PRIVACY POLICY
Last Updated: April 2026
INTRODUCTION
NextStep Education
Group (“we,” “us,” “our,” or “Company”) is committed to protecting your privacy
and ensuring you have a positive experience on our website and when using our
services. This Privacy Policy explains how we collect, use, disclose, and
safeguard your information when you visit our website, interact with our
services, and engage with us across all digital platforms. Please read this
Privacy Policy carefully. If you do not agree with our policies and practices,
please do not use our services.
This policy has been
updated to reflect the latest requirements of the UK General Data Protection
Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access)
Act 2025, and the most current guidance from the Information Commissioner’s
Office (ICO).
DATA CONTROLLER AND CONTACT INFORMATION
NextStep Education
Group is the data controller responsible for your personal data. We take our
data protection obligations seriously and have appointed a Data Protection
Officer to oversee our compliance activities. If you have any questions about
this Privacy Policy, our privacy practices, or how we handle your personal
data, please contact us using the details below:
Mailing Address: Aspley House, Suite 2, 36 Hylton Street, Birmingham B18 6HN
Email Address: hello@nextstepedu.co.uk
Telephone: 0333 444 1971
Online Contact Form: https://nextstepedu.co.uk/contact
We aim to acknowledge
all data protection enquiries within 30 days of receipt. If you have concerns
about how we handle your data, you also have the right to lodge a complaint
with the Information Commissioner’s Office (ICO), which is the independent authority
for data protection in the UK. You can contact the ICO at www.ico.org.uk or by
telephone on 0303 123 1113.
PERSONAL DATA WE COLLECT
We collect personal
and non-personal data from you through various means to enable us to provide
our services effectively and manage our relationship with you. The categories
of personal data we may collect include the following: your full name, date of
birth, gender, home address, email address, telephone number, job title,
profession, information about your preferences and interests, and any other
information you voluntarily provide to us through forms, applications, or
communications.
We collect this
information through a variety of methods, including web forms on our website,
paper-based forms, telephone conversations, email communications, and
interactions through our online platforms. We may also collect information
through our use of cookies and similar tracking technologies, which are
explained in detail in our separate Cookie Policy. When you visit our website,
we may collect information about your browsing behaviour, the pages you visit,
the time and date of your visits, and the links you click on. This helps us
understand how our services are used and enables us to improve your experience.
In addition to
information you provide directly, we may collect information about you from
third parties where this is necessary to provide our services or where you have
consented to us receiving such information. For example, if you are
participating in an apprenticeship scheme or other funded programme, we may
collect information from the funding body or your employer to verify your
eligibility or to meet statutory requirements.
LAWFUL BASES FOR PROCESSING YOUR DATA
Under the UK GDPR, we
must always have a lawful basis for using your personal data. We process your
information based on one or more of the following lawful bases: performance of
a contract with you, your explicit consent, our legitimate business interests,
compliance with legal obligations, protection of your vital interests, or the
performance of a task in the public interest.
Contract Performance
We process your
personal data as necessary to enter into and perform our contract with you.
Your personal details are required in order for us to provide our services,
manage your account, process payments, and fulfil our contractual obligations
to you. Without this information, we cannot provide the services you have
requested.
Consent
Where processing is
not necessary for contract performance or a legal obligation, we will request
your explicit consent before processing your personal data. You will have the
opportunity to opt in or opt out of various processing activities, particularly
in relation to marketing communications. You can withdraw your consent at any
time by contacting us using the details provided above or by clicking the
unsubscribe button in any marketing email.
Legitimate Interests
We process your
personal data where it is in our legitimate business interests to do so,
provided that these interests are not overridden by your fundamental rights and
freedoms. Our recognised legitimate interests include managing and improving
our website and services, analysing usage patterns and trends, preventing fraud
and detecting crime, conducting market research and customer feedback
activities, and ensuring the security of our systems and data. When we rely on
legitimate interests, we assess whether our processing is reasonable and
proportionate and take steps to protect your rights. You have the right to
object to processing based on legitimate interests by contacting us.
