Brilliant Bricks UK Limited customer privacy notice

Introduction

Welcome to the Brilliant Bricks privacy policy.

Brilliant Bricks respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you visit our website and tell you about your privacy rights and how the law protects you.

This privacy notice tells you what to expect us to do with your personal information.

Contact details
What information we collect, use, and why
Lawful bases and data protection rights
Where we get personal information from
How long we keep information
Who we share information with
Sharing information outside the UK
How to complain

Contact details

Email

sarah@brilliantbricks.co.uk

What information we collect, use, and why

We collect or use the following information for student education and welfare:
	Names and contact details for students/children Names and contact details for parents, guardians, carers Date of birth Dietary requirements (including vegetarian, vegan, gluten free and religious requirements) Payment details and financial information including transactions Special Educational Needs and Disabilities (SEND) or additional support information (includes reasonable adjustments and special educational needs and disabilities)
We also collect or use the following special category information for student education and welfare. This information is subject to additional protection due to its sensitive nature:
	Health information
We collect or use the following personal information for dealing with queries, complaints or claims:
	Names and contact details Purchase or service history Witness statements and contact details Correspondence Special Educational Needs and Disabilities (SEND) or additional support information (includes reasonable adjustments and special educational needs and disabilities)
We also collect the following special category information for dealing with queries, complaints or claims. This information is subject to additional protection due to its sensitive nature:
	Health information
We collect or use the following information for information updates or marketing purposes:
	Names and contact details Marketing preferences Website and app user journey information Records of consent, where appropriate
We collect or use the following information for recruitment purposes:
	Contact details (eg name, address, telephone number or personal email address) National Insurance number Copies of passports or other photo ID Employment history (eg job application, employment references or secondary employment) Right to work information Details of any criminal convictions (eg DBS, Access NI or Disclosure Scotland checks)

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights which are set out in brief below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.
Your right to rectification – You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.
Your right to erasure – You have the right to ask us to delete your personal information. Read more about the right to erasure.
Your right to restriction of processing – You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.
Your right to object to processing – You have the right to object to the processing of your personal data. Read more about the right to object to processing.
Your right to data portability – You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.
Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information for student education and welfare are:

Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.

Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.

Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

- We collect and use personal information to provide our educational activities and childcare services, ensure children’s safety and wellbeing, manage bookings and memberships, and meet our legal responsibilities (such as safeguarding). Our lawful bases include: • Contract – to deliver services you’ve requested • Legitimate interests – to run and improve our services • Legal obligation – where safeguarding or regulatory duties apply • Consent – for things like photos or optional communications If we need to collect health or SEND-related information, we do so with your explicit consent or where necessary to protect a child’s health or wellbeing.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for dealing with queries, complaints or claims are:

Contract – we have to collect or use the information so we can enter into or carry out a contract with you. All of your data protection rights may apply except the right to object.
Legal obligation – we have to collect or use your information so we can comply with the law. All of your data protection rights may apply, except the right to erasure, the right to object and the right to data portability.
Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:
We collect and use personal information to respond to questions, resolve complaints, and manage safeguarding or legal concerns. Our lawful bases include: • Legitimate interests – to manage and improve our services • Legal obligation – where safeguarding or legal duties apply • Contract – if the issue relates to a service you’ve booked • Vital interests – if someone is at risk and we need to act quickly If a concern includes sensitive information (such as health or SEND needs), we process that with your explicit consent or where necessary to protect someone’s wellbeing.
Vital interests – collecting or using the information is needed when someone’s physical or mental health or wellbeing is at urgent or serious risk. This includes an urgent need for life sustaining food, water, clothing or shelter. All of your data protection rights may apply, except the right to object and the right to portability.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Our lawful bases for collecting or using personal information for information updates or marketing purposes are:

Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Legitimate interests – we’re collecting or using your information because it benefits you, our organisation or someone else, without causing an undue risk of harm to anyone. All of your data protection rights may apply, except the right to portability. Our legitimate interests are:

- We may use your contact details to send you updates about our services, such as new clubs, membership offers, or events. We do this: • With your consent – when you sign up to hear from us (for example, via our website or waitlist) • Under legitimate interests – if you’re an existing customer and we’re telling you about similar services You can unsubscribe at any time using the link in our emails or by contacting us. We do not use health or SEND information for marketing purposes. If we use customer data for targeted advertising (like Facebook custom audiences) in future, we will update our privacy notice and ensure it meets data protection rules.

