01.

About this Privacy Statement

Orbital Education Group (“Orbital”, “we”, “us”) is committed to protecting the privacy and personal data of all individuals whose information we process, including pupils, parents and guardians, staff, applicants, visitors and other professional contacts.

Orbital is a UK‑based international education group, with a network of schools and operations across multiple jurisdictions, including Spain, Albania, Hungary, Slovenia, Ecuador, Mexico, Qatar and China.

This Privacy Statement explains how personal data is collected, used and protected at Group level, including personal data collected through our public websites, digital platforms and online communications.

It applies to:

  • visitors to Orbital Education Group websites and other Group‑managed digital platforms;
  • applicants for Group‑level and centrally managed roles;
  • employees, officers, consultants and contracted staff engaged by the Group; and
  • users of Group‑managed IT systems, tools and services.

This statement provides overarching transparency for Group‑level activities and should be read alongside any school‑specific, role‑specific or audience‑specific privacy notices provided at the point personal data is collected. Those local notices apply where individuals interact directly with an Orbital school or local entity and may include additional information required by local law.

02.

Who is responsible for your personal data?

Orbital Education Ltd, registered at Landmark House, Station Road, Cheadle Hulme, SK8 7BS, United Kingdom, acts as the data controller for personal data processed at Group level, including data collected through Group websites, central recruitment, shared IT systems and other centrally managed functions.

Individual schools and local entities within the Group act as independent data controllers in respect of personal data processed for their own educational, safeguarding, employment and operational activities, and are responsible for complying with applicable local data protection laws. Separate school‑level privacy statements explain how local processing is carried out.

For all privacy-related questions, concerns or requests relating to personal data, please contact: datarequests@orbital.education. This contact point should be used for privacy enquiries and data subject rights requests and will coordinate responses with the appropriate Group personnel.

03.

Why, how and for how long do we collect and store personal data?

We collect and process personal data only for clear, specific and legitimate purposes linked to how Orbital operates as an international education group.

We do not process personal data for purposes that are incompatible with these.

In some circumstances, personal data may be obtained from sources other than the individual it relates to. These sources may include referees, previous employers, recruitment agencies, professional advisers, public authorities, or other entities within the Orbital Education Group, where permitted by law.

Retention of personal data

Personal data is stored securely and retained only for as long as necessary.

Retention periods are determined by reference to:

  • the purpose for which the personal data was collected;
  • applicable legal, regulatory and safeguarding requirements;
  • operational, contractual and organisational needs; and
  • the rights and reasonable expectations of the individuals concerned.

By way of example, recruitment data may be retained for a limited period following completion of the recruitment process, and employment-related data retained in line with applicable legal requirements.

Retention is managed in line with applicable legal requirements and internal data management practices.

Website visitors and digital users

We collect limited information about how visitors use our websites and other Group‑managed digital services. This information helps us understand how our websites are used, perform effectively and remain secure.

This may include the use of cookies and similar technologies, which collect information such as:

  • how visitors navigate our websites;
  • whether visits are repeat visits; and
  • how our websites are performing.

When visitors interact with our websites, we may also process certain technical information, such as IP address, browser or device information, session identifiers and cookie preferences. This information is generated automatically and is used to support website functionality, security and performance.

We may also collect personal data where individuals contact us through website forms, subscribe to newsletters, register for events, make enquiries or express interest in employment opportunities within Orbital Education Group.

Where required, visitors are given choices about the use of cookies through a cookie banner or similar tool. Further detail is provided in our Cookie Notice provided by Cookiebot.

Applicants

We collect personal data when you apply for a role with Orbital Education Group, whether applications are made by email, through web‑based systems, or during interviews.

Applicant data is used to:

  • assess suitability for roles;
  • manage recruitment and selection processes;
  • communicate with applicants; and
  • meet legal, regulatory and safeguarding obligations.

Applicant data is retained for a limited period following completion of the recruitment process, in line with applicable legal requirements and internal data management practices.

Where applicants choose to receive updates about future opportunities, limited contact details may be processed using third‑party communication platforms. Individuals can withdraw consent at any time.

Where a conditional offer of employment is made, additional personal data may be collected to carry out pre‑employment and safeguarding checks in accordance with legal requirements.

Marketing and Communications

We may process personal data for marketing, communications and stakeholder engagement purposes, including providing information about Orbital Education Group, our schools, educational programmes, events, recruitment opportunities, newsletters, publications and other Group-related services and activities.

Marketing and communications may be sent by email, telephone, SMS, post, social media or other appropriate communication channels, depending on the nature of the communication and the contact preferences provided.

