Privacy policy
Last updated June 2026
Who we are
Passdesk is a software platform used by independent driving schools (each, a "school") to manage their learners, instructors, lessons, purchases, and progress records. Each school is the "data controller" for data it collects; Passdesk Ltd is the "data processor" operating the service on their behalf.
Passdesk Ltd is registered in England & Wales, company number 17193377, with registered office at 71-75 Shelton Street, Covent Garden, London WC2H 9JQ. It is registered with the UK Information Commissioner's Office under registration number ZC142229. For data-protection questions email privacy@passdesk.co.uk.
This policy describes what personal data we hold, why we hold it, the lawful basis under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, and the rights you have over it.
Data we collect
Account data — your name, email, phone number, address, password hash, role and the school you belong to. Supplied by you on signup or by a school administrator when they invite you.
Learner profile — date of birth, provisional licence number, theory and practical test dates, medical self-declarations, and emergency contact or guardian details where you are under 18. Used to schedule lessons, comply with DVSA rules, and run safeguarding procedures. The optional medical information is “special category” health data: we store it only with your explicit consent, encrypt it at rest, and share it only with your instructor(s) so they can keep you safe during lessons.
Instructor compliance — ADI / PDI badge number, badge expiry, DBS check date and certificate number, insurance policy number and expiry. Stored to prove DVSA compliance during inspections.
Lessons, progress and purchases — when lessons were booked and completed, ratings and notes on competencies, products you bought, amounts paid, and the status of each purchase.
Technical data — the JWT session cookie / token issued when you sign in, the IP address you signed in from (in access logs kept for up to 30 days), and the user-agent of your browser. No analytics or advertising cookies are used.
Why we use it
To operate the service you or your school asked us to provide — book and run driving lessons, record progress, process purchases, and keep the inspectors' paperwork up to date. The lawful basis is contract for anything necessary to deliver the service, legal obligation for records we must keep (tax, DVSA, DBS), and legitimate interests for security logging and fraud prevention. For the optional health information in your learner profile — a “special category” of data — our additional condition for processing is your explicit consent (UK GDPR Article 9(2)(a)), which you give when you save it and can withdraw at any time by removing it.
We never sell your data or share it with advertisers.
Who we share it with
Within Passdesk, data is only visible to staff at your school and to Passdesk Ltd support acting on the school's instructions. To run the service we use a small set of vetted sub-processors — for database and application hosting, our CDN, card payments, transactional email, SMS, error monitoring, maps and address lookup, and business verification — each bound by a data-processing agreement and receiving only the data its function needs. The current list is published on our security page. We also disclose data to regulators or law enforcement where we are legally required to do so.
International transfers
Your data is stored and primarily processed in the UK. Some of our sub-processors are based in the United States — for example our payment, email, SMS, error-monitoring, maps and CDN providers. Where they process personal data outside the UK, those transfers are protected by appropriate UK GDPR safeguards: the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or, where the provider is certified, the UK Extension to the EU–US Data Privacy Framework. We transfer only the minimum data each provider needs, and never to a provider without such safeguards in place.
Anonymised industry insights
Passdesk may use anonymised, aggregated data — never tied to a named learner, instructor, school, or licence number — to publish industry insights such as average lessons-to-test, regional pass-rate trends, theory category difficulty, and similar benchmarks. Properly anonymised data falls outside the scope of UK GDPR personal data (ICO Anonymisation Code of Practice).
Concretely, we strip every direct identifier (name, email, phone, postcode beyond the outward code, licence number, date of birth beyond age-at-test), aggregate to groups of at least 20 records before publication, and never re-identify. We may publish these in blog posts, white papers, sector reports, or share them with research partners on the same anonymised basis. If you'd prefer your school's records be excluded from these aggregates entirely, email privacy@passdesk.co.uk and we'll exclude you.
Learners under 18
Passdesk Solo accepts self-serve signups from learners aged 17 and over (the age at which a UK provisional driving licence becomes available). If a learner is under 18 at signup, we require a parent or guardian email and send a one-time confirmation link to that address before the platform charges any card or activates the trial. The under-18 account stays inactive — and no card is ever charged — until a parent or guardian visits the link and confirms. We record the confirmation timestamp, the IP address it was received from, and the policy version in force at the time as evidence of consent (UK GDPR Article 7).
Where a school invites an under-18 learner to a paid Passdesk school account, the school itself collects guardian contact details on the learner record and the school is the data controller for that consent. Either way, parents / guardians can ask us to delete their child's data at any time via the contact details below.
We do not knowingly accept self-serve signups from anyone under 17. If you believe a child under 17 has registered, contact us at the email below and we will delete the account.
How long we keep it
Active account data is retained while your account is active. If you stop using the service, we flag your records for review after 3 years of inactivity; records with no legal retention requirement are then deleted. Financial records (purchases, invoices) are retained for 7 years as required by HMRC. Audit logs are retained for 2 years.
Your rights
Under UK GDPR you have the right to: access the data we hold about you; correct inaccurate data; request erasure of data we no longer need; restrict processing; object to processing based on legitimate interests; and receive a portable copy of the data you provided to us.
You can export a copy of your data at any time from the My account page. For erasure, correction or any other subject-access request, email privacy@passdesk.co.uk.
Cookies
We use one essential cookie for sign-in (the session JWT). No analytics, advertising or tracking cookies are set. Under the UK Privacy and Electronic Communications Regulations (PECR), essential cookies do not require opt-in consent; we still show a one-off banner the first time you visit so you know we set it.
Complaints
If you think we have mishandled your data, please email privacy@passdesk.co.uk first. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk/make-a-complaint.
Contact
For anything relating to the Passdesk platform itself, contact privacy@passdesk.co.uk.
About references to the DVSA
Passdesk is an independent product and is not affiliated with, endorsed by, or sponsored by the Driver and Vehicle Standards Agency (DVSA). Where the site describes features as "DVSA-aligned" or references the DVSA driving-test syllabus, theory categories, or test centres, those references describe the public information published by the agency that Passdesk's tools are built to mirror — not any endorsement or partnership.