Legal
Privacy Policy
mybursary.org and the myBursary platform are operated by Senha Ltd trading as myBursary (“we”, “our” or “us”), a company registered in England and Wales (Company No. 16718889). We provide software that helps schools and colleges administer the 16–19 Bursary Fund on behalf of the Department for Education (DfE). As the operator of that software, we are a controller of personal data under the UK General Data Protection Regulation (UK GDPR) meaning we are legally responsible for deciding how and why it is used.
We want to be straightforward about what data we hold, who sees it, and why. This policy sets all of that out. It covers both our public website at mybursary.org and the platform itself, which institutions access via their own subdomain (for example, yourschool.mybursary.org). If you have questions about anything in it, please get in touch our contact details are at the bottom.
A word on age: our platform is designed for students aged 16 and over. We do not knowingly collect personal data relating to anyone under 16 without the involvement of their institution. If you think data about someone under 16 has reached us, please let us know and we will review and, where appropriate, delete it promptly. Where an institution tells us that a particular student is under 16, we will apply additional care to handling that student’s data and direct any rights requests from a parent or guardian accordingly.
What this policy applies to
This privacy policy covers personal data we collect and process through mybursary.org and the myBursary platform. It applies whether you are a student using the platform to submit a bursary application, a member of staff at an institution administering the fund, or simply a visitor browsing our public website.
It does not cover third-party websites that we may link to. Those websites have their own privacy policies, which we encourage you to read before providing any information to them.
Where an institution has engaged us to run their bursary process, that institution also has obligations as a data controller in its own right. We deal with this further in the section on Institutions as separate controllers below.
Personal data we collect about you
The personal data we collect depends on how you interact with us. For students, that typically means the information needed to complete and support a bursary application. For institution staff and administrators, it means account and usage information. For website visitors, it is limited to technical information and any message you choose to send us.
Across those groups, the personal data we may collect includes:
- Your name, email address and other contact details
- Your institution affiliation and, for staff, your role within it
- Account credentials and authentication information (we store only a hashed version of your password; we never store it in readable form)
- Identity and eligibility information provided as part of a bursary application which may include your date of birth, National Insurance number, household income details, and any supporting documents you upload as evidence
- Bank account details you provide for payment purposes; these are stored encrypted at rest using industry-standard encryption and are accessible only to authorised platform staff
- Details of the awards you have applied for or received, including payment and attendance records
- Records of any communications you send to us or to your institution through the platform
- Information about how you use the platform, including which pages you visit and actions you take
- Technical data about the device and browser you use to access the platform, including your IP address, browser type and operating system
- Your responses to any feedback or satisfaction surveys we may send
Some of this information particularly account details and the information needed to process your application is required for us to provide the service. Where you have a genuine choice about whether to provide something, we will say so at the point of collection.
Sensitive personal data
Some of the personal data collected through bursary applications is of a particularly sensitive nature. Eligibility for the 16–19 Bursary Fund often depends on household income, receipt of means-tested benefits, or specific personal circumstances for example, whether a student is a care leaver or in receipt of Employment and Support Allowance or Personal Independence Payment.
Information of this kind may reveal details about a person’s financial situation, family circumstances, health or disability. Under UK GDPR, data revealing health or disability status is classified as special category personal data and attracts additional legal protections. Where we handle such information, we do so only to the extent necessary to process the relevant application, and only on the basis of explicit consent from the applicant or, where applicable, because processing is necessary for reasons of substantial public interest (administering a government-funded bursary scheme under Schedule 1, Part 2 of the Data Protection Act 2018).
We require institutions to collect only the evidence they genuinely need to assess eligibility. Evidence documents uploaded to the platform are stored securely and are accessible only to authorised staff at the relevant institution and to us for the purposes of operating and supporting the platform.
How your personal data is collected
Most of the personal data we hold comes directly from you when you register for an account, complete or update an application, upload supporting documents, or contact us with a query or feedback. For staff and administrator accounts, the relevant institution typically initiates account creation.
