PRIVACY POLICY of the Essential School of Painting Ltd
Version 1.0 · Published April 2026
1. Who We Are
The Essential School of Painting Ltd is the data controller responsible for your personal data. We are an independent art school based in Wood Green, London, offering studio-based, online and off-site courses and programmes for adult painters and artists.
Our contact details for data protection matters are:
Registered name: The Essential School of Painting Ltd
Registered address: 47 Radbourne Crescent, London E17 3RR
Studio address: Collage Art Space 5, Coburg Road, Wood Green, London N22 6TZ
Company number: 13261727
VAT registration: 398020289
ICO registration: ZB253159 (registered 28 October 2021)
Email: admin@theesop.com
Telephone: +44 (0)20 8279 0904
2. The Personal Data We Collect
We collect personal data from you directly when you apply for a course, enrol on a programme, contact us, subscribe to our communications, visit our premises, or use our website, and from third parties, where you have authorised this (for example, referees you have provided).
The personal data we collect falls into the following categories. For each category we identify why we collect it and the lawful basis on which we process it.
| Category | Examples | Purpose | Lawful basis |
| Identity and contact | Name, email, telephone, postal address, emergency contact | Enrolment, communication, course delivery | Contract |
| Application and enrolment | Artist statement, portfolio images, practice description, referee details, application responses | Assessing applications, offering places | Contract |
| Financial | Bank transfer details, PayPal and WorldPay transaction records, invoice history, payment plan schedules | Processing fees, tracking payment, financial record-keeping | Contract, legal obligation |
| Health and accessibility | Disclosed medical conditions, accessibility needs, dietary requirements (off-site courses) | Making reasonable adjustments, ensuring safety | Explicit consent; vital interests |
| Images and work | Photographs of you in class, studio images, images of your artwork | Teaching records, promoting the school, exhibition documentation | Consent; legitimate interests |
| Communications | Emails, WhatsApp messages in official ESOP groups, enquiry form submissions | Responding to enquiries, running courses, sharing information | Contract; legitimate interests |
| Website data | IP address, pages visited, referral source, cookies (with consent) | Website function, security, improvement | Legitimate interests; consent |
| Marketing | Newsletter subscriptions, event invitations, course announcements | Keeping you informed of ESOP activities | Consent |
2.1 Special category data
Some of the data we collect, in particular, information about your health, disability, or religious or ethnic background, where you volunteer it, is treated under UK data protection law as “special category data” and attracts additional protection. We only process special category data where you have given us explicit consent, where it is necessary to protect your vital interests, or where processing is otherwise permitted by law.
2.2 Data we do not collect
We do not collect your full credit or debit card details. All card payments are processed by our payment providers; PayPal, WorldPay, and our bank’s secure systems, who act as independent data controllers for that purpose. We do not store card numbers, security codes or expiry dates.
3. How We Use Your Personal Data
We use your personal data for the purposes set out above. In particular, we use it to:
- Assess your application and, where successful, offer you a place on a course
- Deliver the course and related services you have enrolled on
- Communicate with you about practical matters relating to your course, events, exhibitions and changes that affect you
- Process payments and maintain the financial records that HMRC and UK company law require us to keep
- Make reasonable adjustments where you have disclosed a health, accessibility or learning need
- Document teaching and school activities for our own records, and promote the school (where you have consented to the use of your image or your work)
- Improve the school through feedback, evaluation and planning for future courses
- Send you information about future courses, events and activities, where you have opted in to marketing
- Comply with our legal obligations, protect our legitimate interests, and defend or bring legal claims where necessary
We do not use your personal data for any purpose that is incompatible with the purposes set out in this Policy. We do not sell your data. We do not use automated decision-making or profiling.
4. Who We Share Your Data With
We share personal data only where we have a lawful basis to do so, and only with the following categories of recipient:
- Our tutors and staff: your course tutors, the administrative team, and, where appropriate, our Directors. All are bound by confidentiality obligations and, where they are contractors, by signed Non-Disclosure Agreements.
- Payment providers: PayPal and WorldPay, who process online and card transactions on our behalf. Both act as independent data controllers for the purposes of payment processing; their own privacy policies apply to the data they collect in that context. PayPal’s privacy policy is at paypal.com/uk/webapps/mpp/ua/privacy-full and WorldPay’s is at worldpay.com/en-gb/privacy-policy.
- Our accountants and auditors: for the preparation of statutory accounts and tax returns.
- Our website and IT service providers: WordPress hosting, email, cloud storage, and the analytics and form services described in our Cookies Policy.
- Professional advisers: lawyers, insurance providers and similar professionals where we need their advice.
- Regulators and public authorities: where we are legally required to disclose data (for example, to HMRC, or to the police in response to a lawful request).
- Referees and future education providers: where you have asked us to provide a reference for a further course, residency, application or exhibition.
We do not share your data with third parties for their own marketing purposes. Where we share your data with a service provider, we put appropriate contractual protections in place to ensure they handle your data in accordance with UK data protection law.
5. International Transfers
Some of our service providers, in particular, our cloud storage, email and payment platforms, are based outside the United Kingdom, including in the European Economic Area and the United States. Where personal data is transferred outside the UK, we rely on one of the following safeguards:
- Transfer to a country covered by UK adequacy regulations (which includes the EEA)
- Transfer under the UK’s International Data Transfer Agreement or Standard Contractual Clauses
- Transfer under the UK Extension to the EU-US Data Privacy Framework, where the receiving organisation is certified under that framework
We keep the list of service providers under review and will update this Policy if our transfer arrangements change materially.