Legal Obligation
We process your
personal data where we are required to do so by applicable law, including the
processing of special category data where this is necessary to comply with
statutory requirements, such as health and safety regulations, employment law,
or funding scheme requirements.
Vital Interests
Where necessary to
protect your vital interests or those of another person, we may process your
personal data. This would typically apply in emergency situations where your
safety or wellbeing is at risk.
Public Task
Where we are
performing a task in the public interest or exercising official authority, we
may process personal data as necessary to fulfil that function.
HOW WE USE YOUR PERSONAL DATA
We use the information
we collect from you for a range of purposes, always in accordance with your
expectations and applicable data protection law. The primary purpose of
collecting and storing your personal information is to enable us to provide our
services to you effectively. However, we may use your information for the
following additional purposes:
We use your personal
data to provide you with information or services you have requested from us, to
manage and provide access to your account, to personalise and tailor your
experience on our website and with our services, to supply our products and
services to you, and to personalise and tailor our products and services to
meet your specific needs. We communicate with you by responding to emails,
telephone calls, and other enquiries you send to us. We supply you with information
by email, post, telephone, or text message that you have opted into, and you
may unsubscribe or opt out at any time using the mechanisms provided in those
communications or by contacting us directly.
We use your data to
meet our contractual commitments to you and to act on your behalf where
third-party involvement is available and appropriate. For example, we may share
your information with specialist training providers, certification bodies,
awarding bodies, or other educational partners who are involved in delivering
your training or qualification. We also use your information to obtain
additional personal data necessary to secure funding or satisfy statutory legal
or government scheme requirements, such as apprenticeship schemes, student finance
schemes, or other funding programmes.
We analyse your use of
our website and services to gather feedback, enabling us to continually improve
our offerings and enhance your user experience. We monitor and analyse trends,
usage patterns, and activities in connection with our websites and services to
understand how they are being used and to identify areas for improvement. With
your permission and where permitted by law, we use your personal data for
marketing purposes, which may include contacting you by email, telephone, text
message, or post with information about our products, services, news, and
special offers. You will not be sent any unlawful marketing or spam. We always
work to fully protect your rights and comply with our obligations under the UK GDPR
and the Privacy and Electronic Communications (EC Directive) Regulations 2003.
You will always have the opportunity to opt out of marketing communications.
We monitor and record
telephone calls for training, quality assurance, customer service improvement,
and to detect or prevent crime. These call recordings will be retained for a
maximum of 30 days unless there is a specific reason to retain them for longer.
As necessary to prevent or detect crime, protect against fraud, or respond to
legal claims, we may use your personal data for security and investigation
purposes. We may also use your information for other purposes that are not
incompatible with those we have disclosed to you, such as statistical analysis
and research purposes, provided this is permitted by applicable data protection
laws and we have an appropriate lawful basis.
SPECIAL CATEGORY DATA
Special category data
refers to personal data that reveals racial or ethnic origin, political
opinions, religious or philosophical beliefs, trade union membership, genetic
data, biometric data processed for identification purposes, health data, or
data concerning sex life or sexual orientation. We do not routinely collect
special category data; however, where we do collect such information, we do so
only where we have a legal basis to do so and where one of the conditions in
Article 9 of the UK GDPR is met.
We may collect health
information, for example, to make reasonable adjustments for accessibility
purposes, to ensure your safety during training or events, or to comply with
health and safety legislation. We process this information on the basis of your
explicit consent, where it is necessary for occupational health and safety
purposes, or where processing is necessary for reasons of substantial public
interest. Any health data you provide is treated with the utmost
confidentiality and is only accessed by those who need to know for legitimate
business purposes.
AUTOMATED DECISION-MAKING AND PROFILING
We use certain
automated systems for carrying out decision-making and profiling activities.
