Legal
Privacy policy.
Bedford – School for the Creator Economy
Effective date: 9 June 2026
Bedford (“Bedford”, “we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains what personal data we collect when you visit our website at learnbedford.com or use the Bedford learning platform, how we use it, who we share it with, and the rights you have under data protection law.
This policy is provided to fulfil our transparency obligations under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR) and the Privacy and Electronic Communications Regulations (PECR).
If anything in this policy is unclear, or you would like to exercise your rights, contact our Data Protection team at privacy@learnbedford.com.
1. Who we are
Bedford is the data controller for the personal data we collect about you. That means we decide why and how your personal data is processed.
| Item | Detail |
|---|---|
| Trading name | Bedford – School for the Creator Economy |
| Website | learnbedford.com |
| Privacy contact | privacy@learnbedford.com |
| Data Protection Officer | Our DPO can be reached at privacy@learnbedford.com |
Our registered address and full company details are published in the footer of our website.
2. Personal data we collect
We only collect the personal data we need to deliver, secure, and improve the Bedford service. The categories of personal data we may collect about you are set out below.
| Category | Examples |
|---|---|
| Account data | Name, email address, username and password (passwords are stored only in hashed form). |
| Profile data | Professional background, skills, areas of expertise and profile photo (for mentors and learners). |
| Learning data | Course progress, AI interaction history, assessment results and mentor feedback. |
| Payment data | Billing name, billing address and payment instrument details. Card details are processed by a PCI-DSS compliant payment processor and are not stored in full by Bedford. |
| Communications | Messages sent through the platform, support requests and email correspondence with us. |
| Technical data | IP address, device type, browser, operating system and platform usage logs. |
| Marketing preferences | Whether you have opted in to receive marketing communications and your channel preferences. |
3. How we use your personal data and our lawful bases
Under the UK GDPR and EU GDPR we must have a lawful basis for processing your personal data. The table below sets out the purposes for which we use your data and the lawful basis we rely on for each.
| Purpose | Lawful basis |
|---|---|
| Providing and personalising the Bedford learning platform and AI-powered learning tools. | Performance of a contract with you (Article 6(1)(b)). |
| Matching learners with mentors and supporting mentorship sessions. | Performance of a contract with you (Article 6(1)(b)). |
| Processing payments and managing billing. | Performance of a contract (Article 6(1)(b)) and compliance with legal obligations such as tax and accounting (Article 6(1)(c)). |
| Sending essential service communications such as account notifications, security alerts and receipts. | Performance of a contract (Article 6(1)(b)). |
| Improving our platform through aggregated analytics and product research. | Our legitimate interests in improving and securing our service (Article 6(1)(f)). We carry out a balancing test before relying on this basis. |
| Detecting and preventing fraud, abuse and security threats. | Our legitimate interests in protecting the platform and our users (Article 6(1)(f)). |
| Sending marketing communications about Bedford courses, events and updates. | Your consent (Article 6(1)(a)). You can withdraw consent at any time. |
| Complying with legal obligations including tax, fraud prevention and regulatory requests. | Compliance with a legal obligation (Article 6(1)(c)). |
| Using AI features to personalise your learning experience and generate recommendations. | Performance of a contract (Article 6(1)(b)). Where automated decision-making applies, see section 9. |
4. Who we share your personal data with
We do not sell your personal data. We share it only with carefully selected recipients who help us deliver the service or where we are required to do so by law.
- Mentors. If you are a learner, your profile and progress data are shared with your assigned mentor so they can support your learning.
- Payment processors. Payment data is shared with our PCI-DSS compliant payment processor to complete transactions.
- Cloud infrastructure and hosting providers. Our data is stored and processed on infrastructure operated by reputable cloud providers acting as our processors.
- AI service providers. Anonymised or pseudonymised learning data may be processed through third-party AI APIs to power platform features.
- Analytics providers. Aggregated and anonymised usage data is shared with analytics tools that help us understand how the platform is used.
- Professional advisers. Lawyers, auditors and insurers, where necessary and under appropriate confidentiality obligations.
- Legal and regulatory authorities. Where we are required to disclose information by law, court order, or to comply with a regulatory request.
Every third party that processes personal data on our behalf is bound by a written data processing agreement that meets the requirements of Article 28 of the UK GDPR.
5. International transfers
Some of the providers we rely on are based outside the United Kingdom and the European Economic Area (EEA), including in the United States. When we transfer personal data outside the UK or EEA we use one of the following safeguards required by the UK GDPR:
- a UK or EU adequacy decision, where the destination country has been recognised as providing an adequate level of protection;
- the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or the EU Standard Contractual Clauses (SCCs); or
- another lawful safeguard, such as Binding Corporate Rules, where appropriate.
We carry out transfer impact assessments where required and review them at least annually. You can request more information about our international transfers and the safeguards we use by contacting privacy@learnbedford.com.
6. How long we keep your personal data
We keep your personal data only for as long as we need it for the purposes set out in this policy, and then delete or anonymise it. The standard periods we apply are:
| Type of data | Retention period |
|---|---|
| Account data | Held while your account is active and for 2 years after account closure. |
| Learning data and progress records | 5 years from your last active use of the platform. |
| Payment records | 7 years, to comply with tax and financial regulations. |
| Marketing preferences | Until you withdraw consent or close your account. |
| Website analytics data | Anonymised after 26 months. |
| Support communications | For the duration of the issue and up to 3 years after resolution. |
Where we are required by law to keep data for longer (for example, financial records), we will retain it for the period required and then delete it.