6. How Long We Keep Your Personal Data
We keep your personal data only for as long as we need it for the purposes set out in this Policy, and then only for as long as required by law. Our standard retention periods are set out below.
| Data type | Retention period |
| Student enrolment records, course records | For the duration of the course and for 7 years after course completion |
| Financial records (invoices, receipts, payment plans) | 7 years from the end of the tax year in which the transaction occurred (HMRC requirement) |
| Unsuccessful applications | 12 months from the decision, unless the applicant reapplies |
| Health and accessibility information | For the duration of the course, then deleted unless retention is required by law |
| Marketing consent records | Until you withdraw consent, or for 3 years of no engagement |
| Images of you and your work (with consent) | Retained for the ongoing history of the school unless you withdraw consent |
| CCTV and studio security footage (where in use) | 30 days, unless required for a specific investigation |
| Website analytics and cookies | As set out in the Cookies Policy; typically 26 months maximum |
Where a longer retention period is required by law, we will retain the data only for that period. Where we retain anonymised or aggregated data for statistical purposes, that data is no longer personal data and the retention limits above do not apply to it.
7. Your Rights
Under UK data protection law, you have the following rights in relation to your personal data:
| Your right | What it means |
| Right to be informed | To know how your data is collected and used (this Policy fulfils that duty) |
| Right of access | To request a copy of the personal data we hold about you (a Subject Access Request) |
| Right to rectification | To ask us to correct information that is inaccurate or incomplete |
| Right to erasure | To ask us to delete your personal data where we no longer have a lawful basis to hold it |
| Right to restrict processing | To ask us to limit the way we use your data in particular circumstances |
| Right to data portability | To receive the data you have provided us in a portable machine-readable format |
| Right to object | To object to processing based on legitimate interests, or for marketing purposes |
| Rights relating to automated decision-making | ESOP does not use automated decision-making or profiling |
| Right to withdraw consent | Where we process data on the basis of your consent, you can withdraw it at any time |
To exercise any of these rights, please contact us at admin@theesop.com. We will respond within one month of receiving your request, although we may extend that period by a further two months for complex or multiple requests, we will always let you know if we need longer. There is normally no charge for exercising your rights, but we may charge a reasonable fee for requests that are manifestly unfounded or excessive.
Some of these rights are not absolute, for example, we may need to retain certain data to comply with our legal obligations even if you ask us to erase it. Where we are unable to fulfil a request in full, we will explain why.
8. How We Keep Your Data Secure
We take appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, alteration or disclosure. These measures include:
- Access controls; staff and contractors only access the data they need to perform their role
- Secure cloud services with strong authentication and encryption in transit and at rest
- A rule that all communication with students goes through ESOP-authorised channels (school email addresses and official ESOP group chats), not personal accounts
- Signed Non-Disclosure Agreements with all tutors, administrators and contractors who have access to personal data
- Regular review of our processes, and staff guidance on handling personal data responsibly
- Paper records kept in locked storage at our premises, with only authorised staff holding keys
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify the UK Information Commissioner’s Office within 72 hours of becoming aware of it, and we will notify you directly if the risk is high.
9. Photography, Images and Your Work
We take photographs and video recordings of studio activity, exhibitions, visiting artist talks and other school events. These may be used for teaching records, institutional history, exhibition documentation, and, with your consent, for promoting the school on our website, printed publications and social media.
Before using an image of you, or an image that prominently features your work, for promotional purposes, we will seek your consent. Where you are not the primary subject of an image, we rely on our legitimate interest in documenting the school’s life, but we will remove or crop an image on reasonable request.
You retain the copyright in the work you create during the course. Video or audio recording of teaching by ESOP tutors or visiting artists is not permitted without the express prior consent of the tutor and the school.
10. Marketing Communications
We send marketing communications only where you have opted in to receive them. You can opt out at any time by clicking the unsubscribe link in any marketing email, or by contacting admin@theesop.com.
Operational communications about a course you are enrolled on are not marketing and will be sent to you regardless of your marketing preferences, because they are necessary to deliver the course you have contracted for.
11. Cookies and Website Data
Our website uses cookies and similar technologies. Full details are set out in our Cookies Policy, available at: https://theessentialschoolofpainting.com/the-essential-school-of-painting-cookie-policy/
You can accept, reject or customise your cookie preferences through the cookie banner on the site, and change your preferences at any time through the Cookie Settings link in the website footer.
12. Children
ESOP’s courses are designed for adults aged 18 and over. We do not knowingly collect personal data from children under 18 except where a young person aged 16–17 has been enrolled with the written consent of a parent or guardian.
13. Complaints and Further Information
If you have a question about this Policy, or a concern about how we have handled your personal data, please contact us first at admin@theesop.com. We will do our best to resolve the matter promptly and fairly.
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office:
- Website: ico.org.uk
- Helpline: 0303 123 1113
- Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
We would always appreciate the chance to address your concerns before you approach the ICO, and we encourage you to contact us first.
14. Changes to This Policy
We review this Policy regularly and will update it from time to time to reflect changes in law, in our practices, or in the services we use. Where we make material changes we will publish the updated Policy on our website with a new version number and effective date, and, where appropriate, notify you directly.
The version of this Policy that applies to you is the version published on the ESOP website at the time of your most recent interaction with the school.
Version 1.0 · Published April 2026 · Review cycle: annual, each April · Owner: T. Andrew E. Wamae, Director