes are significant, we will notify learners, parents, and partners directly where we are able to do so.

End of Privacy Policy