The Student Room Group Privacy Notice

1 Introduction

Welcome to The Student Room Group privacy notice.

1.1 Scope and aim

This notice applies to data processed in connection with:

  • The Student Room discussion app

The above are together referred to as "websites" in the rest of this notice.

The Student Room Group Limited respects your privacy. We are committed to protecting your personal data when you use our websites. This privacy notice will inform you how we look after your personal data. It will tell you about your rights. It will also say how UK data protection law protects you.

1.2 Data controller and Data Protection Officer (DPO)

The Student Room Group Ltd is the controller for data collected through the websites and is responsible for your personal data. It will be referred to as TSR Group, "we", "us" or "our" in this privacy notice.

TSR Group postal address: Imperial House, 2nd Floor, 40-42 Queens Road, Brighton, BN1 3XB

TSR Group phone: 0800 999 3222

Data Protection Officer Email address: [email protected]

The best way to contact us is via our DPO email address.

1.3 Updates to this notice and your data

The privacy notice was last updated on: 19/05/2023.

TSR Group may update this privacy notice at any time. We do this to ensure it is correct and a true reflection of how TSR Group process your personal data.

We encourage you to regularly check this page for any changes. This helps you to stay informed about how we are using and protecting your personal data.

It is also important that the personal data we hold about you is accurate and up-to-date. We may ask you to confirm or update your data when you use our websites and services.

Please also keep us informed if your personal data changes during your relationship with us. You can do this through your account with us or by getting in touch.

1.4 Third-party links

Our websites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.

We do not control these third-party websites and are not responsible for their privacy notices. When you leave our websites, we encourage you to read the privacy notice of every website you visit.

2 Data collection and data uses

2.1 The data we collect about you

Personal data means any information about an individual from which that person can be identified.

It does not include data where the identity has been removed (anonymous data).

Processing personal data may involve its collection, use, storage and transfer.

We process different kinds of personal data about you. We have grouped the data into these categories:

  • Identity Data: e.g. username, first name, last name, date of birth and gender.
  • Contact Data: e.g. email address and telephone numbers.
  • Technical Data: e.g. internet protocol ("IP") address, your login data, browser type and version, time zone settings, browser plug-in types and versions, operating system and the devices you use.
  • Geographic Data: e.g. locations worked out from your IP address and location data you provide, post code, country of residence.
  • Profile Data: e.g. your username and password, your education, your interests, preferences, content you create, feedback and survey responses.
  • Usage Data: e.g. how, when and which parts of our websites and services you use.
  • Marketing and Communications Data: e.g. marketing preferences and interactions with the emails we send you.
  • Education data: e.g. universities you’re interested in, years you want to start university study, university open days you are interested, courses and qualifications you are studying at any level, your grades.
  • Video Data: e.g. if you upload a video to our platforms, otherwise share videos with us or interact with videos on our websites (this does not include linking to third party videos hosted on third-party websites and linked to on our websites).

2.1.1 Aggregated Data

We also collect, use and share aggregated data.

Aggregated data may be worked out from your personal data. It is not considered personal data in law. This is because it can no longer identify you.

For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.

We may combine Aggregated Data with your personal data. This may mean it can directly or indirectly identify you. If it does identify you, we treat the combined data as personal data.

2.1.2 Special category personal data

Special Categories of Personal Data include details about:

  • your race or ethnicity,
  • religious or philosophical beliefs,
  • sex life,
  • sexual orientation,
  • political opinions,
  • trade union membership,
  • information about your health
  • genetic and biometric data.

We do not routinely process this data about you. We also do not routinely collect any information about criminal convictions and offences.

However, in using our websites, members may choose to make content which contains special categories of data. Members may also choose to publicly share this data on our websites.

Doing this is optional, for example, when writing and submitting a post.

Any other time we process special categories of data we will inform you that we are processing special categories of data. The processing will be optional, and we will ask for your consent to allow us to process the data. Surveys and research are examples of this.

2.2 How we collect your data

We use different methods to collect data from and about you including:

2.2.1 Direct interactions

By filling in forms on our websites, you may give us your data in these categories:

  • Identity,
  • Contact,
  • Profile,
  • Geographic,
  • Marketing and Communications; and
  • Education

This includes personal data you provide when you:

  • use our tools, products, services or websites,
  • create an account on our websites,
  • update an account on our websites,
  • request marketing to be sent to you,
  • enter a competition or promotion,
  • take part in a survey or market research,
  • give us feedback,
  • make an enquiry to a university,
  • download a prospectus; or
  • book on to an open day.

2.2.2 Automated technologies or interactions

As you use our websites, we may automatically collect Technical and Usage Data.

This can include data about your equipment, browsing actions and usage patterns. We collect this personal data by using cookies, server logs and other similar technologies.

We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for TUG and our cookie policy for TSR for further details.

2.2.3 Third parties. We may receive personal data about you from third parties, including:

  • Technical Data from analytics providers: e.g. Google and data management platforms.
  • Identity, Contact and Profile Data when you choose to register on our site via Facebook, Google or other third-party log-in providers
  • Geographic data worked out from your IP address: e.g. from geo-identification services.

2.3 How we use your data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to enter into a contract with you or have already entered into a contract with you.
  • Where it is necessary for our legitimate interests (or those of a third party or yourself) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.

2.3.1 Legal bases

Consent - sometimes, we may rely on consent as a legal basis for processing your personal data. When we do, we will ask you to give your consent. Doing so will always be optional. 

For example, we may ask for consent for sending seasonal marketing communications to you via email or text message.

We will also ask for your consent if you complete a form to make an enquiry to a university or book on to an open day to allow us to share your personal data with a specific university.

When we rely on consent, you have the right to withdraw that consent at any time by contacting us.

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.

We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

2.3.2 Purposes for which we will use your personal data

The table below has a description of all the ways we use your personal data. It includes details of which legal bases we rely on to do so. When we rely on legitimate interests to process personal data, we have identified what those interests are.

Note that we may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data.

Please contact us if you need details about the specific lawful basis we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/Activity Type of data Lawful basis for processing including basis of legitimate interest
To register you as a new member Identity, Contact, Technical, Usage, Geographic, Marketing and Communications Performance of a contract with you

To manage our relationship with you which will include:

- Notifying you about changes to our terms or privacy policy

- Password changes and notifications

Identity, Contact, Technical, Profile, Usage, Marketing and Communications

Performance of a contract with you

Necessary to comply with a legal obligation

Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

Necessary for your legitimate interests (to enable you keep access to your accounts and personal data)
To enable you to partake in a prize draw, competition or complete a survey Identity, Contact, Profile, Usage, Video, Marketing and Communications

Performance of a contract with you

Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data, community moderation) Identity, Contact, Technical, Geographic

Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

Necessary to comply with a legal obligation
To deliver relevant website content and advertisements and emails to you and measure or understand the effectiveness of the products advertising we serve to you Identity, Contact, Technical, Profile, Education, Usage, Marketing and Communications

Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business, to inform our marketing strategy and serve you better and more relevant content)

To use data analytics to improve our website, products/ services, marketing, customer relationships and experiences Identity, Technical, Education, Profile, Usage

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our websites updated and relevant, to develop our business and to inform our marketing strategy)

Personalisation of our websites and email experience with our websites Identity, Contact, Technical, Profile, Usage, Education, Marketing and Communications

Necessary for our legitimate interests (to develop our products/services, grow our business and serve you better and more relevant content)

To deliver seasonal specific email and SMS products to you Identity, Contact, Education, Marketing and Communications

Sometimes, we may request consent for non-regular/seasonal products that we may wish to deliver to you from time to time

Third Party use of data, including sharing personal data with universities and for the delivery of certain adverts on our website

Identity, Profile, Technical, Usage, Education, Geographic We will always gain consent for use of your data by third parties

The following sections go into more detail on specific data uses.

2.3.3 Electronic communications and personalisation of content

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which content, products, services and offers may be relevant for you.

When we do this with the content you see on our websites, we call this personalisation. When we do this with email or SMS, we call these marketing communications.

Receiving these marketing communications from us is part of being a member of our websites. You will receive them to the email address and mobile phone number you gave us when you became a member of our websites. If you have opted out of receiving some or all marketing communications from us, you will not receive them.

2.3.4 Third-party marketing and advertising

We will get your explicit opt-in consent before we share your personal data with any company or organisation outside the TSR Group for marketing purposes.

For third party marketing and advertising, we gain consent via the privacy message we show you when you first visit our website. You may have seen similar messages on other websites as we use the Quantcast Choice consent management platform for this.

You can reactivate the message to manage your consent at any time by clicking on the ‘Ad Privacy Settings’ link in the site footer on The Student Room. The Uni Guide currently does not display third party adverts that use personal data.

2.3.5 University enquiries, prospectus downloads and open day bookings

Form for university enquiries, prospectus downloads and open day bookings will ask you for consent to share your data with the higher education provider(s) you have chosen.

This allows us to share the data you entered in the form with the provider(s). While it is option to give this consent, you will not be able to submit the forms without giving it.

2.3.6 Affiliates

Sometimes you may find links to retailers in articles or threads. Sometimes, we may receive a small commission from the retailer if you make a purchase after clicking one of these links.

The main service used for this is Skimlinks. You can opt out of this at any time by going to their website.

