Privacy Policy

1. Who We Are

School Beyond Limitations Ltd (“SBL”, “we”, “our” or “us”) is a holistic international online school registered in England and Wales.

Registered company name: School Beyond Limitations Ltd

Registered office: 2nd Floor, National House, 60-66 Wardour Street, London, W1F 0TA, United Kingdom

Directors: Martina Geromin, Katharina Ferster

Data protection contact: hello@school-beyond-limitations.com

As a UK-registered company operating with servers hosted in Germany and serving a global user base including users in the European Economic Area (EEA), we are subject to both the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (EU GDPR 2016/679), as applicable.

We do not have a designated Data Protection Officer (DPO). Questions regarding this Privacy Policy should be directed to the address above.

2. Scope of This Policy

This Privacy Policy applies to all personal data collected through:

  • our website and any associated subdomains;
  • enrolment, registration, and payment processes;
  • the delivery of our educational programmes via Zoom and Google Workspace for Education;
  • our email marketing communications;
  • our advertising activities on Meta (Facebook/Instagram) and Google Ads.

SBL’s services are directed at parents and legal guardians (“Parents”) who enrol their children (“Students”) aged 4 and above in our programmes. Parents are the contracting party and data subjects in the primary sense. Where children provide personal data as part of their participation in lessons (e.g., appearing on video during Zoom sessions, using a Google Workspace for Education account), this is addressed specifically in Section 9 below.

3. Data Controller

School Beyond Limitations Ltd is the data controller for personal data processed under this Policy. This means we determine the purposes and means of processing your personal data.

For personal data processed via Google Workspace for Education, Google acts as a data processor on our behalf, in accordance with a Data Processing Agreement.

4. Personal Data We Collect

4.1 Data You Provide Directly

  • Full name and contact details (email address, telephone number, postal address) of the Parent/Guardian;
  • Child’s first name, age/date of birth, and year group;
  • Information submitted via contact or enrolment forms;
  • Correspondence and communications with our team;
  • Billing information (name, address) for invoice-based payment — we do not collect or store credit or debit card numbers; payment is processed via bank transfer initiated by you.

4.2 Data Collected Automatically

  • IP address and device/browser information when you visit our website;
  • Cookie data and usage analytics via Google Analytics 4 (GA4);
  • Behavioural and interaction data via Meta Pixel (Facebook/Instagram advertising pixel);
  • Engagement data from email campaigns (open rates, clicks) via KlickTipp and GoHighLevel.

4.3 Data Generated Through Service Delivery

  • Video/audio session data arising from live classes conducted via Zoom (retained only if a session is recorded with prior notice);
  • Work, communications, and activity data within Google Workspace for Education accounts assigned to Students;
  • Attendance and progress records maintained by our teaching team.

5. Legal Basis for Processing

We process personal data only where we have a lawful basis to do so under UK GDPR / EU GDPR Article 6 (and Article 9 where special category data is involved). The bases we rely on are:

  • Contract performance (Art. 6(1)(b)): To enrol your child, deliver educational services, issue invoices, and manage your account.
  • Legal obligation (Art. 6(1)(c)): To comply with applicable UK and EU law, including tax, financial record-keeping, and child safeguarding obligations.
  • Legitimate interests (Art. 6(1)(f)): To operate and improve our services, prevent fraud, conduct internal analytics, and communicate service updates. We only rely on this basis where our interests are not overridden by your rights and freedoms.
  • Consent (Art. 6(1)(a)): For non-essential cookies, Meta Pixel tracking, and marketing communications via email. You may withdraw consent at any time (see Section 11).

Where we process personal data about children, we obtain verifiable parental consent and take additional protective measures as described in Section 9.

