Legal Document

Privacy Policy

Effective: 12/03/2026 Version 1.0 Medvia Consulting Ltd · CRN 17088948

This Privacy Policy explains how Medvia Consulting Ltd collects, uses, stores, and protects your personal data, and sets out your rights under UK data protection law.

Medvia Consulting Ltd · CRN 17088948 20 Wenlock Road, London, N1 7GU info@medviaconsulting.co.uk www.medviaconsulting.co.uk

This policy applies to all clients, students, prospective clients, school partners, and visitors to our website. Please read it carefully. By using our services or website, you acknowledge you have read and understood this policy.

1. Who We Are

Medvia Consulting Ltd ("the Company", "we", "us", "our") is a company registered in England and Wales under company number 17088948. Our registered office is at 20 Wenlock Road, London, N1 7GU.

We are the data controller in respect of any personal data you provide to us or that we collect in connection with our services and website. This means we determine the purposes and means by which your personal data is processed.

You can contact us at any time regarding this policy or your personal data at info@medviaconsulting.co.uk.

We are registered with the Information Commissioner's Office (ICO) as a data controller. Our ICO registration number is ZC105495 .

2. Data We Collect

2.1 Client and Student Data

When you enquire about or purchase one of our programmes, we may collect:

  • Full name (client and/or student)
  • Email address and telephone number
  • Date of birth and age (to confirm eligibility for programmes)
  • School or sixth form name and year group
  • Academic grades, predicted grades, and examination results
  • Personal statement drafts and supporting documents
  • Extracurricular activities and work experience details
  • Details of universities applied to or under consideration
  • UCAS application information and admissions test scores
  • Any other personal information you choose to share with us in the course of receiving our services

2.2 Payment Data

We process payments via third-party payment platforms. We do not store your payment card details. Any payment data is processed and held by the relevant payment provider in accordance with their own privacy policy.

2.3 Communication Data

We retain records of communications between you and us, including emails, messages, and notes from consultations, for the purpose of delivering and administering our services.

2.4 Website and Technical Data

When you visit our website, we or our third-party service providers (including Squarespace) may automatically collect certain technical information, including your IP address, browser type and version, pages visited, time and date of your visit, and referring website. This is collected via cookies and similar technologies — see Section 9.

2.5 School Partnership Data

Where we work with schools or sixth forms, we may collect contact details of staff members and, with appropriate consent, limited information about student cohorts for the purpose of delivering workshop and partnership programmes.

3. How We Collect Your Data

We collect personal data through the following means:

  • Directly from you when you submit an enquiry form on our website
  • When you book a discovery call or consultation via our appointments system
  • When you purchase a programme and complete our onboarding process
  • Through email correspondence and consultation sessions
  • From documents and materials you share with us as part of your programme
  • Automatically via cookies and analytics tools when you browse our website
  • From schools or educational institutions where we have an established partnership and appropriate arrangements are in place

4. Our Lawful Basis for Processing

Under the UK General Data Protection Regulation (UK GDPR), we are required to identify a lawful basis for each type of processing we carry out. The table below sets out the personal data we process and the lawful basis we rely on in each case.

Purpose of ProcessingData InvolvedLawful Basis
Delivering our advisory programmes and servicesName, contact details, academic data, personal documentsContract performance (Article 6(1)(b) UK GDPR)
Responding to enquiries and providing pre-sale informationName, email, enquiry detailsLegitimate interests (Article 6(1)(f)) — to respond to prospective clients
Processing payments and managing accountsName, email, payment confirmationContract performance (Article 6(1)(b))
Sending service-related communications (appointment reminders, updates)Name, email, programme detailsContract performance (Article 6(1)(b))
Marketing communications (where consent given)Name, emailConsent (Article 6(1)(a))
Complying with legal obligationsName, financial recordsLegal obligation (Article 6(1)(c))
Improving our services and internal quality assuranceAnonymised programme and outcome dataLegitimate interests (Article 6(1)(f))
Processing data of students under 18 with parental consentStudent personal and academic dataConsent via parent/guardian (Article 6(1)(a))

Where we rely on legitimate interests as our lawful basis, we have carried out a balancing test and are satisfied that our interests do not override your rights and freedoms. You may request further information about this balancing test by contacting us.

5. How We Use Your Data

We use the personal data we collect for the following purposes:

  • To deliver and administer the programme you have purchased, including preparing your Admissions Report, conducting consultations, and providing ongoing advisory support
  • To communicate with you about your programme, appointments, and any updates relevant to your application
  • To process payments and maintain accurate financial records
  • To respond to your enquiries before, during, and after your programme
  • To send you marketing communications about our services, where you have provided consent to do so
  • To improve the quality of our services using anonymised and aggregated data
  • To comply with our legal and regulatory obligations
  • To enforce our Terms and Conditions where necessary

We will not use your data for any purpose that is incompatible with the purposes for which it was originally collected, without first informing you and, where required, obtaining your consent.

6. Sharing Your Data

We do not sell, rent, or trade your personal data. We may share your data with third parties only in the following limited circumstances:

6.1 Service Providers

We use a small number of trusted third-party platforms to operate our business. These include our website platform (Squarespace), scheduling and appointment tools, and payment processors. These providers act as data processors on our behalf and are contractually required to handle your data securely and only in accordance with our instructions.

6.2 Legal Requirements

We may disclose your personal data where we are required to do so by law, regulation, or court order, or where disclosure is necessary to protect the rights, property, or safety of the Company, our clients, or others.

6.3 Business Transfer

In the event of a merger, acquisition, or sale of all or part of our business, your personal data may be transferred to the relevant third party. We will notify you in advance of any such transfer and of any changes to this Privacy Policy that may result.

We will never share your personal data with third parties for their own marketing purposes.

