Privacy policy

Mastery Science Customer Privacy Notice

This privacy notice tells you what to expect us to do with your personal information. It covers information collected when placing orders with Mastery Science Ltd, subscribing to newsletters, taking part in education research projects, or visiting the website

Contact details

·       Data controller: Mastery Science Ltd.

·       Registered address: 1-2 Johnston Road

·       Woodford Green, Essex, IG8 0XA

·       Telephone: 07757939007.

·       Email: tony@masteryscience.com.

·       Data Protection Officer: Dr Tony Sherborne, tony@masteryscience.com

 

What information we collect, use, and why

·       Order processing and customer management: names, school or organisation, contact details, purchase history, delivery details, communications related to orders, and payment confirmations handled by secure payment providers. Card details are handled by our secure payment providers and are not stored in full by Mastery Science.

·       Educational research and curriculum development: teacher questionnaire responses, professional opinions, curriculum feedback, that is collected in anonymised form for analysis, together with project consent records. We do not collect special category data for research; if a future study proposes this, we will seek explicit consent and provide a projectspecific information sheet.

·       Newsletters and marketing: email address, name, preferences, subscription status, and basic engagement metrics such as opens and clicks for campaign management.

·       Website analytics and security: anonymised IP addresses, browser and device data, page views, session duration, approximate location at city level, and basic security logs for fraud and abuse prevention.

 

Our lawful bases for the collection and use of your data

Under UK data protection law, we have a “lawful basis” for collecting and using your personal information.

Purpose

Main data used

Lawful basis

Order processing and customer management

Contact and order details; delivery information

Contract; Legal obligation for financial records

Educational research and curriculum development

Teacher survey responses; anonymised student data; consent records

Consent (withdrawable at any time)

Newsletters and marketing

Email, name, preferences, engagement

Consent for mailing list; Legitimate interests for limited messages to existing customers (optout anytime)

Website analytics and security

Anonymised IP, device/browser, usage data

Legitimate interests (proportionate analytics and security)

To exercise any right or to withdraw consent, email tony@masteryscience.com; we respond within one month after verifying identity.

Where we get personal information from

·       Directly from individuals via website forms, email, phone, or events and training sessions.

·       From schools and school staff members when orders are placed or enquiries are made on behalf of a school.

·       From research project participation where individuals provide responses or feedback voluntarily with project information sheets and consent.

·       From website analytics tools that collect usage data with cookie controls explained in the cookies section below

 

Who information is shared with

·       Payment processors that securely process transactions and confirmations for orders.

·       Shopify as the customer and order management system for online purchases and account data.

·       Email marketing platform MailerLite used to send newsletters and manage subscriptions and suppression lists.

·       Google Workspace (secure business email and file storage), and cloud storage for encrypted backup and recovery

·       Survey platform Google Forms and Airtable to collect research responses and manage questionnaires for education studies.

·       Couriers and fulfilment services to deliver physical materials where applicable for orders.

·       Accountants and professional advisers for statutory financial reporting and compliance purposes.

·       Academic collaborators who may receive only anonymised research data when relevant to publications or study reporting

 

How information is kept secure

·       Twofactor authentication is enabled on systems that store personal data, including email, customer databases, and cloud storage.

·       Encryption is used for data in transit and at rest where supported by the relevant platforms and devices.

·       Access to systems is limited to the director for daytoday operations, applying the principle of least privilege.

·       Regular backups, software updates, and reasonable technical and organisational measures are applied to maintain confidentiality, integrity, and availability.

·       We review access rights quarterly and test backups and security updates on a rolling schedule.

 

Cookies and website analytics

·       Cookies and analytics tools are used to operate and improve the site, and to understand which pages are most helpful to visitors, with controls available through the cookie banner and browser settings and with Google Analytics configured to anonymise IP addresses.

·       Further details are available in the separate cookie notice linked from the website footer or cookie banner, and preferences can be updated at any time.

·       You can change cookie preferences any time via the cookie banner or your browser settings; essential cookies operate for core site functions only.

 

International transfers

·       Some service providers may store or access data outside the UK or EEA (for example, US‑based email, analytics, or cloud services).

·       Where this occurs, we use Standard Contractual Clauses and conduct transfer assessments, and we apply additional security measures where needed to ensure an equivalent level of protection.

·       Details of current transfers and safeguards are available on request

 

How long information is kept – retention schedule

·       Customer orders, invoices, and payment records: 6 years from the end of the financial year they relate to, to comply with accounting and tax requirements.

·       School and teacher contact details for customers: 3 years after the last meaningful interaction or account closure, with periodic review and removal of outdated records.

·       Prospective contacts who are not customers: 24 months from the last interaction, or sooner if objection or optout is received, with suppression lists kept to respect optouts.

·       Newsletter subscriber records: until consent is withdrawn or after 3 years of inactivity, whichever is sooner, with easy unsubscribe in every email.

·       Research participant data that could identify a person: project end plus 2 years, then deletion or anonymisation, with anonymised datasets kept for research value where appropriate.

·       Research consent records and key code files: project duration plus 6 years to evidence consent and any withdrawals.

·       Website analytics and security logs: 12–24 months rolling to support trend analysis and security, using minimisation and anonymisation where possible.

·       Customer support correspondence: 3 years after the case is closed unless needed for a live dispute or legal obligation.

·       We review this schedule annually and delete or anonymise personal information securely when the retention period ends.

·       Data protection request logs and decisions: 3 years after the request is completed to evidence timely handling and outcomes

 

Your  data protection rights

 

·       Your right of access - You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions which means you may not receive all the information you ask for. Read more about the right of access.

·       Your right to rectification - You have the right to ask us to correct or delete personal information you think is inaccurate or incomplete. Read more about the right to rectification.

·       Your right to erasure - You have the right to ask us to delete your personal information. Read more about the right to erasure.

·       Your right to restriction of processing - You have the right to ask us to limit how we can use your personal information. Read more about the right to restriction of processing.

·       Your right to object to processing - You have the right to object to the processing of your personal data. Read more about the right to object to processing.

·       Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you. Read more about the right to data portability.

·       Your right to withdraw consent – When we use consent as our lawful basis you have the right to withdraw your consent at any time. Read more about the right to withdraw consent.

If you make a request, we must respond to you without undue delay and in any event within one month. To make a data protection rights request, please contact us using the contact details at the top of this privacy notice. We may request reasonable information to verify identity before acting on a request to protect personal data.

 

How to complain

·       Questions or concerns can be raised with Mastery Science Ltd using the contact details at the top of this notice, including the DPO email privacy@masteryscience.com for privacy matters.

·       If concerns remain, a complaint can be lodged with the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, helpline 0303 123 1113, or via the ICO website complaint service.

Last updated 1st October 2025, and this notice will be reviewed and updated when services or data uses change or at least annually to keep information accurate and clear.