Privacy Policy

Last Updated: 31 May 2026

1. Introduction

The Refract Foundation (‘Refract’, ‘we’, ‘our’, ‘us’) is committed to protecting the privacy and personal information of individuals and organisations who interact with our programmes, research, events and services.

This privacy policy outlines how we collect, use, store, share and protect information in accordance with applicable legislation, such as the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA).

By using our services, participating in our programmes and research, attending our events or visiting our website, you acknowledge the practices described in this policy.

2. Who We Are

The Refract Foundation is a youth-led initiative focused on improving digital literacy, digital inclusion, online safety and access to digital skills for young people in the West Midlands.

Refract Foundation operates under the fiscal sponsorship of Hack Club, a United States 501(c)(3) nonprofit organisation (EIN 81-2908499). Fiscal sponsorship relates primarily to financial administration and does not generally affect the day-to-day operation of Refract Foundation’s programmes, research activities, or data processing practices.

Depending on the nature of a programme, event, or research activity, Refract Foundation may work with educational institutions, partner organisations, or service providers who process information in accordance with their own legal obligations and privacy practices.

For privacy-related enquiries, you should contact: dpo@refractfoundation.org.

3. Scope

This privacy policy applies to:

• The Refract Foundation Website
• The Digital Literacy Census
• Research projects
• Events and workshops
• School engagement activities
• Communications with Refract
• Applications, registrations and forms
• Other services operated by Refract

4. Information We Collect

Information You Provide

We may collect information including:

• Name
• Email address
• School, college or organisation
• Event registration details
• Application information
• Correspondence with us
• Feedback and research responses

Technical Information

When using our website or digital services, we may collect:

• IP address
• Browser information
• Device information
• Operating system information
• Website usage statistics
• Analytics information
• Security logs

Research Information

The Digital Literacy Census may collect information relating to:

• Digital skills
• Technology access
• Online safety awareness
• Confidence using technology
• Digital learning experiences
• Attitudes towards digital technology

The Census may also collect optional demographic information such as:

• Year group
• Gender
• Ethnicity
• Additional learning needs
• Indicators of economic disadvantage
• Other equality and inclusion information

Unless explicitly stated otherwise, the Census is designed not to collect names, email addresses, student identifiers, home addresses or other directly identifying information.

Participants should not include identifying information within free-text responses.

5. How We Use Information

We may use information to:

• Deliver programmes and services
• Conduct research and analysis
• Improve educational initiatives
• Measure impact and outcomes
• Produce reports and recommendations
• Communicate with participants and partners
• Organise events and activities
• Support funding and grant applications
• Improve our services
• Meet legal obligations
• Protect the security and integrity of our systems

6. Legal Bases for Processing

Where UK GDPR applies, we process information under one or more of the following lawful bases:

Consent

Where an individual voluntarily provides information or agrees to participate in a survey, programme or activity.

Legitimate Interests

Where processing is necessary to support educational research, programme delivery, impact measurement, organisational administration, safeguarding or service improvement.

Legal Obligations

Where processing is required to comply with applicable laws or regulations.

Public Interest

Where activities contribute to educational improvement, digital inclusion, public benefit or research purposes.

7. The Digital Literacy Census

Purpose

The Digital Literacy Census is a research initiative designed to better understand:

• Digital access
• Digital skills
• Digital confidence
• Online safety knowledge
• Technology use among young people

The findings are intended to support educational improvement, digital inclusion initiatives, policy development, and programme planning.

While the Digital Literacy Census is designed to minimise the collection of personal data and does not intentionally collect directly identifying information, certain combinations of demographic responses may constitute personal data under applicable legislation. Refract Foundation therefore treats Census responses with appropriate safeguards.

Voluntary Participation

Participation is voluntary.

Participants may choose not to answer individual questions where appropriate, including by selecting “Prefer not to say” where available.

Reporting

Results are generally analysed and reported in aggregated form.

Reports may be produced at:

• School level
• Trust level
• Local authority level
• Regional level

The purpose of reporting is to identify trends, gaps, opportunities, and recommendations.

