top of page

Privacy Policy

How MN handles your data

MN Awards Privacy Policy

Effective date: Sep 2025

(UK GDPR & Data Protection Act 2018; PECR for cookies)

 

1) Who we are (Data Controller)

Controller: MN Awards Ltd (“MN Awards”, “we”, “us”, “our”)
Registered office: Cromer Studios, Holy Cross Church, Cromer St, London, WC1H 8JU
Company number: 13359479
Email: office@mnawards.co.uk
Phone: +44 (0)207 052 4587
Privacy Lead: Thomas Newton, Managing Director, operations@mnawards.co.uk

We are not currently required to appoint a statutory Data Protection Officer (DPO) and keep this under review.

Controller relationships. Where your school/centre collects candidate or pupil data and supplies it to us (e.g., exam entries or club registers), the school/centre is a separate controller for its own processing. We act as controller for the data we receive and process to deliver our services; where we act only on a school’s written instructions for a specific task, we act as processor for that task.

 

2) Scope

This notice covers personal data processed through:

  • our websites, forms and member/teacher areas (including www.mnawards.co.uk),

  • delivery of our qualifications, assessments, moderation and certification,

  • appeals/EARs/complaints handling,

  • CPD training, workshops, events and MN Co-Curricular clubs accessed via our site,

  • customer support and marketing communications.

Applies to: teachers & centre staff, candidates (students) and parents/guardians, and website visitors.

 

3) The data we collect

3.1 Teachers & centre staff

  • Identity & contact: name, work email, phone, role, school/centre details.

  • Account & usage: login credentials, roles/permissions, activity logs, support tickets.

  • Bookings/commercial: CPD registrations, invoices and payment status (Stripe Connect). (We do not store full card numbers.)

3.2 Candidates (students) & parents/guardians

  • Identity: name, date of birth, school/centre, candidate ID, ULN (where available; optional).

  • Assessment & certification: entries, grades, feedback, digital mark sheets, certificates.

  • Artefacts & recordings: scripts or uploaded materials; audio/video performance recordings used for assessment evidence, internal moderation/QA and appeals.

  • Parent/guardian contact details (where required).

  • Optional: pronouns.

  • Special category (limited/optional): ethnicity used only for equalities monitoring (see §6.1).

3.3 Website, members area & communications

  • Device and log data (IP address, browser, pages, interactions).

  • Cookies/analytics/ads via Google Tag Manager (GTM), Google Analytics 4 (GA4) and, where enabled, Google Ads/remarketing (see §7).

  • Enquiry and sign-up forms; newsletter preferences.

  • Operational emails (e.g., scheduling, amendments, routine support).

3.4 Sources

  • From schools/centres acting on a learner’s or pupil’s behalf.

  • Directly from teachers, candidates, parents/guardians.

  • Automatically through site/portal usage.

  • From payment and email service providers when you transact or subscribe.

 

4) Why we use your data & lawful bases

  • Contract (Art. 6(1)(b)) – create/manage accounts; register/deliver assessments; moderate/standardise; issue results/certificates; provide support; manage CPD bookings.

  • Legal obligation (Art. 6(1)(c)) – UK legal/regulatory requirements (audit, tax, regulator requests, safeguarding where applicable).

  • Legitimate interests (Art. 6(1)(f)) – operate, secure and improve services; quality assurance; prevent misuse/fraud; necessary service communications; B2B marketing to schools/centres with an easy opt-out.

  • Consent (Art. 6(1)(a)) – non-essential cookies/analytics/advertising, and direct marketing to parents/students or others where consent is required. You can withdraw consent at any time.

Automated decision-making. We do not make decisions using solely automated processing that produce legal or similarly significant effects.

 

5) What we do with your data (purposes)

  • Accounts & centres: verify users; manage centre profiles; provide teacher portals; support users.

  • Assessment & certification: register candidates; schedule/record assessments; moderate/quality-assure; issue results/certificates; manage EARs and appeals.

  • Quality assurance: sampling, standardisation and internal moderation using assessment evidence.