This may include using automated tools to analyse your behaviour on our
website, to personalise content and recommendations, to assess your suitability
for certain services or funding schemes, or to detect fraudulent activity. The
results of automated decision-making may influence decisions that affect you.
Under the UK GDPR, you
have the right to query any action that we take on the basis of automated
decision-making and to request human intervention, whereby a person will review
the action themselves rather than relying solely on the automated method. If
you wish to exercise this right or to understand more about how we use
automated decision-making, please contact us using the details provided in the
contact section above. We will ensure that any significant automated decisions
that affect you are reviewed by a human being where you request this, and you
will have the opportunity to explain your position and challenge the decision.
THIRD-PARTY CONTENT AND COOKIES
Our website may
contain content from third parties, and third-party companies may use cookies
and similar tracking technologies on our site to collect information about your
browsing behaviour. We do not control the activities of these third parties,
nor do we control the data that they collect and use themselves. We strongly
advise you to check the privacy policies of any such third parties to
understand how they handle your personal data. Our Cookie Policy provides detailed
information about how we use cookies and similar technologies and how you can
control them. Please refer to our Cookie Policy at https://nextstepedu.co.uk/cookie-policy
for more information on managing your cookie preferences.
DATA RETENTION AND STORAGE
We retain your
personal data for as long as necessary to fulfil the purposes for which it was
collected, including to satisfy any legal, accounting, or reporting
requirements. The length of time we retain your data depends on the purposes
for which we use it and on our legal obligations. In general, we retain
personal data for the duration of your relationship with us and for a
reasonable period thereafter to handle any outstanding matters, respond to
enquiries, or comply with legal obligations.
For specific data
categories, our retention periods are as follows:
- account and contract
information is retained for the duration of the contract and for six years
thereafter to meet legal and accounting requirements;
- marketing and communications
data is retained until you unsubscribe or request deletion, after which it
is deleted within 30 days;
- website usage and analytics
data is retained for up to two years to enable us to analyse trends and
improve our services;
- applicant and recruitment data
is retained for twelve months from the point of application, after which
it is deleted unless you have consented to us retaining it for future
opportunities;
- special category data is
retained only for as long as strictly necessary to fulfil the specific
purpose for which it was collected; and
- call recordings are retained
for a maximum of 30 days unless there is a legitimate reason to retain
them for longer, such as complaint resolution or legal proceedings.
Where data is no
longer needed for business purposes, we will delete or anonymise it securely.
If you request deletion of your data, we will remove it within 30 days unless
we have a legal obligation to retain it. When data is deleted, it is securely
destroyed and cannot be recovered.
INTERNATIONAL DATA TRANSFERS
Your personal data is
primarily processed and stored within the United Kingdom. However, in some
cases, your information may be transferred to, and processed in, countries
outside the UK. Where we transfer your personal data outside the UK, we ensure
that appropriate safeguards are in place to protect your information and to
ensure that such transfers comply with the UK GDPR.
We transfer personal
data internationally only where the transfer is permitted by UK GDPR and we
have implemented appropriate safeguards. These safeguards may include transfer
to countries that have been granted an adequacy decision by the UK government,
meaning they have been assessed as providing an adequate level of data
protection. Where an adequacy decision is not in place, we rely on Standard
Contractual Clauses (SCCs), which are contractual commitments approved by UK
authorities that ensure your data receives adequate protection. In some cases,
we may use Binding Corporate Rules (BCRs) where we transfer data within our
corporate group. We may also request your explicit consent to international
data transfers where other safeguards are not available.
If you wish to find
out more about the safeguards we have in place for international data
transfers, please contact us using the details provided in the contact section.
Where we transfer your data outside the UK, you retain all your data protection
rights, and we remain responsible for the protection of your information.
DATA SECURITY
We are committed to
ensuring that your personal data is secure. We have implemented appropriate
technical and organisational measures to protect your information against
unauthorised access, alteration, disclosure, or destruction. These measures
include encryption of data in transit and at rest, secure password protection,
regular security assessments, restricted access to personal data on a
need-to-know basis, and staff training on data protection and information
security.