Where required by applicable law, we will obtain consent before sending marketing communications. Individuals may withdraw consent or opt out of receiving marketing communications at any time by using the unsubscribe option provided in the communication, updating their communication preferences or contacting us directly.

Withdrawal of consent will not affect the lawfulness of processing carried out before consent was withdrawn.

We do not sell personal data to third parties for marketing purposes. Personal data used for marketing and communications is managed in accordance with applicable data protection requirements, consent records, communication preferences and retention practices.

Employees and contracted staff

We collect and process personal data during recruitment, onboarding and throughout the course of employment or engagement.

Employee and contractor personal data is processed for purposes including:

  • managing employment and contractual relationships;
  • administering pay, benefits, pensions and workforce processes;
  • complying with legal, regulatory and safeguarding requirements; and
  • supporting organisational planning and management.

Where lawful and appropriate, this may include special category personal data, such as health information or criminal records information. Such data is processed subject to additional safeguards and access controls.

Employment‑related records are retained in accordance with applicable legal requirements and internal data management practices.

Users of our IT Systems

Personal data is generated and processed through the use of Group‑managed IT systems, tools and networks. This information is used to:

  • maintain the security, integrity and resilience of systems and networks;
  • prevent unauthorised access, misuse or security incidents;
  • support monitoring, diagnostics and troubleshooting; and
  • ensure compliance with acceptable use and information security requirements.

Access to IT systems data is restricted to authorised personnel and protected by appropriate technical and organisational security measures.

Lawful bases for processing

We process personal data only where we have a valid lawful basis under applicable data protection law. Depending on the context, this may include:

  • performance of a contract;
  • compliance with legal obligations;
  • safeguarding and public interest grounds;
  • legitimate interests, such as operating and securing our systems; and
  • consent, where required.

Where processing is based on consent, this may be withdrawn at any time.

Children’s personal data

We recognise that personal data relating to children requires particular care and protection. Personal data relating to pupils is primarily processed by individual schools acting as independent data controllers, in accordance with their local privacy statements and safeguarding obligations. Group-level processing involving children's data is limited and subject to appropriate safeguards.

04.

Who do we share information with?

We limit the sharing of personal data to what is necessary and lawful. This may include sharing information with:

  • other Orbital Education Group entities;
  • trusted service providers;
  • professional advisers; and
  • public bodies or regulators where required.

Personal data may also be shared in connection with corporate transactions, subject to appropriate confidentiality and data protection safeguards.

Where possible, information shared for reporting or statistical purposes is anonymised or aggregated.

We do not sell personal data.

05.

International data transfers

As an international group, personal data may be transferred to, stored in or accessed from countries outside the United Kingdom or the country in which the data was originally collected.

Where international transfers take place, we ensure that appropriate safeguards are in place to protect personal data. These may include adequacy regulations, standard contractual clauses, internal Group standards or other lawful transfer mechanisms.

06.

Your data protection rights

Under UK GDPR, individuals have rights in relation to their personal data, including the right to:

  • access personal data we hold about them;
  • request correction of inaccurate or incomplete data;
  • request deletion of personal data where appropriate;
  • request restriction of processing in certain circumstances;
  • object to certain processing activities;
  • receive a copy of data provided in a portable format; and
  • withdraw consent where processing is based on consent.

Requests can be made by contacting datarequests@orbital.education. We may need to verify identity before responding.

We will respond to requests in accordance with applicable legal requirements. Where permitted by law, we may refuse a request or charge a reasonable administrative fee where a request is manifestly unfounded, excessive or repetitive.

You have the right to raise a complaint with us regarding how your personal data is handled, and we will investigate and respond in accordance with our complaints procedure.

If you are dissatisfied with how your request is handled, you have the right to raise a concern with the UK Information Commissioner’s Office (ICO):

https://ico.org.uk/.

07.

Automated decision‑making

We do not use personal data for automated decision‑making or profiling that produces legal or similarly significant effects on individuals.

08.

Data security

We implement appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage.

These measures include access controls, system protections, staff training and contractual safeguards with third‑party providers.

09.

Data protection governance

Orbital Education Group operates a group‑wide data protection framework supported by policies, procedures and oversight mechanisms designed to ensure compliance with applicable data protection requirements.

10.

Changes

This Privacy Statement is reviewed at least annually and may be updated to reflect changes in law, regulation, technology or how we operate. The most current version will always be available through the Group’s official channels.

This Privacy Statement was last updated on 01 June 2026.