Privacy Notice

Cypad Limited ("We") are committed to protecting and respecting your privacy.
This policy (together with our website terms of use and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

For the purpose of the Data Protection Act 1998 (the Act), the data processor is Cypad Limited, a company registered in England and Wales with Company Number 04335803, having its registered office at 11 Kingsley Lodge, 13 New Cavendish Street, London, W1G 9UG.

Information we may collect from you

We may collect and process the following data about you:

IP addresses

We may obtain information about your activity on the Cypad website or software, through your I.P address.
An I.P address is a unique set of numbers that identifies devices over the internet.
This helps our development team to troubleshoot, if an issue is raised, to ensure the optimum user experience.
Using the I.P we can perform system administration and report aggregate statistics to understand users' browsing actions and patterns, without identifying any individual.
With the I.P we determine;


We may obtain information about your activity on the Cypad website or software, through cookies.
A cookie is a small file which is stored on the internet browser (example: Explorer, Chrome, Firefox) used on your device.
Our system will issue cookies as soon you visit our site. Except for essential cookies, all cookies will expire after twelve months.

Cookies carry useful data;

Cookies help us to improve our site and to deliver a better and more personalised service. Some of the cookies we use are essential for the site to operate.

You may block cookies by changing the settings on your browser, (each browser varies) to refuse the storage of all or some cookies. However, if you use your browser settings to block all cookies (including essential cookies) you may not be to access all or parts of our site.

If you or your child continue to use our services or site, (this includes your usage through the School, its carers or Contract Caterer), you agree to our use of cookies.

Where we store your personal data

All Cypad data currently resides within the U.K.

The data that we collect from you may be transferred to, and stored at, an alternate destination inside or outside the European Economic Area ("EEA"). We will inform the customer of all our processing operations that are outside of the EEA prior to the point in time in which data is processed in those locations. By submitting your personal data, you agree to this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Notice.

All our servers and subsequent data is securely hosted by "Simply Hosting" (
The Data is held within their facilities based in Reading, UK. All data resides within the EEA.
The facilities and staff are ISO27001 certified.
Staff at Simply Hosting do not have access to your personal data.

We upload hourly database backups to a third-party cloud provider, "Cloud Direct" (
The backups are protected in transit with military grade 256-bit encryption.
The data is stored within facilities based in the UK. All data resides within the EEA. The facilities and staff are ISO27001 certified.
Staff at Cloud Direct do not have access to your personal data.

Numeric and anonymised test data may also be processed by staff operating outside the EEA who work for Cypad Ltd. Such staff maybe engaged in, among other things, the provision of support services or software upgrades.

How we secure your data

All data you provide to us is stored securely on our system.

Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. The security of your Personal Information is important to us, but please be aware that no method of transmission over the internet, or method of electronic storage, is 100% secure. We cannot guarantee its absolute security; however, we have applied the necessary industry standard security measures to protect your Personal Information.

Your credentials

Where we have given you (or where you have chosen) a username and password which enables you to access certain parts of our site, you are responsible for keeping these credentials confidential. We ask you not to share a password with anyone.

Uses made of the information

We use information held about you in the following ways:

We will only share your data with your child's School, or Contract Caterer. We will never sell or supply your data to any other third parties.
We do not disclose information about identifiable individuals to advertisers.

We will only contact you by electronic means (e-mail or SMS) with information about services, such as;

If you do not want us to use your data in this way;

New customer - Please decline this Privacy Notice to exit the service and your data will not be processed.

Existing customer - Please refer to the section in this Privacy Notice ‘Access to information – Subject Access Requests’ to invoke your right to stop us processing your data, and at your request erase that data.
Please be aware that if we erase your data, you will not be able to use Cypad software again, until you submit a new registration. Please notify us by email, specifying your request, at

Disclosure of your information

We may disclose your personal information to any member of our group, which means our subsidiaries, our holding company and its subsidiaries, as defined in section 1159 of the Companies Act 2006.

"Group" means the Company, any subsidiary or any holding company from time to time of the Company. Group Companies include:

The development teams across the Group companies are managed by the Parent Pay group and are instructed and audited by the Chief Operating Officer at Parent Pay. Where Cypad requires technical expertise, we draw upon Parent Pay and vice versa. Parent Pay are investing in Cypad I.T Infrastructure to improve performance and security and to guarantee this upgrade, group development staff require access to the customer data at a database level but will seldom require access to personal information.

Your rights

Cypad does not currently conduct direct marketing. However, we will usually inform you (before collecting your data) if we intend to use your data for such purposes. You can exercise your right to prevent such processing by contacting us at

Our site may, from time to time, contain links to and from the websites of our partner networks and affiliates. If you follow a link to any of these websites, please note that these websites have their own Privacy Notices and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal data to these websites.

General Data Protection Regulations (GDPR)

On 27th April 2016, the European Parliament, Council of the European Union and the European Commission adopted new regulations regarding data protection and the rights of individuals within the European Union. The regulations come into force on the 25th May 2018.

The GDPR regulations will replace and build upon elements of the Data Protection Act 1998 (DPA). GDPR will still be implemented irrespective of Brexit, however we are closely monitoring proposed or actual changes to the regulations and will amend our Privacy Notice and processes to reflect these.

We are prepared to align with and meet the policies and principles, where applicable, set out within the GDPR regulations.

