Safeguarding & Data Handling

1. Policy Statement and Purpose

Waypilot (“we”, “us”, “our”) is committed to handling safeguarding-relevant data with appropriate care, access controls, and retention rules. The platform stores data on behalf of tenant schools, including learner records, lesson notes, payment information, communications, and safeguarding concerns logged by tenant staff.

This policy describes how that data is protected, who can access it, how long it is retained, and how Waypilot supports tenant schools in meeting their own safeguarding obligations. It is not a substitute for the safeguarding policy of any individual tenant school — every driving school and solo ADI using the platform remains responsible for their own operational safeguarding practices.

2. Legal and Regulatory Framework

The controls described in this document are informed by relevant UK legislation and guidance, including:

• Children Act 1989
• Children Act 2004
• Working Together to Safeguard Children (latest version)
• Keeping Children Safe in Education (KCSIE), where relevant to referrals involving schools or education settings
• Care Act 2014, including duties relating to adults at risk
• Data Protection Act 2018 and UK GDPR
• The Protection of Vulnerable Groups (PVG) scheme (Scotland) and the Disclosure & Barring Service (DBS) regime (England, Wales, Northern Ireland)
• Any relevant local safeguarding children partnership and adult protection procedures

Many of the obligations above apply directly to the tenant school as the employer or sole trader delivering driving instruction. Waypilot supports tenant schools in meeting these obligations by providing secure storage, controlled access, and reliable audit trails for safeguarding-relevant records.

3. Scope

This policy applies to:

• All data stored on the Waypilot platform on behalf of tenant schools, including learner records, lesson notes, communications, and safeguarding logs
• All users of the platform — tenant school owners, administrators, instructors, front-desk staff, and any other authorised account holders
• Waypilot employees and contractors who operate the platform, provide support, or handle data on behalf of tenants
• Sub-processors and infrastructure providers that store, process, or transmit tenant data (for example, our database host and email provider)

This policy is platform-level. It does not cover the operational safeguarding practices of any individual tenant school, including in-vehicle conduct, instructor recruitment, DBS / PVG checks on tenant staff, or statutory referrals. Those are the responsibility of the tenant school.

4. Definitions

Tenant school: a driving school, driving instructor business, or solo ADI that holds a Waypilot account and uses the platform to manage their operations.

Child: anyone under the age of 18.

Young person: for the purposes of platform features, typically a learner aged 16 to 17 who may lawfully receive driving tuition but is still legally a child for safeguarding purposes.

Vulnerable adult / adult at risk: an adult aged 18 or over who has needs for care and support, is experiencing or is at risk of abuse or neglect, and may be unable to protect themselves because of those needs.

Safeguarding record: any data stored on the platform that relates to a safeguarding concern, disclosure, incident, allegation, or welfare flag. This includes free-text lesson notes tagged as safeguarding, dedicated concern logs, and access restrictions placed on a user account.

Safeguarding: the action taken to protect the health, wellbeing, and human rights of children and adults at risk, enabling them to live free from abuse, harm, and neglect.

5. Roles and Responsibilities

5.1 Waypilot (the platform)

Waypilot is responsible for:

• Storing all tenant data in UK data centres with appropriate encryption at rest and in transit
• Enforcing tenant isolation so that one tenant school cannot access another tenant's data
• Applying role-based access controls so that platform users only see the data their role requires
• Maintaining audit logs of access to safeguarding-relevant records
• Honouring data subject requests (access, correction, deletion) submitted on behalf of a learner by the tenant school that holds their data
• Notifying tenant schools promptly of any security incident affecting their data
• Providing export and deletion tooling so that tenant schools can leave the platform with their data, or remove a learner's data on request

5.2 Tenant schools

Each tenant school is the data controller for the personal data of its learners, parents, instructors, and staff. Tenant schools are responsible for:

• Conducting their own safeguarding risk assessments and maintaining their own operational safeguarding policy
• Carrying out appropriate background checks (DBS, PVG, AccessNI) on their own instructors and staff before they begin working with learners
• Providing safeguarding training to their own instructors and staff — Waypilot does not deliver safeguarding training
• Appointing their own Designated Safeguarding Lead (DSL) or equivalent contact for their school
• Responding to disclosures and making statutory referrals to police, local authority children's services, or adult safeguarding teams
• Configuring their Waypilot account appropriately — for example, setting user roles, restricting access to flagged records, and applying data retention rules consistent with their own policy
• Obtaining parental or guardian consent for any learner under the age of 18 whose record is created on the platform (see section 13)

5.3 Designated contacts

Waypilot is the software provider, not the safeguarding authority for any tenant school. For platform-level security incidents or data subject requests, contact us at the address below. For safeguarding concerns about a specific learner, the relevant tenant school is the right contact — they hold the operational context.

Waypilot security & data contact: [Insert security / data protection contact email]
Waypilot registered address: [Insert company address]

Each tenant school should publish its own DSL contact details in their own safeguarding policy, for example:

Tenant school DSL: [Insert full name]
Role: [Insert role title]
Email: [Insert safeguarding email address]
Phone: [Insert direct safeguarding contact number]

6. Data Protection and the Lawful Basis for Processing

All personal data stored on the platform is processed in line with the UK GDPR and the Data Protection Act 2018. The tenant school is the data controller; Waypilot is the data processor. Our Data Processing Agreement (DPA) sets out the parties' respective obligations and is available on request.

For safeguarding-relevant records, the lawful basis for processing is typically:

• Legal obligation — where the tenant school is required to record a concern by law
• Vital interests — where processing is necessary to protect someone's life
• Legitimate interests — where the tenant school has a legitimate interest in maintaining a safeguarding record and that interest is not overridden by the rights of the individual
• Consent — for example, parental or guardian consent for under-18 learner accounts (see section 13)

Where a safeguarding risk makes it lawful and necessary to share information with statutory agencies without the consent of the individual, the tenant school may direct Waypilot to provide data exports. We will respond to such requests from a verified tenant school contact without undue delay.

7. Access Controls and Role-Based Permissions

The platform applies role-based access controls so that safeguarding-relevant data is only visible to users with a legitimate need. Tenant school owners control which roles exist within their own account.

• Owner / principal: full administrative access to the tenant school's account, including billing, user management, and the ability to export or delete tenant data
• Administrator / office staff: can view and edit learner records, lesson notes, and safeguarding logs as configured by the owner
• Instructor: can view and edit records for learners they are assigned to. Instructors cannot view records of learners they do not teach unless explicitly granted permission
• Read-only / auditor: can view records (for example, a safeguarding lead or external auditor) but cannot edit
• Parent / guardian viewer: a restricted role that can view progress and lesson summaries for a specific under-18 learner (see section 13)

Tenant schools are responsible for assigning roles appropriately and reviewing them when staff change role, leave, or are subject to a safeguarding concern. Section 11 describes what the platform does when an instructor is flagged.

8. Audit Logging

The platform writes an audit log entry for every access, modification, export, or deletion of safeguarding-relevant records. Audit log entries record who acted, what they did, when, and from which IP address.

• Audit logs are retained for a minimum of [Insert retention period — typically 7 years] and are tamper-evident
• Tenant school owners can view audit logs for their own account and export them on request
• Waypilot staff cannot view the contents of safeguarding records without a justified, logged support request from the tenant school, and even then access is restricted to named individuals
• Audit log data itself is treated as confidential and is not used for any purpose other than security, support, and regulatory compliance

9. Logging Safeguarding Concerns on the Platform

Tenant schools can log safeguarding concerns directly in the platform. Concerns are stored in a dedicated area, separately from general lesson notes, and are visible only to users with the appropriate role.

• Each concern record can capture a date, the learner or staff member involved, the nature of the concern, the action taken, and the outcome
• Concerns can be marked as open, under review, referred, or closed — and the status history is preserved
• Concerns can be linked to specific lesson notes, messages, or payment records to give a complete picture for the tenant school's DSL
• Concerns can be exported as a PDF or structured file for sharing with statutory agencies at the tenant school's request

Waypilot does not triage, investigate, or respond to safeguarding concerns. That is the role of the tenant school's DSL and, where appropriate, statutory agencies. The platform provides the record-keeping and reporting tools; the human judgement and referral decisions rest with the tenant school.

