Trust Centre

Security, privacy and compliance — the short version

Everything a UK school's DPO, IT lead or bursar needs to review The Business School in one page. The full policy PDFs live on the Documents page.

Status at a glance

Controller
TBS Education Ltd Oy
Helsinki, Finland · Business ID 3614159-3
Data residency
EU (Frankfurt)
Netlify Edge + Neon Postgres
UK GDPR
Compliant
UK Data Protection Act 2018
ICO Registration
ZC133810
Registered · TBS Education Ltd Oy · April 2026
Cisco Talos
Categorised: Education
Verified 1 May 2026 · ticket 7158965
Securly
Educational Games
Both domains verified 4 May 2026 · ticket 1058793
Accessibility
WCAG 2.2 AA target
Statement on this page

What students share with the product

Nickname only. Students choose a nickname to join a session. No real name, email, school email or date of birth is collected from the student.
No pupil accounts. There is no account creation for students. Access is a 6-digit PIN shared by the teacher. Sessions end — no persistent pupil record.
No third-party trackers. No Google Analytics, Facebook Pixel or advertising trackers on student-facing pages.
No device fingerprinting. No cookies beyond a session cookie needed to keep the student connected to the active session.

Sub-processors

ProcessorRoleRegionData
Netlify Website + edge functions EU (Frankfurt) HTTP logs (IP, user-agent, URL). No personal student data.
Neon Postgres database EU (Frankfurt, eu-central-1) Session state, teacher email, student nickname only.
Anthropic AI-report generation (Claude API) EU endpoint Aggregated game decisions per student (no identifying info) for report text.

Documents

Four PDFs your data-protection officer will review. The one-page summary unblocks most DPO approvals without deeper reading.

One-page summary

Data Protection Summary (2026)

What we collect, where it's stored, retention, contact. Written for busy DPOs.

Download PDF
Privacy Policy

Privacy Policy (2026)

Full privacy policy — data subject rights, lawful basis, retention, transfers.

Download PDF
Article-28 DPA

Data Processing Agreement (2026)

Controller/processor DPA ready for schools to sign. Sub-processors listed.

Download PDF
Internal

Internal Data Policies (2026)

Access controls, incident response, staff training, retention.

Download PDF

Accessibility statement

We aim for WCAG 2.2 AA conformance across both the marketing site and the live classroom simulation. Current known gaps (being addressed in Wave 3, May 2026):

If a specific adjustment is needed for a pupil or pilot, email sakari.laajoki@gmail.com and we will prioritise it.

Security

HTTPS is enforced site-wide. For a security issue, email security@thebusiness.school or see security.txt.

Safeguarding and AI safety

AI-generated feedback reports run through Anthropic's Claude API with the teacher's session data only. No chat or free-text input from students reaches the model. No personal identifiers are sent. Output is shown only to the teacher and the individual student. This aligns with KCSIE 2024/25 §143 and the DfE Generative AI Product Safety Expectations.

Data-protection enquiries

Controller: TBS Education Ltd Oy · Business ID 3614159-3 · Helsinki, Finland

UK ICO Registration: ZC133810 · verify on the ICO public register

Email: sakari.laajoki@gmail.com

We aim to respond within 72 hours. For subject access requests, data-deletion requests, or DPA-signing requests, please reference your school name in the subject line.