Privacy Policy Terms of Use & Data Processing Addendum (DPA)

PRIVACY POLICY

Last updated: 12 May 2026

1. Overview

Stack Integral Limited (“Stack Integral”, “we”, “us” or “our”) is committed to protecting personal data and handling it responsibly.

This Privacy Policy explains how we collect, use, store and protect personal information when you visit stackintegral.com, contact us, interact with our content, submit an enquiry, or use our services.

We provide AI-supported workflow, automation, revenue systems and education-related AI readiness services. Our work may involve business data, customer data, operational data and, where agreed with a school or education setting, education-related data.

We apply the UK GDPR, the Data Protection Act 2018 and applicable privacy laws as our baseline standard.

We do not sell personal data.


2. Scope and Applicability

This Privacy Policy applies to:

Visitors to our website

Individuals who contact us

Individuals who submit forms or enquiries

Clients, prospects, suppliers and business contacts

Users interacting with our content, communications or systems

School leaders, staff, governors, trustees and education contacts

Individuals whose personal data may be processed as part of an agreed client service

This policy does not cover third-party websites, platforms or services that we do not control.

Where Stack Integral processes personal data on behalf of a client, school, trust or organisation, the Data Processing Addendum below also applies.


3. Our Role: Controller and Processor

Stack Integral may act as either a data controller or a data processor depending on the context.

When we act as controller

We act as a data controller when we decide how and why personal data is used. This includes:

Website enquiries

Marketing communications

Client and prospect relationship management

Supplier management

Our own business administration

Website analytics where we control the purpose of processing

When we act as processor

We act as a data processor when we process personal data on behalf of a client, school, trust or organisation under their documented instructions.

This may include:

CRM automation

Lead routing

Follow-up workflows

AI-supported enquiry handling

SMS or email workflow automation

Database reactivation

Reporting dashboards

School AI readiness or implementation support

Education workflow or resource support where personal data is included in scope

Where we act as a processor, the client or school remains responsible for the lawful basis, privacy notices, internal approvals and decisions about how personal data is used.


4. Information We Collect

Personal data you provide to us

We may collect:

Name

Email address

Phone number

Job title

Organisation or school name

Company or school details

Information submitted through website forms

Information provided in emails, calls or messages

Meeting notes or enquiry details

Communication preferences

Any other information you choose to provide

Providing this information is voluntary, but we may not be able to respond to an enquiry or provide services without it.

Information collected automatically

When you visit our website, we may collect:

IP address

Browser type

Device information

Pages visited

Referring URLs

Website interaction data

Cookie and consent preferences

We use this information to operate, secure and improve the website.

Information processed as part of client services

Where we provide services to a client, school, trust or organisation, we may process personal data contained in the systems or workflows they ask us to support.

This may include:

Customer, prospect or lead data

CRM records

Email or SMS communication data

Enquiry records

Quote or proposal information

Workflow status data

Internal notes or task information

Staff or user account information

School operational data

Parent, carer, pupil or staff information where expressly included in the agreed scope

We only process this type of data under the relevant agreement, documented instructions and appropriate safeguards.


5. How We Use Personal Data

We may use personal data to:

Respond to enquiries and communications

Provide information about our services

Arrange calls, audits, consultations or meetings

Deliver services to clients

Design, build, test and improve workflows

Operate AI-supported systems under agreed controls

Manage client relationships

Send service-related communications

Send marketing communications where permitted

Maintain records

Improve our website, services and systems

Monitor security and prevent misuse

Meet legal, contractual and regulatory obligations

We do not use personal data for purposes that are incompatible with the reason it was collected.


6. Lawful Basis for Processing

We rely on one or more lawful bases depending on the context.

Consent

We rely on consent where you have actively agreed to a specific use, such as receiving certain marketing communications or allowing non-essential cookies.

You can withdraw consent at any time.

Contract

We rely on contractual necessity where processing is needed to provide requested services, manage a client relationship or take steps before entering into a contract.

Legitimate interests

We may rely on legitimate interests where processing is necessary for our business operations and does not override your rights and freedoms.

This may include:

Responding to business enquiries

Managing business relationships

Improving our services

Sending relevant B2B communications where permitted

Maintaining security

Keeping appropriate records

Legal obligation

We may process personal data where required to meet legal, tax, accounting or regulatory obligations.

Vital interests

In rare circumstances, we may process personal data where necessary to protect someone’s vital interests, such as where there is an immediate risk to life or safety.


7. AI and Automation Responsibility

Stack Integral designs AI-supported systems with defined boundaries, human oversight and clear escalation points.

