Privacy Notice

Cypad Limited ("We") are committed to protecting and respecting your privacy.
This policy (together with our website terms of use and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

For the purpose of the Data Protection Act 1998 (the Act), the data processor is Cypad Limited, a private limited company, with company number 04335803, having its registered office at 11 Kingsley Lodge, 13 New Cavendish Street, London, W1G 9UG.

Information we may collect from you

We may collect and process the following data about you:

IP addresses

We may collect information about your computer, including where available your IP address, operating system and browser type, for system administration and to report aggregate information to our Local Education Authority (LEA) and School Customers. This is statistical data about our users' browsing actions and patterns, and does not identify any individual.


For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on your browser or the hard drive of your computer. Cookies contain information that is transferred to your computer's hard drive. They help us to improve our site and to deliver a better and more personalised service. Some of the cookies we use are essential for the site to operate.

If you or your child continue to use our services or site (this includes your usage through the School, its carers or the LEA), you agree to our use of cookies.

You may block cookies by activating the setting on your browser which allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies as soon as you visit our site.

Except for essential cookies, all cookies will expire after twelve months.

Where we store your personal data

The data that we collect from you may be transferred to, and stored at, a destination inside the UK or outside the European Economic Area ("EEA"). We will inform the customer of all our processing operations that are outside of the EEA prior to the point in time in which data is processed in those locations. Anonymised test data may also be processed by staff operating outside the EEA who work for us. Such staff may be engaged in, among other things, the provision of support services or software upgrades. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.

All information you provide to us is stored on our secure system. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

We will do our best to protect your personal data, using encryption, patch management and adequate cyber security where possible. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We cannot fully guarantee the security of your data transmitted to our site. Transmission of information over the internet is never completely secure and malicious hackers are becoming more sophisticated.

Third parties

We use a third party, "Simply Hosting", to host our servers and databases. All our data is securely located within their facilities based in Reading, UK. All data resides within the EEA. The facilities and staff are ISO27001 certified.

We upload hourly database backups to a third-party cloud provider, "Cloud Direct". The backups are protected in transit with military grade 256-bit encryption. The data is stored within facilities based in the UK. All data resides within the EEA. The facilities and staff are ISO27001 certified.

Uses made of the information

We use information held about you in the following ways:

We will only share your data with your child's School, Caterers or LEA. We will never sell or supply your data to any other third parties.

If you are an existing customer, we will only contact you by electronic means (e-mail or SMS) with information about services.

If you are a new customer we will contact you by electronic means only if you have consented to this.

If you do not want us to use your data in this way, or to pass your details on to third parties, please tick the relevant box situated on the form on which we collect your data (the registration form) or notify us by email at

We do not disclose information about identifiable individuals to advertisers.

Disclosure of your information

We may disclose your personal information to any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006.

We may disclose your personal information to third parties:

Your rights

You have the right to ask us not to process your personal data for marketing purposes. We will usually inform you (before collecting your data) if we intend to use your data for such purposes or if we intend to disclose your information to any third party for such purposes. You can exercise your right to prevent such processing by checking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by contacting us at

Our site may, from time to time, contain links to and from the websites of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites have their own Privacy Notices and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

General Data Protection Regulations (GDPR)

On 27th April 2016, the European Parliament, Council of the European Union and the European Commission adopted new regulations regarding data protection and the rights of individuals within the European Union. The regulations come into force on the 25th May 2018.

The GDPR regulations will replace and build upon elements of the Data Protection Act 1998 (DPA). GDPR will still be implemented irrespective of Brexit; however, we are closely monitoring proposed or actual changes to the regulations and will amend our Privacy Notice and processes to reflect these.

We are prepared to align with and meet the policies and principles, where applicable, set out within the GDPR regulations.

We take information, advice and recommendations from the Information Commissioner's Office (ICO), the UK's independent authority to uphold information rights and data privacy.

For the GDPR regulations under article 37 we have appointed a Data Protection Officer (DPO). The DPO can be contacted via

Purpose for processing

To provide tablet and web-based solutions for school catering, cleaning, local authorities and service organisations.

To offer school catering services a suite of apps that support the process of providing a school meals service: selecting meals; managing production; recording meals taken; paying for them; providing performance indicators and monitoring the service.

Special categories of data

Special category data is personal data which the GDPR regards as more sensitive, and so requires more protection.

We process two types of special category health information;

Article 9(2) of the GDPR sets out the conditions for the processing of special category data to be lawful.

We process special category data on the basis set out in Article 9(2)(g): “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.