7. International Data Transfers

Some of the third-party service providers we use may process personal data outside the United Kingdom. Where this is the case, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements, such as the use of the International Data Transfer Agreement (IDTA) or equivalent mechanisms approved by the ICO.

Squarespace, Inc., our website platform, is based in the United States. Squarespace processes data in accordance with UK GDPR and has implemented appropriate transfer mechanisms. Full details can be found in Squarespace's own privacy policy.

If you would like further information about the safeguards we have in place for international transfers, please contact us at info@medviaconsulting.co.uk.

8. How Long We Keep Your Data

We retain personal data only for as long as is necessary for the purposes for which it was collected, and in accordance with our legal obligations. Our standard retention periods are as follows:

  • Client and student programme data (including Admissions Reports, consultation notes, and correspondence) — retained for 3 years from the end of the programme, to allow for any queries, complaints, or Interview Assurance claims
  • Financial records and payment information — retained for 7 years in accordance with HMRC requirements
  • Enquiry and pre-sale correspondence — retained for 12 months from the date of enquiry where no programme is purchased
  • Marketing consent records — retained until consent is withdrawn, plus 12 months thereafter for compliance evidence
  • Website analytics data — retained in accordance with our third-party providers' standard retention periods (typically 26 months)

At the end of the relevant retention period, personal data will be securely deleted or anonymised. If you request deletion of your data before the end of a retention period, we will comply unless we are required by law to retain it.

9. Cookies

Our website uses cookies and similar tracking technologies. Cookies are small text files placed on your device when you visit a website. They help the website function, improve your experience, and allow us to understand how the site is used.

9.1 Types of Cookies We Use

  • Strictly necessary cookies — essential for the website to function. These cannot be disabled.
  • Analytics cookies — help us understand how visitors interact with our website (e.g. pages visited, time spent). These are set by Squarespace and/or Google Analytics. We only set these cookies with your consent.
  • Functional cookies — remember your preferences to improve your experience. Set with your consent.

9.2 Your Cookie Choices

When you first visit our website, you will be presented with a cookie banner giving you the opportunity to accept or decline non-essential cookies. You can change your cookie preferences at any time by clearing your browser cookies and revisiting our site, or by adjusting your browser settings.

Please note that disabling certain cookies may affect the functionality of our website.

9.3 Third-Party Cookies

Our website is built on the Squarespace platform. Squarespace may set its own cookies for website functionality and analytics purposes. Please refer to Squarespace's Cookie Policy for full details.

10. Your Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to certain exemptions, but we will always respond to your request within one calendar month.

Right of Access

You have the right to request a copy of the personal data we hold about you (a Subject Access Request).

Right to Rectification

You have the right to ask us to correct any inaccurate or incomplete personal data we hold about you.

Right to Erasure

You have the right to ask us to delete your personal data where there is no compelling reason for us to continue processing it.

Right to Restrict Processing

You have the right to ask us to restrict how we use your data in certain circumstances, for example while a complaint is being investigated.

Right to Data Portability

Where processing is based on consent or contract, you have the right to receive your data in a structured, commonly used, machine-readable format.

Right to Object

You have the right to object to processing based on legitimate interests, and to object to direct marketing at any time.

Right to Withdraw Consent

Where processing is based on your consent, you may withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing prior to withdrawal.

Rights re: Automated Decisions

You have the right not to be subject to solely automated decisions that have a significant effect on you. We do not carry out automated decision-making.

To exercise any of these rights, please contact us at info@medviaconsulting.co.uk. We may ask you to verify your identity before processing your request. There is no charge for exercising your rights in most circumstances.

11. Children's Data

A significant proportion of our clients are students under the age of 18. We take the protection of children's personal data very seriously.

Where a Student is under 18, we require a parent or legal guardian (the "Client") to enter into our agreement on their behalf. By doing so, the Client provides consent on behalf of the Student for the processing of their personal data as described in this policy.

We will not knowingly collect personal data from a person under the age of 18 without verifiable parental or guardian consent. If you believe we have inadvertently collected such data without appropriate consent, please contact us immediately at info@medviaconsulting.co.uk and we will take prompt steps to delete it.

We do not use children's personal data for marketing purposes.

Our processing of children's data is carried out in accordance with the ICO's Children's Code (Age Appropriate Design Code) where applicable.

12. How We Keep Your Data Secure

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, loss, destruction, or alteration. These include:

  • Use of secure, password-protected email and communication channels
  • Storage of data on platforms with industry-standard security (including Squarespace and Google Workspace)
  • Limiting access to personal data to those within the Company who need it to deliver services
  • Regular review of our data handling practices
  • Use of encrypted connections (HTTPS) on our website

No method of electronic transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your data, we cannot guarantee absolute security. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the ICO as required by law, without undue delay and within 72 hours of becoming aware of the breach.

13. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, services, or legal obligations. The current version will always be available on our website at www.medviaconsulting.co.uk, with the effective date clearly displayed.

Where we make material changes to this policy, we will use reasonable efforts to notify existing clients by email. We encourage you to review this policy periodically.

Continued use of our services following notification of an updated policy constitutes acceptance of the revised terms.

14. Contact & Complaints

14.1 Contact Us

If you have any questions about this Privacy Policy, wish to exercise any of your data rights, or have a concern about how we handle your personal data, please contact us:

We will acknowledge your request within 3 working days and aim to respond in full within one calendar month.

14.2 Complaints to the ICO

If you are not satisfied with our response to any data protection concern, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent data protection supervisory authority.

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would, however, appreciate the opportunity to address your concern directly before you contact the ICO, so please reach out to us in the first instance.

This Privacy Policy was last updated on . Version 1.0. Medvia Consulting Ltd, CRN 17088948.