1. Who we are
BespokeLMS is a trading name of Teach HQ Limited, a company registered in England and Wales (Company No. 14516976), with its registered office at Moor Park House, Bawtry Road, Wickersley, Rotherham, S66 2BL, United Kingdom.
For the purposes of UK GDPR and the Data Protection Act 2018, Teach HQ Limited is the data controller for personal data collected through this website and via our direct relationship with customers.
Where BespokeLMS hosts a learning management system on behalf of a client organisation, we act as a data processor for that client's learner data. In those cases, the client is the data controller and their own privacy policy applies to their learners.
Your use of BespokeLMS is also governed by our Terms of Service.
Questions about this policy? Email us at privacy@bespokelms.com.
2. Data we collect
We collect personal data in the following contexts:
Website visitors
- Contact form submissions — name, work email address, organisation name, and your message.
- Demo bookings — name, job title, work email, organisation, and team size.
- Analytics — anonymised page views, session duration, and referral source via privacy-first analytics (no personally identifiable information stored).
Customers and trial users
- Account information — name, work email address, job title, and organisation name.
- Billing information — company address and VAT number (payment card data is handled directly by our payment processor and never touches our servers).
- Usage data — feature usage, login events, admin actions, and error logs, used to support you and improve the product.
- Support correspondence — emails and support tickets you send us.
Learners on client-managed platforms
When we operate an LMS instance on behalf of a client, learner data (such as names, progress records, and quiz scores) is processed on that client's behalf. We do not access, use, or analyse this data for our own purposes. The client's privacy policy governs that data collection.
3. How we use your data
We use your personal data only for the following purposes:
- Delivering the service — to provision and maintain your BespokeLMS account, authenticate logins, and provide platform features.
- Customer support — to respond to enquiries, troubleshoot problems, and help you get the most from the platform.
- Billing and invoicing — to manage your subscription, process renewals, and send payment receipts.
- Product communications — to notify you of new features, security patches, and planned maintenance. You may opt out of marketing emails at any time.
- Legal obligations — to comply with UK tax law, respond to lawful requests from regulators, or resolve disputes.
- Product improvement — to understand how the platform is used (using aggregated, anonymised data) so we can make it better.
We will never sell your data, use it for advertising unrelated to BespokeLMS, or share it with third parties for their own marketing purposes.
4. Lawful basis for processing
Under UK GDPR, we rely on the following lawful bases:
| Activity | Lawful basis |
|---|---|
| Providing and maintaining your account | Performance of a contract |
| Billing and invoicing | Performance of a contract / Legal obligation |
| Responding to support enquiries | Legitimate interests (providing contracted support) |
| Product update notifications | Legitimate interests (keeping customers informed) |
| Marketing emails to prospects | Consent (given when submitting our contact form) |
| Security logging and fraud prevention | Legitimate interests |
| Analytics on our website | Legitimate interests (privacy-first, no PII stored) |
5. Data sharing
We share personal data only with the following categories of third party, and only to the extent necessary to deliver our service:
- Cloud infrastructure — our platform is hosted on enterprise cloud providers (currently within the UK/EEA). All providers are bound by Data Processing Agreements.
- Payment processing — subscription payments are handled by our payment provider (currently Stripe). No card data passes through our systems.
- Email delivery — transactional emails (receipts, reset links, notifications) are sent via our email service provider.
- Customer support tooling — support tickets are managed via a helpdesk platform. Only the minimum data required is shared.
- Legal and regulatory authorities — we will disclose data where required by law, regulation, or court order.
We do not share your data with data brokers, advertising networks, or social media platforms.
6. Data retention
- Active account data — retained for the duration of your subscription.
- After account closure — we retain your account data for 30 days, during which time you may reactivate your account or request an export. After 30 days your data is securely deleted. You may request immediate deletion at any time.
- Financial records — invoices and payment records are retained for 7 years to comply with UK HMRC requirements.
- Support records — kept for 2 years after resolution to allow follow-up and quality review.
- Contact form submissions — if no contract is established, data is purged after 12 months of inactivity.
- Learner data (processor role) — retained and deleted in accordance with the client's instructions and their data retention schedule.
7. Your rights
Under UK GDPR you have the following rights. We will respond to all requests within one calendar month.
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — ask us to correct inaccurate or incomplete data.
- Right to erasure — request deletion of your personal data where we have no legal obligation to retain it.
- Right to restriction — ask us to pause processing of your data while a dispute is resolved.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interests (including direct marketing).
- Rights related to automated decision-making — we do not use your data for solely automated decisions that produce legal or significant effects.
To exercise any of these rights, email privacy@bespokelms.com with your request. We may need to verify your identity before responding.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) — the UK's data protection supervisory authority — at ico.org.uk or on 0303 123 1113.
8. Cookies
We use a small number of cookies on this website:
| Cookie | Purpose | Duration |
|---|---|---|
| _session | Keeps you logged in to your BespokeLMS account | Session / 30 days |
| _csrf | Protects against cross-site request forgery | Session |
| _analytics | Privacy-first page view analytics (no PII, no cross-site tracking) | 12 months |
We do not use advertising cookies or third-party tracking pixels. You can disable analytics cookies by adjusting your browser settings — this will not affect your use of the platform.
For full details of every cookie we set, how long it lasts, and how to control it, please see our Cookie Policy.
9. Security
We take the security of your data seriously and apply the following measures:
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256.
- Access to production systems is restricted to authorised personnel, protected by multi-factor authentication.
- We perform regular security reviews and penetration testing.
- Passwords are stored as salted hashes — never in plaintext.
- Our infrastructure providers maintain industry-standard security certifications (ISO 27001, SOC 2 Type II).
In the event of a personal data breach that is likely to affect your rights and freedoms, we will notify you and the ICO within 72 hours of becoming aware, as required by UK GDPR.
10. International transfers
We store and process data primarily within the United Kingdom and the European Economic Area. Some of our third-party service providers may process data in other countries.
Where data is transferred outside the UK or EEA to a country without an adequacy decision, we ensure appropriate safeguards are in place — typically UK International Data Transfer Agreements (IDTAs) or EU Standard Contractual Clauses (SCCs).
You can request details of the specific safeguards in place for any transfer by emailing privacy@bespokelms.com.
11. Changes to this policy
We review this policy at least annually and whenever our data practices change in a material way. The "Last updated" date at the top of this page reflects the most recent revision.
If we make significant changes — for example, changes that affect what data we collect or with whom we share it — we will notify active customers by email at least 30 days before those changes take effect.
Continuing to use BespokeLMS after the effective date of a change constitutes acceptance of the updated policy. If you do not agree with a change, you have the right to close your account and request deletion of your data before the change takes effect.
12. Contact us
For any privacy-related questions, requests, or concerns, please contact us:
We aim to resolve all privacy requests promptly and in good faith. Where you are not satisfied with our response, you have the right to escalate your complaint to the ICO.