Privacy Policy
Learn how we collect, use, and protect your personal data on Vinspired.
Version 2.0
Last updated: March 2026
Effective date: March 2026
Applies to: vinspired.com, the Vinspired for Schools platform, the Vinspired volunteer platform, and all related services.
This policy covers all Vinspired users. Use the guide below to find the section most relevant to you:
- Students using Vinspired through your school → Read the Student Summary below and Section 6
- Individual volunteers (18+) → Section 7
- Non-profit organisations → Section 8
- Corporate/for-profit partners → Section 9
- School staff → Section 6
- All users (rights, security, cookies, complaints) → Sections 10–17
For Students: Your Privacy in Plain English
This is a summary written for you. The full policy is below. If you need help understanding anything, ask a parent, guardian, or teacher.
What we collect: Your name, date of birth, year group, the volunteering hours you log, your reflections, and any badges or certificates you earn. Your school may also share your SEND status, free school meals status, Young Carer status, or ethnicity with us, but only if your school decides to.
Why: To track your volunteering, give you certificates, and help your school show that students are getting great opportunities.
Who sees it: You, your school staff (teachers and the person managing volunteering), and the charity you volunteer with. Nobody else, unless the law says we must.
Your portable record: The volunteering hours and badges you earn stay with you. Even after you leave school, you can keep your Vinspired profile until you turn 30 and use it for UCAS, job applications, or Unifrog.
Your rights: You can ask to see your data, fix it, delete it, or get compensation if we break the rules. Your parent or guardian can do this too. Just email us at [email protected].
We don’t sell your data, show you adverts, track your location, profile you, or share your information with anyone for marketing purposes.
High privacy by default: Your settings start at the most private option. We never nudge you to share more than you need to.
Do you have to give us your data? No. Using Vinspired for independent volunteering is optional. But if you don’t create an account, you won’t be able to log independent hours or get portable badges. If your school uses the platform, they’ll tell you what data is needed through their own privacy notice.
Where does your data come from? If your school imports your details (like your name and year group), that data comes from your school, not from you directly. We’ll let you know when that happens.
Part A: General — All Users
1. Who We Are
Vinspired Digital Limited (“Vinspired”, “we”, “our”, “us”) is a volunteer recruitment, engagement, and community-building platform serving schools, individual volunteers, non-profit organisations, and corporate partners across the United Kingdom.
- Registered address: 128 City Road, London, EC1V 2NX
- Registered in: England and Wales
- Company number: 14962671
- ICO registration number: ZB622532
- Data Protection Lead: Eser Poyraz, Director
- Contact: [email protected]
This Privacy Policy explains how we collect, use, store, and protect personal information across all our services. It applies to all users: school pupils, school staff, individual volunteers, charity administrators, corporate partners, and website visitors.
We take extra care with children’s data. Many of our users are under 18. We comply with the ICO’s Children’s Code (Age Appropriate Design Code) and the Data (Use and Access) Act 2025 for any service likely to be accessed by children. In accordance with the DUAA 2025 amendment to Article 25 of the UK GDPR, Vinspired takes into account children’s heightened protection requirements when determining how to process their personal data, including how children can best be protected and supported when using the Platform.
2. Our Data Protection Roles
Vinspired acts as both a data controller and a data processor, depending on the context.
| Role | When | What this means |
|---|---|---|
| Processor | When a school uses Vinspired for Schools and instructs us to process pupil data on its behalf | The school decides what data is collected and why. We follow their instructions. A Data Processing Agreement (DPA) governs this relationship. |
| Controller | When individuals use Vinspired directly (volunteers, charity admins, corporate users), student-initiated volunteering, portable credentials, and platform analytics | Vinspired decides what data is collected and why. This Privacy Policy is the transparency notice for these activities. |
3. What We Do Not Do
These commitments apply to all users, everywhere on our platform:
- We do not sell personal data to anyone, ever.
- We do not share data with advertisers, marketing companies, or data brokers.
- We do not serve advertisements on the platform.
- We do not profile users or make automated decisions about them.
- We do not collect geolocation data.
- We do not use nudge techniques to encourage users (especially children) to share more data or lower their privacy settings.
- We do not market directly to children.
- We do not use children’s personal data in ways that are detrimental to their well-being.
