Skip to main content
Back to home
Legal

Privacy Policy

How NAfSA collects, uses, and protects personal data when you use the platform, purchase services, or interact with our community.

Last updated: 2 June 2026

Legal entity

National Alliance for School Attendance Ltd (NAfSA). Registered in England and Wales. Company Registration Number: 10252699. Registered Office: Cleveland, Hayscastle, Haverfordwest, Wales, SA62 5NY.

Who we are

National Alliance for School Attendance Ltd (NAfSA). Registered in England and Wales. Company Registration Number: 10252699. Registered Office: Cleveland, Hayscastle, Haverfordwest, Wales, SA62 5NY.

For the purposes of UK data protection law, National Alliance for School Attendance Ltd is the data controller for personal data processed through the NAfSA platform, unless we tell you otherwise for a specific service. We are registered as a data controller with the UK Information Commissioner's Office (ICO). Our ICO registration reference is ZA217586.

Registered entity details shown on this page are maintained centrally in our admin settings and may be updated when our corporate structure changes (for example, when NAfSA is registered as a separate limited company).

Personal data we collect

We collect and process personal data depending on how you use the platform, including:

  • Account and profile data: name, email, organisation, job title, phone (optional), school or Local Authority identifiers, and preferences you provide when registering or editing your profile.
  • Membership and billing data: membership tier, payment status, invoice or purchase order references, and transaction records processed via Stripe or recorded manually for invoice customers.
  • Event and ticket data: bookings, attendance-related event selections, discount codes applied, and payment confirmations.
  • Commercial activity data: partner directory and event listing submissions, tier selections, listing fees paid, and correspondence relating to approval or rejection.
  • Community content: forum posts, replies, resource uploads, expert questions, and related metadata.
  • Communications: messages sent through contact forms, support mailboxes, and email delivery logs.
  • Technical data: IP address, browser type, device information, and usage analytics where enabled.

How we use your data

We use personal data to provide, secure, and improve the platform, including:

  • Creating and managing member accounts and access to portal features.
  • Processing membership, event tickets, partner directory listings, and event calendar listing fees.
  • Sending transactional and service emails (for example, 7-day free evaluation alerts, booking confirmations, submission updates, and account notifications).
  • Moderating community content, preserving the professional integrity of our forums, and enforcing our terms.
  • Complying with statutory legal obligations and responding to lawful requests.
  • Understanding platform usage to improve system reliability, speed, and security.

Lawful bases

We rely on one or more of the following lawful bases under the UK General Data Protection Regulation (UK GDPR), depending on the specific activity:

  • Contract — to fulfill or prepare for a membership, evaluation access, ticketing, or commercial listing service you request.
  • Legitimate interests — to operate, secure, and improve the platform, manage collective industry insight, prevent fraud, and support our members, balanced fairly against your individual privacy rights.
  • Consent — where explicitly required for optional marketing or non-essential cookies.
  • Legal obligation — where we must retain or disclose information to comply with UK statutory law.

Service providers and processors

To deliver our cloud architecture efficiently and securely, we partner with trusted third-party sub-processors who handle data strictly under our instruction:

  • Clerk — Authentication, single sign-on, and account security.
  • Stripe — PCI-compliant card payments and checkout.
  • Neon (PostgreSQL) — Managed database — core member data.
  • Vercel — Application hosting and deployment.
  • Resend — Transactional email delivery.
  • Supabase — Cloud file storage for uploads and attachments.
  • Vercel Analytics — Aggregated, privacy-respecting usage analytics.

International data transfers

Some of our trusted service providers are headquartered or operate infrastructure outside the United Kingdom and the European Economic Area (EEA), primarily in the United States. Whenever your personal data is transferred internationally, we ensure a similar degree of protection is afforded to it by ensuring that appropriate legal safeguards are implemented, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to standard contractual clauses approved by the European Commission.

Sharing personal data

We do not sell, rent, or trade your personal data. We only share data with the infrastructure processors listed above, with other members where you explicitly choose to make information public (such as setting your profile to visible in the community directory), or where we are legally compelled to do so by law enforcement or regulatory authorities.

Event organisers using the NAfSA platform for ticketing receive the necessary purchaser information required to fulfill and manage the specific event they host, in line with our terms.

How long we keep data

We retain personal data only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To comply with UK tax law and statutory limitation periods, membership financial transactions and billing records are securely retained for 6 years following the end of the financial year in which the transaction occurred. Unconverted 7-day evaluation account profiles are routinely reviewed and cleared of identifying personal data if inactive.

Your rights

Under UK data protection law, you have distinct rights regarding your personal data, including the right to access, rectify, erase, restrict, or object to the processing of your data, as well as the right to data portability. Where our processing relies entirely on your consent, you have the right to withdraw that consent at any time.

To exercise any of your statutory rights, please contact us via our dedicated contact page. To protect your privacy and security, we will take reasonable steps to verify your identity before granting access or making corrections.

You also have the right to lodge a formal complaint at any time with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.

Security

We implement strict technical and organisational security measures to prevent your personal data from being accidentally lost, used, altered, disclosed, or accessed in an unauthorised way. This includes encrypted connections (HTTPS), rigid database access controls, and fully outsourced, PCI-compliant payment handling via Stripe. While we strive to protect your information, no digital platform or internet transmission can ever be guaranteed as 100% secure.

Contact

For all privacy and data protection enquiries, please use our primary contact form on the contact page page.