Data, Privacy and Cookies Policy


The Boxall Profile® Online (“the website”) provides a bank of assessment tools, resources and functionalities to support education professionals and other professional services to identify and respond to the social, emotional, behavioural and/or mental health difficulties of children and young people.

As part of using the website, organisations will choose and consent to the provision of organisational and personal data (the “data”) through the inputting of relevant information to the website. In doing so, nurtureuk acknowledges that the ownership of the data remains with the administrating organisation (i.e. the organisation that the subscription was purchased for or that has been granted access to the website for research purposes, or the individual account owner that purchased tokens).

By using the Boxall Profile, a subscribing organisation is accepting the Data Processing Agreement within the terms and conditions for use of the service).

While using the website, we will require certain data about your organisation, yourself and the children and young people you wish to assess using the Boxall Profile. We are committed to protecting this information. This document will set out the basis on which we will collect, store and process any personal information we collect from you or that you provide to us.

Any questions regarding this data, privacy and cookies policy or complaints should be sent by email to or by post to:

Data Protection Officer
Nurtureuk, Insight House, Riverside Business Park, Stoney Common Road, Stansted, Essex, CM24 8PL

You can also get in touch with the Information Commissioner’s Office (ICO) for any complaints related to our information rights practices. For up-to-date contact information, please check

Who are we?

The website ( is owned and operated by The Nurture Group Network Limited, trading as nurtureuk Our registered charity numbers are 1115972 (England, Wales and Northern Ireland), SC042703 (Scotland). For more information about the charity, please click here.

What is the Boxall Profile® Online?

The Boxall Profile® Online is the website that hosts the digital version of the Boxall Profile® assessment and stores a range of strategies, resources and tools to support education professionals and other professional services. For more information on the Boxall Profile®, please click here.

Terms used

The terms "nurtureuk", "we", "us", "our" and "ours" when used in this policy mean nurtureuk.

The terms "you", "your" and "yours" when used in this policy means any user of the Boxall Profile® Online.

The terms “pupil”, “child”, “children”, “young person” and “young people” refer to anybody being assessed by an adult (e.g. teacher, school staff, professional services, etc.) using the Boxall Profile® Online.

The term “organisation” means any school, local authority, multi-academy trust, professional service, or individual that has registered and is accessing the website (either following trial use, the purchase of tokens or a subscription, or by taking part in a research project). The organisation is represented by an account administrator (or the “admin user”), who is generally the person who first registers the organisation on the website, but may also be another user that has been granted the rights to administer the account of the organisation.

Data privacy

Data we collect, store and process

Pupil data

Every pupil assessed using the website has their own unique reference or Electronic Boxall Profile® (“EBP”), a unique identifier of the pupil automatically generated by the platform or chosen when a user creates a new pupil’s record (e.g. the pupil’s Unique Pupil Number). Users shall ensure they know the EBP number of each pupil assessed. Users shall also ensure that the same EBP is used when assessing a pupil more than once.

You may choose to provide another identifier for pupil data (such as their unique pupil number or another identifier used by your systems) in addition to the randomly generated EBP to make it easier to use the website and to monitor pupil data. We strongly advise that you do not use an identifier that makes any pupil directly identifiable (such as the pupil's name). Instead, we suggest maintaining an offline list (in a secure location) of all the pupils under your care, with the corresponding EBPs and/or identifiable details for your own reference.

Personal pupil data will never be used by nurtureuk for marketing, communications or research purposes, or shared with any third party without the express consent obtained from the owner of the relevant EBP.

To complete an assessment, we will ask you to provide the mandatory details about the pupil being assessed such as date of birth and gender, year group, class name, current SEBD/SEMH support accessed by the child or young person, nurturing provision accessed, context in which the child or young person is assessed, any individual factors affecting the overall development of the child/young person, for you to understand and record the context in which the pupil is assessed.

User-created website content

The website may allow users to upload content visible to all other users in the learning plan, such as new resources.