4. Lawful Bases for Processing
Every time we process personal data, we must have a lawful basis under Article 6 UK GDPR. The basis depends on the activity, our role, and who we are.
| Activity | Lawful Basis | Notes |
|---|---|---|
| School-instructed processing (processor role) | School’s public task (Art. 6(1)(e)) | The school determines the basis. We process their instructions. |
| Student-initiated volunteering | Consent (Art. 6(1)(a)) | Pupil (or parent for under-13s) consents. Can be withdrawn at any time. |
| Portable digital credentials | Consent (Art. 6(1)(a)) | Pupil consents to the retention of information beyond the school’s use. |
| Individual volunteer registration (18+) | Consent (Art. 6(1)(a)) | Volunteer consents when creating an account. |
| Non-profit admin accounts | Contract (Art. 6(1)(b)) | Necessary to perform the service agreement. |
| Corporate ESG/CSR programme | Contract (Art. 6(1)(b)) | Necessary to deliver the contracted service. |
| Corporate employee volunteer data | Legitimate interests (Art. 6(1)(f)) | The employer’s legitimate interest is: managing and reporting on its corporate social responsibility and ESG programme. A Legitimate Interest Assessment has been conducted. |
| Aggregated anonymised analytics | N/A | Not personal data once effectively anonymised. |
| Website analytics and security | Legitimate interests (Art. 6(1)(f)) | Our legitimate interest is: maintaining and improving the security and functionality of our website, and understanding how visitors use it. |
| Responding to enquiries | Legitimate interests (Art. 6(1)(f)) | Our legitimate interest is to respond to your communication and provide the information you have requested. |
4.1 Do You Have to Provide Your Data?
Whether you are required to provide personal data, and the consequences of not doing so, depend on your relationship with Vinspired:
| User type | Required? | Consequence of not providing |
|---|---|---|
| Pupils (school-instructed) | Determined by the school. See the school’s own privacy notice. | The school will advise. Vinspired cannot answer this for school-directed processing. |
| Pupils (student-initiated) | Voluntary. You choose to create an account. | You will not be able to log independent volunteering hours or receive portable credentials. |
| Individual volunteers (18+) | Voluntary. You choose to register. | You will not be able to use the platform, find opportunities, or receive certificates. |
| Non-profit admins | Contractual requirement to use the service. | You will not be able to administer volunteering opportunities through the platform. |
| Corporate admins | Contractual requirement to use the service. | You will not be able to manage your ESG/CSR programme through the platform. |
| Corporate employees | Determined by your employer. See your employer’s privacy notice. | Your employer will advise. You may not be able to participate in the corporate volunteering programme. |
4.2 Where Your Data Comes From
We may receive your personal data from sources other than you directly:
- From your school: If your school uses Vinspired for Schools, it may import your details (name, date of birth, year group, and demographic data, if instructed) from its MIS system (e.g., Arbor). We will inform you of this when you first access the Platform, or within one month of receiving the data, whichever is earlier.
- From your employer: If your employer uses Vinspired for its corporate volunteering programme, it may share your name, email, and department with us. Your employer should inform you of this through its own privacy notice.
- From a charity or organisation: The charity you volunteer with may confirm your hours of participation or provide supervisor feedback through the Platform. The source of this data is the organisation, not you.
5. Where Your Data Is Stored and How Long We Keep It
5.1 Location
All personal data is stored and processed within the United Kingdom. Our hosting infrastructure (Contabo and AWS) uses UK-based data centres. We do not transfer personal data outside the United Kingdom.
Website analytics data processed through Google Analytics may involve transfers to Google’s servers. Google Ireland Limited is our contractual counterparty, and we rely on Google’s standard contractual clauses and supplementary measures for any transfers outside the UK. We are reviewing our analytics configuration to ensure all data remains within the UK where possible.
If our data storage arrangements change, we will update this policy, notify affected users, and ensure that appropriate safeguards are in place under Article 46 of the UK GDPR.
