Privacy Policy


Ark Curriculum Plus is a programme of Ark UK Programmes. Ark UK Programmes is the organisation which is in charge of your personal information. This means that Ark UK Programmes is called the ‘Data Controller’. The postal address for Ark UK Programme is The Yellow Building, 1 Nicholas Road, London, W11 4AN. 

All personal data is held in compliance with UK Data Protection legislation, the UK General Data Protection Regulation and with all other laws concerning the protection of personal information, including the Privacy & Electronic Communications Regulations 2003. 

We take your data protection seriously, and this Privacy Notice is designed to explain how we use any personal information we collect about you. 

If you want to contact us about your personal information you can contact our data protection lead by emailing . You can also email Ark UK Programmes’ Data Protection Officer using the email address

The personal data we process may be shared with third parties, where it is necessary for us to do so and we have a lawful basis to do so.  


We have the legal requirement, a contractual obligation and a legitimate interest to collect and process your personal data, including those in relation to the following:  

  • Delivery of the MyMastery digital platform services. 
  • Enable agreed contacts at schools and MATs to access data about how users at their  organisation are using MyMastery. These contacts include the school’s nominated Mastery  Lead and Senior Leader. 
  • Keep customers informed about the running of the service and events.  
  • To enable participation in a competition or complete a survey
  • Process payments for services. 
  • Assess the quality of our services. 

We have a good reason for having this information which means it is lawful and so we do not usually need consent to use this information. Sometimes we may want to use data differently and in these cases we may need to gain consent from a user. Where we ask for consent, users can change their mind at any time.  


This includes the following information: 

  • Contact details and contact preferences.  
  • Bank details for payment processing. 

If you are a registered user of MyMastery, or have expressed an interest in Ark Curriculum Plus programmes on our website, and have given us consent to contact you, we may occasionally send you an email to tell you about new features, ask for feedback or keep you up to date with our programme of work.  

If you no longer wish to hear from us, you can unsubscribe quickly and easily using the link at the bottom of our emails, or email and we will remove you from the list. 


Like most websites, we use cookies to improve user experience and to provide essential functionality. You can disable cookies in your browser if you wish to, although this may mean that some features on this website will not work as they should. Cookies are small files saved to your computer’s hard drive that track, save and store information about your interactions and usage of the website. 

Third party websites 

We cannot be held responsible for the privacy policies and practices of other sites even if you access these sites using links on the Ark Curriculum Plus website. We recommend that you check the privacy policy of each site you visit and contact the owner or operator if you have any questions or concerns. 


We only keep your information for as long as we need to, or for as long as the law requires us to. We have established a retention schedule. Please see Storing Data below.   


  • Article 6 1(a) of the GDPR which allows processing with your consent. 
  • Article 6 1(b) of the GDPR which allows processing that is necessary for the performance of a contract. 
  • Article 6 1(c) of the GDPR which allows processing that is necessary to comply with a legal obligation. 
  • Article 6 1(f) of the GDPR which allows processing that is in our legitimate interest to do so. 

The processing of personal data and the identification of a relevant lawful basis of processing is subject to an ongoing review and is consistently being reviewed as part of our efforts to adhere to the principles of data protection. 


Personal data is processed using a combination of cloud-based information management systems, cloud storage and sharing facilities, on local file servers and in paper copies. In accordance with data protection legislation it is only retained for as long as is necessary to fulfil the purposes for which it was obtained, and not kept indefinitely.  

We have a policy which explains how long we keep information relating to partner schools that we work with. It is called a Data Retention Schedule, and details can be found in the below table. 

Ark Curriculum Plus Data Retention Schedule 

Document category and basic description 

Ark Curriculum Plus Retention Period 

Customer Data: 

CRM data – inclusive of Name, Email address, mobile number, address, emails and phone call summaries 

Until no longer needed or requested to be deleted 

Platform data – inclusive email address, first and second name 

Retained whilst organisation remains a customer. Once an organisation requests all records to be deleted, data will be removed from the back-ups within 45 days

Metrics data 

Retained whilst organisation remains a customer or deleted by user. Once an organisation requests all records to be deleted, data will be anonymised 

Signed Customer Agreements 


Survey data
Retained for 5 years to allow year-on-year comparisons or until requested to be deleted
Competition data
Retained in line with the CRM data retention policy listed above

Non-customer data: 

Name, email address 

Kept until person unsubscribes / requests to be removed from system 

Supplier contracts 


Survey data
Retained for 5 years to allow year-on-year comparisons or until requested to be deleted
Competition dataRetained in line with the name, email address data retention policy listed above

The following document categories are covered under Ark Central Data Retention Schedule and you can request a copy of this schedule by emailing Corporate/ Constitutional, Insurance, Health and Safety, Pension records, Employees/ Administration. 

