Legal Document

Privacy Policy

Effective date: 1 June 2025 Last updated: 1 June 2025 Version: 1.0
Summary for busy people: Paesani collects your name, contact details, and eligibility information to help you access UK university funding. We do not sell your data. We share it only with universities and service providers necessary to help you. You can request deletion of your data at any time. We are governed by UK GDPR and the Data Protection Act 2018.
Section 1

About Us

This Privacy Policy is issued by Paesani Consulting Ltd (trading as "Paesani"), ("Paesani", "we", "us", "our"), an educational advisory service helping individuals in the United Kingdom access government-funded university education through Student Finance England.

For the purposes of UK data protection law, Paesani acts as the Data Controller in respect of personal data collected through this website and our associated services.

Our registered address and data protection enquiries address is:

Paesani Consulting Ltd
66, Paul Street
London, EC2A 4NA
United Kingdom
Company number: 17195580
Email: privacy@paesani.co.uk

Section 2

Information We Collect

We collect personal data in the following ways:

2.1 Information you provide directly

When you complete our eligibility form or application, we collect:

  • Identity data: first name, last name
  • Contact data: email address, telephone number
  • Eligibility data: nationality or immigration status category (British national, EU/EEA national with Pre-Settled/Settled Status, Ukrainian refugee scheme), number of years resident in the UK, highest level of prior education
  • Preference data: courses of interest, preferred mode of study
  • Communications: records of your messages and correspondence with us

2.2 Information collected automatically

When you visit our website, we may automatically collect:

  • Technical data: IP address, browser type and version, operating system, referring URL
  • Usage data: pages visited, time on page, scroll depth, clicks
  • Device data: device type, screen resolution, language settings

2.3 Information from third parties

We may receive data about you from:

  • Referrers: if someone referred you to us, we may receive your name and contact information
  • Analytics providers: aggregated and anonymised information about website usage
  • Partner universities: confirmation of enrolment status for referral payment purposes

2.4 Special category data

We do not intentionally collect special category data (as defined under Article 9 UK GDPR) such as health information, racial or ethnic origin, or biometric data. Information about your immigration status (e.g. Ukrainian refugee scheme) is collected solely to assess eligibility for Student Finance England and is treated with heightened care. If you believe you have provided special category data inadvertently, please contact us immediately at privacy@paesani.co.uk.

Section 3

How We Use Your Information

Purpose Data Used Legal Basis
Assess your eligibility for Student Finance England Identity, eligibility, residence data Contract / Legitimate interest
Contact you about your application Identity, contact data Contract
Refer your application to our partner universities Identity, eligibility, preference data Contract / Consent
Process and pay referral rewards Identity, contact, enrolment confirmation Contract
Send marketing communications (with your consent) Identity, contact, preference data Consent
Improve our website and services Usage, technical data Legitimate interest
Comply with legal obligations Any data required by law Legal obligation
Prevent fraud and protect our services Technical, identity data Legitimate interest

We will not use your data for automated decision-making or profiling that produces legal or similarly significant effects on you.

Section 4

Legal Basis for Processing

Under UK GDPR Article 6, we rely on the following lawful bases:

  • Article 6(1)(a) — Consent: where you have given clear, freely given, specific, informed and unambiguous consent (e.g. for marketing emails, or for sharing data with specific universities). You may withdraw consent at any time by contacting us or using the unsubscribe link in any email.
  • Article 6(1)(b) — Contract: where processing is necessary to perform a contract with you or to take steps at your request prior to entering into a contract (e.g. processing your eligibility assessment and university application).
  • Article 6(1)(c) — Legal obligation: where processing is necessary to comply with a legal obligation applicable to us (e.g. tax, anti-money-laundering).
  • Article 6(1)(f) — Legitimate interests: where processing is necessary for our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights. Our legitimate interests include: improving our services, preventing fraud, and ensuring the security of our systems.

Where we rely on legitimate interests, we have conducted a Legitimate Interests Assessment (LIA) and are satisfied that our interests do not override your rights and freedoms. You may request a copy of our LIA by contacting us.

Section 5

Data Sharing & Disclosure

We do not sell, rent, or trade your personal data. We share your data only in the following limited circumstances:

5.1 Partner Universities

With your knowledge and as part of the service, we share relevant application data with our partner universities in order to facilitate your enrolment. We ensure universities we partner with comply with UK data protection law.

5.2 Service Providers (Data Processors)

We engage carefully selected third-party service providers who process data on our behalf under binding data processing agreements. These include:

  • Typeform Inc. — application form and data collection platform
  • Email service provider — for transactional and marketing emails
  • Analytics provider — for anonymised website analytics
  • Payment processor — for referral reward payments
  • IT infrastructure and hosting providers

Each processor is bound by a Data Processing Agreement (DPA) and is required to implement appropriate technical and organisational security measures.

5.3 Legal Requirements

We may disclose your personal data to law enforcement, regulatory authorities, or courts if required to do so by applicable law, judicial order, or in connection with legal proceedings.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your personal data may be transferred to a successor entity, subject to the same privacy protections described in this policy. We will notify you in advance.

