This policy (together with our end-user licence agreement as set out at EULA ('EULA') applies to your use of our online language learning platform and mobile application (the "Platform").
This page explains:
- About this policy
- When we collect personal data
- What personal data we collect and why
- Who has access to your personal data
- Where we store personal data
- How we keep information safe
- International transfers
- Your rights as a data subject
- Who controls information you provide, and how to get in contact
- Updates to this policy
ABOUT THIS POLICY
This policy explains what personal data we collect, how and why we use it and what we do to keep it safe. It also sets out your rights in relation to your personal data. This policy is designed to ensure that your information is used in a fair, lawful and transparent manner, in accordance with UK and EU data protection laws ('Data Protection Laws').
This policy relates to 'personal data', which means any information which identifies or relates to you (or any other individual). It also uses the term 'processing', which means any operation, action or activity (such as storage, transfer, access, deletion) which involves personal data.
WHEN WE COLLECT PERSONAL DATA
We collect personal data about individuals who register for or use the Platform or communicate with us this includes information:
- provided to us by end users of the Platform (for example, by filling in forms within the Platform);
- generated or collected during the course of using the Platform;
- provided by the institution or organisation which has purchased the licence that allows you to use the Platform; and
- Information within correspondence (such as email signatures and metadata).
For further details about the information collected from and generated by use of the Platform, please see 'What personal data we collect and why' (below).
WHAT PERSONAL DATA WE COLLECT AND WHY
We collect the following information about individual end users of the Platform:
- Information you provide when registering to use the Platform (including name, email address and telephone number).
- Details of your relationship to the institution or organisation which has purchased a licence to the Platform (e.g. if you are a student or employee).
- Details of the device you use to access the platform (e.g. whether you access the Platform via a mobile or desktop computer, and information about your device such as your browser and screen resolution) which we use to optimise your experience of the Platform.
- Information about your language ability and course progress.
- Any feedback or opinions you provide to us about the Platform or our services.
We use this information because to the extent necessary in order fulfil our obligations under the EULA (i.e. to administer your account so you can access the Platform and use the course content within it).
We also use information for our own lawful purposes, such as keeping proper records, administration of our business and in order to maintain and improve Platform and our services (which may involve the user of personal data and/or anonymised data).
In limited circumstances, we may use personal data on the basis of your consent. If we do so, we will always clearly ask for your agreement first. You are, of course, free to refuse this and we will inform you as to what (if any) consequences this might have. You can also withdraw consent at any time.
We may also collect anonymous information about Platform users in order to optimise and improve the Platform and our services This might include IP addresses, browser or device details and the connection type (for example, the Internet service provider used). However, none of this information will by itself directly identify any particular user. We use this information to track visits and pages used on the Platform.
Cookies: If you access the Platform via a website (instead of our mobile app) then we will use "cookies". Web browsers place cookies on hard drives for record-keeping purposes and sometimes to track information. This enables us to recognise end users when they navigate from one page to the next and to configure webpages. These cookies may include:
|session||keeping track of a logged-in user|
|jwt||encrypted shared session information for lesson front-end|
|relsConfig||configuration for lesson front-end|
|course-menu-tabs*||stores which tabs have been selected|
|currentCategory*||storex which category have been selected|
|groupByCriterion*||store which group has been selected|
|searchQuery*||store the term the user searched for|
|upstream||internal proxy server routing cookie|
WHO HAS ACCESS TO YOUR PERSONAL DATA
Personal data you provide to us will be kept private and confidential. Our employees and contractors will be able to access information to the extent necessary for us to use it for the purposes explained earlier in this policy (such as providing you with access to the Platform and its materials).
Course tutors, teachers and coaches will be provided with an end user's name. End users may also choose to provide additional information during the course of interacting with these persons in connection with their learning. Where a subscription has been provided or purchased through an institution or company, that institution or company will usually have access to an end-user's details and information about his or her studies and progress.
We will not disclose or share your personal data other data controllers without your permission. The only exceptions to this are those set out above and where we are legally required to disclose information, or in the event our business is sold and the Platform and services are taken over by another company. We may also be required to share personal information with regulatory authorities in the event of an audit or investigation.
Some of the third parties who provide services to us may have access to personal information we control. This includes software providers (such as Microsoft), cloud service providers and IT support services. However, these third parties will only process personal data (which may include your information) on our behalf for specified purposes and in accordance with our strict instructions.