Transfer outside of the European Economic Area (EEA)    

We do not normally transfer your information to a different country outside the EEA. However, some of our external third-party support partners are based outside the EEA so their processing of personal data will involve a transfer of data outside the EEA. Whenever we transfer personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented, including:    

  • We will only transfer personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.  
  • Where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe and Standard Contractual Clauses. 


We do not share information about customers with anyone without permission unless the law says we can or should. We use three cloud-based platform providers who would have access to data as part of their service provision to us: 

  • CDSM – Schools who join Ark Curriculum Plus programme receive access to our MyMastery learning platform. We will share information with our third-party digital platform provider for the purpose of providing this service. The digital platform provider is the “Data Processor” and Ark Curriculum Plus remains the “Data Controller” in this instance. 
  • SalesForce – Our customer information management system used to coordinate our order processing activities, customer information and marketing campaigns. Our work with Salesforce is supported by a third party support provider, Impact Box, who accesses data to as part of their development support. 
  • Campaign Monitor, Form Assembly, Conga and Survey Monkey – We use these industry standard platforms to manage business processes such as our marketing and emails, the signing of Agreements and surveys.. 

We may also share personal data with:    

  • Ark and Ark Schools as a part of Ark.  
  • For schools who have agreed to be part of an EEF project or trial (only), the Education Endowment Foundation and the Department for Education.
  • Suppliers and service providers – to enable them to provide the service we receive from them.  
  • Financial organisations, professional advisers and consultants including our auditors.  
  • Police forces, courts, tribunals. 


Any and all breaches of the GDPR, including a breach of any of the data protection principles shall be reported as soon as it is/they are discovered, to the Ark Curriculum Plus Data Protection Officer. 

The Data Protection Officer will then assess the extent of the breach and take the appropriate steps and precautionary measure to mitigate any risks to affected individuals. 


Customers have the right to do the following with regards to their own data and their child’s data on their behalf:    

  • Ask us for a copy of the information we have about you. This is called a ‘subject access request’. 
  • Ask us to correct any information we have about if you think it is wrong. 
  • Ask us to erase information about you (although we may have good reasons why we cannot do this). 
  • Ask us to limit what we are doing with your information.  
  • Object to what we are doing with your information. 
  • Ask us to transfer your information to another organisation in a format that makes it easy for them to use.  

If you make a subject access request, and if we do hold information about you, we will: 

  • Give you a description of it. 
  • Tell you why we are holding and processing it, and how long we will keep it for. 
  • Explain where we got it from, if not from you. 
  • Tell you who it has been, or will be, shared with. 
  • Let you know whether any automated decision-making is being applied to the data, and any consequences of this. 
  • Give you a copy of the information in an accessible format. 
  • More information about your rights is available in our data protection policy. To request a copy, email us at  

Ark Curriculum Plus and Ark UK Programmes aims to comply fully with its obligations under the GDPR. If you have any questions or concerns regarding Ark management of personal data including your child’s data subject rights or your data subject rights, please contact the Data Protection Officer ( who is responsible for ensuring Ark UK Programmes is compliant with the UK GDPR. If Ark holds inaccurate information about you, please contact Ark Curriculum Plus and / or the Data Protection Officer ( explaining what the problem is and where appropriate provide with any evidence to show what the information should say. Keep copies of the correspondence. If after a reasonable amount of time (28 days is recommended) the information has not been corrected, a complaint can be made. If you feel that your questions / concerns have not been dealt with adequately on any data protection matter, please get in touch with us and the matter will be escalated to our Ark Director of Governance. If you remain unhappy with our response or if you need any advice you can contact the Information Commissioner’s Office (ICO). Please visit their website ( for information on how to make a data protection complaint or contact the ICO at If you are not happy with the outcome, you may wish to contact the Information Commissioner’s Office: the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Telephone – 01625 545 745.