It is your responsibility to ensure that you do not provide any personal information when creating content that is shared with other users on the website, including pupils’ names, nicknames or initials as well as personal or organisational information. Nurtureuk will endeavour to delete any user-created content that contains any identifiable information. However nurtureuk cannot be held responsible for any personal information users have inputted when creating content on the website.

If you have created website content that contains identifiable information please remove the content accordingly using the editing options or get in touch at to request the removal of the item created.

User data

When setting up and using your account with us, we ask you to provide the following mandatory details: email address, full name, organisation details, phone number, billing information and payment details for processing purchases through our website. This is to be able to identify you when you get in touch as well as to comply with the financial and audit rules.

If you choose to invite other users to access your organisation and/or benefit from your subscription, please note they will be able to access the following details: organisation’s name and details, administrator's full name and email address. They may access additional data depending on the roles you have assigned them. Please see the section ‘Keeping your data safe’ below for more information.

When you engage with us, for example, access our information, use our website, report a problem with our website or want to complain, we may collect and process personal information about you. Depending on your activity, this personal information may include your name, email address, telephone number or financial details you have provided. When you contact us, we will ask you a few questions to be able to identify you, your organisation and your user account. We may keep a record of that correspondence.

By submitting this personal information you enable us to support you effectively and/or provide you with the information, services, products or support you selected or requested. We may also collect details of your visits to our website, including but not limited to traffic data, location data, weblogs, and other communication data and the resources that you have accessed.

To help us create a more effective website that reflects users' needs, we may also use cookie files to collect and record information about how our site is used and collect your IP address (a number that identifies a specific internet connection) for system administration and to report aggregated information. Unless you register and sign in to your user account, cookie files and IP addresses will not identify you as an individual. For more information on cookie files and IP addresses, please read our cookies policy. By continuing to use our website, you agree to our use of cookies.

Keeping your data safe

It is your responsibility to protect your pupils’ data, personal data or organisational data inputted and stored on the website against unauthorised access. Please refrain from sharing your password/username or access to your user account to any other person or organisation. Please also ensure you sign out when you finish using the website on a shared computer and ensure you do not opt for devices to remember your access details if they are accessed by other individuals.

It is the responsibility of the administrator user to ensure any user linked to the organisation should be allowed to access or see the data the organisation has created or stored on the website. Different user roles are available to ensure members of an organisation can access the information relevant to them e.g. financial details for a user with a finance role, pupils’ data for teaching staff and so on. It is the responsibility of the administrator user to ensure that every user using the website as part of their organisation has been allocated the correct role and does not access sensitive information that they should not be able to access. You can find information about the different types of roles and their rights via our frequent asked questions area of the website, Help Centre (powered by Zendesk) or by contacting us directly.

Data ownership

Any organisational or personal data entered by a user and stored on the website remains the property of the administrating organisation the user belongs to, or the owner of the individual account that purchased tokens to allow the user to complete the assessments.

An EBP and all the associated pupil data and Boxall Profile® assessments entered by a user on the website are owned by the administrating organisation, i.e. the organisation that purchased access to the website via a subscription or tokens.

The data created by any user belongs to the organisation the user is part of. If individual users choose to delete or unlink their account to their parent organisation, or if the admin user chooses to remove a user from their organisation, any pupil data created or edited by the individual user will remain accessible and owned by the parent organisation. As a consequence of deleting or unlinking their account, users will not have access to any pupil data owned by the organisation.

The admin user of one organisation may choose to merge their organisation with another organisation. For example, an individual user who previously assessed pupils using tokens may want to merge with another user to create a school’s organisation. Admin users may want to fully, or partially, merge their organisation:

Deleting data

You have the right to delete or edit any data you have inputted or stored on the website, with the exceptions noted below.