AI may be used to support:

Workflow consistency

Enquiry handling

Drafting

Routing

Qualification

Summarisation

Data organisation

Follow-up prompts

Reporting and analysis

AI is not used to remove human accountability from important decisions.

Humans remain responsible for:

Commercial decisions

Sensitive customer conversations

Safeguarding judgement

Educational judgement

Legal or compliance decisions

Final approval where required

Any decision that materially affects an individual

We design systems to support people, not replace responsible human judgement.


8. Education and Schools

Where Stack Integral provides services to schools, colleges, education settings, tutoring organisations or multi-academy trusts, we may process personal data relating to staff, governors, trustees, parents, carers, pupils, prospective pupils or former pupils where this is necessary to deliver the agreed service.

In most education projects, the school or education setting remains the data controller. Stack Integral acts as a data processor and only processes personal data on documented instructions from the school or education setting.

Depending on the agreed project, data may include:

Names and contact details

Role and organisation information

Staff training or CPD records

Communication content

Workflow data

Enquiry data

Parent or carer communications

Pupil-related operational information

Education resource or support information

SEND-related information only where expressly included in scope

Safeguarding-adjacent information only where expressly included in scope

We do not knowingly collect personal data directly from children through this website for marketing purposes.

We do not use pupil data for advertising, resale, unrelated commercial purposes or independent profiling.

Where a project may involve pupil data, SEND-related information, safeguarding-adjacent information, behavioural information or other sensitive context, this must be agreed with the school in advance and handled under appropriate safeguards.

These safeguards may include:

Data minimisation

Access controls

Clear role permissions

Human oversight

Approved tool use

Retention limits

Deletion or return procedures

School-led approval

DPIA support where required

We do not use school, staff, pupil, parent or carer data to train public AI models unless this has been expressly agreed in writing and is lawful for the relevant use case.


9. AI Tool Use and Personal Data

We design AI-supported workflows to avoid unnecessary use of personal data.

Where possible, AI tools are used with anonymised, minimised or non-identifiable information.

Where personal data is required for an agreed workflow, we consider:

The purpose of processing

Whether personal data is necessary

The type and sensitivity of the data

Tool configuration

Retention settings

Access controls

Whether prompts or outputs may be reviewed by humans

Whether data may be used for model training

Whether the tool is appropriate for the client context

We do not intentionally submit personal data into public AI tools where that data may be used to train external models, unless this has been specifically agreed in writing and is lawful for the relevant use case.

AI outputs are used to support workflow consistency, drafting, analysis, routing or triage. They do not replace professional judgement, safeguarding judgement, educational decision-making or human accountability.


10. Cookies and Analytics

We use cookies and similar technologies to operate our website, remember preferences, understand website performance and, where enabled, support marketing.

Essential cookies are used to make the website work.

Analytics and marketing cookies are only used where lawful and where appropriate consent has been obtained.

You can manage your cookie choices through our cookie banner or browser settings.

For more information, please see our Cookie Policy.


11. Marketing Communications

You may receive marketing communications from us if:

You have opted in

You have requested information from us

You have an existing business relationship with us

We have a legitimate interest in contacting you in a B2B context and the law permits this

You can unsubscribe at any time by using the unsubscribe link in our emails or by contacting us.

We do not sell personal data to third parties for marketing.

We do not send marketing communications directly to children.


12. SMS Communications

Where you opt in to receive SMS communications from Stack Integral:

Messages may relate to your enquiry, services, updates or relevant offers

Message and data rates may apply

You may opt out at any time by replying STOP

We do not share phone numbers for third-party marketing without explicit consent

Where SMS workflows are provided for a client, the client is responsible for ensuring that recipients can lawfully be contacted and that appropriate consent, legitimate interest assessment or other lawful basis is in place.


13. Data Retention

We retain personal data only for as long as necessary for the purpose it was collected.

Typical retention periods may include:

Website enquiries: up to 24 months after last meaningful contact

Marketing contacts: until you unsubscribe or object

Client records: for the duration of the client relationship and up to 6 years afterwards where required for legal, tax, accounting or contractual reasons

Contract and invoice records: up to 6 years

Service delivery data: for the period agreed with the client

School or pupil-related data: only for the period agreed with the school or education setting

Cookie consent records: for the period required to evidence consent and manage preferences

Where we act as a processor, data retention is governed by the client’s instructions and the applicable agreement.

We may retain limited records where required to establish, exercise or defend legal claims, comply with law, or maintain suppression lists.


