Privacy Policy
mybursary.org and the myBursary platform are operated by Senha Ltd trading as myBursary (“we”, “our” or “us”), a company registered in England and Wales (Company No. 16718889). We provide software that helps schools and colleges administer the 16–19 Bursary Fund on behalf of the Department for Education (DfE). As the operator of that software, we are a controller of personal data under the UK General Data Protection Regulation (UK GDPR) — meaning we are legally responsible for deciding how and why it is used.
We want to be straightforward about what data we hold, who sees it, and why. This policy sets all of that out. It covers both our public website at mybursary.org and the platform itself, which institutions access via their own subdomain (for example, yourschool.mybursary.org). If you have questions about anything in it, please get in touch — our contact details are at the bottom.
A word on age: our platform is designed for students aged 16 and over. We do not knowingly collect personal data relating to anyone under 16 without the involvement of their institution. If you think data about someone under 16 has reached us, please let us know and we will review and, where appropriate, delete it.
What this policy applies to
This privacy policy covers personal data we collect and process through mybursary.org and the myBursary platform. It applies whether you are a student using the platform to submit a bursary application, a member of staff at an institution administering the fund, or simply a visitor browsing our public website.
It does not cover third-party websites that we may link to. Those websites have their own privacy policies, which we encourage you to read before providing any information to them.
Where an institution has engaged us to run their bursary process, that institution also has obligations as a data controller in its own right. We deal with this further in the section on Institutions as separate controllers below.
Personal data we collect about you
The personal data we collect depends on how you interact with us. For students, that typically means the information needed to complete and support a bursary application. For institution staff and administrators, it means account and usage information. For website visitors, it is limited to technical information and any message you choose to send us.
Across those groups, the personal data we may collect includes:
- Your name, email address and other contact details
- Your institution affiliation and, for staff, your role within it
- Account credentials and authentication information (we store only a hashed version of your password; we never store it in readable form)
- Identity and eligibility information provided as part of a bursary application — which may include your date of birth, National Insurance number, household income details, and any supporting documents you upload as evidence
- Details of the awards you have applied for or received, including payment records
- Records of any communications you send to us or to your institution through the platform
- Information about how you use the platform, including which pages you visit and actions you take
- Technical data about the device and browser you use to access the platform, including your IP address, browser type and operating system
- Your responses to any feedback or satisfaction surveys we may send
Some of this information — particularly account details and the information needed to process your application — is required for us to provide the service. Where you have a genuine choice about whether to provide something, we will say so at the point of collection.
Sensitive personal data
Some of the personal data collected through bursary applications is of a particularly sensitive nature. Eligibility for the 16–19 Bursary Fund often depends on household income, receipt of means-tested benefits, or specific personal circumstances — for example, whether a student is a care leaver or in receipt of Employment and Support Allowance or Personal Independence Payment.
Information of this kind may reveal details about a person’s financial situation, family circumstances, health or disability. Under UK GDPR, data revealing health or disability status is classified as special category personal data and attracts additional legal protections. Where we handle such information, we do so only to the extent necessary to process the relevant application, and only on the basis of explicit consent from the applicant or, where applicable, because processing is necessary for reasons of substantial public interest (administering a government-funded bursary scheme).
We require institutions to collect only the evidence they genuinely need to assess eligibility. Evidence documents uploaded to the platform are stored securely and are accessible only to authorised staff at the relevant institution and to us for the purposes of operating and supporting the platform.
How your personal data is collected
Most of the personal data we hold comes directly from you — when you register for an account, complete or update an application, upload supporting documents, or contact us with a query or feedback. For staff and administrator accounts, the relevant institution typically initiates account creation.
We also collect limited information indirectly. When you use our website or platform, standard web server logs record information such as your IP address, the pages you request and the time of your visit. We may also use cookies to maintain your login session and to understand aggregate patterns of platform usage — see Cookies below for more detail.
In some cases, an institution may share personal data about you with us directly — for example, by uploading a list of enrolled students or by linking your school email address to a portal account before you have logged in for the first time.
How and why we use your personal data
Data protection law requires us to have a lawful basis for every use we make of personal data. The main bases we rely on are: your consent; the performance of a contract with you or your institution; compliance with a legal obligation; and our legitimate interests (or those of a third party), where those interests are not outweighed by your rights and interests.