We’re legally required to hold some personal information to fulfil our statutory obligations – for example, we're required to hold some information related to financial transactions. We may also be required to hold some data to meet other legal or contractual requirements, and in some cases where a separate data processing agreement (for example, with your employer, or with an organisation that has commissioned services on your behalf) covers the use of all or some of your data.

For pupil data, the admin user or super-user of your organisation can delete Boxall Profile® assessments or EBP records directly from their dashboard, irrespective of who created them.

Any data you have provided on the website including pupil data, personal or organisation data will be stored securely on our servers as long as it is needed for you and your organisation to use the website effectively, as well as for any relevant communication, research and improvement purposes.

If you are the admin user of an organisation, you will need to contact nurtureuk to delete your account. Deleting your account will lead to the deletion of your organisation’s account and any data owned by your organisation, unless you appoint someone else as the admin user. If you choose to delete your account without appointing another admin user, your personal data as well as any organisation and pupil data linked to your account will be deleted from the website and from our servers according to data-protection rules. None of the users belonging to your organisation will be able to access the organisation. However, their user accounts will not be deleted. If you are a user belonging to an organisation, only your personal data will be deleted; your organisational data as well as any pupil data you have inputted will remain accessible to users linked to your organisation with the relevant access rights unless the admin user chooses to delete the information.

If you no longer wish nurtureuk to store or use your information, you can contact our Data Protection Officer to request the deletion of your account. In such circumstances, you will no longer be able to access your account, the organisation you belong to or the information stored on your account.

We reserve the right to delete or archive the data associated with your account in line with the policy set out below.

We will not delete or archive data from active subscriptions. We may delete or archive data if a subscription has been inactive (with no logins or assessments completed) for two years. Other agreements may apply that will extend this period.

How we may use information

We may use any information you provide on the website in the following ways:

  1. To allow you to participate in interactive features on our website, when you choose to do so. For example, we may generate reports or paid invoices or help you complete forms by pre-filling them, using information you have previously provided.
  2. To help administer user accounts and answer user queries.
  3. To inform you about updates made to the Boxall Profile® Online that are relevant to our users.
  4. To provide you with information (including marketing, fundraising or campaigning activities), services or products you have requested.
  5. To process personal information and information about organisations for the purposes of customer analysis and direct marketing to help us with our activities and to provide you with the most relevant information, such as surveys.
  6. To analyse and improve the services offered on our website by providing you with the most user-friendly navigation experience we can for your computer or other internet device.
  7. With your IP address and anonymised information about your access and use of features, your device and your browser, to identify your approximate location, analyse usage patterns, block disruptive use, and to establish the number of visits to the website from different countries and locations, or using different devices, for research and security purposes.
  8. To investigate research questions related to children and young people’s mental health; wellbeing; social, emotional and behavioural difficulties; nurture groups; or the Boxall Profile®.
  9. As part of our wider research focus and to improve future products, when we may use anonymised data to analyse historic trends and updating the Boxall Profile® norms.

Identifiable pupil data (e.g. pupil identifiers) cannot usually be downloaded by nurtureuk’s web administrators or user support services for research purposes, unless it has been entered in the incorrect field. However, we can see this information on individual accounts, so we can provide you with high-quality customer service.

User queries

We endeavour to provide the best user support to ensure users are able to access and use the website effectively. For any queries, please visit our Help Centre at If you don't find the information there, please contact us directly via Help or, or give us a call us at +44 (0) 20 3962 0886.

We endeavour to answer user queries within five working days. However this duration may be extended during periods of increased activity such as before or after school holidays, when the number of user requests significantly increases.

To provide the most effective user support we may ask you to provide personal, organisation or pupil information that will help us answer your query. On occasion we may ask you to provide a proof of identity before we disclose personal information to you.

Organisations have access to a broad range of information about their accounts and interactions. On request, any user whose personal information we hold may request a copy of that information. In addition, on request, we will anonymise, amend or erase any personal information we hold in relation to a user or an organisation. Pupils and/or parents cannot request us access to their own/pupil’s personal details, but on request a user can access this information on their behalf using the options available on your account.