5.2 Retention Periods
| Data Category | Retention Period | Trigger for Deletion |
|---|---|---|
| School Personal Data (processor) | Duration of agreement + 12 months | End of agreement or school instruction |
| Student portable credentials | Until the pupil turns 30 or withdraws consent | Age threshold or consent withdrawal |
| Individual volunteer accounts (18+) | Duration of account + 12 months of inactivity | Account deletion or 12 months of inactivity |
| Non-profit admin accounts | Duration of service agreement + 90 days | End of agreement |
| Corporate partner accounts | Duration of service agreement + 90 days | End of agreement |
| Corporate employee volunteer data | Duration of corporate agreement + 90 days | End of agreement or employee request |
| Website logs and analytics | 12 months | Rolling deletion |
| Contact enquiries | 12 months after the last communication | Rolling deletion |
| Data backups | 90 days (rolling) | Automatic overwrite |
| Anonymised aggregated analytics | Indefinite | N/A — not personal data |
Part B: User-Specific Sections
6. Vinspired for Schools: Pupils, Parents, and School Staff
Section 6 is for: School pupils, parents/guardians, and school staff using Vinspired for Schools.
Important: Data Protection Role Boundary. When Vinspired processes data on behalf of a school as a data processor, the school’s own privacy notice and the Data Processing Agreement (DPA) between the school and Vinspired govern that processing. This Privacy Policy does not create, extend, or modify Vinspired’s obligations as a processor; those are set out exclusively in the DPA.
This Privacy Policy applies only to Vinspired’s controller activities: student-initiated volunteering, portable digital credentials, and aggregated, anonymised analytics. For all school-instructed processing, the school is the controller and is responsible for providing its own transparency notice to pupils and parents.
If there is any conflict between this Privacy Policy and the DPA regarding school-instructed processing, the DPA prevails.
6.1 Our Role
When a school uses the Vinspired for Schools platform, the school is the data controller and Vinspired is the data processor for school-instructed activities. This is governed by a Data Processing Agreement (DPA) between Vinspired and the school.
Vinspired also acts as an independent data controller for student-initiated volunteering, portable digital credentials, and aggregated anonymised analytics. For these activities, this Privacy Policy serves as the transparency notice required under Articles 13 and 14 of the UK GDPR.
6.2 What We Collect
| Who | Data collected | Purpose |
|---|---|---|
| Pupils (aged 11–18) | Name, date of birth, year group, tutor group, volunteering hours, activity records, skills self-assessments, reflective journal entries, certificates, digital badges, supervisor feedback | Tracking volunteering and enrichment; generating Ofsted/Gatsby evidence; issuing certificates; creating portable credentials |
| Pupils (if the school instructs) | SEND status (EHCP/SEN Support), FSM eligibility, Young Carer status, ethnicity | Equity analytics: ensuring disadvantaged and SEND pupils have equal access |
| School staff | Name, email address, role/title, login credentials | Platform administration, activity logging, and report generation |
6.3 Special Category and Sensitive Data
Special Category Data (Article 9 UK GDPR): SEND status (EHCP and/or SEN Support) and ethnicity. Only processed if the school specifically instructs us to do so. The school must identify an appropriate lawful basis (Article 6) and an additional condition (Article 9(2)).
Sensitive Personal Data (not Article 9, but enhanced protections): FSM eligibility and Young Carer status. We apply the same enhanced access controls as for Special Category Data.
6.4 Children’s Code Compliance
Vinspired complies with the ICO’s Children’s Code (Age Appropriate Design Code) for all processing where we act as a controller and the service is likely to be accessed by children. We conform to all 15 standards. Key standards include:
- Standard 1 (Best interests of the child): Children’s best interests are a primary consideration in every decision about their data.
- Standard 2 (DPIA): We conduct Data Protection Impact Assessments for processing that is likely to affect children’s rights and freedoms.
- Standard 3 (Data minimisation): We collect only what is necessary.
- Standard 4 (Transparency): This policy includes a plain-English summary for students. Privacy information is presented in clear, age-appropriate language.
- Standard 5 (Detrimental use): We do not use children’s personal data in ways that are detrimental to their wellbeing, or that exploit their vulnerabilities.
- Standard 6 (High privacy by default): All settings default to the most privacy-protective option.
- Standard 8 (Data sharing): We do not disclose children’s data to third parties unless we have a compelling reason to do so, and only to the minimum extent necessary.
- Standard 10 (Geolocation): We do not collect geolocation data.
- Standard 12 (Profiling): We do not profile children. All profiling-related options are switched off by default.