We only use third party service providers who have provided sufficient guarantees, as required by data protection law, that your personal data will be kept safe. We always ensure there is a written contract in place which protects your personal data and prevents it from being used for any purpose other than providing services to us, in accordance with Data Protection Laws.
HOW LONG WE STORE PERSONAL DATA FOR
We only retain personal data for as long as is necessary for the purposes described in this policy (or for related compatible purposes such as complying with applicable legal, accounting, or record-keeping requirements).
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from its unauthorised use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
If you delete your account, or your licence to access the Platform is terminated or expired then we will typically erase all information relating to you and your studies within 6 months.
HOW WE KEEP PERSONAL DATA SAFE
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, damaged or destroyed, altered or disclosed. This includes both physical security measures (such as keeping paper files in secure, access-controlled premises) and electronic security technology (such as sophisticated encryption protocols, digital back-ups and anti-virus protection).
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to legal and contractual confidentiality obligations.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach when we are legally required to do so.
We normally only store personal data within the European Economic Area (EEA). However, some of the technology and support services we use are provided by international organisations and/or companies which are based outside the EEA. Before using such service providers, we take steps to make sure that any personal data they process is adequately protected and transferred in accordance with Data Protection Laws, usually by one or more of the following methods:
- ensuring the recipient is in a country which the EU Commission has deemed provides adequate protection for personal data;
- implementing appropriate safeguards such as requiring the recipient to enter into Standard Contractual Clauses approved by the appropriate data protection supervisory authorities; or
- (if the recipient is based in the USA) transferring personal data to recipients who are certified under the EU-US Privacy Shield scheme. For example, we software services provided by the Microsoft Corporation, which is registered under the Privacy Shield scheme.
The only other time we'll transfer data outside the EEA is if a derogation (i.e. an exception) under Data Protection Laws, and the transfer is either necessary and made for the purposes of that exception or with your explicit consent.
YOUR RIGHTS AS A DATA SUBJECT
Data Protection Laws provide you with certain rights in relation to your personal data. These are as follows:
- The right to access your personal data. This enables you to receive a copy of the personal data we hold about you.
- The right to request correction or completion of personal data. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- The right to request erasure of your personal data. This enables you to ask us to delete or remove personal data (though this may not apply where we have a good, lawful reason to continue using the information in question). You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- The right to object to processing of your personal data. You can object to us processing personal data for legitimate interests purposes or for direct marketing.
- The right to restrict how your personal data is used. You can limit how we use your information (which means we'll restrict how we use the data so that it's stored securely and will typically only be accessed in case of a legal claim).
- The right to have a portable copy or transfer your personal data. We will provide you, or (where technically feasible) a third party, with a copy of your personal data in a structured, commonly used, machine-readable format. Note this only applies to automated information we process on the basis of your consent or in order to perform a contract.
- The right to withdraw consent. If we are relying on consent to process your personal data, you have the right to withdraw that consent at any time.
Responding: We try to respond to all personal data requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.
We may need to request additional information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you to clarify your request.
Fees for making a request: You will not normally have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
How to make a request: If you want to exercise any of the rights described above, please contact us using the details set out at the end of this policy. You have the right to complain to a data protection supervisory authority (which, in the UK, is the ICO) if you are not satisfied with our response to a data protection request or if you think your personal data has been mishandled. For further information on how to make a complaint, please visit https://ico.org.uk.
WHO CONTROLS INFORMATION YOU PROVIDE, AND HOW TO GET IN CONTACT
The Platform is owned and operated by Reallyenglish.com Limited, a company registered in England and Wales with registered number 03895911, having its registered office at 1 Primrose Street, London, England, EC2A 2EX.
For the purposes of applicable data protection and privacy laws, Reallyenglish.com Limited is a controller of your personal data. This means that it is responsible for deciding how and why personal data is used, for keeping it safe and for responding to data subject requests. Reallyenglish.com is registered as a data controller with the Information Commissioner's Office (ICO) with registration number Z6565319.
If you have questions about this policy or your personal data, please contact us by writing to the office address above or by emailing firstname.lastname@example.org with the subject line "Data Protection".
UPDATES TO THIS POLICY
We will update this policy from time to time. The current version will always be posted on our website. This policy was last updated on 15 June 2018.