10. Handling Disclosures Logged in Notes

Tenant school staff may record a disclosure made by a learner, a parent, or a third party in lesson notes, in-app messages, or voicemail transcriptions. The platform supports this in three ways:

• Tagging as a safeguarding concern: a user with the appropriate role can promote a free-text note to a dedicated safeguarding record, which moves it to the access- controlled area described in section 9
• Preserving original wording: the original wording of a disclosure is preserved exactly as it was entered. The platform does not summarise, redact, or alter safeguarding records on the tenant school's behalf
• Audit trail: any later access, edit, or export of the record is logged (see section 8)

The platform does not provide prompts, scripts, or advice on how to respond to a disclosure in the moment. Tenant schools should ensure their own staff are trained to receive disclosures appropriately before relying on the platform to record them.

11. Access Restrictions for Flagged User Accounts

Where a tenant school raises a safeguarding concern about one of its own instructors or staff, the tenant school owner can immediately restrict that user's platform access without deleting the underlying records. Restricted accounts have the following behaviour on the platform:

• The user is signed out of active sessions and cannot sign back in
• The user's historical lesson notes, messages, and learner records are preserved (for evidence and audit purposes) but become visible only to the tenant school owner and administrator roles
• The user's scheduled lessons are surfaced to the tenant school for reassignment
• All access to the historical record is logged in the audit trail

This is a platform-level account restriction. It is not a substitute for the tenant school's own HR, employment, or referral processes, and it does not affect any DBS, PVG, or statutory agency process. Tenant schools remain responsible for deciding what to do with the instructor outside the platform.

12. Data Retention and Deletion

Default retention rules apply to all data on the platform, including safeguarding records. Tenant schools can override the default for their own account within the limits of applicable law.

• Lesson notes and progress data: retained for the life of the learner's record on the platform, plus [Insert default retention — typically 6 years] after the last lesson, in line with HMRC and consumer-contract guidance
• Safeguarding concern records: retained for [Insert retention — typically 7 years] from the date the record was last updated, in line with typical local authority and insurance expectations
• Payment records: retained for [Insert retention — typically 6 years] in line with HMRC requirements
• Communications (SMS, email, in-app messages): retained for [Insert retention — typically 24 months] unless flagged as a safeguarding record, in which case the longer safeguarding retention applies
• Audit logs: retained for a minimum of [Insert retention — typically 7 years]

When a tenant school cancels their account, or asks for a learner's record to be removed, the platform provides a documented export and a secure deletion process. Deletion is completed within 30 days unless legal hold applies.

13. Under-18 Learners and Parent / Guardian Consent

A learner under the age of 18 cannot hold a Waypilot account in their own right. Tenant schools that teach under-18 learners are responsible for obtaining appropriate parental or guardian consent before creating a learner record on the platform.

The platform supports under-18 learner accounts with the following built-in safeguards:

• Parent / guardian contact is required at the time the learner record is created
• Direct communication with the learner is restricted to the tenant school's approved channels — for example, lessons booked through the parent's account or a shared family login
• The parent / guardian viewer role can be granted on the learner's record so the parent or guardian can see lesson summaries, progress, and payments
• Marketing and review requests are disabled by default for under-18 learner records
• Lesson notes containing safeguarding-relevant detail are visible to the parent / guardian viewer at the tenant school's discretion, and any disclosure that names the parent or guardian as a possible risk is automatically restricted from the parent / guardian viewer

Waypilot does not provide a consent form. Tenant schools are responsible for obtaining and retaining evidence of parental or guardian consent, and for telling parents or guardians what data is held and why.

14. Confidentiality of Safeguarding Records

Safeguarding records are sensitive and are handled on a strict need-to-know basis at every level of the platform.