- Standard 13 (Nudge techniques): We do not use nudge techniques to encourage children to provide unnecessary data.
6.5 Portable Credentials: What Happens When You Leave School
When a pupil’s school stops using Vinspired for Schools, the pupil’s volunteering record, certificates, and digital badges can remain on the platform as portable credentials, provided the pupil has consented. The portable record is controlled by Vinspired (not the school) and is retained until the pupil turns 30 or withdraws consent, whichever comes first.
If a pupil (or their parent/guardian) does not want the portable credential retained, they can request deletion at any time by emailing [email protected]. The data will be deleted within 30 days.
6.6 Parents and Guardians
If your child is under 13, we require parental consent before processing their data as a controller (for example, for student-initiated volunteering). Parental consent is obtained via a school-provided consent form countersigned by the parent or guardian. Vinspired verifies this consent by cross-referencing with the school’s records before activating the child’s independent account.
For children aged 13–17, the pupil may consent themselves where they have sufficient understanding, but parents retain the right to exercise data subject rights on their child’s behalf.
Parents can request access to, correction of, or deletion of their child’s data at any time by emailing [email protected].
7. Individual Volunteers (18+)
Section 7 is for: Individual volunteers aged 18 and over who use Vinspired directly.
7.1 Our Role
When you create a personal Vinspired account as an individual volunteer, Vinspired is the data controller. We determine what data is collected and why.
7.2 What We Collect
| Data | Purpose |
|---|---|
| Name, email address, date of birth | Account creation and identity verification |
| Phone number (optional) | Contact about volunteering opportunities (only if you provide it) |
| Volunteering hours, activity records, and reflections | Tracking your volunteering, issuing certificates and digital badges |
| Skills self-assessments | Building your portable skills profile |
| Certificates and digital badges | Recognition of your volunteering at 10, 30, 50, and 100-hour milestones |
7.3 Lawful Basis
We process your data based on your consent (Article 6(1)(a) UK GDPR), given when you create your account. You can withdraw consent at any time by deleting your account or emailing [email protected].
7.4 Who Sees Your Data
Your volunteering hours and activity records may be visible to the charity or organisation where you volunteer, so they can verify your participation. Your data is not shared with any other third party for marketing or commercial purposes.
7.5 Your Portable Record
Your volunteering record stays with you for as long as your account is active. If your account is inactive for 12 months, we will email you a reminder. If there is no response within a further 30 days, we will delete the account and associated data. You can download your data in CSV format at any time before it is deleted.
7.6 The Children’s Code
If you are under 18 and using Vinspired directly (not through a school), the Children’s Code protections in Section 6.4 apply to you in full, regardless of which section you are reading.
8. Non-Profit Organisations
Section 8 is for: Charities, community groups, and social enterprises using Vinspired to recruit and manage volunteers.
8.1 Our Role
When a non-profit organisation uses Vinspired to post volunteering opportunities and manage volunteer engagement, Vinspired is the data controller for the platform and the organisation’s admin account data. The non-profit organisation may also be a data controller in its own right for the volunteer data it collects and manages through the platform.
Where both Vinspired and the organisation make decisions about the processing of volunteer data, we may act as independent controllers. Each party is responsible for its own compliance. We are not joint controllers unless a specific written agreement states otherwise.
8.2 What We Collect
| Data | Purpose |
|---|---|
| Organisation admin: name, email, role, organisation name | Account creation, platform access, and communications |
| Volunteering opportunity details | Publishing opportunities for volunteers to find and apply |
| Volunteer participation records | Tracking which volunteers participated, hours completed, and feedback |
| Organisation profile (public) | Displayed to potential volunteers browsing opportunities |
8.3 Lawful Basis
We process organisation admin data on the basis of contract (Article 6(1)(b) UK GDPR) — it is necessary to provide the service the organisation has signed up for. Volunteer participation data is processed on the basis of the volunteer’s consent (given when they sign up and apply for opportunities).
8.4 Your Obligations as a Non-Profit
If you collect additional volunteer data through Vinspired (for example, emergency contacts, health information, or DBS check status), you are the data controller for that data and must ensure you have your own lawful basis, privacy notice, and data protection arrangements in place. Vinspired does not control or take responsibility for data that organisations collect independently through the platform beyond the standard fields.
