Data controller
The data controller for myBursary's own website, marketing, and business operations is:
Senha Ltd
Company number: 16718889
71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
View ICO register entry
What personal data we collect
Students and bursary applicants
When a student applies for a bursary through a myBursary-powered portal, their institution (not myBursary) is the data controller for that application data. myBursary processes it as a data processor under our DPA. Data collected at the point of application includes:
- Full name, date of birth, and student ID
- Contact details (email address, phone number, home address)
- Course and year of study
- National Insurance number (optional, for income verification)
- Household composition and gross income information
- Evidence documents: proof of identity, proof of address, financial evidence (benefit letters, tax credit notices, bank statements, P60/P45)
- Self-reported support needs and specific cost information
- Declaration statements and submission timestamps
- Assessor notes and decision records added by institution staff
Institution staff and administrators
When an institution subscribes to myBursary, we collect data about the staff members who use the platform:
- Name and job title
- Work email address and phone number
- Employer institution name and address
- Account credentials (password stored as a salted bcrypt hash - never in plaintext)
- Roles and permissions within the system
- Activity logs: login timestamps, actions taken, decisions recorded
- Support communications (emails, tickets)
Website visitors
When you visit mybursary.org without an account, we collect:
- Technical data: IP address, browser type and version, operating system, referring URL
- Usage data: pages viewed, time on page, clicks, scroll depth - via privacy-first analytics
- Form submissions: if you contact us or request a demo, we collect your name, email, and message
We do not use advertising tracking pixels or sell visitor data to third parties.
Lawful basis for processing
Under UK GDPR Article 6, we process personal data on the following lawful bases:
| Processing activity | Lawful basis | Article reference |
|---|---|---|
| Operating bursary applications on behalf of institutions | Performance of a contract (with the institution); legitimate interests (students) | Art. 6(1)(b), 6(1)(f) |
| Managing staff accounts and platform access | Performance of a contract | Art. 6(1)(b) |
| Audit trail and compliance logging | Legal obligation (DfE - formerly ESFA - 16–19 Bursary Fund guidance) | Art. 6(1)(c) |
| Marketing communications to existing customers | Legitimate interests | Art. 6(1)(f) |
| Marketing to new prospects | Consent (obtained at sign-up or demo request) | Art. 6(1)(a) |
| Website analytics | Legitimate interests (privacy-preserving analytics, no individual profiling) | Art. 6(1)(f) |
Where we process special category data (financial hardship indicators, disability status implied by certain benefit types), we rely on substantial public interest under UK GDPR Article 9(2)(g) and Schedule 1 of the Data Protection Act 2018 (administration of social assistance).
How we use personal data
To deliver the bursary management service
- Receiving and storing bursary applications submitted by students
- Enabling authorised staff to review, assess, and decide on applications
- Calculating award amounts and generating payment schedules
- Sending automated notifications to students about their application status
- Generating audit-ready reports and evidence bundles for DfE - formerly ESFA - inspections
- Maintaining an immutable audit trail of all decisions and actions
To run our business
- Processing subscription payments and issuing invoices
- Providing customer support and answering queries
- Notifying customers of platform updates, scheduled maintenance, and security notices
- Sending product news and feature announcements (opt-out available at any time)
To improve the platform
- Aggregated and anonymised usage analytics to understand which features are most used
- Error monitoring and performance measurement (no individual user profiling)
Who we share personal data with
We do not sell personal data. We share it only with the following categories of recipient, and only to the extent necessary:
| Recipient | Purpose | Safeguards |
|---|---|---|
| Subscribing institutions (the schools and colleges who use myBursary) | They are the data controller for their students' applications; we share data back to them to enable assessment and payment | DPA in place; access restricted to named authorised staff |
| Cloud infrastructure provider (UK-region servers) | Hosting, storage, and computing | DPA in place; UK/EEA data residency; ISO 27001 certified |
| Email delivery provider | Sending transactional emails (confirmations, status updates) to students and staff | DPA in place; data processed only to deliver the email, not retained |
| Payment processor | Processing subscription payments from institutions (card data never touches our servers) | PCI DSS Level 1 compliant; DPA in place |
| Error monitoring service | Detecting and diagnosing software errors | Personal data scrubbed before transmission; DPA in place |
| Regulators and law enforcement | When legally required (e.g. court order, ICO investigation) | We will notify the affected institution where legally permitted to do so |
A full list of sub-processors is maintained and available to subscribing institutions on request. We will provide 30 days' notice before adding any new sub-processor that processes student data.