We also collect limited information indirectly. When you use our website or platform, standard web server logs record information such as your IP address, the pages you request and the time of your visit. We may also use cookies to maintain your login session and to understand aggregate patterns of platform usage see Cookies below for more detail.
In some cases, an institution may share personal data about you with us directly for example, by uploading a list of enrolled students or by linking your school email address to a portal account before you have logged in for the first time.
Where an institution has enabled MIS (Management Information System) integration, we may also receive personal data about students and staff directly from the institution’s school information system via Wonde, a third-party MIS connector service. This may include student names, email addresses, dates of birth and attendance summaries, and staff names and email addresses. Data is retrieved only on the documented instruction of the institution and is used solely to populate or update records on the platform. The institution remains the data controller in respect of the underlying MIS data; we act as a processor. Wonde in turn acts as a sub-processor operating under its own contractual obligations to schools. You can read Wonde’s privacy policy at wonde.com/privacy.
Where an institution has enabled single sign-on (SSO), students and staff may choose — or be required — to authenticate using their existing Google or Microsoft institutional account. When SSO is used, the relevant identity provider sends us your name, email address and a unique account identifier so we can locate or create your platform account. We do not receive your Google or Microsoft password, and we retain only the information needed to link your institutional account to your myBursary account. SSO is configured and enabled by the institution; if you have questions about why SSO is required at your institution, please contact them directly.
How and why we use your personal data
Data protection law requires us to have a lawful basis for every use we make of personal data. The main bases we rely on are: your consent; the performance of a contract with you or your institution; compliance with a legal obligation; and our legitimate interests (or those of a third party), where those interests are not outweighed by your rights and interests.
Legitimate interests warrant a little explanation. When we rely on this basis, we carry out a balancing assessment to check that our use of your data is proportionate and does not override your interests. Examples include preventing fraud, keeping the platform secure, understanding how the service is used so we can improve it, and communicating with institutions about service matters. We have published our full Legitimate Interests Assessment, which sets out the three-part test we apply for each processing activity that relies on this basis.
| What we use your personal data for | Our legal basis |
|---|---|
| Creating and managing your account, including authentication and session management | Performance of a contract with you (or with the institution on whose platform you are registered) |
| Enabling students to submit, update and track bursary applications, and enabling institution staff to review, assess and process those applications | Performance of a contract; and/or legitimate interests (providing the service to institutions as required under their DfE funding agreements) |
| Processing payments and maintaining award, payment and attendance records | Performance of a contract; compliance with a legal obligation (DfE audit and record-keeping requirements) |
| Sending you notifications relating to your account or application for example, status updates, document requests or award decisions | Performance of a contract with you |
| Providing technical support, investigating reported issues and responding to queries | Legitimate interests (maintaining and improving the platform) |
| Monitoring platform security, detecting and investigating suspicious activity, and enforcing multi-factor authentication for staff accounts | Legitimate interests (protecting the platform, institutions and students from unauthorised access and fraud) |
| Analysing usage patterns and improving the reliability, performance and design of the platform | Legitimate interests (running and improving our business) |
| Complying with legal or regulatory obligations, including responding to lawful requests from courts or regulators | Compliance with a legal obligation |
| Sending service and product communications to institution contacts (see Marketing below) | Legitimate interests (communicating with people who have engaged with us) |
Institutions as separate controllers
When a school or college uses myBursary to administer their bursary fund, the institution is also a data controller in relation to their students’ personal data. This means they have their own legal responsibilities for how that data is used and their own privacy notice should explain those responsibilities to students.
We act as a data processor on behalf of each institution when we process their students’ data. We do so only on the institution’s documented instructions, under a written data processing agreement, and we implement the technical and organisational safeguards described in this policy. If you are a student and have questions about how your institution handles your personal data for example, how long they keep your evidence documents or who within the institution can see them you should contact them directly.
If you ask us to handle a rights request and we determine that the institution is the relevant controller for the data in question, we will refer you to the institution and let you know we have done so.
Automated decision-making
UK GDPR gives you rights in relation to decisions made about you solely by automated means (without human involvement) where those decisions have a significant effect on you. We want to be clear about how this applies to our platform.
