Introduction
At B.A. Academy, we take privacy and data protection seriously. This Privacy Policy explains how we collect, store, use, and share personal data when you register children for our afterschool and holiday activities.
B.A. Academy is operated by:
B A Education Services Ltd (Company No. 16043267)
B A Education London Ltd (Company No. 16797519)
Both companies act as Data Controllers (jointly) for the purposes of UK data protection law.
Personal Data We Collect
We collect and process the following information when you register:
- Parent / Guardian Details: Name, email address, phone number, and contact details.
- Child Details: Name, school, age, year group.
- Medical & Allergy Information: Only where required for safety reasons.
- Emergency Contact Information: For use if parents cannot be reached.
- Payment Information: Processed via Stripe – we never see or store full card numbers.
Payment Processing & Stripe
We use Stripe to process payments securely. Depending on the club or region, bookings may be processed by one of our two Stripe accounts:
- B A Education Services Ltd – Stripe Account A
- B A Education London Ltd – Stripe Account B
We do not store card details, but we retain booking records for financial and safeguarding purposes.
Why We Collect Your Data (Lawful Basis)
We process data under the following UK GDPR lawful bases:
- Contract: To manage bookings and provide childcare services.
- Legal obligation: Child safety and safeguarding responsibilities.
- Vital interests: Medical or emergency data needed to protect a child.
- Legitimate interests: Ensuring safe and efficient delivery of our services.
- Consent: Only for optional marketing communications.
How We Protect Your Data
- Secure password-protected systems
- Restricted access to staff with a genuine need to know
- Regular system and security reviews
- Use of secure, GDPR-compliant software providers
- Data encryption where appropriate
Children’s Medical & Safeguarding Data
Medical and allergy information is treated as sensitive personal data. It is only accessed by staff who need it to:
- ensure a child’s safety
- manage emergencies
- comply with safeguarding obligations
It is never used for marketing or shared unnecessarily.
Data Retention
We keep data only as long as necessary for:
- Legal and tax requirements (up to 7 years)
- Safeguarding and incident records (statutory periods)
- Service delivery and booking history
You may request deletion of data that is no longer required.
Cookies & Website Tracking
We use cookies and analytics tools to understand how visitors use our website and to improve our services. These do not identify children directly.
Your Data Rights
Under the UK GDPR, you have the right to:
- Access your personal data
- Request correction of inaccurate data
- Request data deletion (where legally allowed)
- Restrict certain processing
- Object to processing
- Withdraw consent (for marketing)
- Make a complaint to the ICO
Sharing Your Data
We do not sell or trade data.
We may share data only with:
- Stripe (for payment processing)
- Activity staff (for registers & safety)
- Emergency services (if required)
- Professional advisers (e.g. accountants)
International Transfers
Where any data is processed outside the UK (e.g. via Stripe), this is protected under approved safeguards, such as Standard Contractual Clauses.
Updates to This Policy
Any changes to this Privacy Policy will be posted on our website, with a revised “Last Updated” date.
Contact Us
To exercise any data rights, or if you have privacy concerns, please contact us using the details on our website.
You also have the right to contact the UK Information Commissioner’s Office at: www.ico.org.uk