14. International Data Transfers

Personal data may be transferred to and processed in countries outside the UK or European Economic Area where our service providers operate.

Where required, we use appropriate safeguards such as:

UK International Data Transfer Addendum

Standard Contractual Clauses

Adequacy regulations

Equivalent lawful transfer mechanisms

Where we act as a processor, international transfers are handled in accordance with the relevant agreement and documented instructions.


15. Your Rights

Subject to applicable law, you may have the right to:

Access your personal data

Request correction of inaccurate data

Request deletion of your data

Restrict processing

Object to processing

Withdraw consent

Request data portability

Object to direct marketing

Not be subject to solely automated decisions with legal or similarly significant effects

To exercise your rights, contact:

[email protected]

We may need to verify your identity before responding.

Where Stack Integral acts as a processor, we may need to refer your request to the relevant client, school or organisation acting as controller.


15a. Right to Complain

You have the right to lodge a complaint with the Information Commissioner’s Office if you believe your personal data has been handled unlawfully.

ICO website: ico.org.uk
ICO helpline: 0303 123 1113

We would appreciate the opportunity to address your concerns before you contact the ICO.


16. Security

We use appropriate technical and organisational measures to protect personal data.

These may include:

Access controls

Secure systems

Password protection

Encryption where appropriate

Data minimisation

Role-based access

Secure sharing procedures

Monitoring and logging where appropriate

Personnel confidentiality obligations

Supplier due diligence

Incident response procedures

No system is completely secure. Please do not send sensitive information by unencrypted email unless necessary and agreed.


17. Children’s Data

Our website and marketing are intended for adults, including business owners, organisational decision-makers, school leaders, staff, governors and trustees.

We do not knowingly collect personal data directly from children through our website for marketing purposes.

Where we work with schools or education settings, we may process children’s personal data only where instructed by the school or education setting and only for the agreed educational, operational or safeguarding-compatible purpose.

Children’s data is treated with additional care.

Where children’s data is included in scope, we apply appropriate safeguards, which may include:

Data minimisation

Access controls

Clear role permissions

Appropriate security measures

Human oversight

Approved tool use

Clear deletion or return procedures

Where required, the school or education setting is responsible for ensuring that appropriate privacy notices, lawful basis assessments, parental communications, DPIAs and internal approvals are in place.

We do not use children’s data for advertising, resale, unrelated profiling or public AI model training.


18. Policy Updates

We may update this Privacy Policy periodically.

Changes will be posted on this page with an updated “Last updated” date.

Where changes are material, we may take additional steps to notify affected individuals or clients where appropriate.


19. Contact

For questions about this Privacy Policy or how we handle personal data, contact:

Stack Integral Limited
Email: [email protected]
Website: stackintegral.com
Company No: 17014408
ICO Registration Number: ZC110679


DATA PROCESSING ADDENDUM (DPA)

Last updated: 12 May 2026

This Data Processing Addendum (“DPA”) forms part of any agreement between Stack Integral Limited (“Processor”, “Stack Integral”, “we”, “us” or “our”) and the client, school, trust or organisation (“Controller”, “Client” or “you”) where Stack Integral processes personal data on behalf of the Controller.


1. Purpose and Scope

This DPA governs the processing of personal data by Stack Integral on behalf of the Controller in connection with the provision of AI-supported workflow, automation, revenue systems, education readiness, implementation and related services.

It applies where Stack Integral acts as a data processor under:

UK GDPR

EU GDPR where applicable

Data Protection Act 2018

Other applicable data protection laws

Where Stack Integral processes personal data for its own purposes, such as website enquiries or its own marketing, it acts as a controller and those activities are governed by the Privacy Policy above.


2. Roles and Responsibilities

Controller

The Controller:

Determines the purposes and means of processing personal data

Confirms it has a lawful basis for the processing

Confirms it has the right to share personal data with Stack Integral

Provides appropriate privacy notices to data subjects

Handles data subject rights requests unless otherwise agreed

Ensures special category, children’s, SEND or safeguarding-related data is only shared where lawful and necessary

Ensures internal approvals, DPIAs and governance steps are completed where required

Processor

Stack Integral:

Processes personal data only on documented instructions from the Controller

Does not determine the Controller’s purposes for processing

Applies appropriate technical and organisational safeguards

Ensures authorised personnel are bound by confidentiality

Assists the Controller with compliance obligations where reasonably possible

Notifies the Controller if, in our opinion, an instruction appears to infringe applicable data protection law


3. Subject Matter, Duration, Nature and Purpose of Processing

Subject matter

The subject matter of processing is the provision of services agreed between Stack Integral and the Controller.