• Tenant school users can only see safeguarding records within their own tenant. There is no cross-tenant visibility
• Waypilot support staff cannot read safeguarding records without a logged, justified access request from a verified tenant school contact
• Safeguarding records are never used for marketing, analytics, or model training
• Where there is a safeguarding risk, relevant information may be shared lawfully with statutory agencies — either directly by the tenant school, or via a documented export request submitted to Waypilot

15. Online and Digital Safeguarding in the Platform

The platform is itself a digital product, and the digital safeguarding of its features is part of our core responsibility. The following controls apply:

• All traffic is encrypted in transit (TLS 1.2 or higher); all data is encrypted at rest
• Authentication is required for every account, with multi- factor authentication available (and required for admin roles)
• Session cookies use the __Host- prefix withSecure, HttpOnly, and SameSite=Strict attributes
• In-app messaging between tenant school staff and learners is kept inside the platform — users cannot be moved to a hidden channel by a malicious actor
• File uploads are scanned for malware, and links shared in messages are checked against threat intelligence
• Inappropriate image sharing is a misuse of the platform. Tenant schools can flag a message and the platform can preserve it as evidence while restricting the sender's access (see section 11)
• Direct contact details (personal phone numbers, personal email addresses) are not exposed to learners in the platform interface

16. Code of Conduct for Platform Users

All users with a Waypilot account — tenant owners, administrators, instructors, and any other authorised role — must use the platform professionally and lawfully. The platform is a work tool, not a personal channel.

Users must:

• Act professionally, respectfully, and lawfully in all platform communications
• Keep lesson-related communication focused on instruction, scheduling, payments, and welfare
• Report safeguarding concerns promptly through the tenant school's own process and, where the platform supports it, log the concern in the dedicated safeguarding area
• Use only the channels provided by the platform — personal messaging apps, disappearing-message apps, and unrecorded channels must not be used to bypass platform oversight
• Protect their own credentials and never share accounts

Users must not:

• Engage in sexualised, flirtatious, or inappropriate communication with learners
• Request secrecy from learners, or use hidden or unapproved channels to bypass professional oversight
• Share offensive, discriminatory, or explicit material through the platform
• Use their access to view records they have no operational reason to view — the audit log will record any such access

Breach of this code of conduct may result in account suspension at the tenant school's request, and where the breach also amounts to a safeguarding concern, the platform can apply the access restrictions described in section 11.

17. Whistleblowing and Reporting Concerns About the Platform

Anyone — tenant school user, learner, parent, or member of the public — can report a concern about how the platform is being used, or about a safeguarding issue that the platform may be able to help with.

• Concerns about a specific instructor or learner should be raised with the relevant tenant school first
• Concerns about the platform itself — for example, a suspected data breach, a misuse of the platform, or a vulnerability — can be reported to Waypilot at [Insert security contact email]
• We maintain a coordinated vulnerability disclosure policy and a security.txt file at /.well-known/security.txt
• No one will be subject to detriment for raising a genuine safeguarding or security concern in good faith

Local authority safeguarding contacts (general reference):
Children's Services: [Insert local authority children's safeguarding duty team contact details]
Adult Safeguarding Team: [Insert local authority adult safeguarding contact details]
Police (non-emergency): 101
Emergency: 999

18. Sub-Processors and International Data Transfers

All tenant data is stored in UK data centres. Where a sub- processor is based outside the UK, we use UK GDPR-compliant transfer mechanisms (such as the UK International Data Transfer Agreement or the EU/UK Data Privacy Framework) and publish the list of sub-processors at /legal/sub-processors.

Tenant schools are notified at least 30 days before any new sub- processor is added that handles their data, and may object on reasonable grounds.

19. Review and Monitoring

• This policy is reviewed at least annually, and sooner if legislation, guidance, or platform risk changes
• Security incidents, near misses, and lessons learned may trigger an earlier review
• Access control and audit log effectiveness is reviewed periodically
• Policy updates are reflected in the public version of this document and, where material, communicated to tenant schools directly

Policy owner (Waypilot): [Insert name / role]
Policy approved by: [Insert approving authority]
Review date: [Insert review date]
Version: [Insert version number]

Each tenant school using Waypilot should also maintain and publish their own operational safeguarding policy, covering the matters set out in section 5.2 above.