The myBursary platform uses automated logic to support the administration of bursary applications for example, to validate that a form has been completed correctly, to route an application to the appropriate review stage, or to flag applications that may require additional evidence. However, all decisions about whether to approve, reject or defer a bursary application are made by authorised staff at the relevant institution. No bursary outcome is determined solely by automated means.
We may use automated checks to detect activity that could indicate fraud or unauthorised access to the platform. Where such checks flag a concern, a member of our team reviews the flag before any action is taken.
Marketing
We may use contact details held for staff and administrator accounts to send occasional communications about myBursary for example, notices of new features, changes to the platform or guidance relevant to administering the 16–19 Bursary Fund. We rely on legitimate interests for this: the people we contact are professional users of the platform who have engaged with us in a business context, and the content is directly relevant to their use of it.
You can stop receiving marketing communications from us at any time by contacting us at [email protected] or by using the unsubscribe link included in any such email.
What we will never do:
- Send marketing to students registered on the platform
- Sell, rent or share personal data with any third party for their own marketing purposes
- Use student eligibility or financial data for any commercial profiling
- Contact any user in a way that misrepresents who we are or why we are writing
Who we share your personal data with
We share personal data only where there is a genuine need to do so and, in every case, only under appropriate contractual safeguards. The table below lists our current sub-processors and other routine recipients.
| Recipient | Purpose | Data involved | Location |
|---|---|---|---|
| The institution using myBursary | Administering bursary applications for their own students | All student application data within that institution’s portal. Institutions cannot access data belonging to other institutions. | UK |
| Cloudflare | Content delivery network; object storage for uploaded evidence documents and static assets (Cloudflare R2) | Uploaded files; web request metadata (IP address, request path) | US-headquartered; data may transit global CDN edge nodes. Transfer mechanism: UK Addendum to EU Standard Contractual Clauses |
| Amazon Web Services Simple Email Service (SES) | Sending transactional notifications such as password reset emails, account invitations and application status updates | Email address; notification content | US-headquartered. Transfer mechanism: UK Addendum to EU Standard Contractual Clauses |
| Application hosting and database provider | Hosting the platform and storing the application database | All platform data | UK or EEA |
| Sentry (Functional Software, Inc.) | Error monitoring and performance diagnostics: detecting and diagnosing technical faults in the platform | Technical identifiers, error stack traces, and request metadata. We configure
Sentry with send_default_pii=False; no student personal data is
intentionally transmitted. |
US-headquartered. Transfer mechanism: UK Addendum to EU Standard Contractual Clauses |
| Google LLC (Google Analytics 4) | Analytics on the public mybursary.org website only: understanding aggregate traffic patterns to improve the site | Anonymous/pseudonymous usage data (page views, session duration, referral source). IP anonymisation is enabled. Analytics cookies are only set after visitor consent. Google Analytics is not active on institution subdomains and does not process student personal data. | US-headquartered. Transfer mechanism: UK Addendum to EU Standard Contractual Clauses. Only applies to mybursary.org public website visitors who have given cookie consent. |
| Wonde (Arbor Education Partners Ltd) | MIS integration — retrieving student and staff data from the institution’s school information system on the institution’s instruction | Student names, email addresses, dates of birth and attendance summaries; staff names and email addresses. Data is fetched only for institutions that have enabled MIS integration. | UK. Wonde processes data under a data-sharing agreement with the institution and a sub-processing agreement with us. |
| Google LLC / Microsoft Corporation | Single sign-on (SSO) identity verification where an institution has enabled SSO for their platform | Name, email address and unique account identifier returned by the identity provider at sign-in. We receive no passwords and retain only what is needed to match the SSO identity to a myBursary account. | US-headquartered. Transfer mechanism: UK Addendum to EU Standard Contractual Clauses. Only applies to institutions with SSO enabled. |
From time to time, we or the third parties above may also share personal data with our external auditors and professional advisors (who are bound by confidentiality obligations), with law enforcement agencies or courts where we are required to by law, or with any party that acquires ownership or control of our business (subject to standard confidentiality protections). In the last case, we would inform you of any change in controller before it takes effect.
If you would like to know more about who we share data with in any particular context, please contact us.
How long your personal data will be kept
We do not keep personal data for longer than is necessary for the purpose it was collected for. The relevant period depends on the type of data involved.
| Category of data | Retention period | Reason |
|---|---|---|
| Bursary application and award records (including uploaded evidence, payment records and attendance records) | Minimum 6 years from the end of the relevant academic year; longer if an audit or investigation is ongoing | DfE audit requirements. Institutions are required to retain eligibility evidence for this period; we retain data on the platform to enable institutions to meet those obligations. |
| Account data for active users | For the life of the account, then up to 7 years after closure | Financial record-keeping obligations |
| Inactive accounts never associated with a submitted application | 2 years from last login, then deleted | No continuing purpose once an account is dormant and unlinked to a claim |
| Server and access logs (IP addresses, page requests, timestamps) | Up to 12 months, then deleted | Security monitoring and incident investigation |
| Marketing preferences and contact records for institution staff | While the relationship is active, plus a reasonable period thereafter, or until you opt out whichever comes first | Legitimate interests in maintaining the business relationship |
At the end of the applicable retention period, we securely delete or irreversibly anonymise the data in question. Where data is held in backups, those backups are purged on a rolling basis in line with our retention schedules.
Transferring your personal data out of the UK
Some of our infrastructure providers have servers or operations outside the United Kingdom. In particular, Cloudflare and Amazon Web Services are US-headquartered companies. Where data is processed in the United States or other countries outside the UK, we rely on appropriate transfer mechanisms to ensure an equivalent level of protection applies.
Under UK GDPR, we can transfer personal data outside the UK only where:
- the UK government has made an adequacy decision in respect of the destination country, meaning it has assessed that country’s data protection laws as providing a standard broadly equivalent to UK law;
- appropriate safeguards are in place for example, the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, which we include in our contracts with relevant providers; or
- a specific exception under UK GDPR applies in the circumstances.
The specific transfer mechanism used for each provider is listed in the sub-processors table above. If you would like more detail on any of these arrangements, please contact us.
Cookies and other tracking technologies
A cookie is a small text file that a website places on your device. We use a limited set of cookies, all serving a specific purpose. The table below describes the cookies currently set by the myBursary platform.
| Cookie | Type | Purpose | Duration |
|---|---|---|---|
sessionid |
Strictly necessary | Maintains your login session between page loads. Without this cookie the platform cannot function. | Session (deleted when you close your browser, or after 2 weeks of inactivity) |
csrftoken |
Strictly necessary | Protects form submissions against cross-site request forgery attacks. Without this, form submissions cannot be processed securely. | 1 year |
| MFA and authentication cookies | Strictly necessary | Set by our authentication system (django-allauth) to manage multi-factor authentication state and verified device trust. | Session or short-lived |
| Functional preference cookies | Functional | Remember interface preferences such as dismissed notices or display settings. | Up to 1 year |
Strictly necessary cookies cannot be disabled as they are essential for the platform to operate. Functional cookies can be managed or cleared through your browser settings, though doing so may affect your experience. We do not currently use third-party advertising or cross-site tracking cookies.
You can manage cookies through your browser settings. Be aware that disabling session cookies will prevent you from logging in to the platform.
Your rights
UK data protection law gives you a number of rights in relation to your personal data. These are summarised below. Most can be exercised free of charge, though we may charge a reasonable fee or decline a request that is manifestly unfounded or excessive.