How long we keep data
| Data category | Retention period | Reason |
|---|---|---|
| Bursary applications and decisions | 6 years from the end of the academic year | DfE - formerly ESFA - audit requirements; Limitation Act 1980 |
| Uploaded evidence documents (ID, financial records) | 3 years from the application decision date, unless the institution specifies shorter | Post-audit evidence retention guidance |
| Payment records | 7 years from payment date | HMRC record-keeping requirements |
| Staff account data | Duration of the subscription + 12 months | Support and dispute resolution |
| Audit logs | 6 years | Regulatory compliance |
| Marketing contact data | Until opt-out, or 3 years of inactivity | ICO direct marketing guidance |
| Website analytics | 13 months (aggregated only; no individual records retained) | Trend analysis |
When data is deleted, it is securely erased from all live systems and backup media within 90 days of the scheduled deletion date. Institutions may request earlier deletion by contacting us.
International transfers
All bursary application data is stored and processed on servers located in the United Kingdom. We do not transfer this data to countries outside the UK except where a sub-processor's infrastructure requires it (e.g. global CDN edge nodes), in which case UK GDPR-compliant transfer mechanisms are in place (Standard Contractual Clauses or adequacy decision).
Marketing and analytics data may be processed by sub-processors with infrastructure in the EU (which has an adequacy decision from the UK). We do not transfer any data to the United States or other non-adequate third countries without first confirming appropriate safeguards.
Security measures
We take the security of personal data seriously. Our measures include:
- Encryption in transit: All data transmitted between users and our servers uses TLS 1.2 or higher
- Encryption at rest: Database storage uses AES-256 encryption; uploaded documents are encrypted at the file level
- Access controls: Role-based access; institution staff can only access their own students' data; all admin access is logged
- Authentication: Multi-factor authentication available for all admin accounts; session tokens expire after inactivity
- Infrastructure: Regular security patches; automated vulnerability scanning
- Staff training: All myBursary employees complete data protection training on joining and annually thereafter
- Incident response: A documented breach response procedure; ICO notification within 72 hours of discovery where required
Full technical security details are available in our Security overview.
Cookies and tracking
We use a minimal number of cookies on mybursary.org:
| Cookie name | Type | Purpose | Duration |
|---|---|---|---|
sessionid |
Essential | Maintains your login session in the admin portal | Session / 14 days with "remember me" |
csrftoken |
Essential | Prevents cross-site request forgery attacks | 1 year |
_mb_analytics |
Analytics | Privacy-preserving page view counting (no fingerprinting, no cross-site tracking) | 13 months |
cookie_consent |
Functional | Stores your cookie preference | 1 year |
We do not use advertising cookies, social media tracking pixels, or any third-party analytics that identify individual users.
Your data protection rights
Under UK GDPR, you have the following rights. These apply to data for which myBursary is the controller. For student application data, the relevant controller is your institution - please contact them first.
- Right of access (Article 15): You can request a copy of the personal data we hold about you. We will respond within one calendar month.
- Right to rectification (Article 16): You can ask us to correct inaccurate or incomplete data.
- Right to erasure (Article 17): You can ask us to delete your data in certain circumstances - for example, if we no longer need it or you withdraw consent. Legal retention obligations may prevent immediate deletion.
- Right to restrict processing (Article 18): You can ask us to limit how we use your data while a dispute is resolved.
- Right to data portability (Article 20): Where processing is based on consent or contract, you can request your data in a structured, machine-readable format.
- Right to object (Article 21): You can object to processing based on legitimate interests, including direct marketing (which we will always honour immediately).
- Rights related to automated decision-making (Article 22): We do not make legally significant decisions about individuals using automated means without human review.
To exercise any of these rights, email [email protected]. We will verify your identity before processing the request. We will not charge a fee unless requests are manifestly unfounded or excessive.
Children's data
The 16–19 Bursary Fund is specifically designed for students aged 16–19, some of whom are legally minors. Where a student is under 18, all data is processed under the authority and control of the subscribing institution, who are responsible for obtaining appropriate parental consent where required by their own policies and applicable law.
myBursary does not allow students under 16 to create accounts or submit applications. Students must be in post-16 education to be eligible for the bursary.
We take particular care with the data of minors. Evidence documents belonging to under-18 students have additional access controls applied and are not accessible by myBursary staff without explicit written authorisation from the institution.
Changes to this policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:
- Update the effective date at the top of this page
- Notify subscribing institutions by email at least 14 days in advance of the change taking effect
- Post a notice in the admin dashboard for 30 days
Previous versions of this policy are available on request by emailing [email protected].
Contact us & complaints
If you have any questions about this policy or want to exercise your rights, please get in touch:
Data Protection contact
We aim to respond to all privacy queries within 5 working days.
71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ
ico.org.uk/make-a-complaint · 0303 123 1113
We would appreciate the opportunity to address your concerns before you contact the ICO - please reach out to us first.