7. Your rights
Under data protection law you have the following rights in relation to your personal data:
- Right of access. You can ask for a copy of the personal data we hold about you and information about how we use it.
- Right to rectification. You can ask us to correct inaccurate or incomplete data.
- Right to erasure. You can ask us to delete your personal data in certain circumstances (“the right to be forgotten”).
- Right to restriction. You can ask us to limit how we use your data in certain circumstances.
- Right to data portability. You can ask for your data in a structured, commonly used and machine-readable format.
- Right to object. You can object to processing based on our legitimate interests, and to direct marketing at any time.
- Rights relating to automated decision-making. You have rights where decisions are made about you solely by automated means and have a legal or similarly significant effect (see section 9).
- Right to withdraw consent. Where we rely on consent, you can withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal.
To exercise any of these rights, email privacy@learnbedford.com or use the privacy controls in your account settings. We will acknowledge your request within 5 business days and respond within one calendar month. For complex or high-volume requests we may extend this by a further two months and will tell you within the first month if we need to do so.
We may need to verify your identity before responding so that we do not disclose your data to anyone else. There is normally no fee, but we may charge a reasonable fee or refuse to act on a request that is manifestly unfounded or excessive.
8. Cookies and similar technologies
We use cookies and similar technologies on our website and platform. Cookies fall into the following categories:
| Category | Purpose |
|---|---|
| Strictly necessary | Required for the platform to function, including authentication and security. These do not require your consent. |
| Preferences | Remember your settings and personalisation choices. Set only with your consent. |
| Analytics | Help us understand how the platform is used so we can improve it. Set only with your consent. |
| Marketing | Used to deliver relevant advertising and measure campaign performance. Set only with your consent. |
When you first visit our website you will see a cookie banner allowing you to accept all cookies, reject non-essential cookies, or customise your preferences. Non-essential cookies are not set until you give consent. You can change or withdraw your cookie preferences at any time using the “Cookie Settings” link in the website footer.
Our full cookie list, including cookie names, providers, purposes and retention periods, is published in our Cookie Policy on the Bedford website.
9. AI features and automated decision-making
Bedford uses AI to personalise your learning experience, including learner progress assessments, mentor matching recommendations and personalised learning path generation. We will tell you when AI or automated processing is involved in a decision that affects you, and explain in accessible language how those recommendations are generated.
Where a decision about you is made solely by automated means and has a legal or similarly significant effect on you, you have the right to:
- request human review of the decision;
- express your point of view; and
- contest the decision.
You can exercise these rights by contacting privacy@learnbedford.com. Before launching any new AI feature that may significantly affect users we conduct a Data Protection Impact Assessment, and we test our AI models for bias.
10. Children
The Bedford platform is intended for users aged 16 and over. We ask all new users to confirm their age during registration and we do not knowingly collect personal data from anyone under 16 without verifiable parental or guardian consent.
If you believe a child under 16 has provided personal data to us without appropriate consent, please contact privacy@learnbedford.com and we will delete the data and close the account promptly.
Where we knowingly process personal data of users under 18, we apply heightened protections, including stricter access controls, no commercial profiling of children, and review of AI personalisation features for age appropriateness.
11. SMS and Text Message Communications
If you provide your phone number and consent to receive text messages from Bedford, we may use that number to send advisor call reminders, enrollment follow-up, cohort updates, and other Bedford Studio communications. Message frequency may vary. Message and data rates may apply. You can reply STOP to opt out at any time, or HELP for assistance. Consent to receive text messages is not a condition of purchase or enrolment.
Bedford does not sell, rent, or share mobile phone numbers or SMS opt-in consent data with third parties or affiliates for their own marketing or promotional purposes. We may share mobile information only with service providers who assist us in delivering SMS communications, and only to the extent necessary for them to provide those services on our behalf. Any such provider is bound by a written data processing agreement in accordance with Article 28 of the UK GDPR.
12. How we protect your personal data
We use appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure or destruction. These measures include encryption in transit and at rest, access controls, regular security testing, staff training, and contractual safeguards with our processors.
In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the UK Information Commissioner’s Office (ICO) within 72 hours and, where the risk is high, will tell you without undue delay.
13. Changes to this policy
We may update this Privacy Policy from time to time, for example to reflect changes in the way we process personal data or in the law. The “Effective date” at the top of this policy shows when it was most recently revised. Where the changes are significant, we will let you know by email or through a notice on the platform before the changes take effect.
14. How to contact us and make a complaint
If you have any questions about this policy or how we handle your personal data, contact our Data Protection team at privacy@learnbedford.com. We aim to resolve any concern you raise.
You also have the right to complain to a data protection supervisory authority. In the United Kingdom this is the Information Commissioner’s Office (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Helpline: 0303 123 1113 · www.ico.org.uk
If you are based in the EEA, you can also contact the data protection authority in the EU member state where you live, work, or where the issue arose.