Use of Census Data

Information collected through the Digital Literacy Census may be used to:

• Produce reports
• Conduct statistical analysis
• Identify trends
• Support educational improvement
• Inform policy discussions
• Support funding applications
• Measure programme impact
• Develop future initiatives

8. Sharing Information

We may share information where necessary with:

• Schools
• Colleges
• Academy trusts
• Local authorities
• Government organisations
• Charities and non-profit organisations
• Research institutions
• Strategic partners
• Technology providers
• Professional advisers
• Funders

Where possible, information shared externally will be anonymised, aggregated, pseudonymised or otherwise minimised.

Digital Literacy Census findings may be shared with third parties for educational, research, policy, funding, impact measurement or public benefit purposes.

We may publish reports, statistics, dashboards, and research findings based on Census data. Such publications will be designed to prevent the identification of individual participants.

We do not sell personal information.

9. Data Processors and Service Providers

We may use trusted third-party service providers to support:

• Website hosting
• Survey delivery
• Data storage
• Analytics
• Email communications
• Event registration
• Research activities

Examples of services we may use include:

• Tally for surveys, registrations, and data collection
• Airtable for data management, analysis, and project administration
• Vercel and GitHub for web hosting
• Purelymail and tawk.to for communications
• Analytics providers
• Cloud storage and productivity platforms

These providers may process information on our behalf and are required to implement appropriate safeguards.

We remain responsible for ensuring that information processed on our behalf is handled appropriately and securely.

10. International Transfers

Some organisations that provide services to Refract Foundation may process or store information outside the United Kingdom.

For example, cloud-based software providers may operate internationally and use data centres located in multiple countries.

Where personal information is transferred internationally, we take reasonable steps to ensure appropriate safeguards are in place. These safeguards may include:

• Transfers to countries recognised as providing an adequate level of protection under applicable data protection laws.
• Standard contractual clauses or equivalent legal mechanisms.
• Contractual requirements relating to confidentiality, security, and data protection.
• Additional technical and organisational safeguards where appropriate.

We seek to ensure that any international transfers are conducted in a manner that protects the rights and freedoms of individuals and complies with applicable legal requirements.

Further information regarding international transfers may be requested using the contact details provided in this Privacy Policy.

11. Data Retention

We retain information only for as long as reasonably necessary for the purposes outlined in this policy, including research, analysis, reporting, programme delivery, legal compliance, safeguarding, and organisational administration.

Retention periods may vary depending on the nature of the information and the purpose for which it was collected.

Where information is no longer required, we will take reasonable steps to securely delete, anonymise, or otherwise dispose of it.

Aggregated, anonymised, statistical, or research data may be retained indefinitely for educational, historical, research, public interest, or longitudinal analysis purposes.

12. Data Security

We implement appropriate technical and organisational measures to protect information from:

• Unauthorised access
• Accidental loss
• Misuse
• Disclosure
• Alteration
• Destruction

Access to personal information is restricted to authorised individuals who require access for legitimate organisational purposes.

While we take reasonable precautions, no system can guarantee absolute security.

13. Children’s Information

Many Refract programmes involve young people.

We are committed to handling information relating to children responsibly and in accordance with applicable laws and safeguarding requirements.

Where activities are conducted through schools or educational institutions, we may rely on arrangements established with those organisations regarding participation and data collection.

14. Your Rights

Subject to applicable law, individuals may have the right to:

• Request access to personal information
• Request correction of inaccurate information
• Request deletion of information
• Request restriction of processing
• Object to certain processing activities
• Request data portability
• Withdraw consent where consent is relied upon

Requests may be submitted by emailing dpo@refractfoundation.org.

15. Complaints

If you have concerns about how information has been handled, please contact us first by emailing dpo@refractfoundation.org.

You may also lodge a complaint with the Information Commissioner’s Office (ICO) if you believe data protection laws have been breached.

16. Changes to This Policy

We may update this Privacy Policy from time to time.

Any updates will be published on our website with a revised effective date.

17. Contact

Privacy enquiries: dpo@refractfoundation.org

General enquiries: hello@refractfoundation.org

Website: refractfoundation.org