top of page

Privacy Policy

1. Introduction & Who We Are

Thornbury Nest Day Nursery (“we”, “us”, “our”) is committed to protecting and respecting your privacy. This policy explains how we collect, use, disclose, store and protect personal information about children enrolled with us, their families and carers, and any other individuals whose information we process in connection with our nursery services.
We are the data controller for the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 when we determine the purposes and means of processing your personal data.

2. Purpose of this Policy
This policy sets out:

  • what types of personal data we collect;

  • how we collect it;

  • how and why we use that data;

  • who we might share it with;

  • how long we keep it;

  • your rights in relation to your personal data.

3. Information We May Collect
We may collect and process the following personal data about you and/or your child:

  • Identity Data: names, date of birth, gender, relationship to child, unique identifiers, photographic ID where required.

  • Contact Data: home address, telephone numbers, email(s).

  • Child Data: child’s name, date of birth, gender, language, development information, medical/allergy/dietary information, immunisation records, doctor/GP details, records of accidents/incidents, photographs (for learning journals or promotional materials, if consented).

  • Financial Data: banking or payment card details if you pay us direct, fees and invoicing information.

  • Transaction Data: details of services you have bought from us, attendance records, amendments and changes.

  • Technical/Usage Data: for the website and/or parent-portal access, browser type, IP address, time zone, referral source, pages visited, time on site etc.

  • Marketing & Communication Data: your preferences in receiving marketing (if applicable), emails or newsletters you signed up to, opt-in consents.

  • Safeguarding/Regulatory Data: data required or used to meet our safeguarding obligations, regulatory submissions (e.g., to the Information Commissioner's Office, local authority or inspectors), and any other required professional records.

4. How We Collect Personal Data
We obtain personal data:

  • directly from you (e.g., when you enrol your child, complete forms, communicate with us by phone, email or in person);

  • via our website or online forms (e.g., parent portal, enquiries, contact forms);

  • from third parties (for example first-aid providers, local authorities, external services we engage, other nurseries/schools transferring records) where applicable;

  • automatically via cookies or similar technologies when you visit our website (see our Cookies Policy for more detail).

5. How We Use Your Personal Data & Lawful Bases
We will only process personal data when we have a lawful basis to do so, which will typically include:

  • Performance of a contract: e.g., to provide nursery services to you and your child; managing enrolment, attendance, fees and payments.

  • Legal obligation: e.g., safeguarding children, health & safety records, regulatory reporting.

  • Legitimate interests: e.g., administering and improving our nursery services, technology maintenance, website security, internal record-keeping, direct communications (unless overridden by your rights).

  • Consent: e.g., for marketing communications or processing sensitive personal data (e.g., health, religious beliefs) where required and where we have asked for and you have given consent.

The purposes for which we may use your personal data include (but are not limited to):

  • Registering your child and administering our contract with you;

  • Providing, managing and delivering our nursery services;

  • Managing payments, invoicing and debt recovery;

  • Managing our relationship with you, including communicating with you about changes to services, terms or this policy;

  • Safeguarding, health and safety and regulatory compliance;

  • Analyzing how our website and services are used to improve how we operate;

  • Sending you marketing or newsletters where you have opted in (you can always opt out);

  • Running our IT systems and infrastructure securely, including security monitoring, backups and incident-handling.

6. Sharing Your Personal Data
We may share personal data with:

  • Staff and managers of the nursery who need access to the information to perform their duties;

  • External suppliers/service providers (e.g., software providers, payment processors, inspection bodies, cleaning services) who process data on our behalf and under our instructions;

  • Local authority or regulatory bodies (e.g., the Office for Standards in Education, Children’s Services and Skills (Ofsted), Local Safeguarding Children’s Board) when required or permitted by law;

  • Other educational settings or child-care providers if your child moves or attends other settings and you have consented to the transfer;

  • In the event of a business sale or restructure, your personal data may be transferred as part of the business assets.

We require all third-party processors to maintain appropriate safeguards and to comply with data-protection law.

7. International Transfers
While most of our processing is within the UK, if we transfer personal data outside the UK or the European Economic Area (EEA), we will ensure that adequate safeguards are in place (e.g., standard contractual clauses, approved countries) so that your rights and protections remain.

8. Data Security
We implement appropriate technical and organisational measures to protect your personal data from unauthorised access, accidental loss, disclosure or alteration. Access to personal data is restricted on a need-to-know basis, and all staff are subject to confidentiality obligations. We also have procedures in place to manage and respond to personal data breaches and will notify you and the regulator where legally required.

9. Data Retention
We will retain your personal data only for as long as necessary to fulfil the purposes we collected it for, including meeting legal, accounting, tax, regulatory and safeguarding requirements. When data is no longer required, we will securely delete or anonymise it.

When determining retention periods we consider: the nature and sensitivity of the data; the risk of harm from unauthorised use or disclosure; the purposes for which we process the data; and whether those purposes can be achieved by other means.

10. Your Rights
Under UK data-protection law you have several rights in relation to your personal data, including to:

  • Request access to the personal data we hold about you (a “data subject access request”);

  • Request correction of inaccurate or incomplete personal data;

  • Request erasure of your personal data (in certain circumstances);

  • Object to processing (particularly in relation to direct marketing or where we rely on legitimate interests);

  • Request restriction of processing;

  • Request the transfer of your personal data to another party (data portability) in certain circumstances;

  • Withdraw your consent at any time where we rely on consent for processing (this will not affect the lawfulness of processing prior to withdrawal).

To exercise any of these rights, please contact us (see Section 12). We will respond to your request within statutory timeframes (typically one month) unless an extension is permitted by law. We may request proof of identity before complying.

11. Cookies & Website
Our website may use cookies and similar tracking technologies to collect technical/usage data as described above. Please refer to our separate Cookies Policy for further detail about the types of cookies we use, how you can control them, and your choices regarding them.

12. Contacting Us & Complaints
If you have any questions about this policy or our processing of your personal data, you can contact our Data Protection Coordinator at:
Thornbury Nest Day Nursery
Maria Bustamante
admin@thornburynest.com
 

If you believe we have not handled your personal data appropriately, you also have the right to lodge a complaint with the Information Commissioner’s Office: www.ico.org.uk.

13. Changes to This Privacy Policy
We may update this policy from time to time. The “Last updated” date below will indicate when it was most recently revised. We will notify you of any material changes (for example via our website or email). Please review this policy periodically to stay informed.
Last updated: 28th October 2025

14. Glossary of Key Terms

  • “Personal data” means any information about an identifiable living individual.

  • “Processing” means any operation performed on personal data (e.g., collection, storage, use, disclosure).

  • “Data controller” means the organisation which determines the purposes and means of processing personal data.

  • “Data processor” means a third-party organisation that processes personal data on behalf of the controller.

  • “Legitimate interests” means our interest in conducting and managing our business to enable us to provide you with nursery services and a secure experience, and we ensure that those interests are not overridden by your rights and freedoms.

bottom of page