The processing of allergen and dietary information is necessary for reasons of substantial public interest, to safeguard the health of data subjects.

Access to information - Subject Access Requests

A Subject Access Request (SAR) is a written, signed request from a data subject to identify what personal data an organisation is processing on their behalf, why that organisation holds it, and who it is disclosed to. This right, commonly known as subject access, is set out in section 7 of the Data Protection Act (1998). Cypad recognises the rights of the data subject under the GDPR.

In accordance with GDPR, a Subject Access Request is no longer subject to a fee, as incurred under the DPA. However, Cypad has a right to charge a reasonable fee, should the requests from the Data Subject be manifestly unfounded or excessive, in particular because of their repetitive character. For the same reasons, Cypad can refuse the request. However, Cypad must respond to all written requests within one calendar month stating our progress or the reasons for the refusal, or any charge that may be incurred. Cypad can extend the time to deal with the request by two further months considering the complexity and number of requests, so long as we respond to the initial request within one calendar month and state the reasons for the delay. Cypad will authenticate all individuals requesting data, by either contacting the Data Controller who is providing the Cypad service, or requesting photographic I.D.

All data associated with the Subject Access Request will be stored within our Zendesk support system, with a unique reference code for that Data Subject, and will include the initial request, email correspondence, photographic identification and responses. This will be kept for one year following a completed response or resolution, and then deleted.

If you wish to exercise your right of access, please email and we will supply you with an Access Request Form. Data subjects can also submit a request by post to: Cypad Ltd, Monarch House, Queen Charlotte Street, Bristol, BS1 4EX. The Subject Access Request Form is a guideline for a Data Subject to use their rights and what data they are requesting. The ICO states that there is no legally prescribed form, nor can Cypad force the Data Subject to use our in-house form; however, should the data subject choose not to use our guideline form, then we will be requesting further information by phone with similar questions.

The Data Subject ("You") may not be aware of the rights you have under GDPR. This policy sets out the additional rights which a living natural person or individual can exercise once GDPR comes into force. The rights which you the Data Subject wish to exercise must be defined within the Subject Access Request.

Download the Subject Access Request Form

Rights of the natural person

  1. The right to be informed

    Cypad will inform data subject(s) about the reasons for which their data is processed. This must be explicit and transparent through the company Privacy Notice. The Privacy Notice must be easily accessible.

  2. The right of access

    Cypad will confirm with the data subject(s) whether we process their data. In the event we do process that data, we must provide the data subject(s) access to that data in a readable and portable format such as Excel or .csv.

  3. The right of rectification

    Data subject(s) have a right to have their personal data rectified, if the data is inaccurate or incomplete. If the data has been shared with a third party, that data must also be rectified. Cypad will perform the rectification and inform the data subject to whom the data has been disclosed.

  4. The right to erasure

    Otherwise known as "The right to be forgotten", Cypad must enable data subject(s) to request that their personal data is deleted or removed from Cypad Personal Information Management systems (PIMS). Cypad will endeavour to remove all identifiable instances of the data subject from Cypad where the data subject exists. Cypad reserves the right to preserve aspects of the data, if;

  5. The right to restrict processing

    Data subject(s) have the right to block or suppress processing personal data. In this situation, Cypad can continue to hold the data which has been processed already, however, Cypad must not further process data on behalf of the data subject(s). This means Cypad must disable accounts or records for that data subject or apply the necessary changes to the functionality of the software, to prevent further data processing on behalf of that data subject.

  6. The right to data portability

    Cypad must provide the data subject(s) data in an easily accessible, portable and legible format. Examples of portable data can include, but are not limited to:

    The data must be provided to the data subject in a safe and secure way, typically encrypted with a password. Cypad adheres to a document encryption policy, referenced within the Cypad Information Security & Business Continuity Policy. We encrypt all documents with personally identifiable information with a password before submitting to the relevant individual(s).

  7. The right to object

    Data subject(s) can object to Cypad data processing on grounds relating to their "particular situation". The following reasons are valid to object;

    If the Data subject exercises their right to object, Cypad must stop processing their data (as defined in 5. The right to restrict processing) unless we can show that; The processing is based on legitimate interests, such as:

    If Cypad stops processing for the reasons above, then it must be "explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information".

  8. Rights in relation to automated decision making and profiling

    Individuals have the right not to be subject to a decision when:

    Cypad must ensure that individuals can:

Changes to our Privacy Notice

Any changes we may make to our Privacy Notice in the future will be posted on this page.


Questions, comments and requests regarding this Privacy Notice are welcomed and should be addressed to