This may include:

AI-supported workflow design

CRM automation

Enquiry handling workflows

Lead routing and qualification

Follow-up automation

Database reactivation

SMS or email workflow support

Reporting and dashboards

School AI readiness support

Education workflow support

Operational process improvement

Duration

Processing lasts for the term of the agreement, unless a different retention or deletion period is agreed in writing.

Nature of processing

Processing may include:

Collection

Recording

Organisation

Structuring

Storage

Retrieval

Consultation

Use

Analysis

Matching

Routing

Transmission

Restriction

Deletion

Return

Purpose of processing

The purpose of processing is to deliver the agreed services and support the Controller’s workflows, operations, communications, reporting and agreed AI-supported processes.


4. Categories of Data and Data Subjects

Categories of data subjects

Depending on the agreed services, data subjects may include:

Client employees, contractors and authorised users

Customers

Prospects

Leads

Business contacts

Website or enquiry submitters

Suppliers

School staff

Governors

Trustees

Parents, carers and guardians

Pupils, prospective pupils or former pupils, where expressly included in scope

Other individuals whose data is included in systems or workflows provided by the Controller

Categories of personal data

Depending on the agreed services, personal data may include:

Names

Contact details

Job titles

Organisation or school information

CRM records

Communication content

Enquiry details

Lead status

Quote or proposal status

Customer history

Notes, tags and workflow fields

Interaction metadata

System activity

Staff training or participation data

Education-related operational data

Parent, carer or pupil-related information where expressly included in scope

Special category or sensitive data

Special category, safeguarding-adjacent, SEND-related, health-related, behavioural or highly sensitive data must only be processed where:

It is expressly included in the agreed scope

The Controller confirms it is lawful and necessary

Appropriate safeguards are in place

Access is limited to those who need it

Retention and deletion rules are clear


5. Lawful Processing and Confidentiality

Stack Integral shall:

Process personal data only on documented instructions from the Controller

Ensure personnel with access to personal data are subject to confidentiality obligations

Not disclose personal data to third parties except as permitted under this DPA, the main agreement, the Controller’s instructions or applicable law

Take reasonable steps to ensure that any person acting under our authority processes personal data only as instructed


6. Sub-Processors

The Controller gives Stack Integral general written authorisation to engage sub-processors where necessary to deliver the agreed services.

Sub-processors may include providers of:

Hosting

CRM systems

Automation platforms

Email tools

SMS or communication tools

Analytics

Secure storage

AI tools

Project management tools

Integration services

Stack Integral will:

Conduct appropriate due diligence on sub-processors

Ensure sub-processors are subject to appropriate data protection obligations

Remain responsible for sub-processor compliance where required by law

Make sub-processor information available on request

Notify the Controller of material changes where required by the agreement

Current or potential sub-processors may include, depending on the agreed service:

HubSpot

Google Workspace

Microsoft 365

OpenAI or other agreed AI providers

GoHighLevel or website/form providers

Twilio or other SMS providers

Make, Zapier, n8n or other automation providers

Analytics or consent management providers

Other tools agreed with the Controller during onboarding or implementation

The actual sub-processors used for a specific client will depend on the agreed project and tool stack.


7. International Data Transfers

Where personal data is transferred outside the UK or European Economic Area, Stack Integral will ensure appropriate safeguards are in place where required.

These may include:

UK International Data Transfer Addendum

Standard Contractual Clauses

Adequacy regulations

Equivalent lawful transfer mechanisms

Stack Integral will not make international transfers contrary to the Controller’s documented instructions.


8. Security Measures

Stack Integral implements appropriate technical and organisational measures to protect personal data.

These may include:

Access controls

Role-based permissions

Secure authentication

Secure infrastructure

Data minimisation

Encryption where appropriate

Confidentiality obligations

Supplier due diligence

Monitoring and logging where appropriate

Secure data sharing practices

Regular review of workflows and access

Incident response procedures

Detailed security information may be provided on reasonable request.


9. Data Subject Rights

Stack Integral will assist the Controller, where reasonably possible, in responding to data subject rights requests.

This may include requests for:

Access

Rectification

Erasure

Restriction

Objection

Data portability

Withdrawal of consent

Objection to direct marketing

Rights relating to automated decision-making

If Stack Integral receives a request directly in relation to personal data processed on behalf of the Controller, we will refer the request to the Controller unless legally prohibited from doing so.