8.5 Data Sharing
Vinspired shares volunteer contact details with the non-profit only when a volunteer applies for or is matched to an opportunity. The non-profit must not use this data for any purpose other than managing the volunteering relationship. Bulk export of volunteer data for marketing, fundraising, or any unrelated purpose is prohibited and constitutes a breach of the agreement between Vinspired and the organisation.
9. Corporate Partners
Section 9 is for: For-profit organisations using Vinspired for corporate ESG, CSR, or employee volunteering programmes.
9.1 Our Role
When a corporate partner uses Vinspired to manage its ESG/CSR volunteering programme, Vinspired is the data controller for the platform and the corporate admin account data. The corporate partner is typically the data controller for its employees’ personal data and determines the purposes for which employee data is processed in the context of its volunteering programme.
The relationship between Vinspired and the corporate partner may involve data sharing. Where this occurs, each party acts as an independent controller unless a separate Data Processing Agreement or Data Sharing Agreement specifies otherwise.
9.2 What We Collect
| Data | Purpose |
|---|---|
| Corporate admin: name, email, role, company name | Account creation, programme management, reporting |
| Employee volunteers: name, email, department (if provided by employer) | Matching to opportunities, tracking participation, and generating impact reports |
| Volunteering hours and activity records | Programme reporting, impact measurement, certificate issuance |
| Aggregated programme data | ESG/CSR reporting for the corporate partner (anonymised where possible) |
9.3 Lawful Basis
Corporate admin data is processed on the basis of contract (Article 6(1)(b)). Employee volunteer data is processed on the basis of the employer’s legitimate interests (Article 6(1)(f)) in managing and reporting on its corporate social responsibility and ESG programme. We have conducted a Legitimate Interest Assessment for this processing. Individual employees can object to this processing at any time (see Section 10).
9.4 Your Obligations as a Corporate Partner
The corporate partner is responsible for ensuring it has a lawful basis to share employee data with Vinspired, including informing employees, through its own privacy notice, that their data will be processed on the Vinspired platform. Vinspired will provide the corporate partner with the information needed to include in its employee privacy notice.
9.5 Employee Rights
Employees participating in a corporate volunteering programme through Vinspired have the same data subject rights as all other users (see Section 10). An employee can request access to, correction of, or deletion of their data at any time, regardless of the corporate partner’s programme. We will honour individual rights requests directly.
Part C: All Users — Rights, Security, and Complaints
10. Your Rights
Under UK GDPR, all users have the following rights over their personal data, regardless of which section above applies to you.
| Right | What this means |
|---|---|
| Right to be informed | You have the right to know how we collect and use your data. This Privacy Policy fulfils that right. |
| Right of access | You can ask for a copy of all the personal data we hold about you. We will respond within one calendar month. |
| Right to rectification | If any data we hold about you is inaccurate or incomplete, you can ask us to correct it. |
| Right to erasure | You can ask us to delete your personal data. We will do so unless we have a legal reason to keep it. |
| Right to restrict processing | You can ask us to limit how we use your data while a concern is being resolved. |
| Right to data portability | You can request your data in CSV or JSON format to move it to another service. |
| Right to object | You can object to processing on the grounds of legitimate interests. We will stop unless we have compelling grounds to continue. |
| Rights related to automated decisions | You have the right not to be subject to decisions based solely on automated processing. We do not currently carry out any automated decision-making or profiling. If this changes, we will update this policy and conduct a DPIA before commencing such processing. |
| Right to compensation | In accordance with Article 82 UK GDPR, if you suffer material or non-material damage (including distress) as a result of our breach of Data Protection Laws, you have the right to seek compensation through the courts. |
10.1 How to Exercise Your Rights
Email [email protected] with the subject line “Data Rights Request.” We will respond within one calendar month. If your request is complex, we may extend by a further two months, but we will tell you within the first month.
10.2 Children’s Rights
If you are under 18, you can exercise these rights yourself or ask a parent or guardian to do so on your behalf. We will verify identity before releasing personal data. We will never make it harder for you to exercise your rights because of your age.
10.3 Withdrawing Consent
Where we rely on consent, you can withdraw it at any time by emailing [email protected]. Withdrawal does not affect the lawfulness of processing that occurred before you withdrew consent.