  • CPD & events: manage training bookings and attendance.

  • Payments: process fees and reconcile accounts via Stripe Connect.

  • Communications: necessary service messages; CPD/resources/news where permitted.

  • Analytics & improvement: measure site usage (consent-based) to fix issues and improve content.

  • Security & compliance: protect our services; handle incidents; fulfil legal/regulatory duties.

 

6) Special category & children’s data

6.1 Ethnicity (special category)

Processed only for equalities monitoring (e.g., to check for bias and improve fairness).
Art. 9 basis: Substantial Public Interest – equality of opportunity/treatment (UK GDPR Art. 9(2)(g); DPA 2018 Sch. 1, para 8).
We maintain an Appropriate Policy Document, restrict access, keep it separate from assessment decisions, and follow defined retention (see §10A5).

6.2 Children’s data

We primarily receive pupil/candidate data via schools/teachers. Where consent is required (e.g., special category data or publicity), we obtain parent/guardian consent through the centre. We minimise data about children and restrict access to those who need it. We do not offer online accounts directly to children under 13.

 

7) Cookies & similar technologies (PECR)

7.1 Cookie categories

  • Essential cookies – required for security and core site features.

  • Analytics & Advertising cookies (non-essential) – via GTM, GA4 and, where enabled, Google Ads/remarketing to understand site usage and measure campaigns. These run only with your consent. You can change your choices at any time via the “Cookie settings” link in the footer.

7.2 GA4/Tag Manager/Ads configuration

  • Retention: GA4 user/event data kept for 14 months with “reset on new activity” enabled.

  • Consent gating: Tags are configured to fire only after consent; non-essential cookies are blocked by default until you accept.

  • Remarketing/Ads: We may link GA4 to Google Ads to run remarketing and measure campaigns. Advertising tags fire only if you consent to Advertising cookies. We do not create or use ad audiences without consent.

  • No PII to analytics/ads: We never send plain or hashed personal identifiers (e.g., names, emails, phone numbers, member IDs) to Google Analytics or Google Ads via GTM.

  • Do Not Track/GPC: Not acted upon at this time.

A detailed Cookie Policy listing cookie names, purposes and lifespans is linked from our banner.

 

8) Who we share data with (processors/recipients)

We do not sell personal data. We share only what’s necessary with trusted service providers (processors) under contract:

  • Wix.com Ltd. – website/CMS/hosting; cookie banner/forms.

  • Google LLC – Google Analytics 4, Tag Manager, Google Ads (remarketing/measurement); Google Workspace email.

  • Stripe – payments via Stripe Connect (we do not store full card details).

  • Zoom Video Communications – secure cloud recordings for assessment evidence.

  • Wix Email Marketing – newsletters/updates to opted contacts.

We may also share with approved examiners/moderators, with regulators or public bodies on lawful request, and with professional advisers (auditors, legal, insurers) where necessary.

 

9) International transfers

Some providers may process data outside the UK/EEA (e.g., in the United States). Where this occurs, we use approved safeguards such as the UK–US Data Bridge / Data Privacy Framework, Standard Contractual Clauses (with UK Addendum), and appropriate technical/organisational measures.

 

10) How long we keep your data (retention)

We apply defined retention aligned with Ofqual obligations and operational needs. Unless stated, periods run from certification date (for learner records) or case closure (for complaints/appeals). Any category may be paused under a legal/regulatory hold. “Delete” means secure deletion or irreversible anonymisation.

A. Learners, exams & certification

  1. Learner profile & certification register (identifier, name, DOB, centre link, grades, certificate refs; ULN where available): Indefinite – life-long verification/re-issue; multi-grade progression.

  2. Certificates & digital mark sheets: Indefinite – audit trail and re-issue.

  3. Assessment evidence – scripts/artefacts: Delete when the teacher accepts the exam outcome (final outcome sits in certificate/mark sheet).

  4. Performance recordings (Zoom cloud): 90 days; longer only for ongoing appeal/complaint/investigation; then secure deletion. Not used for marketing or published.