| Right | What it means in practice |
|---|---|
| Access | To ask us for a copy of the personal data we hold about you, along with information about how we use it |
| Correction | To ask us to correct personal data that is inaccurate or to complete data that is incomplete |
| Erasure | To ask us to delete your personal data where there is no longer a legitimate reason for us to hold it subject to our legal and regulatory obligations to retain certain records |
| Restriction | To ask us to stop actively processing your personal data in certain circumstances, for example while you contest its accuracy |
| Portability | To receive a copy of personal data you have provided to us in a structured, machine-readable format, in certain circumstances |
| Objection | To object to our processing of your personal data where we rely on legitimate interests, including objecting to direct marketing |
| Withdraw consent | Where we rely on your consent, to withdraw it at any time without affecting the lawfulness of processing that took place before withdrawal |
| Automated decision rights | To request human review of any decision made solely by automated means that significantly affects you. As explained in the automated decision-making section, all application decisions on myBursary are made by humans, so this right is unlikely to arise in practice. |
For more detail on each right including when they apply and when they do not the ICO publishes helpful guidance at ico.org.uk.
How to exercise your rights
To exercise any of your rights, please email us at [email protected] with the subject line “Data rights request”. Please include:
- Your full name and the email address associated with your account (if you have one)
- The right you wish to exercise and, where relevant, the specific data you are asking about
- Your institution, if applicable
We will acknowledge your request within five working days. We may need to ask you for additional information to verify your identity before we can act on your request this is to protect you against someone else requesting access to your data. We aim to respond fully within one month of receiving your request (or, for complex requests, within three months where we notify you of the extension).
There is no charge for exercising your rights in ordinary circumstances. If a request is manifestly unfounded or excessive for example, highly repetitive we may charge a reasonable fee or decline the request, and will tell you why.
Where your data is held on behalf of an institution and the institution is the relevant controller, we will direct your request to them where appropriate and inform you we have done so.
Keeping your personal data secure
We take security seriously particularly given that the platform handles financial eligibility data that students may reasonably consider sensitive.
At the technical level:
- Multi-factor authentication (MFA) is enforced for all staff and administrator accounts. Staff cannot access student data without it.
- Encryption in transit: all connections to the platform use TLS. Data is not transmitted in plain text.
- Encryption at rest: passwords are hashed using a strong one-way algorithm and are never stored in readable form. Bank account details are stored using industry-standard field-level encryption.
- Access-controlled file storage: uploaded evidence documents are held in isolated, private object storage with no public URLs. Access is granted only through short-lived signed URLs generated at the point of access.
- Institution isolation: student data is scoped strictly by institution. No institution can see another’s data.
- Rate limiting and fraud detection: the platform applies automated controls to detect and limit suspicious activity such as account takeover attempts.
At the organisational level, we limit access to personal data to staff who genuinely need it to operate and support the platform. We maintain internal procedures for identifying, responding to and (where legally required) reporting suspected data security incidents. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and will inform affected individuals without undue delay.
No system can guarantee complete security. If you have concerns about the security of your account or wish to report a vulnerability, please contact us at [email protected] and we will respond promptly.
How to complain
If you have any concerns about how we handle your personal data, please contact us in the first instance we would rather resolve the issue directly and will do our best to do so. We will acknowledge your complaint within five working days and aim to resolve it within 30 days.
You also have the right to complain to the Information Commissioner’s Office (ICO), the UK’s data protection regulator, at any time you do not need to have complained to us first. We are registered with the ICO under registration number ZC012206. The ICO can be contacted online at ico.org.uk/make-a-complaint or by telephone on 0303 123 1113.
Changes to this privacy policy
We update this policy as the platform evolves and as the law changes. When we make material changes for example, where we begin processing personal data in a new way or engage a new category of third-party provider we will publish the updated policy on this page and, where it significantly affects your rights, notify you by email or via a notice on the platform. The version date at the top of this page tells you when the policy was last revised. If you would like a copy of a previous version, please contact us.
We are monitoring the implementation of the Data (Use and Access) Act 2025, which received Royal Assent in June 2025 and will progressively amend aspects of UK data protection law. We will update this policy as those changes take effect.
How to contact us
If you have questions about this policy, want to exercise a right under data protection law, or have a concern about how we handle your personal data, please contact us:
Senha Ltd t/a myBursary71–75 Shelton Street, Covent Garden, London WC2H 9JQ
Company No. 16718889 · Registered in England & Wales
ICO registration: ZC012206
Email: [email protected]
We aim to respond to all queries within five working days.