10. Data Breach Notification

In the event of a personal data breach affecting personal data processed under this DPA, Stack Integral will:

Notify the Controller without undue delay after becoming aware of the breach

Provide available information to support the Controller’s compliance obligations

Take reasonable steps to contain, investigate and mitigate the breach

Cooperate with the Controller’s reasonable requests relating to the breach

The Controller is responsible for determining whether notification to the ICO, another regulator or affected individuals is required, unless otherwise required by law.


11. Data Retention, Return and Deletion

Upon termination of services, or upon written instruction from the Controller, Stack Integral will delete or return personal data processed on behalf of the Controller, unless retention is required by law.

Where deletion is requested, we will take reasonable steps to delete personal data from active systems and instruct relevant sub-processors to do the same where applicable.

Some data may remain temporarily in backups or logs until overwritten according to normal retention cycles, unless earlier deletion is technically feasible.


12. Audits and Compliance

Stack Integral will:

Maintain appropriate records of processing activities where required

Provide reasonable information to demonstrate compliance with this DPA

Cooperate with audits where required by applicable law

Ensure audits are subject to reasonable notice, confidentiality and security requirements

Avoid unnecessary disruption to services or other clients

Where an independent audit, certification or security report is available, this may be provided instead of direct audit access where appropriate.


13. Assistance with DPIAs and Prior Consultation

Where reasonably possible, Stack Integral will assist the Controller with:

Data protection impact assessments

Risk reviews

Security assessments

AI governance reviews

Prior consultation with a regulator where required

This assistance may be subject to reasonable scope, timing and fees depending on the nature of the request.


14. Liability

Each party’s liability under this DPA is subject to the limitations set out in the main agreement, except where prohibited by law.

Nothing in this DPA limits liability where liability cannot legally be limited.


15. Education Services Schedule

This section applies where Stack Integral provides services to a school, college, education setting, tutoring organisation or multi-academy trust.

15.1 Controller and processor roles

The school, trust or education setting is normally the data controller.

Stack Integral acts as data processor unless otherwise agreed in writing.

The school remains responsible for:

Lawful basis

Privacy notices

Parent, carer, pupil or staff communications

DPIAs where required

Internal approvals

Safeguarding procedures

SEND governance

Appropriate use of education records

Decisions about pupil support, safeguarding or educational outcomes

15.2 Pupil data

Stack Integral will only process pupil data where:

It is expressly included in the agreed scope

The school has confirmed that processing is lawful and necessary

The data is limited to what is needed

Access is restricted

Appropriate safeguards are in place

Stack Integral will not use pupil data for:

Advertising

Resale

Unrelated commercial purposes

Independent profiling

Public AI model training

Direct marketing to pupils

15.3 SEND, safeguarding and sensitive information

SEND-related, safeguarding-adjacent, health-related, behavioural or other sensitive pupil information must only be processed where expressly agreed.

Where such data is included, the school must identify:

The purpose of processing

The categories of data involved

Who may access the data

Any safeguarding escalation requirements

Retention and deletion rules

Whether a DPIA is required

Stack Integral does not replace the role of the DSL, SENCO, teachers, governors, school leaders or safeguarding professionals.

15.4 AI use in education projects

Where AI tools are used in education projects, Stack Integral will aim to ensure that:

Personal data is avoided unless necessary

Data is minimised

Sensitive data is not used unless expressly agreed

Tools are selected and configured with appropriate safeguards

Human oversight remains in place

AI outputs are reviewed by appropriate school staff where required

AI does not make final safeguarding, SEND, disciplinary or educational decisions

15.5 Direct contact with pupils, parents or carers

Stack Integral will not directly contact pupils, parents or carers unless instructed by the school and only within the agreed scope.

Where communication workflows involve parents or carers, the school remains responsible for ensuring that messages are lawful, appropriate and aligned with school policies.

15.6 Retention and deletion

Pupil, parent, carer, staff or education-related data will be retained only for the period agreed with the school.

At the end of the service, data will be deleted or returned according to the school’s documented instructions, unless retention is legally required.

15.7 Safeguarding escalation

If Stack Integral becomes aware of information that may indicate an immediate risk to a child or vulnerable person, Stack Integral will follow the safeguarding escalation route agreed with the school or education setting.

Stack Integral does not provide safeguarding advice and does not replace statutory safeguarding duties.


16. Contact

For data protection or DPA-related enquiries:

Stack Integral Limited
Email: [email protected]
Website: stackintegral.com
Company No: 17014408
ICO Registration Number: ZC110679


© 2026 Stack Integral. All rights reserved.