  5. Equality & bias monitoring (identifiable): 6 years after certification; aggregated/anonymised reports up to 10 years.

  6. Appeals, EARs & complaints (case files/correspondence): 3 years after resolution (then minimise; retain outcome record).

B. Centres, accounts & communications

  1. Centre information (centre name, main contact, address, contact details): Indefinite for regulatory monitoring.

  2. Centre contracts/agreements: 6 years after contract end (unless malpractice/legal hold).

  3. Operational emails with student data: 12 months, unless filed into an active case (then follow that case’s retention).

C. Website & marketing

  1. GA4 analytics: 14 months (reset on activity).

  2. Wix form submissions (general enquiries not leading to enrolment): 12 months, then delete.

  3. CRM/newsletter contacts (teachers/leads): retained until opt-out, with 24-month inactivity purge. We keep a suppression list to honour future opt-outs.

  4. Cookie consent logs: 24 months.

D. Finance, HR & safeguarding

  1. Finance records (invoices, payments, bank recs): 6 years from financial year end (HMRC).

  2. Recruitment – unsuccessful candidates: 12 months, then delete.

  3. Staff HR/contractor records: 6 years after engagement ends.

  4. Safeguarding/incident records (after-school clubs/exams): until the subject’s 25th birthday.

E. Governance & compliance

    1. DSR log & breach log: 6 years.

    2. Security/access logs: retained per platform for security operations.

 

11) Marketing

11.1 Service communications

  • We send service messages needed to operate your account, assessments, clubs and bookings.

11.2 Marketing to schools (B2B)

  • We contact teachers, school leaders and centre staff at work contact details about MN Awards qualifications, CPD, MN Co-Curricular clubs and resources.

  • Lawful basis: Legitimate interests (B2B). We assess necessity and minimal impact; every message includes a clear unsubscribe.

  • Channels: email (including Wix Email Marketing), phone/LinkedIn, event follow-ups, occasional postal.

  • Sources: public school websites/directories, event sign-ups, referrals, prior enquiries/bookings.

  • Tracking: We may record opens/clicks to understand engagement; you can opt out at any time.

  • Retention: contacts are kept until opt-out with a 24-month inactivity purge; we maintain a suppression list to honour future opt-outs.

11.3 Marketing to parents/students & other individuals

  • For direct marketing to parents/students or other non-B2B contacts, we rely on consent. You can withdraw consent at any time via the email footer or by contacting us.

 

12) MN Co-Curricular (clubs delivered in schools)

What this covers. Co-curricular clubs and workshops (e.g., Filmmaking, Animation, TV Presenting) are delivered on school premises and accessed/managed via our website/portal.

Controller roles.

  • The school/centre is a separate controller for pupil information; it collects and provides to us for club delivery and safeguarding.

  • MN Awards is controller of the information we process to run clubs, deliver the edited film to the school/parents, support teachers and operate our website/portal. For any task we perform solely on a school’s instructions, we act as processor.

12.1 Data we collect for Co-Curricular

  • Pupil/participant data (from the school): name, class/year, school/centre, club enrolment and attendance. (ULN not expected for clubs.)

  • Parent/guardian contact (where provided by the school): name and email/phone for logistics.

  • Teacher/leader data: name, work contact details, school role.

  • Learning artefacts: footage/images recorded during sessions; scripts or planning sheets.

  • Website/portal: device/cookie/analytics data per §7 when teachers access club pages.

We do not ask pupils to create MN accounts or provide personal emails for club access.

12.2 Why we use it & lawful bases

  • Run the club (register attendees, schedule, communicate, deliver edited film): Contract/legitimate interests.

  • Teacher support & QA: Legitimate interests.

  • Safety/safeguarding: Legitimate interests / vital interests where appropriate.

  • Publicity use of pupil images (if requested outside school channels): Consent (via the school/parent) — optional and separate from club delivery.

  • Website analytics for club pages: Consent (non-essential cookies) per §7.