Legitimate interests warrant a little explanation. When we rely on this basis, we carry out a balancing assessment to check that our use of your data is proportionate and does not override your interests. Examples include preventing fraud, keeping the platform secure, understanding how the service is used so we can improve it, and communicating with institutions about service matters. We have published our full Legitimate Interests Assessment, which sets out the three-part test we apply for each processing activity that relies on this basis.
| What we use your personal data for | Our legal basis |
|---|---|
| Creating and managing your account, including authentication and session management | Performance of a contract with you (or with the institution on whose platform you are registered) |
| Enabling students to submit, update and track bursary applications, and enabling institution staff to review, assess and process those applications | Performance of a contract; and/or legitimate interests (providing the service to institutions as required under their DfE funding agreements) |
| Processing payments and maintaining award and payment records | Performance of a contract; compliance with a legal obligation (DfE audit and record-keeping requirements) |
| Sending you notifications relating to your account or application — for example, status updates, document requests or award decisions | Performance of a contract with you |
| Providing technical support, investigating reported issues and responding to queries | Legitimate interests (maintaining and improving the platform) |
| Monitoring platform security, detecting and investigating suspicious activity, and enforcing multi-factor authentication for staff accounts | Legitimate interests (protecting the platform, institutions and students from unauthorised access and fraud) |
| Analysing usage patterns and improving the reliability, performance and design of the platform | Legitimate interests (running and improving our business) |
| Complying with legal or regulatory obligations, including responding to lawful requests from courts or regulators | Compliance with a legal obligation |
| Sending service and product communications to institution contacts (see Marketing below) | Legitimate interests (communicating with people who have engaged with us) |
Institutions as separate controllers
When a school or college uses myBursary to administer their bursary fund, the institution is also a data controller in relation to their students’ personal data. This means they have their own legal responsibilities for how that data is used — and their own privacy notice should explain those responsibilities to students.
We act as a data processor on behalf of each institution when we process their students’ data. We do so only on the institution’s documented instructions, under a data processing agreement, and we implement the technical and organisational safeguards described in this policy. If you are a student and have questions about how your institution handles your personal data, you should contact them directly.
Marketing
We may use contact details held for staff and administrator accounts to send occasional communications about myBursary — for example, notices of new features, changes to the platform or guidance relevant to administering the 16–19 Bursary Fund. We rely on legitimate interests for this: the people we contact are professional users of the platform who have engaged with us in a business context, and the content is directly relevant to their use of it.
We do not send marketing communications to students, and we will never sell or share personal data with any third party for their own marketing purposes.
You can stop receiving marketing communications from us at any time by contacting us at [email protected] or by using the unsubscribe link included in any such email.
Who we share your personal data with
We share personal data only where there is a genuine need to do so and, in every case, only under appropriate contractual safeguards. Our routine recipients are:
- Cloud infrastructure and storage providers, who host the platform and store data on our behalf under data processing agreements. We use Cloudflare for both our content delivery network and object storage (for uploaded evidence documents and static assets). Our platform and database are hosted on cloud infrastructure in the UK or EEA.
- Amazon Web Services (Simple Email Service), which we use to send transactional notifications such as password reset emails and application status updates. AWS is a US-headquartered company; transfers rely on the UK Addendum to the EU Standard Contractual Clauses.
- Error monitoring and performance tooling, used to detect and diagnose technical issues; data shared with these tools is limited to technical identifiers and stack traces.
- The institution that has engaged myBursary to manage their bursary process. Staff and administrators at that institution can access data relating to their own students within their institution’s portal. They cannot access data belonging to other institutions.
From time to time, we or the third parties above may also share personal data with our external auditors and professional advisors (who are bound by confidentiality obligations), with law enforcement agencies or courts where we are required to by law, or with any party that acquires ownership or control of our business (subject to standard confidentiality protections). In the last case, we would inform you of any change in controller before it takes effect.
If you would like to know more about who we share data with in any particular context, please contact us.
How long your personal data will be kept
We do not keep personal data for longer than is necessary for the purpose it was collected for. The relevant period depends on the type of data involved.
Bursary application and award records are subject to DfE audit requirements. Institutions are required to retain evidence of eligibility assessments and payments for a minimum of six years from the end of the academic year to which the award relates (and longer if an audit or investigation is ongoing). We retain data on the platform for the same minimum period to enable institutions to meet those obligations.
Account data for active users is retained for as long as the account remains in use and for up to seven years after it is closed, to comply with financial record-keeping obligations. Inactive accounts that have never been associated with a submitted application are deleted after two years.
Server and access logs, which record information such as IP addresses and page requests, are retained for up to twelve months and then deleted.
Marketing preferences and contact records for institution staff are retained while the relationship is active and for a reasonable period afterwards, or until you opt out — whichever comes first.
At the end of the applicable retention period, we securely delete or irreversibly anonymise the data in question.
Transferring your personal data out of the UK
Some of our infrastructure providers have servers or operations outside the United Kingdom. In particular, Cloudflare — who provide our content delivery network and object storage — is a US-headquartered company. Where data is processed in the United States or other countries outside the UK, we rely on appropriate transfer mechanisms to ensure an equivalent level of protection applies.
