This notice explains how Woodrup Creation Group Ltd (“WCG”, “we”, “us”) processes personal data across our website and products: WCG Digital, Postilion, Child Protect Online, Little Listeners Club and WCG-BiOS. We take privacy seriously because two of our products deliberately involve children — and one of them processes safeguarding incident data from schools.
Controller: Woodrup Creation Group Ltd, a company registered in England and Wales, company number 14982110.
Registered office: [CONFIRM: full registered address, London].
ICO registration: [CONFIRM: ICO data-protection registration reference — required before we may process personal data].
Contact for privacy questions: privacy@wcg.digital (or create@wcg.digital).
We process different categories of data depending on the product. Each row below is a separate processing activity with its own lawful basis under the UK GDPR.
| Activity | Data | Lawful basis | Retention |
|---|---|---|---|
| Website waitlists & contact forms | Name, work email, organisation, free-text notes | Legitimate interest (responding to enquiries) | 24 months from last contact |
| Postilion pilot & subscription | Business contact, fleet metadata, depot details | Contract (B2B) | Duration of contract + 7 years (tax records) |
| Child Protect Online — pupil safeguarding signals | Pseudonymised pupil identifier, device metadata, incident metadata classified by category; special-category data where applicable | Performance of a contract with the school (controller-to-controller or joint controller — see DPA) | Defined in the school’s DPA; default 1 academic year unless required for ongoing safeguarding |
| Little Listeners Club — device interactions | Child voice samples (on-device by default), parent account, optional parent voice sample for narration | Explicit parental consent | Until consent withdrawn or device returned; voice samples deleted on parent request |
| WCG-BiOS — build log subscribers | Name, email, sector, team size | Consent (newsletter) | Until you unsubscribe |
Child Protect Online only processes pupil data under a written Data Processing Agreement (DPA) with the school, in line with KCSIE 2024, the DfE’s filtering and monitoring standards, and the ICO’s Age-Appropriate Design Code. We do not market to children, and we do not use pupil data to train general-purpose AI models. Schools receive a DPIA pack before any data flows.
Little Listeners Club requires explicit parental consent for every device. The default mode keeps voice samples on the device. If you choose to record a parent voice for narration, that recording stays under your control: you can delete it at any time and it is not used to train shared models.
Resend processes email in the United States. Where personal data leaves the UK we rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses. Plausible is hosted in the EU.
Under UK GDPR you have the right to access, rectify, erase, restrict, port and object to processing of your personal data, and to withdraw consent. Email privacy@wcg.digital and we will respond within one calendar month.
You also have the right to complain to the Information Commissioner’s Office (ico.org.uk). We would appreciate the chance to address concerns first.
We follow industry-standard controls: encrypted transport (TLS 1.2+), encryption at rest in GCP-managed services, least-privilege access, audit logging, and a documented incident-response process. Pilot agreements with schools include breach-notification commitments aligned to UK GDPR Article 33.
If we materially change how we process data, we will update this notice and, for existing users, notify by email.
28 May 2026 · v1.0 · Reviewed by [CONFIRM: name & role]