We take information, advice and recommendations from the Information Commissioner's Office (ICO), the UKs independent authority to uphold information rights and data privacy.

For the GDPR regulations under article 37 we have appointed a Data Protection Officer (DPO). The DPO, can be contacted via

Purpose for processing

To provide tablet and web-based solutions for school catering, cleaning, local authorities and service organisations.

To offer school catering services a suite of apps that support the process of providing a school meals service: selecting meals; managing production; recording meals taken; paying for them; providing performance indicators and monitoring the service.

Special categories of data

Special category data is personal data which the GDPR regards as more sensitive, and so requires more protection.

We process two types of special category health information;

Article 9(2) of the GDPR sets out the conditions for the processing of special category data to be lawful.

We process special category data on the basis set out in Article 9(2)(g): “processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject”.

The processing of allergen and dietary information is necessary for reasons of substantial public interest, to safeguard the health of data subjects.

Access to information - Subject Access Requests

A Subject Access Request (SAR), is a written, signed request from a data subject to identify what personal data an organisation is processing on their behalf, why that organisation holds it, and who it is disclosed to. This right, commonly known as subject access, is set out in section 7 of the Data Protection Act (1998). Cypad recognises the rights of the data subject under the GDPR.

In accordance with GDPR, a Subject Access Request is no longer subject to a fee, as incurred under the DPA. However, Cypad has a right to charge a reasonable fee, should the requests from the Data Subject be manifestly unfounded or excessive, in particular because of their repetitive character. For the same reasons, Cypad can refuse the request. However, Cypad must respond to all written requests within one calendar month stating our progress or the reasons for the refusal, or any charge that may be incurred. Cypad can extend the time to deal with the request by two further months considering the complexity and number of requests, so long as we respond to the initial request within one calendar month and state the reasons for the delay. Cypad will authenticate all individuals requesting data, by either contacting the Data Controller (Contract Caterer), or requesting photographic I.D.

All data associated with the Subject Access Request will be stored within our Zendesk support system, with a unique reference code for that Data Subject, and will include the initial request, email correspondence, photographic identification and responses. This will be kept for one year, following a completed response or resolution and deleted.

If you wish to exercise your right of access, please email and we will supply you with an Access Request Form. Data subjects can also submit request by post to: Cypad Ltd, Monarch House, Queen Charlotte Street, Bristol, BS1 4EX. The Subject Access Request Form is a guideline for a Data Subject to use their rights and what data they are requesting. The ICO states that there is no legally prescribed form nor can Cypad force the Data Subject to use our in-house form, however should the data subject choose not to use our guideline form, then we will be requesting further information by phone with similar questions.

The Data Subject ("You"), may not be aware of the rights you have under GDPR. This policy sets out the additional rights which a living natural person or individual can exercise once GDPR comes into force. The rights which you the Data Subject wish to exercise must be defined within the Subject Access Request.

Download the Subject Access Request Form

Rights of the natural person

  1. The right to be informed
  2. Cypad will inform data subject(s) about the reasons for which their data is processed. This must be explicit and transparent through the company Privacy Notice. The Privacy Notice must be easily accessible.

  3. The right of access
  4. Cypad will confirm with the data subject(s) whether we process their data. In the event, we do process that data, we must provide the data subject(s) access to that data in a readable and portable format such as excel or .csv.

  5. The right of rectification
  6. Data subject(s) have a right to have their personal data rectified, if the data is inaccurate or incomplete. If the data has been shared with a third party, that data must also be rectified. Cypad will perform the rectification and inform the data subject to whom the data has been disclosed.

  7. The right to erasure
  8. Otherwise known as "The right to be forgotten", Cypad must enable data subject(s) to request that their personal data is deleted or removed from Cypad Personal Information Management systems (PIMS). Cypad will endeavour to remove all identifiable instances of the data subject from Cypad where the data subject exists. Cypad reserves the right to preserve aspects of the data, if;

  9. The right to restrict processing
  10. Data subject(s) have the right to block or suppress processing personal data. In this situation, Cypad can continue to hold the data which has been processed already, however, Cypad must not further process data on behalf of the data subject(s). This means Cypad must disable accounts or records for that data subject or apply the necessary changes to the functionality of the software, to prevent further data processing on behalf of that data subject.

  11. The right to data portability
  12. Cypad must provide the data subject(s) data in an easily accessible, portable and legible format.Examples of portable data can include, but are not limited to:

    The data must be provided to the data subject in a safe and secure way, typically encrypted with a password. Cypad adheres to a document encryption policy, referenced within the Cypad Information Security & Business Continuity Policy. We encrypt all documents with personally identifiable information with a password before submitting to the relevant individual(s).

  13. The right to object
  14. Data subject(s) can object to Cypad data processing on grounds relating to their "particular situation". The following reasons are valid to object;

    If the Data subject exercises their right to object, Cypad must stop processing their data (as defined in 5. The right to restrict processing) unless we can show that; The processing is based on legitimate interests, such as:

    If Cypad stops processing for the reasons above, then it must be "explicitly brought to the attention of the data subject and shall be presented clearly and separately from any other information".

  15. Rights in relation to automated decision making and profiling
  16. Individuals have the right not to be subject to a decision when:

    Cypad must ensure that individuals can:

Changes to our Privacy Notice

Any changes we may make to our Privacy Notice in the future will be posted on this page.


Questions, comments and requests regarding this Privacy Notice are welcomed and should be addressed to