Under UK GDPR, we can transfer personal data outside the UK only where:
- the UK government has made an adequacy decision in respect of the destination country, meaning it has assessed that country’s data protection laws as providing a standard broadly equivalent to UK law;
- appropriate safeguards are in place — for example, the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, which we include in our contracts with relevant providers; or
- a specific exception under UK GDPR applies in the circumstances.
If you would like more detail on the specific transfer mechanisms we use for any of our providers, please contact us.
Cookies and other tracking technologies
A cookie is a small text file that a website places on your device. We use a limited set of cookies, all serving a specific purpose.
Strictly necessary cookies keep the platform functioning. These include session cookies (which maintain your login between page loads) and a CSRF token cookie (which protects against cross-site request forgery attacks). Without these, the platform cannot operate and they cannot be disabled.
Functional cookies remember your preferences — for example, whether you have dismissed a notice or set a display preference.
Analytics cookies help us understand, in aggregate, how the platform is used. Where we share data with analytics providers, we do so in anonymised or aggregated form where possible.
You can manage or disable non-essential cookies through your browser settings. Be aware that disabling cookies will affect your ability to log in and use the platform.
Your rights
UK data protection law gives you a number of rights in relation to your personal data. These are summarised below. Most can be exercised free of charge, though we may charge a reasonable fee or decline a request that is manifestly unfounded or excessive.
| Right | What it means in practice |
|---|---|
| Access | To ask us for a copy of the personal data we hold about you, along with information about how we use it |
| Correction | To ask us to correct personal data that is inaccurate or to complete data that is incomplete |
| Erasure | To ask us to delete your personal data where there is no longer a legitimate reason for us to hold it — subject to our legal and regulatory obligations to retain certain records |
| Restriction | To ask us to stop actively processing your personal data in certain circumstances, for example while you contest its accuracy |
| Portability | To receive a copy of personal data you have provided to us in a structured, machine-readable format, in certain circumstances |
| Objection | To object to our processing of your personal data where we rely on legitimate interests, including objecting to direct marketing |
| Withdraw consent | Where we rely on your consent, to withdraw it at any time — without affecting the lawfulness of processing that took place before withdrawal |
For more detail on each right — including when they apply and when they do not — the ICO publishes helpful guidance at ico.org.uk.
To exercise any of your rights, please email us using the contact details below. Please include enough information to identify yourself and describe the right you want to exercise. We may need to ask you for additional information to verify your identity before we can act on your request. We will respond within one month (or sooner where possible).
Where your data is held on behalf of an institution (for example, your school or college) and the institution is the relevant controller, we will direct your request to them where appropriate.
Keeping your personal data secure
We take security seriously — particularly given that the platform handles financial eligibility data that students may reasonably consider sensitive.
At the technical level, the platform enforces multi-factor authentication (MFA) for all staff and administrator accounts; staff cannot access student data without it. Connections to the platform are encrypted in transit using TLS. Passwords are hashed using a strong one-way algorithm and are never stored in readable form. Uploaded evidence documents are held in isolated, access-controlled object storage with no public URLs; access is granted only through short-lived signed URLs generated at the point of access. Student data is scoped strictly by institution — no institution can see another’s data.
At the organisational level, we limit access to personal data to staff who genuinely need it to operate and support the platform. We maintain internal procedures for identifying, responding to and (where legally required) reporting suspected data security incidents. Where a breach is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and will inform affected individuals without undue delay.
No system can guarantee complete security. If you have concerns about the security of your account, please contact us at [email protected] and we will respond promptly.
How to complain
If you have any concerns about how we handle your personal data, please contact us in the first instance — we would rather resolve the issue directly and will do our best to do so.
You also have the right to complain to the Information Commissioner’s Office (ICO), the UK’s data protection regulator. We are registered with the ICO under registration number ZC012206. The ICO can be contacted online at ico.org.uk/make-a-complaint or by telephone on 0303 123 1113.
Changes to this privacy policy
We update this policy as the platform evolves and as the law changes. When we make material changes — for example, where we begin processing personal data in a new way or engage a new category of third-party provider — we will publish the updated policy on this page and, where it significantly affects your rights, notify you by email or via a notice on the platform. The version date at the top of this page tells you when the policy was last revised.
We are monitoring the implementation of the Data (Use and Access) Act 2025, which received Royal Assent in June 2025 and will progressively amend aspects of UK data protection law. We will update this policy as those changes take effect.
How to contact us
If you have questions about this policy, want to exercise a right under data protection law, or have a concern about how we handle your personal data, please contact us:
Senha Ltd t/a myBursary
71–75 Shelton Street, Covent Garden, London WC2H 9JQ
Company No. 16718889 · Registered in England & Wales
ICO registration: ZC012206
Email: [email protected]
We aim to respond to all queries within five working days.