However, no method of
transmission over the internet or method of electronic storage is completely
secure. While we strive to use commercially acceptable means to protect your
personal data, we cannot guarantee its absolute security. You are responsible
for keeping your password confidential and for any activities that occur under
your account. If you suspect that your account has been compromised or that
your personal data has been unlawfully accessed, please contact us immediately
using the details provided above.
YOUR RIGHTS UNDER DATA PROTECTION LAW
Under the UK GDPR and
Data (Use and Access) Act 2025, you have a number of important rights in
relation to your personal data. These rights include the right to be informed,
the right of access, the right to rectification, the right to erasure, the
right to restrict processing, the right to data portability, the right to
object, and rights in relation to automated decision-making. You also have the
right to lodge a complaint with the Information Commissioner’s Office if you
believe your rights have been violated.
Right to be Informed
You have the right to
be provided with clear, transparent information about how we process your
personal data. This Privacy Policy provides that information in an accessible
format.
Right of Access (Subject Access Request)
You have the right to
request access to the personal data we hold about you. To exercise this right,
you should submit a Subject Access Request (SAR) to us in writing using the
contact details provided above. We will acknowledge your request within 30 days
and will provide you with the information you have requested within 30 days of
receipt, or within a further 30 days in certain circumstances where the request
is complex or voluminous. Under the Data (Use and Access) Act 2025, we may
pause the clock on responding to your request where you fail to provide
information necessary to identify you or to locate your data, provided we
notify you of this and give you a reasonable opportunity to provide the
necessary information. We may charge a reasonable fee for providing access to
your data if your requests are manifestly unfounded or excessive, or if you
have already been provided with the information recently.
Right to Rectification
If you believe that
the personal data we hold about you is inaccurate or incomplete, you have the
right to request that we correct or complete it. We will take reasonable steps
to verify the accuracy of information and to correct any errors. Please contact
us with details of any inaccuracies, and we will rectify them promptly.
Right to Erasure
You have the right to
request that we delete your personal data in certain circumstances, such as
where the data is no longer necessary for the purposes for which it was
collected, where you withdraw your consent and there is no other lawful basis
for processing, or where you object to processing and there is no overriding
legitimate interest. This is often called the “right to be forgotten.” However,
we may not be able to delete your data where we have a legal obligation to
retain it or where we need it to defend legal claims.
Right to Restrict Processing
You have the right to
request that we restrict how we use your personal data while we verify its
accuracy, while we consider your objection to processing, or while we consider
whether we should delete it. Where processing is restricted, we will continue to
store your data but will not actively use it for other purposes.
Right to Data Portability
You have the right to
request your personal data in a structured, commonly used, and machine-readable
format and to transmit that data to another data controller. This right applies
where we are processing your data on the basis of your consent or for the
performance of a contract, and where processing is carried out by automated
means.
Right to Object
You have the right to
object to processing of your personal data where we are relying on legitimate
interests as our lawful basis. You also have the right to object to processing
for direct marketing purposes at any time. Where you object to processing based
on legitimate interests, we will stop processing your data unless we can
demonstrate compelling legitimate grounds that override your interests, or
where the processing is necessary for the establishment, exercise, or defence
of legal claims.
Rights in Relation to Automated Decision-Making
You have the right to
request human intervention in any significant automated decision that affects
you and to express your point of view. You also have the right not to be
subject to a decision based solely on automated processing where that decision
produces legal or similarly significant effects concerning you.
Right to Lodge a Complaint
If you believe we have
violated your data protection rights, you have the right to lodge a complaint
with the Information Commissioner’s Office. You can do this by visiting www.ico.org.uk,
by telephone on 0303 123 1113, or by post to the ICO’s office in Wilmslow,
Cheshire.