6. How We Use Your Data

We use the personal data we collect for the following purposes:

  • Enrolling and administering Student accounts and educational programmes;
  • Delivering live online lessons via Zoom and Google Workspace for Education;
  • Communicating with Parents about their child’s progress, class schedules, and updates;
  • Sending marketing and promotional emails to opted-in Parents via KlickTipp and GoHighLevel;
  • Processing and recording invoice-based payments and maintaining financial records;
  • Displaying targeted or retargeted advertising via Meta Ads and Google Ads;
  • Measuring website traffic and user behaviour via Google Analytics 4;
  • Improving our website, content, and service offering;
  • Responding to enquiries, complaints, and exercising or defending legal claims;
  • Complying with safeguarding, tax, and other legal obligations.

7. Third-Party Service Providers (Processors)

We share personal data with the following third-party service providers, solely to the extent necessary for the purposes described in this Policy. All processors have been vetted and are bound by appropriate data processing agreements.

Zoom Video Communications, Inc. (USA)

Purpose: Live online class delivery. Data: Names, video/audio during sessions, IP addresses. Transfer mechanism: Standard Contractual Clauses (SCCs). Privacy Policy: zoom.us/privacy

Google LLC — Google Workspace for Education (USA)

Purpose: Student and teacher accounts, file storage, collaboration tools. Data: Student names, email addresses, work files and activity within Google Workspace. Note: Core services contain no advertising. Transfer mechanism: SCCs + EU adequacy mechanisms. Privacy Policy: workspace.google.com/terms/education_privacy

Google LLC — Google Analytics 4 (USA)

Purpose: Website analytics. Data: Anonymised/pseudonymised usage data, IP addresses (truncated). Transfer mechanism: SCCs. We have enabled IP anonymisation. Consent required: Yes (non-essential cookie).

Meta Platforms Ireland Ltd (Ireland/USA)

Purpose: Advertising, audience targeting, conversion tracking via Meta Pixel. Data: Hashed behavioural/event data from website visitors. Transfer mechanism: SCCs. Consent required: Yes. Privacy Policy: facebook.com/privacy

KlickTipp GmbH (Germany)

Purpose: Email marketing automation, subscriber management. Data: Email address, first name, opt-in timestamp, engagement data. Server location: Germany. Privacy Policy: klicktipp.com/datenschutz

HighLevel Inc. — GoHighLevel (USA)

Purpose: CRM, sales pipeline management, email and SMS marketing. Data: Contact details, communication history, opt-in records. Transfer mechanism: SCCs. Privacy Policy: gohighlevel.com/privacy-policy

We do not sell, rent, or trade your personal data to any third party for their own marketing purposes.

8. International Data Transfers

Our website and services involve the transfer of personal data to countries outside the UK and EEA, in particular the United States, where several of our technology providers are headquartered. We ensure such transfers are lawful by relying on one or more of the following mechanisms:

  • Standard Contractual Clauses (SCCs) approved by the European Commission and/or UK International Data Transfer Agreements (IDTAs);
  • Adequacy decisions, where applicable;
  • Binding Corporate Rules, where applicable.

Our website and backend infrastructure are hosted on servers located in Germany (within the EEA), ensuring primary data residency within a jurisdiction that provides a high level of data protection.

9. Children’s Personal Data

SBL provides educational services to children from the age of 4 years. We take the protection of children’s personal data extremely seriously. The following additional measures apply:

  • Parental consent: All enrolments require the active consent of a parent or legal guardian. Parents are the contracting party and primary data subject. We do not knowingly collect data directly from children without parental authorisation.
  • Minimisation: We collect only the minimum data necessary about each child — principally first name, age/year group, and participation data required to deliver the educational service.
  • Google Workspace for Education: Where Student Google Workspace accounts are created, these are educational accounts governed by Google’s Workspace for Education Privacy Notice. Core services do not serve advertising to primary or secondary school students. We configure these accounts with appropriate admin restrictions.
  • Zoom sessions: Parents are informed in advance if any session is to be recorded. Recordings are stored securely and deleted once no longer needed for educational purposes. We do not record sessions without prior notification.
  • No profiling: We do not subject children to automated decision-making or profiling.
  • UK Children’s Code / Age Appropriate Design Code: Where our services are accessed by children in the UK, we apply the principles of the ICO’s Children’s Code, including high privacy defaults, data minimisation, and no behavioural advertising directed at children.

10. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies. We distinguish between:

  • Strictly necessary cookies: Essential for the website to function. No consent required.
  • Analytics cookies (Google Analytics 4): Used to understand website usage. IP anonymisation is enabled. Require your consent.
  • Marketing/advertising cookies (Meta Pixel): Used to track conversions and build advertising audiences. Require your consent.

On your first visit, you will be presented with a cookie consent banner. You may accept, reject, or customise your cookie preferences at any time. Withdrawing consent does not affect the lawfulness of processing prior to withdrawal.

For a full list of cookies used, including their names, providers, purposes, and retention periods, please refer to our Cookie Declaration available on our website.

11. Your Rights

Depending on your location and the applicable data protection law (UK GDPR or EU GDPR), you have the following rights:

  • Right of access (Art. 15): To receive a copy of the personal data we hold about you.
  • Right to rectification (Art. 16): To have inaccurate or incomplete data corrected.
  • Right to erasure (Art. 17): To request deletion of your personal data, subject to legal retention obligations.
  • Right to restriction (Art. 18): To request that we limit the processing of your data in certain circumstances.
  • Right to data portability (Art. 20): To receive your data in a structured, machine-readable format where processing is based on consent or contract.
  • Right to object (Art. 21): To object to processing based on legitimate interests or for direct marketing purposes.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing. To unsubscribe from marketing emails, click the unsubscribe link in any email or contact us directly.
  • Right not to be subject to automated decision-making: We do not make solely automated decisions that significantly affect you.

To exercise any of the above rights, please contact us at hello@school-beyond-limitations.com. We will respond within one calendar month. We may need to verify your identity before fulfilling your request.

If you are a parent exercising rights on behalf of your child, please indicate this clearly in your request.

12. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law.

  • Enrolment and account data: Retained for the duration of the educational relationship, plus 6 years thereafter (UK statutory limitation period).
  • Financial and invoicing records: Retained for 7 years in accordance with UK tax and accounting obligations (Companies Act 2006 / HMRC requirements).
  • Marketing data (email): Retained until you unsubscribe or withdraw consent, plus a reasonable period to maintain suppression records.
  • Website analytics data: Retained in anonymised form for up to 26 months (Google Analytics default).
  • Zoom recordings (where applicable): Deleted within 90 days of the session unless required for an ongoing dispute or legal obligation.
  • Cookie consent records: Retained for 3 years as evidence of consent.

13. Data Security

We implement appropriate technical and organisational measures to protect personal data against unauthorised access, accidental loss, destruction, or disclosure. These include:

  • Encrypted data transmission (TLS/SSL) for all web and email traffic;
  • Access controls and role-based permissions for staff accessing personal data;
  • Use of trusted, industry-standard third-party platforms (Google, Zoom, KlickTipp) with their own robust security programmes;
  • Regular review of data processing arrangements and third-party processors;
  • Staff awareness of data protection obligations.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, and you directly where the risk is high, in accordance with UK GDPR Art. 33 and 34.

14. Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with the relevant supervisory authority:

UK (primary):

Information Commissioner’s Office (ICO)

Website: ico.org.uk  |  Helpline: 0303 123 1113

EU (for EEA-based users):

Your national data protection authority. A list of EU supervisory authorities is available at: edpb.europa.eu

We would, however, appreciate the opportunity to address your concerns directly before you contact a supervisory authority. Please reach out to us first at hello@school-beyond-limitations.com.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. The current version will always be available on our website. Where changes are material, we will notify you by email or via a prominent notice on our website prior to the change becoming effective.

The date at the top of this document indicates when it was last revised.

16. Contact Us

For any questions, concerns, or requests relating to this Privacy Policy or the processing of your personal data, please contact:

School Beyond Limitations Ltd

2nd Floor, National House

60-66 Wardour Street

London, W1F 0TA

United Kingdom

Email: hello@school-beyond-limitations.com

Subscribe for News & Updates

Legal Notice   Privacy Police

© Copyright - School Beyond Limitations