Privacy notice

We are The Access Project (TAP, We, Us), and we are based at The Dock, Tobacco Quay, London E1W 2SF. We are a Data Controller, and are committed to protecting your data in line with the General Data Protection Regulation (GDPR).

The central contact for data protection can be contacted through

Processing personal data

We process personal data relating to The Access Project students, tutors, staff, trustees, funders and business partners, in order to run the Access Project and keep people informed about any work that we are completing.

What personal data do we collect and how?

Funders and other partners – We may collect your data from publicly available sources, if you give it to us or if a mutual connection puts us in touch. Typically we collect your name, email address and telephone number financial and credit card information and personal descriptions.

Student applicants – Information on student applicants may be collected from students themselves via an application form, their school and, once selected to the programme,  their parents/ guardians. Data collected includes your name, date of birth, gender, email address, home address, the school you attend, UCAS applications and outcomes, target, predicted and actual grades, information relating to your Free School Meal status, Special Educational Needs status, whether you are in care or a care leaver, ethnicity data and relevant health information.

Non The Access Project students – We may collect anonymised grades from students in the schools we partner.

Volunteers – We use volunteer websites such as, Escape the City, Volunteering Brent, Reach Volunteering – these sites may capture an interested volunteer’s name and email address or phone number and pass this on to us to contact you. We also collect your data when you complete an online application form. Typically we collect your name, date of birth, email address and telephone number, education information and reference details.

Tutors and students, online tuition – We record tutorials occurring online using the company Infiniti for safeguarding purposes. Their privacy policy can be found on the Infiniti platform.

Employees – Typically we collect your name, date of birth, email address, telephone number, nationality, next of kin name and contact details, National Insurance number, bank account details, personal references, ID document details (e.g. passport/ driving license), employment and educational history, a photo of employees for the company website. We also collect special category data with consent (such as health/ medical information). This data is collected from submitted application forms directly from candidates and employees. We may also receive applicant information from recruitment agencies.

Volunteers working with children and Employees – We collect your five year address history, history of name changes, birthplace details, ID documents and information relating to any unspent criminal convictions via the DBS processing company UCheck to process your DBS checks. Their privacy policy can be found on the UCheck website.

What do we do with your data?

We look after your personal data by keeping it up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting it from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect it.

We store your data on the secure cloud-based service Salesforce, we store employee data on the HR platform BambooHR, we use Gmail for email communications and all tutorial recordings are held within the Infiniti platform.

The reasons we use your data are as follows:

To determine your eligibility for commencing with The Access Project

  • We use your grades, your application form answers and recommendations from your teachers as determinants for assessing your eligibility to participate in The Access Project.
  • We prioritise students who are eligible for Free School Meals, Pupil Premium and in care/ care leavers.
  • We use your postcode to determine whether people in your area are likely to go to university using The Office for Students POLAR higher education participation measure. In addition we also use postcode data to determine which category of ACORN neighbourhood our students come from. We use this data to establish eligibility for The Access Project, prioritising those from areas less likely to attend university, and for sharing with evaluation partners to determine the effectiveness of The Access Project.

To enable student-tutor pairings

  • Personal data of tutors may be shared with parents and students; and contact details of students may be provided to tutors.

For administrative purposes 

  • To maintain the passwords/user logins of registered users
  • To send you information which We feel may be of interest to you
  • To enable you to use any services that We may from time to time provide through Our website
  • To investigate and address your queries and questions including those you raise with Us, contact us via
  • Where We have your permission to do so, to send you information about Our products and services
  • For website administration (including to enable Us to respond to any comments on the website or feedback you may give Us)
  • To establish the effectiveness of The Access Project in comparison to peers’ results
  • To process a donation you make

We may also share your personal information with…

  • Schools, in order to inform a school about their pupils’ tutor pairings
  • A university, in order to inform that university about their volunteer tutor pairings. Some university partners may record student data in the Higher Education Access Tracker (HEAT) in order to track long-term outcomes including university progression. You can read more about this here
  • Business partners, in order to allow them to monitor the impact of their company’s volunteer tutors, their school partnership and for visits to their organisation building
  • Law enforcement agencies, regulators, courts or other public authorities where we are required to, or are authorised to by law
  • Tutoring programmes and their business administrators, in order to facilitate them providing high-quality tutoring to help pupils whose education has been affected by the COVID-19 pandemic
  • Student and tutor personal data is shared with our evaluation partners (e.g. UCAS STROBE, FFT Education Datalab) who will use it to conduct impact analyses of our programme
  • Evaluation partners may link this data to other data held in the National Pupil Database, which is managed by the Department for Education
  • Anonymised data is sometimes provided to third parties for purposes of statistical analysis to enable us to assess the impact of our work
  • We use a third party provider, Mailchimp, to deliver our newsletters. You can find more information on the Mailchimp website.

You can read more about how our main service providers comply with GDPR through the following links: 

If we have a contract with another organisation to provide services on our behalf or if we share information with other parties as set out above, we’ll make sure that they also have appropriate security measures in place to only process your personal data in accordance with our instructions and not for any other purpose.

If you are not willing to provide your personal data then you will not be able to benefit from many of our services or participate in our programmes.

What is the legal basis for processing your personal data?