For more information on our use of legitimate interests as a lawful basis you can contact us using the contact details set out above.

Where we get personal information from

Directly from you

Parents or carers

Local authorities or local councils

Other education establishments

Suppliers and service providers

We collect and use personal information about children who attend our clubs, parties, and activities. This includes their name, age, emergency contacts, and any relevant health or SEND needs. We usually ask parents or guardians to provide this information. If we collect information directly from a child, we explain it in a way they can understand and only collect what’s necessary for the activity. We do not use children’s information for marketing or share it for commercial purposes.

How long we keep information

Data Type	Purpose	Retention Period	Justification
Child registration forms (including contact & medical info)	Safe delivery of services and safeguarding	Until end of child’s participation + 1 year	Allows time for dispute resolution and continuity for repeat customers
Health/SEND info (e.g. allergies, additional needs)	Ensure safety and appropriate support during sessions	Until end of activity/booking + 1 year	Minimise holding sensitive data beyond need
Safeguarding records or incident reports	Legal duty to retain child protection records	Until the child turns 25	Based on NSPCC and government safeguarding guidance
Booking & payment records (parents)	Service delivery, account management, legal recordkeeping	6 years	Required for tax/audit purposes (per HMRC)
Email marketing consent records	Track lawful basis for contacting individuals	Until unsubscribed or 2 years after last engagement	Demonstrates consent & helps maintain a clean list
Customer queries or complaints	Service monitoring, legal defence, or safeguarding	3 years	ICO-recommended minimum unless linked to safeguarding
Photos/media (with consent)	Marketing or parent engagement	2 years, unless used in ongoing marketing	Review annually; delete if no longer used or consent withdrawn
Membership or club attendance records	Track participation and manage capacity	3 years	Operational reference; can be anonymised after 1 year

Who we share information with

Data processors

Google Workspace (cloud services, US-based)

This data processor does the following activities for us: Hosts our business emails and securely stores documents and administrative records.

Pebble (party booking system, UK-based)

This data processor does the following activities for us: Manages party bookings and stores related parent and child information.

MailerLite (email marketing provider, EU-based)

Sends marketing emails and updates to subscribers who have opted in.

Admin support (virtual assistant services, UK-based)

Assists with admin tasks including responding to parent enquiries and managing booking data, under our instruction.

Others we share personal information with

Parents and carers

Local authorities

Organisations we need to share information with for safeguarding reasons

Legal bodies or authorities

Relevant regulatory authorities

Professional consultants

Other relevant third parties:

- - Social services \/ safeguarding partners – If there is a safeguarding concern that requires professional involvement
  - Schools (UK-based) – To coordinate after-school clubs, attendance, and child safety (only with necessary staff).
  - Emergency services (UK-based) – In the event of a medical emergency or serious incident affecting a child.

Sharing information outside the UK

Where necessary, we will transfer personal information outside of the UK. When doing so, we comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

Organisation name: Google LLC

Category of recipient: Cloud services \/ email and document storage

Country the personal information is sent to: United States

How the transfer complies with UK data protection law: Addendum to the EU Standard Contractual Clauses (SCCs)

Organisation name: MailerLite UAB

Category of recipient: Email marketing platform

Country the personal information is sent to: Lithuania (EU)

How the transfer complies with UK data protection law: The country or sector has a UK data bridge (also known as Adequacy Regulations)

Where necessary, our data processors may share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

Organisation name: Google LLC (and its sub-processors)

Category of recipient: Cloud infrastructure and storage services

Country the personal information is sent to: United States (with global sub-processing)

How the transfer complies with UK data protection law: Addendum to the EU Standard Contractual Clauses (SCCs)

Organisation name: MailerLite UAB (MailerLite EU version)

Category of recipient: Email marketing and campaign management services

Country the personal information is sent to: Lithuania

How the transfer complies with UK data protection law: The country or sector has a UK data bridge (also known as Adequacy Regulations)

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint

Last updated

30^th June 2025

Brilliant Bricks UK Limited customer privacy notice

Introduction

Welcome to the Brilliant Bricks privacy policy.

Contact details

Email

What information we collect, use, and why

Lawful bases and data protection rights

Our lawful bases for the collection and use of your data

Where we get personal information from

How long we keep information

Who we share information with

Data processors

Others we share personal information with

Sharing information outside the UK

How to complain

Last updated

Subscribe to Our Newsletter

Quick Links

Follow