How we will contact you

We will contact you by phone or email only if any instances in this policy applies. You can contact us to change your contact preferences by emailing or calling +44 (0) 20 3962 0886.

We will never contact you to send you information about promotional and marketing materials from Boxall Profile® Online team or from nurtureuk by email or phone unless you have given us your prior permission when signing up to the website.

How we handle your information and other organisations

Secure Socket Layer (SSL) encryption is used on the website to encrypt the information you provide us. This ensures that the data is collected and stored securely.

Only our nurtureuk approved support staff and/or the technical collaborators can access your data under the following circumstances:

Nurtureuk will not rent or sell your personal information to other organisations for use by them in their own direct marketing activities.

We may disclose your personal information to third parties if we are under a duty to disclose or share your personal data in order to comply with any legal obligation; or in order to enforce or apply our terms of use for this website or other agreements; or to protect the rights, property or safety of nurtureuk, our donors or others; when you act in a professional capacity, we may share the details of the account with the headteacher of the school or director of the organisation. This includes exchanging information with other companies and organisations for the purposes of fraud detection and protection.

We may be required to share some personal information with our auditors or insurers as part of audit or investigations into insurance claims, but we will always do so to the minimum degree possible, and under conditions of confidentiality. Also, if we investigate a complaint, we will need to share personal information with the organisation concerned and with other relevant bodies if applicable. Further information is available on request about the factors we shall consider when deciding whether information should be disclosed.

How we handle direct debit or credit card information

Nurtureuk will ensure that sensitive information such as debit cards, credit cards or personal information will be collected and stored securely. We and our partners always use SSL encryption to encrypt data sent between the customer and us or our partners.

Nurtureuk is Payment Card Industry (PCI) compliant and uses external PCI compliant providers to collect this data on our behalf. We do not store PCI data on our own systems. We use GoCardless to collect Direct Debit and Stripe to accept and process payments.

To protect yourself when sending us sensitive information, please ensure that you use devices running supported operating systems and browsers that are regularly updated, and incorporate some form of malware protection. Only connect your devices to networks that you trust. We are not responsible for the security of your own devices or network.

How we handle data for research purposes

We use the website to collect and analyse data for research purposes. Nurtureuk uses the data to better understand the SEMH difficulties experienced by children and young people in the UK and beyond, in order to raise awareness of pupils’ needs in education and at the government-level. All data used for research purposes is anonymised and only used once all personally-identifiable information has been removed and data has been aggregated, so that no findings released by nurtureuk can be attributable to a specific pupil, a specific user or a specific organisation.

We will not disclose any identifiable information about individual EBPs or group of EBPs with other parties without consent. We use aggregated and anonymised data related to EBPs for research purposes, create awareness of social, emotional and mental health difficulties among the public at large and relevant authorities. For any other purposes, you will be asked for consent.

We may ask you to complete surveys that we use for research and user experience improvement purposes, although you do not have to respond to them.

Securing your passwords

Your password is encrypted and stored securely on our servers. We do not keep a record of your password. Please refrain from sharing your password details with nurtureuk staff when sending queries or calling regarding your account.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website, you are responsible for keeping the password confidential. You agree not to share that password with anyone else.

Where we store information and details of sub-processors of data

For the Boxall Profile® Online, nurtureuk uses Internet Service Providers and servers located within the UK, and all data related to children and young people is held solely on these servers. All our servers are located in the UK, and all data is encrypted at rest and in transit. Our servers are secured by the hosting organisation in line with the following certifications for data security: SOC 1 Type II, SOC 2 Type II, ISO/IEC 27001:2013, PCI-DSS.

In addition to the standard protection offered by our hosting organisation, we contract with a third-party specialist organisation to test the security of our platform at least annually, and ensure that any recommendations are acted upon within reasonable time. Nurtureuk ensures that your personal information is held by our Internet Service Providers in compliance with UK data protection law, including the Data Protection Act 2018 and the UK GDPR.

