Privacy Notice
Effective Date: 4 May 2026
Bedford ("Bedford", "we", "us", "our") commits to safeguarding your information. This Privacy Notice describes what personal information we gather when visiting learnbedford.com or using the Bedford learning platform, our use practices, sharing recipients, and your protections under data protection law.
This Notice fulfills transparency obligations under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) and the Privacy and Electronic Communications Regulations (PECR).
For unclear matters or to exercise your rights, contact the Data Protection team at privacy@learnbedford.com.
1. Who We Are
Bedford serves as the data controller for collected personal information, deciding why and how processing occurs.
| Item | Detail |
|---|---|
| Trading name | Bedford – School for the Creator Economy |
| Website | learnbedford.com |
| Privacy contact | privacy@learnbedford.com |
| Data Protection Officer | Reachable at privacy@learnbedford.com |
Company registration details appear in the website footer.
2. Personal Data We Collect
Bedford collects only necessary information to deliver, secure, and improve its service. Categories include:
| Category | Examples |
|---|---|
| Account data | Name, email address, username and password (hashed storage only) |
| Profile data | Professional background, skills, expertise areas and profile photo (mentors/learners) |
| Learning data | Course progress, AI interaction history, assessment results and mentor feedback |
| Payment data | Billing name, address and payment details; card information processed by PCI-DSS compliant processor, not stored completely by Bedford |
| Communications | Platform messages, support requests and email correspondence |
| Technical data | IP address, device type, browser, operating system and usage logs |
| Marketing preferences | Opt-in status for marketing communications and channel preferences |
3. How We Use Your Personal Data and Our Lawful Bases
Processing requires lawful bases under UK GDPR and EU GDPR:
| Purpose | Lawful basis |
|---|---|
| Providing and personalizing the Bedford learning platform and AI-powered tools | Performance of a contract with you (Article 6(1)(b)) |
| Matching learners with mentors and supporting mentorship sessions | Performance of a contract with you (Article 6(1)(b)) |
| Processing payments and managing billing | Performance of a contract (Article 6(1)(b)) and compliance with legal obligations like tax and accounting (Article 6(1)(c)) |
| Sending essential service communications such as account notifications, security alerts and receipts | Performance of a contract (Article 6(1)(b)) |
| Improving our platform through aggregated analytics and product research | Our legitimate interests in improving and securing our service (Article 6(1)(f)). Balancing tests conducted before relying on this basis |
| Detecting and preventing fraud, abuse and security threats | Our legitimate interests in protecting the platform and our users (Article 6(1)(f)) |
| Sending marketing communications about Bedford courses, events and updates | Your consent (Article 6(1)(a)). You can withdraw consent anytime |
| Complying with legal obligations including tax, fraud prevention and regulatory requests | Compliance with a legal obligation (Article 6(1)(c)) |
| Using AI features to personalise your learning experience and generate recommendations | Performance of a contract (Article 6(1)(b)). Where automated decision-making applies, see section 9 |
4. Who We Share Your Personal Data With
Personal information is not sold. Sharing occurs only with selected recipients assisting service delivery or where legally required.
- Mentors – Learners' profile and progress data shared with assigned mentors for learning support
- Payment processors – Payment data shared with PCI-DSS compliant payment processors for transaction completion
- Cloud infrastructure and hosting providers – Data stored and processed on reputable cloud provider infrastructure acting as processors
- AI service providers – Anonymised or pseudonymised learning data processed through third-party AI APIs for platform features
- Analytics providers – Aggregated and anonymised usage data shared with analytics tools for understanding platform usage
- Professional advisers – Lawyers, auditors and insurers, where necessary and under appropriate confidentiality obligations
- Legal and regulatory authorities – Information disclosed where required by law, court order, or regulatory request
All third parties processing personal data operate under written data processing agreements meeting Article 28 UK GDPR requirements.
5. International Transfers
Some providers operate outside the United Kingdom and European Economic Area (EEA), including the United States. International transfers use these safeguards required by UK GDPR:
- A UK or EU adequacy decision, where the destination country provides adequate protection
- The UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses (SCCs)
- Another lawful safeguard, such as Binding Corporate Rules, where appropriate
Transfer impact assessments are conducted where required and reviewed at least annually. Request more information about international transfers and safeguards by contacting privacy@learnbedford.com.