To process your data lawfully, we rely on the following grounds:

  • Consent of the data subject – In regards to sending marketing emails and when processing special category data
  • Processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract – This basis is used for processing data relating to staff, students on the programme and volunteer tutors who are part of the programme
  • Legitimate interests – We may process personal data where, when weighed against your rights as a data subject, it is in our legitimate interest to do so.

Specifically, The Access Project uses this basis in the following situations and for the following legitimate interests:

  • Receiving grades and university application information from schools and sharing student and tutor data with evaluation partners and universities, in order to facilitate the efficient operation of The Access Project, track long-term outcomes including university progression and provide students with effective tuition
  • Providing parents with the name and place of work of the tutor their child is matched with, to keep them informed in the matching process
  • Using staff bios and a photo supplied by them on our website
  • Further information for volunteers can be found in our volunteer privacy notice.

If you object to us using your data where we are relying on our legitimate interests as explained above please contact

  • Legal obligation – Where The Access Project needs to use your information in order to comply with a legal obligation, for example to report a concern about student wellbeing to Children’s Services when required, we may also have to disclose your information to third parties such as the courts, the local authority or the police where legally obliged to do so.

Special category data

We may, with your consent, process “special categories” of personal data (sensitive personal data) for students and staff such as ethnicity data for equality and diversity purposes, and health information for medical purposes. We will never share this information without your consent.

We won’t do anything with your information you wouldn’t reasonably expect. If you have any queries regarding how we process your data, please contact us at

We will only hold your information for as long as is necessary in line with our retention policy, which is usually for as long as you have an active relationship with The Access Project or as long as the law requires.

Transfers outside of the EEA 

In this section, we provide information about the circumstances in which your personal data may be transferred and stored in countries outside the European Economic Area (EEA).

We may share personal information to third parties outside of the European Economic Area (EEA). Any personal information transferred will only be processed on our instruction and we ensure that information security at the highest standard would be used to protect any personal information as required by the Data Protection laws. Where personal data is transferred outside of the EEA to a country without an adequacy decision, we will ensure appropriate safeguards are in place prior to the transfer. These could include Standard Contractual Clauses

For more information about transfers and safeguarding measures, please contact us using the information provided in this policy.

Using our website

Your personal data may be collected via the website in two ways:

  • Web-server logs
  • The entering of name, email addresses, mobile phone numbers.

In addition, we may gather personal data:

  • From the personal data you provide to us
  • From our suppliers who we appoint on our behalf to run campaigns on social media or other forums.

Web server logs

When you visit this website, your visit is logged by our web server as is the case with most websites. This log information is statistically analysed by our staff to show trends in the use of the website, such as the popularity of particular pages.

This log information does not identify you personally. It does not identify your email address. It may include the IP address and/or fully qualified domain name of the computer you use. You should be aware that this information might identify the company you work for (if you access the website from your place of work), or your Internet Service Provider (ISP).

We may log clicks on the links to other websites that are included in our website. This is to help us determine the popularity of such links. Since this link-logging is included in our web logs, it will record the identity of the computer making the request but does not identify you personally.

If you access our website by way of a hardware firewall, a proxy server or any other kind of router (such as a dial-up modem connection at your ISP) then it is the address of the router that will appear in our logs and not the address of your computer.


During the course of your use of the website you may be requested to enter your email address and/or mobile phone number to use a service we provide. This information will only be used in accordance with the terms of this Privacy notice. If you do not want to provide this information, you will not be able to use some of our services.


Our site uses cookies and other tracking technologies. To read how cookies and tracking technologies work and what they are used for on this site and to see a list of the companies that use these cookies and technologies and how they use them please read our Cookie policy. Please continue to use this website as normal if you are happy with the current cookie settings. You can change your cookies preferences or disable cookies via your browser.

Hyperlinks to other websites

This website contains hyperlinks to websites owned and operated by third parties. These websites have their own privacy policies and terms of use and We urge you to review them. They will govern the use of personal data you submit whilst visiting these websites. The Access Project does not accept any responsibility or liability for the privacy practices of such third party websites and your use of such websites is at your own risk.


We use Hotjar in order to better understand our users’ needs and to optimise this service and experience. Hotjar is a technology service that helps us better understand our users experience (for example how much time they spend on which pages, which links they choose to click, what users do and don’t like) and this enables us to build and maintain our service with user feedback.

Hotjar uses cookies and other technologies to collect data on our users’ behaviour and their devices. In particular they collect: device’s IP address (captured and stored only in anonymised form), device screen size, device type, browser information, geographic location (country only), preferred language used to display our website. Hotjar stores this information in a pseudonymised user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user.

For further details, please see Hotjar’s privacy policy by clicking on this link. You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link.

Your rights and your personal data

You have rights regarding your personal data. You can:

  • Request a copy of your data that we hold
  • Request that we correct any personal data that is incorrect or out of date
  • Request your personal data is deleted if it is no longer necessary for us to process it
  • Withdraw your consent to the processing at any time
  • Request your personal data is transferred to another data controller (this is called data portability)
  • Request a restriction is placed on further processing your data
  • Object to how your personal data is processed.

If you have a concern about the way we are collecting or using your personal data, you should raise your concern with us or directly to the Information Commissioner’s Office or another relevant supervisory authority.

This policy was last updated in February 2023.