TSR Group is also a participant in the Amazon Services LLC Associates Program. This an affiliate advertising program designed to provide a means for websites to earn advertising fees by advertising and linking to

These posts and articles are not usually sponsored by the retailers, publishers, promoters or manufacturers. If they are, it will be clearly stated. All editorial decisions are made solely by TSR Group.

2.3.7 Opting out

You can ask us to stop sending you marketing communications at any time. You can also withdraw any consent you have given us at any time. You can do either of these things by:

  • logging into your accounts on our websites and editing your preferences in the marketing preference centre
  • following the opt-out links on any marketing message sent to you
  • contacting us at any time

If you opt out of marketing communications, we will still process personal data to manage your account with us, such as sending password reset emails.

Details of how to opt out of third-party advertising and affiliate links is included in the sections above.

2.3.8 Cookies

You can set your browser to refuse some or all browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our websites may become inaccessible or not function properly. For more information about the cookies we use, please see our cookie policy for The Uni Guide and our cookie policy for The Student Room.

2.3.9 Other uses of your personal data

Your personal data will not be used for any other purpose without your explicit consent, unless permitted or required by law.

2.4 Change of purpose

We will only use your personal data for the purposes for which we collected it, unless:

  • we reasonably consider that we need to use it for another reason; and
  • that reason is compatible with the original purpose.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

You can contact us if you wish to get an explanation about how the processing for the new purpose is compatible with the original purpose, please contact us.

Please note that we may process your personal data without your knowledge or consent where this is required or permitted by law. The processing will remain in compliance with the above rules.

2.5 If you fail to provide personal data

Where we need to collect personal data

  • by law, or
  • under the terms of a contract we have with you

and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. Examples of contracts include to provide you with goods or services.

In this case, we may have to cancel a product or service you have with us. We will notify you if this is the case at the time.

3 International transfers

Your personal data will normally remain inside the UK or the European Economic Area (EEA). Sometimes we may need to transfer your data to other places. If we do, will always ensure appropriate safeguards are in place. Section 4 includes details of any international transfers.

4 Sharing your data

We will not share any of your personal data without your consent, except in the circumstances listed below.

4.1  Third-party data processors

We may use third-party data processors to conduct specific activities. We will ensure contracts are in place with all third-party processors. The contacts will contain all the clauses required by data protection law. Our current categories of data processors are:

Email service providers

  • E.G. Salesforce Marketing Cloud, MailGun
  • They send the emails from us to you – both marketing communications and those helping you manage your account; or help us manage and verify email addresses.
  • Locations: EEA or US based (transferred based on EU-US Privacy Shield, binding corporate rules or standard contractual clauses)

Survey and quiz tools

  • E.G. SurveyMonkey, Mopinion, GetFeedBack, Apester
  • We use these to enable you to partake in surveys and quizzes and help us gather feedback.
  • Location: EEA or US based (transferred based on EU-US Privacy Shield, binding corporate rules or standard contractual clauses)

Data and analytics service providers

  • E.G. Google Analytics, Google Optimize, Permutive
  • We use these to collect data on site visitors and pageviews to understand our audience and improve our websites and the services we offer you.
  • Location: EEA or US based (transferred based on EU-US Privacy Shield, binding corporate rules or standard contractual clauses)

Website maintenance tools and I.T. and development services

  • We use these to administer, protect, develop and improve our websites; and to manage our I.T. systems.
  • Location: EEA or US based (transferred based on EU-US Privacy Shield)

SMS service provider

  • We use these services to send SMS messages.
  • Locations: EEA based

Hosting service providers 

  • E.G. Amazon Web services (AWS)
  • We use these to host our websites and data.
  • Location: EEA or US based (transferred based on EU-US Privacy Shield)

Ad serving providers

  • E.G. Google Ad Manager, Google Video and Display 360, Facebook
  • We use these to deliver relevant advertising to you on, and off, our websites and understand the effectiveness of the adverts.
  • Location: EEA or US based (transferred based on EU-US Privacy Shield)

Personalisation tools

  • We use these to personalise what you see on our websites and in emails to ensure it is as relevant for you.
  • Location: EEA or US based (transferred based on EU-US Privacy Shield)

Geo-identification service

  • E.G. MaxMind
  • We use this to find out your approximate location, based on your IP address, so we can deliver more relevant ads, content and emails to you.
  • Location: US based (transferred based on EU-US Privacy Shield)

Customer relationship management systems

  • E.G. Salesforce CRM
  • We use these to manage your enquiries to universities, requests for prospectuses and registrations for open days.
  • Location: UK and US based (transferred based on EU-US Privacy Shield)

Professional advisors

  • E.G. lawyers, bankers, auditors and insurers who provide consultancy, legal, insurance and accounting services.
  • Location: United Kingdom based

4.2  Sub-contractors

TSR Group may use a sub-contractor to conduct specific tasks. If this includes the processing of personal data, the sub-contractor is treated the same as other staff at TSR Group. This ensures the same legal requirements are in place to protect your personal data. They are always based in the EEA.