Section 6

International Transfers

Some of our service providers operate outside the United Kingdom. Where personal data is transferred to countries not recognised by the UK as providing an adequate level of data protection (i.e. not subject to an Adequacy Regulation), we ensure appropriate safeguards are in place in accordance with UK GDPR Article 46, including:

  • International Data Transfer Agreements (IDTAs) — the UK-specific standard contractual clauses approved by the ICO
  • UK Addenda to the EU Standard Contractual Clauses (SCCs)
  • Transfers to countries subject to an Adequacy Regulation

In particular, Typeform Inc. is based in the United States. Data transferred to Typeform is governed by an IDTA or equivalent safeguard. You may request details of the specific mechanism used by contacting us.

Section 7

Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law. Our standard retention periods are as follows:

Data CategoryRetention PeriodBasis
Eligibility enquiry data (no application submitted)12 months from last contactLegitimate interest
Full application data6 years from date of applicationLegal obligation / Contract
Enrolment and referral records6 years from payment dateLegal obligation (financial records)
Marketing consent recordsUntil consent is withdrawn + 1 yearCompliance with ICO guidance
Website analytics data26 monthsLegitimate interest
Correspondence records3 years from last correspondenceLegitimate interest

At the end of a retention period, data is securely deleted or anonymised. If you request deletion of your data before a retention period expires, we will assess whether we are legally required to retain it and inform you of the outcome.

Section 8

Your Rights Under UK GDPR

You have the following rights in respect of your personal data. These rights are not absolute and may be subject to exceptions. We will respond to all valid requests within one calendar month of receipt (extendable by two further months for complex requests).

Right of Access (Article 15)

You may request a copy of the personal data we hold about you (a Subject Access Request).

Right to Rectification (Article 16)

You may request that we correct inaccurate or incomplete personal data we hold about you.

Right to Erasure (Article 17)

You may request deletion of your personal data where there is no overriding legitimate reason for us to retain it.

Right to Restriction (Article 18)

You may request that we restrict processing of your data in certain circumstances (e.g. while a complaint is investigated).

Right to Portability (Article 20)

Where processing is based on consent or contract and carried out by automated means, you may receive your data in a structured, machine-readable format.

Right to Object (Article 21)

You may object to processing based on legitimate interests, including direct marketing. We must stop processing unless we demonstrate compelling grounds.

Right to Withdraw Consent

Where processing is based on consent, you may withdraw it at any time without detriment. Withdrawal does not affect the lawfulness of processing before withdrawal.

Right Not to be Subject to Automated Decisions

You have the right not to be subject to decisions based solely on automated processing that produce significant effects on you. We do not conduct such processing.

To exercise any of these rights, please contact us at privacy@paesani.co.uk with proof of your identity. There is no charge for exercising your rights, except where requests are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

Section 9

Cookies & Tracking Technologies

Our website uses cookies and similar technologies to function and improve your experience. Under the Privacy and Electronic Communications Regulations (PECR), we require your consent for non-essential cookies.

9.1 Strictly Necessary Cookies

These are essential for the website to function and cannot be disabled. They include session management and security cookies. No consent is required.

9.2 Performance & Analytics Cookies

These cookies collect anonymised information about how visitors use the website (e.g. pages visited, error messages). They help us improve site performance. Set by our analytics provider. Require consent.

9.3 Functional Cookies

These cookies remember your preferences (e.g. chosen language). They enhance your experience but are not essential. Require consent.

9.4 Embedded Third-Party Services

Our application form is provided by Typeform Inc. Typeform may set its own cookies when you interact with the form. We recommend reviewing Typeform's Privacy Policy for details.

You may manage your cookie preferences through your browser settings or our cookie consent tool. Note that disabling certain cookies may affect website functionality.

Section 10

Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:

  • Encryption of data in transit using TLS/SSL
  • Access controls and role-based permissions for staff
  • Secure data storage with reputable hosting providers
  • Regular security reviews and staff data protection training
  • Data processor due diligence and contractual obligations

No method of transmission over the internet or electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours and, where required, notify you without undue delay.

Section 11

Third-Party Links

Our website may contain links to third-party websites, including the Student Finance England portal (gov.uk), university websites, and social media platforms. This Privacy Policy applies only to our website. We are not responsible for the privacy practices of third-party sites and encourage you to review their privacy policies before providing any personal data.

Section 12

Children's Privacy

Our services are directed at individuals aged 18 and over. We do not knowingly collect personal data from children under the age of 13. If we become aware that we have inadvertently collected personal data from a child under 13, we will take immediate steps to delete it. If you believe we hold data about a child, please contact us at privacy@paesani.co.uk.

For individuals aged 13–17, we require verifiable parental or guardian consent before processing any personal data. University applications are generally only open to those aged 18 and over.

Section 13

Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Update the "Last updated" date at the top of this page
  • Display a prominent notice on our website
  • Where required by law, notify you directly by email

Your continued use of our services after any changes constitutes your acknowledgement of the updated policy. We encourage you to review this policy periodically. Previous versions of this policy are available on request.

Section 14

Contact & Complaints

Data Protection Enquiries

For all data protection matters, Subject Access Requests, or to exercise any of your rights:

Email: privacy@paesani.co.uk

Post: Paesani Consulting Ltd, 66, Paul Street, London, EC2A 4NA, United Kingdom

Please include your full name and a description of your request. We may need to verify your identity before processing your request.

ℹ️

Right to complain to the ICO: If you are dissatisfied with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection matters.

Website: ico.org.uk — Helpline: 0303 123 1113
ICO, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, appreciate the opportunity to address your concerns before you approach the ICO — please contact us first.