11. Who We Share Your Data With
We share personal data only with the following recipients, and only to the extent necessary:
| Recipient | Why | What data |
|---|---|---|
| The school (for Schools platform) | The school instructed us to process this data | All School Personal Data |
| Charity/non-profit (when volunteer applies) | To manage the volunteering placement | Volunteer name, contact details, hours |
| Corporate partner (for ESG reporting) | To report on the employee volunteering programme | Aggregated data; individual records if employee consented |
| Contabo Cloud Services | Infrastructure hosting | All platform data |
| Google Ireland Limited (Google Workspace) | Platform notification emails | Names and email addresses |
| Amazon Web Services EMEA SARL (AWS) | Backup and data storage | All platform data |
11.1 Third-Party Websites and Services
While we match you with trusted charity partners, Vinspired does not control the privacy practices of external organisations. Once you leave our platform to visit a third-party website, their own privacy policy applies. We encourage you to read their privacy policy before providing any personal information. Vinspired accepts no liability for the processing of your data by these independent controllers.
12. How We Protect Your Data
We implement appropriate technical and organisational measures, including:
- Encryption of all data in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access controls
- Multi-factor authentication for admin accounts
- Automated daily encrypted backups
- Annual vulnerability scanning
- Data protection training for all personnel with access to personal data
- Access logging and monitoring
Data breach notification: No system is 100% secure. If a data breach occurs:
- When Vinspired is a processor: We will notify the relevant controller (e.g. the school or corporate partner) within 48 hours and cooperate with any investigation.
- When Vinspired is a controller: We will notify the ICO within 72 hours and affected individuals without undue delay, where the breach is likely to result in a risk to their rights and freedoms.
13. Cookies
Our website uses cookies to function correctly and to understand how visitors use it.
- Essential cookies: Required for the website to function (session management, login). These are strictly necessary and do not require consent.
- Analytics cookies: We use Google Analytics to understand website usage. Analytics cookies are only set after you have given consent through our cookie consent banner. You can change your preference at any time. If you decline analytics cookies, the website will still function normally.
We do not use advertising cookies, tracking cookies, or third-party marketing cookies. You can also control cookie settings in your browser.
14. Complaints
If you are unhappy with how we have handled your personal data:
- Submit a complaint through the complaints form on our website at vinspired.com/complaints, or email us at [email protected]. We will acknowledge your complaint within 30 days and respond without undue delay.
- If not satisfied, you can lodge a complaint with the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113 | Website: ico.org.uk
15. Changes to This Policy
We may update this Privacy Policy to reflect changes in our processing, legal requirements, or regulatory guidance.
In particular, when the ICO publishes the statutory EdTech Code of Practice (expected in 2026 under the Data (Use and Access) Act 2025), Vinspired will review its processing activities for conformity with it and update this policy accordingly. We will notify schools directly of any changes that affect their use of the Platform.
If we make significant changes, we will notify affected users directly (schools, organisations, and registered volunteers) and update the “Last updated” date at the top. We encourage you to review this page periodically.
16. Contact Us
For any questions about this Privacy Policy, your personal data, or to exercise your rights:
- Vinspired Digital Limited
- Company number: 14962671
- Data Protection Lead: Eser Poyraz, Director
- Email: [email protected]
- Address: 128 City Road, London, EC1V 2NX
Legal framework
This Privacy Policy (v2.0) is issued in compliance with Articles 13 and 14 of the UK GDPR (as defined in the Data Protection Act 2018), the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, the Data (Use and Access) Act 2025 (including the Article 25 amendment on children’s higher protection matters), and the ICO’s Age Appropriate Design Code (Children’s Code). It covers Vinspired’s roles as both a data processor (for school-instructed activities under Article 28 UK GDPR) and an independent data controller (for volunteer platform services, student-initiated activities, portable credentials, non-profit partnerships, and corporate ESG programmes). This Privacy Policy does not constitute a contract and does not create contractual rights or obligations. Vinspired’s liability under Data Protection Laws is governed by statute (including Article 82 UK GDPR) and, where applicable, by separate contractual agreements (DPA, Pilot Agreement, Subscription Agreement).
Other Policies
Review our other legal documents and policies.