Access to your data within the website is restricted to a small group of trained nurtureuk administrators, with multiple levels of security protection to prevent unauthorised access.

By submitting your personal information to our website, you agree to the transfer, storing or processing of data to locations within the UK or European Economic Area (EEA), or, in the case of your name, username, email address, payment and organisation details, outside of the EEA, solely under the terms of the data processing agreements we have made with the sub-processors listed below. We will always take all steps reasonably necessary to ensure that this data is treated securely and in accordance with this policy, and in line with UK data protection regulations, including the Data Protection Act 2018 and the UK GDPR, and we will always ensure that the data processing agreements we enter into with sub-processors will include terms to protect and minimise any risks to data, and will, if they cover transfers outside of the UK and EEA, include as a minimum the EU or UK Standard Contractual Clauses approved by the ICO. When you (or another user you are working on behalf of) use these services, we may also issue an additional privacy notice that relates to a specific programme (for example, a programme of work commissioned by a third party) through which the service is delivered. Any additional terms within these privacy statements, along with any relevant terms within data processing agreements that we have with your employer, or with a third party commissioning our services on your behalf, should be considered part of this policy.

To manage contact data and our relationships with customers, members and partners, we use Salesforce CRM, a customer relationship management tool. The data we may collect may include personal details including your name and email address, your relationship to an organisation, your job title, details of your use of nurtureuk products and services, including bookings for training courses and sessions. This data is processed and stored within cloud-based Salesforce CRM servers based in the EEA. Data is stored encrypted (at rest when stored on the servers, in the database, in search index files, and in the file system).

We use Zendesk, a customer support tool, to provide support on the use of this website, or if you email one of our email addresses through this website. The data we collect and process in this way may include your name and email address, your relationship to an organisation, the content of your original enquiry or customer service query, along with any replies to resolve your query, which may include additional data you choose to share (for example, any additional information within your email signature). We strongly suggest that you do not share sensitive information or financial information when requesting customer support. Once received by us, this data is processed and stored safely in encrypted form in the UK or EEA.

To manage payments within this website, we use Stripe, a cloud-based payment platform. For more information on how Stripe handles this data, please view the Stripe privacy policy here. Please note that Stripe may transfer data outside of the UK and European Economic Area for storage or processing, but will do so with adequate safeguards, or your express permission. In its processing agreements with users and processors, Stripe uses the Standard Contractual Clauses approved by the ICO, which provide a high level of protection. Nurtureuk has assessed the level of risk associated with this transfer of data as very low.

We use GoCardless, a payment platform, to process direct debit payments related to the Boxall Profile® Online. GoCardless will process and store your data safely on servers within the EEA. For more information on how GoCardless may collect, store or process your information, click here.

As part of our administration of the site, or If you opt in to be contacted by us for marketing emails, we use Mailchimp, an e-mail tool, to manage mailing lists and to send emails to you. The data that is held on Mailchimp servers may include your name, your email address, the identify of your employer or another organisation you are connected to. This data may be processed and stored safely in encrypted form outside the UK or EEA. Our data processing agreement with Mailchimp includes the EU Standard Contractual Clauses approved by the Information Commissioner’s Office, which offer essentially equivalent protection as under the UK GDPR.

As part of our administration of the site, we use Postmark, an e-mail tool, to manage mailing lists and to send emails to you. The data that is held on Postmark servers may include your name, your email address, the identify of your employer or another organisation you are connected to. This data may be processed and stored safely in encrypted form outside the UK or EEA. Our data processing agreement with Postmark includes the EU Standard Contractual Clauses approved by the Information Commissioner’s Office, which offer essentially equivalent protection as under the UK GDPR.

If you request an invoice for a purchase of a product or service from within this website, we will use a third-party service provider to process this request. As part of this processing, your name, email address and relationship to an organisation may be collected and stored by our provider, to service these requests, and to meet requirements in law, such as retention of sales records for VAT purposes. To manage invoicing and customer data related to these requests, we use Iplicit, a cloud-based accounting system. If your data is held on this system, it is stored securely on servers within the UK or EEA.

We use Google Cloud and Google Workspace services to store and process some information related to your use of nurtureuk services, and to store emails you may send to us through this website, and some forms you may complete within the website. This data may be stored on Google cloud-based servers within the UK or EEA, encrypted at rest.

How to access your personal information

You have a right to know if nurtureuk is storing any of your personal data, and a right to be provided with that information promptly(with some exceptions, as specified under the UK GDPR).

You can request what kind of information we hold on you by using the contact details provided at the beginning of this policy.

We do not charge for this. It helps us to find your information if you provide us with the relevant details for the nature of your contact with us.

We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.

At any point while we are in possession of or processing your personal data, you have the following rights:

All of the above requests will be forwarded on should there be a third party involved in the processing of your details.

Updates or changes to this policy

We reserve the right to make changes to this policy. Each time you visit this site you should read our policy to check that no changes have been made to any sections that are important to you. However, we endeavour to inform you when we made changes to the content of this information.

Cookies policy

We use cookies on our website so that we can tailor the content to you, ensure the website is working the way it should and make improvements.

A cookie is a small file that is sent to your device such as your computer, tablet or mobile phone which contains information that allows us to recognise that you have used our website before. Cookies are safe and secure and are commonly used on websites.

A cookie typically contains:

How cookies work

When you visit the website, the page that you see and cookies are downloaded to your device. Your browser and our web server exchange the cookie and we use this number to recognise you when you return to our site or browse from page to page. Only the server that sends a cookie can read it, and therefore use that cookie.

This file is stored on your device’s hard drive. All websites can send a cookie to your browser if your browser settings allow it. Many websites do this to track online traffic flow.

Types of cookies

Cookies can be categorised depending on their life span:

  1. Session or temporary cookies: these cookies expire when you close your browser or when the session times out.
  2. Persistent or permanent cookies: these are usually stored on your hard disk and survive across multiple sessions and have a longer expiration date.

The types of cookies we use are:

Third-party cookies on our website

We use Stripe, a payment platform. To read more about how Stripe uses cookies, view the Stripe cookies policy here.

We use GoCardless, a payment platform. To read more about how GoCardless uses cookies, view the GoCardless cookies information here.

We use Google Analytics, a web-analytics package, to collect and analyse anonymised data on how users use our website, including information on your IP address, approximate location, date and time of accessing, and device and browser type. To find out more about the cookies Google Analytics uses, please view the Google Inc. privacy policy here. We may use Google Tag Manager to collect, analyse and act on information about how you use our website for marketing purposes. To find out more about the cookies Google Tag Manager uses, please view the Google privacy policy here.

We may use Google Optimize, a web experiment product, to collect anonymised information about how you use our websites, and to present different versions of our website to you, so we can measure the effectiveness of improvements and improve the service we provide. To read more about how Google Optimize uses cookies, please view supporting information from Google here.

We use Zendesk, a customer support product, to provide support to our users. To read more about how Zendesk uses cookies, please click here.

We use Hotjar to better understand our customers' needs and to improve their online experience. Hotjar is a technology service that tells us about people’s behaviour on our website: how much time they spend on which pages, which links they click, what they do and don’t like etc. Using cookies and other technologies, Hotjar gathers the following information about each visitor to our site:

Hotjar stores this information for us in a pseudonymised user profile. Hotjar is contractually forbidden to sell any data collected on our behalf. For further information, please see the 'about Hotjar' section of Hotjar’s support site.

Controlling or deleting cookies

You can control and disable cookies through your browser settings. All browsers are different, so visit to find out more.

View Privacy Policy This website uses cookies to collect and analyse information about the users of this website.
By clicking on any link on this website, you are providing consent for us to set cookies.