No solely automated decisions with legal/similar effect for Co-Curricular.

12.3 Photos/video captured in clubs

  • Purpose: classroom learning, assembling the end-of-term edited film for parents, and teacher reflection.

  • Storage: working copies on MN’s secure workspace; final storage on a school-owned external drive or school platform, per centre policy. We do not store footage on personal devices.

  • Marketing: not used unless a separate, explicit publicity consent is in place.

12.4 Retention for Co-Curricular

  • Working footage (MN copies): retained only until the edited film is delivered to the school/parents, then deleted within 90 days, unless a concern/incident requires longer retention.

  • Edited films: stored by the school as controller per its policy.

  • Club registers & routine comms: 12 months after the club ends, unless the school retains longer as its controller.
    (See §10 for general retention and legal/regulatory holds.)

12.5 Sharing & transfers

  • We may share Co-Curricular data with the school/centre (delivery/safeguarding) and with processors listed in §8 (e.g., Wix website, Google for email/analytics with consent, Stripe if you pay us directly for clubs, Zoom if a remote session occurs). Transfers and safeguards follow §9.

12.6 Security (clubs)

  • We use managed devices for staff, role-based access, and platform encryption in transit/at rest. Classroom footage is transferred securely; working copies are purged after edit/delivery (see 12.4).

13) Security

We use organisational and technical measures proportionate to risk, including role-based access controls; named collaborators only in Wix CMS with least-privilege permissions; periodic access reviews and immediate removal on staff leavers; encryption in transit (HTTPS/TLS) and platform encryption at rest; secure hosting and backups; vulnerability/patch management; and admin protections (e.g., multi-factor authentication where available such as for Zoom). Exports from Wix that include student data are restricted to our Google Shared Drive (not personal “My Drive”), with restricted sharing and “block download/print/copy” for viewer links. Staff devices use screen-lock; local storage of student data is not permitted. We conduct due diligence on processors and bind them by contract.

If we identify a personal data breach that may risk your rights and freedoms, we will notify the ICO and affected individuals where required by law.

 

14) Your rights

Under UK data protection law, you can:

  • Access your data and receive a copy,

  • Rectify inaccurate or incomplete data,

  • Erase data in some circumstances,

  • Restrict or object to certain processing (incl. direct marketing),

  • Data portability for the information you provided,

  • Withdraw consent where processing relies on consent, and

  • Complain to the Information Commissioner’s Office (ICO) at ico.org.uk.

We aim to respond within one month and may need to verify your identity.

 

15) International users

Our services are designed for the UK. If you access them from outside the UK/EEA, your data may be processed in or transferred to the UK and other countries per §9.

16) Third-party links

Our site may link to third-party sites. Those sites operate under their own privacy policies; we are not responsible for their practices.

 

17) Changes to this policy

We may update this policy from time to time. We will post the new version here and, for significant changes, notify account holders by email. The “Effective date” above shows when this version took effect.

18) Contact us

For questions or to exercise your rights:
Email: office@mnawards.co.uk
Post: MN Awards Ltd, Cromer Studios, Holy Cross Church, Cromer St, London, WC1H 8JU
Phone: +44 (0)207 052 4587

 

Appendix A – Summary of processors/recipients

  • Wix.com Ltd. – website/CMS/hosting; cookie banner/forms.

  • Google LLC – GA4, Tag Manager; Google Workspace email.

  • Stripe – payments via Stripe Connect.

  • Zoom Video Communications – assessment recordings (cloud).

  • Wix Email Marketing – newsletter/comms.

Full details, including transfer safeguards and sub-processors, are available on request.

Appendix B – Cookie/consent summary (high level)

  • Essential cookies – always on (security, load balancing, session).

  • Analytics cookies – consent-based (GTM/GA4). Retention 14 months (reset on activity).

  • Consent management – via Wix Cookie Banner with a persistent “Cookie settings” control in the footer.

  • GPC/Do Not Track – currently not acted upon.
    A separate Cookie Policy lists individual cookies, purposes and lifespans.

bottom of page