Privacy Policy

We are RestorativU (“we”, “us”, “our”) a company registered in England and Wales (No. 15782616).

We provide and operate the website, web applications and mobile applications used to support mentoring, restorative and social support programmes delivered by partner programme organisations.

Depending on the programme involved, personal data may be processed by RestorativU in connection with the operation of the platform and related systems, and by partner organisations delivering services through the platform.

This Privacy Policy supplements any other privacy or fair processing notices we may provide from time to time.

We receive personal data in several ways, including:

• directly from individuals when they provide information to us, including during account setup, communication with staff, form completion, file uploads, feedback or reporting issues with the website or applications;
• automatically when you use our website or applications (for example via cookies and technical logs);
• and from partner organisations or institutions that refer cases to us or supply case records.

We only collect personal data that is necessary for the purposes explained in this policy.

We are not responsible for the information that may be collected by third parties by clicking on links to third party websites, plug-ins, and applications.

The types of personal data we process include (but are not limited to):

• Contact and identification details (name, phone, email, postal address, date of birth);
• Referral and case information (referral notes, case history, session notes, attendance, outcomes);
• We may also collect limited information about parents, guardians, or other authorised representatives where they are involved in a participant’s involvement in a programme;
• Media files uploaded by participants or mentors (photos, audio files, and - where consented - video recordings);
• Employee/mentor records related to participation in the project (identification, role, training, attendance);
• Website and app technical data - cookies (IP address, browser type, device information, time zone, cookies, session identifiers);
• Payment-related data where a participant funds a course (processed via external providers).

Cookies and similar technologies

We use cookies that are necessary for the website to function properly and, in some cases, to understand general usage patterns.

Some features on the website, such as embedded videos (for example, from Vimeo), are provided by third parties. These services may place their own cookies when you access or interact with that content.

We do not use cookies for advertising or profiling purposes. You can manage cookies through your browser settings, although disabling certain cookies may affect how the website works.

You can find more detailed information in our Cookie Policy

Special note on recordings and minors

Some sessions may be recorded (audio and, where consent is given, video) and stored securely for the purposes of supervision and quality assurance. Recordings are only made with consent; for minors parental or guardian consent is required. Recordings are encrypted, access is restricted, and they are not shared with auditors unless expressly required and subject to agreed safeguards.

We use personal data to support the delivery of mentoring, restorative and social support programmes through the platform, including case management, referrals, enrolment, safeguarding, reporting and related operational activities. Our primary legal bases are the performance of a contract or service under Article 6(1)(b) GDPR and our legitimate interests under Article 6(1)(f) in supporting and improving programme delivery through the platform. Where special category data is processed, we rely on explicit consent under Article 9 GDPR or another applicable legal condition. For minors, parental or guardian consent is obtained in accordance with Article 8 GDPR. Where information relating to criminal convictions or offences is processed, this is done only where necessary for programme delivery and in line with Article 10 GDPR and the Data Protection Act 2018.

Where a programme requires payment, we process limited payment-related information (such as payment confirmation and status) for the purpose of enrolment and access to services. Payment transactions are handled by an external payment provider and we do not store full card details within our systems. In programmes delivered in partnership with organisations/institutions, we may provide limited status updates confirming whether a participant has commenced and/or completed the programme. Detailed mentoring notes and internal assessments are not routinely shared unless required by law or safeguarding obligations.

Examples of how we use data: managing referrals and appointments; supporting case work and follow-up; internal quality and training; reporting to external reviewers engaged for programme monitoring or auditing purposes.

We use personal data for the reasons explained above. If we ever need to use it for a different reason, we will ensure this is lawful and inform you where required.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

We do not sell personal data. We share information only where necessary and under appropriate safeguards. Recipients may include:

• Programme staff and authorised personnel involved in programme delivery or platform operations (including mentors, coordinators, practitioners, directors, IT personnel and authorised contractors);
• Partner organisations or institutions that refer individuals to a programme or are involved in supporting a case, where information sharing is necessary for service delivery or safeguarding. Depending on the programme, this may include updates on engagement, attendance or outcomes;
• External reviewers (contracted auditing entity), where required by contract;
• Subcontractors who process data on our behalf, acting as processors under GDPR Article 28, including hosting providers (for example: Amazon Web Services, Axe Edge Limited, G Suite, Heroku), payment processors and platforms used to deliver online sessions;
• Public authorities, where we are legally required to disclose information (for example safeguarding or law enforcement requests);
• Professional advisers, such as legal or insurance advisers, where necessary to obtain advice or manage risk;
• Third parties involved in a potential sale, restructuring or transfer of the business, where personal data may be disclosed as part of due diligence, subject to appropriate safeguards;
• Public authorities or partner organisations involved in the delivery, safeguarding or oversight of a programme, where information sharing is necessary for those purposes. In such cases, each organisation determines independently the purposes and means of its own processing activities.

We use a combination of technical and organisational safeguards to protect personal data against unauthorised access, misuse, loss or disclosure. This includes encryption (in transit and at rest), role-based access controls, audit logging, and the prohibition of storing personal data on unsecured removable media. Regular backups and secure deletion procedures are in place. Only authorised staff and contracted processors may access personal data on a need-to-know basis.

Personal data is stored primarily within the UK and the European Economic Area. In some cases, when we use external service providers (for example cloud hosting, video communication or embedded media platforms), certain limited technical data may be processed outside these territories. Where this happens, we ensure that appropriate safeguards are in place in line with Art. 44–49 of the GDPR, including the use of standard contractual clauses or other recognised transfer mechanisms. Further information about these safeguards may be obtained by contacting us.

We keep personal data for as long as it is required for programme delivery, safeguarding obligations, or legal requirements. As a general rule, we retain case and participant records for seven (7) years after case closure. Employee records are retained for seven (7) years after the end of employment or project involvement. Cookies and technical data are session-based and are not retained beyond the active browser session. Aggregated or anonymised datasets used for reporting and research may be retained indefinitely if individuals cannot be identified.

At the end of the retention period, personal data is securely deleted or irreversibly anonymised using appropriate methods.

You have rights under data protection law. You can:

• Request access to the personal data we hold about you and obtain information about how it is processed;
• Request correction of inaccurate or incomplete data;
• Request deletion of your data where the legal conditions are met;
• Request restriction of processing in certain circumstances;
• Object to processing based on legitimate interests;
• Request portability of your personal data in a commonly used machine-readable format.

To exercise any of these rights, please contact us at info@restorativu.com . We will normally respond within one month.

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) in the UK, or with your local data protection authority.

Requests relating to data protection rights should be sent to info@restorativ.co. We may need to verify the requester’s identity before responding and will handle each request in line with our internal procedures, including consultation with the relevant internal data protection lead where appropriate.

We may update this policy from time to time, for example if our services change or if the law requires it. The latest version will always be available on our website. We will publish the date of the latest revision on this page and, where appropriate, notify users of significant changes.

Further operational details about our data handling practices are set out in our Annex

info@restorativu.com

Address

Piccadilly Cottage, Ascott,
Oxford, Oxfordshire,
United Kingdom,
OX44 7UJ

RestorativU

15782616

Last updated: 15/06/2026