4.3  Regulators or other authorities

Sometimes, official regulators or authorities may legally require information about our data processing. This will rarely require us to share personal data. If we need to share personal data, we will only ever share the minimum data the law requires us to share.

4.4  Limitations on additional sharing

If we need to share your personal data with any other third party, you will be told in advance. This will usually be at the time we collect the data. An example would be a survey or research where the personal data would be shared with a third party involved with the research. In these cases, we will explain what personal data will be shared and why. You will have the option to refuse to share your personal data.

5 Data security

We have put in place appropriate technical and organisational security measures. This is to prevent misuse of your data, including:

  • your data being lost or changed
  • your data being seen by someone who should not have access
  • your data being used in ways not listed here

Only people at TSR Group and third parties who have a need to use your data will have access to it. They will only process your personal data on the instruction of TSR Group. They will also be subject to a duty of confidence.

We have put in place procedures to deal with any suspected personal data breach. This includes processes to notify you and any applicable regulator of a breach where we are required to do so.

6 Data retention

We will only keep your personal data for as long as we need to fulfil the purposes we collected it for. This includes meeting all legal, accounting, and reporting requirements.

To decide how long we keep personal data, we look at:

  • the amount, nature, and sensitivity of the personal data,
  • the potential risk of harm from unauthorised use or disclosure of your personal data,
  • the purposes for which we process your personal data,
  • whether we can achieve those purposes through other means, and
  • the applicable legal requirements.

Sometimes, we may aggregate or anonymise your personal data. This means the data can no longer be associated with you. In these situations, the data is no longer personal data. We can keep using this data and do not need to delete it.

There are two exceptions to the above rules:

  1. You request the deletion of all your personal data (see Your legal rights below for further information)
  2. There is another legal basis for keeping any of the data for longer, for example, the establishment or defence of a legal claim

7 Children's Information

In the UK a child is defined as being over the age of 13 for data protection laws. Our websites are not aimed at people below the age of 13. Most products and services are aimed at people aged 15 and above. People aged under 13 are unable to register to become a member of our websites.

We therefore do not knowingly process the personal data of any children.

This privacy notice has also been reviewed to ensure people aged 15 or above can understand it.

8 Your legal rights

Under certain circumstances, you have rights about your personal data under UK law.

No fee usually required: you will not usually have to pay a fee to exercise these rights. However, if a request is clearly unfounded, repetitive, or excessive, we may decide to charge a reasonable to fee before proceeding.

Time limit to respond: we will usually respond within 30 days unless the request is particularly complex. In this case, we will notify you to keep you updated.

What we may need from you: when using these rights, we may also request more information from you. This will be to confirm your identity and to ensure the security of personal data.

  • Informed: you have the right to be informed about what personal data is processed, what it is used for, why we are processing it, who is processing it and your legal rights. This privacy notice is our way of informing you of this. We may also inform you at other times, such as when collecting data from you.
  • Consent: where we rely on your explicit consent as the legal basis for processing your data. You have the right to withdraw that consent at any time and object to us processing your data.
  • Access: you have a right to request a copy of the personal data we hold about you at any time. This is also known as a data subject access request.
  • Correction: you have the right to request we correct any incomplete or inaccurate data we hold about you. We may need to confirm any changes to data you request are correct.
  • Erasure: you have the right to request we delete any personal data we hold about you. Sometimes this might not be possible, e.g. if we are required by law to keep certain records, in which case we will tell at the time of your request.
  • Objection to processing: in some situations you have the right to object to the processing. For example, where we are relying on legitimate interests to process personal data or where we are using your data for direct marketing. In some cases, we may demonstrate that we have compelling legitimate grounds to continue to process your data which override your rights and freedoms.
  • Restriction of processing: you have the right to request we stop processing your data if:
    • You want us to establish the data’s accuracy
    • Where our use of the data is unlawful, but you don’t want us to delete it
    • Where you need us to hold the data, even if we no longer require it, as you need to establish, exercise or defend a legal claim
    • You have objected to our use of your data, but we need to verify overriding legitimate grounds.
  • Data portability: you have the right to receive a copy of the personal data you have provided us, should you wish to transfer it to another data controller. The data we provide should be in a structured machine-readable format.
  • Withdraw consent: at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Please contact our Data Protection Officer if you wish to exercise any of these rights.

Email: [email protected]

You have the right to make a complaint at any time to the Information Commissioner's Office ("ICO"). The ICO is the UK supervisory authority for data protection issues (

Before you contact the ICO we would like the chance to deal with your concerns. Therefore, please do contact us first so we can try and resolve your concerns.