EXERCISING YOUR RIGHTS
To exercise any of
your data protection rights, please contact us using the details provided in
the contact section of this Privacy Policy. When you submit a request, we will
ask for information to verify your identity to ensure we are releasing
information to the correct person. Once we have verified your identity, we will
respond to your request as quickly as possible and in accordance with the
timescales set out in the UK GDPR and the Data (Use and Access) Act 2025. For
Subject Access Requests, we will provide you with the information you have
requested within 30 days of verification, or within a further 30 days where the
request is complex or voluminous. We will keep you updated on the progress of
your request and will explain any reasons if we are unable to provide the
information you have requested.
You will not have to
pay a fee to access your personal data or to exercise any of your other rights,
unless your request is manifestly unfounded, excessive, or repetitive. In such
cases, we may charge a reasonable fee or refuse to act on your request. Please
note that in some circumstances we may be unable to comply with your request, for
example where we are required by law to retain your data or where your request
conflicts with the rights and freedoms of others. In such cases, we will
explain our reasons in writing.
COMPLAINTS AND DISPUTE RESOLUTION
If you are unhappy
about how we are handling your personal data or if you believe we have not
complied with this Privacy Policy or with data protection law, we encourage you
to contact us first so that we can try to resolve the matter. Please submit
your complaint in writing to the contact details provided above, providing as
much detail as possible about your concerns.
We will acknowledge
receipt of your complaint within 30 days and will investigate the matter
thoroughly. We will respond to your complaint with an explanation of our
findings and, where appropriate, details of the steps we are taking to address
your concerns. If you are not satisfied with our response, or if you prefer to
do so from the outset, you have the right to lodge a complaint with the
Information Commissioner’s Office, which is the independent authority
responsible for data protection in the UK. You can contact the ICO at
www.ico.org.uk, by telephone on 0303 123 1113, or by writing to Information
Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
CHILDREN’S PRIVACY
Our website and
services are not directed to children under the age of 13, and we do not
knowingly collect personal data from children under 13. If we become aware that
we have collected personal data from a child under 13 without verifiable
parental consent, we will delete such data promptly. Where you are aged 13 to
18 (a “Young Person”), we will seek parental or guardian consent before
processing your personal data for purposes other than the provision of
information society services directly to you. If you are a young person using
our services, you may exercise data protection rights independently, or you may
ask your parent or guardian to exercise them on your behalf.
If you are a parent or
guardian and believe that we have collected personal data from your child
without your consent, please contact us immediately using the contact details
provided above. We will take appropriate steps to investigate and to delete
such data if necessary.
THIRD-PARTY LINKS
Our website may
contain links to third-party websites, applications, and services that are not
operated by us. This Privacy Policy applies only to information collected
through our website and services, and we are not responsible for the privacy
practices of third-party websites, applications, or services. We encourage you
to review the privacy policies of any third-party services before providing
your personal data or using their services. We are not liable for the content,
accuracy, or practices of third-party websites, and you use third-party
services at your own risk.
UPDATES TO THIS PRIVACY POLICY
We may update this
Privacy Policy from time to time to reflect changes in our practices,
technology, legal requirements, or other factors. Any updates will be posted on
our website, and we will update the “Last Updated” date at the top of this
Privacy Policy. Where changes are material or significantly affect your rights,
we will notify you by email or through a prominent notice on our website. Your
continued use of our website or services after such notification constitutes
your acceptance of the updated Privacy Policy. We recommend that you review
this policy regularly to stay informed about how we protect your information.
If you have any
questions about updates to this Privacy Policy or if you do not agree with the
changes we have made, please contact us using the details provided above. In
some cases, where changes significantly reduce your privacy protections, we may
request your explicit consent to the new terms.
COOKIE POLICY
We use cookies and
similar tracking technologies on our website to enhance your experience,
analyse usage, and deliver personalised content. A cookie is a small file of
letters and numbers that is downloaded to your computer or mobile device when
you access our website. Cookies allow us to recognise you, remember your preferences,
and understand how you use our services.
We use both
session-based and persistent cookies. Session cookies are temporary and are
deleted when you close your browser, while persistent cookies remain on your
device for a specified period. Some cookies are essential for the operation of
our website (essential cookies), while others are used for analytics,
marketing, and personalisation purposes (non-essential cookies). For more
information about the cookies we use, how we use them, and how you can manage
your cookie preferences, please refer to our detailed Cookie Policy at https://nextstepedu.co.uk/cookie-policy.
You can control and
manage cookies through your browser settings. Most browsers allow you to refuse
cookies or to alert you when cookies are being sent. However, if you disable or
refuse cookies, you may not be able to access certain parts of our website or
use all of its features. We also respect your choice to enable Do Not Track
signals, and we will not use tracking technologies for marketing purposes where
you have activated this setting.
LAWFUL PROCESSING AND YOUR CONSENT
We process your
personal data lawfully and fairly, with transparency about our practices. Where
we rely on your consent to process your personal data, we will request your
explicit opt-in consent before processing begins. You can withdraw your consent
at any time by contacting us or by using the unsubscribe mechanism in our
communications. Withdrawing consent will not affect the lawfulness of
processing carried out before your withdrawal.
For certain types of
processing, such as the use of cookies for marketing purposes or the sending of
marketing communications, we comply with the Privacy and Electronic
Communications (EC Directive) Regulations 2003, which require us to obtain your
prior consent before such processing takes place. We will always provide you
with clear information about what you are consenting to and will make it easy
for you to withdraw your consent at any time.
DATA PROCESSING AND THIRD-PARTY PROVIDERS
To provide our
services, we may share your personal data with trusted third-party providers,
including payment processors, hosting providers, email service providers,
customer relationship management systems, analytics providers, and specialist
training or certification bodies. All third parties with whom we share your
data are subject to strict confidentiality obligations and are required to use
your information only as necessary to provide services to us. We carefully
select our service providers and conduct due diligence to ensure they maintain
appropriate security measures and comply with data protection law.
Where we share your
data with third parties, we ensure that appropriate data processing agreements
are in place that specify the terms on which your data can be used. We also
ensure that any international transfers of data to third parties outside the UK
are subject to appropriate safeguards as described in the international data
transfers section of this policy. You can request details of the third parties
with whom we share your data by contacting us using the details provided above.
We do not sell your
personal data to third parties for their marketing purposes. However, we may
disclose your information where required by law, to comply with a court order
or legal process, to protect our legal rights or those of others, to prevent or
detect crime, or where necessary to protect the safety and security of our
website or services.
DATA PROTECTION IMPACT ASSESSMENTS
For processing
activities that involve high risks to your privacy or fundamental rights, we
conduct Data Protection Impact Assessments (DPIAs) to evaluate the necessity
and proportionality of our processing and to identify and mitigate risks. Where
such assessments identify significant risks, we consult with the Information
Commissioner’s Office and take appropriate steps to reduce those risks before
processing begins. If you wish to know whether we have conducted a DPIA for a
particular processing activity, please contact us using the details provided
above.
CONTACT US
If you have any
questions about this Privacy Policy, our privacy practices, your personal data,
or your rights under data protection law, please contact us using the following
details:
NextStep Education Group
Aspley House, 36 Hylton Street, Birmingham B18 6HN
Email: hello@nextstepedu.co.uk
Telephone: 0333 444 1971
Online Contact Form: https://nextstepedu.co.uk/contact
Alternative Contact Methods: WhatsApp +44 7787 288555
Information Commissioner’s Office (ICO)
Website: www.ico.org.uk
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We are committed to
protecting your privacy and to maintaining a transparent relationship with you
regarding how we use your personal data. Thank you for trusting us with your
information.
Company Registration Details
Company Name: NextStep Education Group Ltd
Company Number: 16088962
VAT Number:
Registered in England & Wales
Policy Version: 2.0 (Updated April 2026 for UK GDPR, Data Protection Act 2018, and Data (Use and Access) Act 2025 Compliance)
Next Review Date: January 2027