6. How Long We Keep Your Personal Data
Personal information is retained only as long as necessary for the stated purposes, then deleted or anonymised.
| Type of data | Retention period |
|---|---|
| Account data | Held while your account is active and for 2 years after account closure |
| Learning data and progress records | 5 years from your last active use of the platform |
| Payment records | 7 years, to comply with tax and financial regulations |
| Marketing preferences | Until you withdraw consent or close your account |
| Website analytics data | Anonymised after 26 months |
| Support communications | For the duration of the issue and up to 3 years after resolution |
Where legally required to retain data longer (for example, financial records), information is kept for the required period then deleted.
7. Your Rights
Under data protection law, you possess these rights regarding personal information:
- Right of access – Request a copy of personal data held and information about its use
- Right to rectification – Request correction of inaccurate or incomplete data
- Right to erasure – Request deletion of personal data in certain circumstances ("the right to be forgotten")
- Right to restriction – Request limitation of data use in certain circumstances
- Right to data portability – Request data in a structured, commonly used and machine-readable format
- Right to object – Object to processing based on legitimate interests, and to direct marketing anytime
- Rights relating to automated decision-making – Rights where decisions are made solely by automated means and have legal or similarly significant effect (see section 9)
- Right to withdraw consent – Where consent is relied upon, you can withdraw it anytime without affecting lawfulness of prior processing
To exercise these rights, email privacy@learnbedford.com or use privacy controls in account settings. Acknowledgment occurs within 5 business days and response within one calendar month. Complex or high-volume requests may extend by two additional months with notification within the first month.
Identity verification may be required before disclosure. Usually no fee applies, though reasonable fees may be charged or requests refused if manifestly unfounded or excessive.
8. Cookies and Similar Technologies
Cookies and similar technologies are used on the website and platform, falling into these categories:
| Category | Purpose |
|---|---|
| Strictly necessary | Required for platform function, including authentication and security. These do not require consent |
| Preferences | Remember your settings and personalisation choices. Set only with your consent |
| Analytics | Help us understand how the platform is used so we can improve it. Set only with your consent |
| Marketing | Used to deliver relevant advertising and measure campaign performance. Set only with your consent |
Upon first website visit, a cookie banner allows acceptance of all cookies, rejection of non-essential cookies, or customization of preferences. Non-essential cookies require consent before setting. Change or withdraw cookie preferences anytime using the "Cookie Settings" link in the website footer.
The full cookie list, including names, providers, purposes and retention periods, is published in the Cookie Policy on the Bedford website.
9. AI Features and Automated Decision-Making
Bedford uses AI to personalize learning experiences, including learner progress assessments, mentor matching recommendations and personalized learning path generation. Users are notified when AI or automated processing affects decisions, with explanations in accessible language about how recommendations are generated.
Where a decision is made solely by automated means with legal or similarly significant effect, you have the right to:
- Request human review of the decision
- Express your point of view
- Contest the decision
Exercise these rights by contacting privacy@learnbedford.com. Data Protection Impact Assessments are conducted before launching new AI features that may significantly affect users, and AI models are tested for bias.
10. Children
The Bedford platform targets users aged 16 and over. New users confirm their age during registration and no personal data is knowingly collected from anyone under 16 without verifiable parental or guardian consent.
If you believe a child under 16 provided personal data without appropriate consent, contact privacy@learnbedford.com and the data and account will be deleted promptly.
Where personal data of users under 18 is knowingly processed, heightened protections apply, including stricter access controls, no commercial profiling of children, and review of AI personalisation features for age appropriateness.
11. How We Protect Your Personal Data
Appropriate technical and organisational measures protect personal data against unauthorised access, alteration, disclosure or destruction. These include encryption in transit and at rest, access controls, regular security testing, staff training, and contractual safeguards with processors.
In the unlikely event of a personal data breach likely resulting in risk to your rights and freedoms, the UK Information Commissioner's Office (ICO) will be notified within 72 hours, and users affected by high-risk breaches will be notified without undue delay.
12. Changes to This Notice
This Privacy Notice may be updated to reflect processing changes or legal changes. The "Last updated" date at the top shows the most recent revision. Significant changes are communicated by email or platform notice before taking effect.
13. How to Contact Us and Make a Complaint
For policy questions or data handling concerns, contact the Data Protection team at privacy@learnbedford.com. Concerns are addressed promptly.
You also have the right to complain to a data protection supervisory authority. In the United Kingdom, this is the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113
Website: www.ico.org.uk
Based in the EEA, you can also contact the data protection authority in your EU member state of residence, work, or where the issue arose.
Bedford Education, Inc. · Privacy Notice