Privacy policy
Last updated: 3 May 2026 · Terms of service · Sub-processors
Journey ("we", "us") provides software for UK apprenticeship training providers to manage learners, employers, evidence, on-the-job training, reviews, and end-point assessment. This page explains what personal data we process and how we look after it. It is written to be readable; legal terms are linked where relevant.
Who is the data controller?
For data about your training provider's apprentices, employer contacts and staff, your training provider is the controller and Journey is the processor acting on its instructions. For data about your direct interactions with Journey (account creation, billing), Journey is the controller.
What we collect
- Account data: name, email, organisation, role.
- Apprentice records: learner identifiers, employer affiliation, programme, progress, on-the-job hours, evidence uploads, review notes, EPA outcomes, ILR-relevant fields.
- Operational data: audit log of significant actions (who did what and when), AI usage metering, billing status, support tickets.
- Cookies: a strictly-necessary session cookie to keep you signed in; optional analytics cookies only after consent via the banner.
Lawful basis
We process apprentice and employer data on behalf of your training provider under a Data Processing Addendum (Article 28 UK GDPR). Your provider's lawful basis is typically performance of the apprenticeship contract and compliance with funding-rule obligations. Account and billing data is processed on the basis of contract.
How long we keep it
We retain apprentice records for the duration of the apprenticeship plus the period required by ESFA / DfE funding rules (typically 6 years from the end date). Audit logs are append-only and retained for 7 years. You can request deletion of an individual learner under "Right to erasure" below; requests are balanced against funding-rule retention obligations.
Where it lives
Data is stored in PostgreSQL hosted in the UK / EU. Backups are encrypted at rest. We do not sell personal data, ever.
AI features
AI features (review summaries, gateway readiness commentary, funding-risk explanations) send minimal redacted context to a third-party LLM. No personal evidence content is sent without an explicit user action. AI calls are rate-limited and metered per tenant.
Your rights (UK GDPR)
- Access: request a copy of your data.
- Rectification: correct anything inaccurate.
- Erasure: ask us to delete your data subject to retention obligations.
- Portability: per-apprentice data can be exported as a JSON bundle from the apprentice page (Subject Access Request).
- Objection / restriction: ask us to stop or limit a particular use.
To exercise any right, contact your training provider's data protection lead. They can also raise a request with us on your behalf.
Contact
Email privacy@journey.app. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk.