Schudio Ltd - Customer Privacy Notice

This notice explains how Schudio Ltd collects, uses, stores and protects personal data relating to customers, prospective customers and other business contacts.

Last updated
01/04/2026

Company
Schudio Ltd (Company No. 07779198)

1. About this notice

At Schudio Ltd, we care about your privacy and are committed to protecting your personal data.

This Customer Privacy Notice explains how we collect, use, store and protect personal data when you interact with us, whether you contact us about our services, request a demo, buy from us, attend training, use one of our platforms, or visit our website.

2. Who we are

Schudio Ltd is the organisation responsible for your personal data in the situations covered by this notice, unless we tell you that we are processing data on behalf of one of our customers.

Company name: Schudio Ltd
Company number: 07779198
Registered office: Suite 2, First Floor, Windsor House, Ackhurst Business Park, Foxhole Road, Chorley, PR7 1NY
Operating address: Enterprise House, Peel Hall Business Village, Peel Road, Blackpool, FY4 5JX
Telephone: 0333 577 0753

Schudio Ltd is listed on the ICO record of fee payers. Registration Number: ZA449216

3. Key contact details

If you have any questions about this notice or about how we use your personal data, you can contact us using the details below:

Schudio Data Privacy Manager: Karen Tabeart

Email address: karen@schudio.com

Schudio Data Protection Officer: Darren Rose
Address: 50b Manchester Road, Slaithwaite, Huddersfield, HD7 5JA
Email address: Darren.rose@dhrconsultancy.co.uk

4. Who this notice applies to

This notice applies to customers, prospective customers, customer contacts, training users, subscribers, and other people who interact with Schudio in a business context.

Where we process personal data only on behalf of a school, trust, or other customer under their instructions, we may be acting as a processor rather than a controller. In those cases, the customer's own privacy information may also apply.

5. The personal data we collect

Depending on how you use our website and services, we may collect:

• identity and contact details, such as your name, organisation, job title, email address and telephone number;
• account, profile and service data, including usernames, service history, support records, preferences and feedback;
• billing, finance and transaction records relevant to the services you buy from us;
• communications data, including emails, forms, calls, enquiries and support requests;
• technical and usage data such as IP address, browser type, device information, pages visited and how you use our website and services; and
• marketing and communications preference data, including consents and unsubscribe records.

Our main website is not intended for children, and we do not knowingly collect children's personal data through the website unless this is made clear in a specific service context.

6. How we collect your data

We collect personal data directly from you when you contact us, fill in a form, request information, ask for a quote or demo, subscribe to updates, purchase a service, enrol on training, or communicate with us about support or delivery.

We also collect certain technical information automatically when you use our website through cookies, server logs and similar technologies. In some cases, we may receive your details from another person in your organisation where they provide your information in connection with a service enquiry, contract, booking or support request.

7. How we use your personal data

We use personal data to:

• respond to enquiries and provide demonstrations, proposals and pre-contract information;
• deliver our products and services;
• manage customer accounts and relationships;
• process invoices, payments and financial records;
• provide support, training and service communications;
• improve our website, products and services;
• manage security, access control and incident response; and
• comply with legal, regulatory and contractual requirements.

8. Our lawful bases for processing

Depending on the circumstances, we rely on one or more of the following lawful bases under the UK GDPR:

• performance of a contract;
• steps taken at your request before entering into a contract;
• compliance with a legal obligation;
• our legitimate interests in operating, improving and securing our business and services; and
• your consent, where consent is required by law.

Where we rely on legitimate interests, we do so in a proportionate way and only where our interests are not overridden by your rights and freedoms.

Where we use consent, you may withdraw your consent at any time by contacting us on the number provided in section 3.

9. Marketing communications

We may send you updates about Schudio services, training, events or resources where we are allowed to do so by law.

Where the Privacy and Electronic Communications Regulations (PECR) require consent for electronic marketing, we will ask for it. Where marketing is permitted without prior consent, we will still identify ourselves clearly and give you a simple way to opt out.

You can opt out of marketing communications at any time by using the unsubscribe link in an email or by contacting us.

10. Who we share personal data with

We may share personal data with trusted service providers who help us run our business and deliver our services, such as payment providers, finance systems, communications tools, training platforms, support tools, hosting providers and professional advisers.

We may also share personal data where required by law, to protect our legal rights, or in connection with a business reorganisation, investment or sale.

Where a third-party processes personal data on our behalf, we require them to protect it and to process it only in accordance with applicable law and our instructions.

A list of third party processors can be provided upon request.

11. Geographical location of data stored by Schudio

Customer data, including hosted websites, are primarily stored within the United Kingdom within an ISO 27001 certified data centre, however some data including that stored on the Thinkific learning platform, communications or design tools are located on Amazon AWS and Microsoft 365 services located in Europe, Canada and the United States.

12. International transfers

Currently Schudio transfers data outside of the United Kingdom in line with the safeguard requirements required under the Data Protection Act 2018 including:

Adequacy status – for organisations located within the European Economic Area and Canada.

UK Extension to the EU-US Data Privacy Framework – for organisations located in the US.

13. Automated decision making and Artificial intelligence

Schudio does not employ any automated decision making or artificial intelligence-based tools which would result in a legal or detrimental effect on you.

14. How we protect personal data

We take appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

Key risks considered include:

• Unauthorised access
• Credential compromise
• Brute-force attacks
• Software vulnerabilities
• Malware and ransomware
• Device loss or theft

Safeguards implemented include:

• Multi-Factor Authentication (MFA)
• Strong password policies (minimum 12 characters)
• Account lockout controls
• Firewalls and malware protection
• Regular patching and vulnerability monitoring
• Role-based access control and least privilege
• Separation of standard and administrator accounts
• Secure remote working controls
• Incident and breach management procedures

Schudio Ltd completes yearly a Cyber Essentials assessment with the latest being completed in April 2025.

All data centre’s used in the delivery of Schudio hosting packages or services are certified to either ISO 27001 or SOC 2 certification and employ AES 256-bit encryption.

15. How long we keep your data

We keep personal data only for as long as necessary for the purpose it was collected and for any legal, regulatory, tax, accounting or reporting requirements.

Where applicable, we may keep basic customer information, including contact, identity, financial and transaction data, for up to six years after a customer relationship ends, in line with our legal and business record-keeping obligations. Retention periods may vary depending on the type of data and the service involved.

16. Your rights

Under UK data protection law, you may have the right to:

• request access to your personal data;
• request correction of inaccurate or incomplete personal data;
• request erasure in certain circumstances;
• object to certain processing, including direct marketing;
• request restriction of processing in some cases;
• request transfer of certain personal data; and
• withdraw consent where processing relies on consent.

Please note if you use your right of access Schudio will use a reasonable and proportionate approach to fulfilling your request which will involve only searching locations where there is a likelihood of your data being present but with consideration of the burden involved in conducting the search.

To exercise any of your rights, please contact us using the key contact details provided in section 2.

17. Complaints

If you have any concerns about how we use your personal data, please contact us first so that we can try to resolve the issue.

You also have the right to complain to the Information Commissioner's Office (ICO), the UK regulator for data protection matters.

18. Changes to this notice

We may update this Customer Privacy Notice from time to time to reflect changes in our services, legal requirements, regulatory guidance, or how we process personal data.

The latest version will always be published on our website.

Customer Privacy Notice 2026