This page explains:
- About the Service
- How and why we use personal data
- When we collect personal data
- Why we collect personal data
- Who has access to your personal data
- How long we store personal data for
- How we keep personal data safe
- International transfers
- Your rights as a data subject
- Who controls information we collect
This policy governs the use of your ‘personal data’, which means any information that identifies or relates to you (or any other identifiable individuals). It uses the term ‘processing’, which means any operation, action or activity (such as storage, transfer, access, deletion) which involves personal data.
This policy explains what personal data we collect, how and why it is used and how it is kept safe. It also sets out your rights in relation to your personal data. This policy is designed to ensure that your information is used in a fair, lawful and transparent manner, in accordance with UK data protection laws including the UK Data Protection Act 2018 (‘Data Protection Laws’).
2. ABOUT THE SERVICE
The Service is made available by [CUSTOMER NAME] and allows you, the end user, to access online language learning programs and resources. When using the Service you will provide and generate personal data (such as your name, profile information and study data) which we need to process in order to provide the Service. Please note, this policy only relates to the Service and it does not govern any other collection or use of your personal data by [CUSTOMER NAME]. This policy should therefore be read in conjunction with [CUSTOMER NAME]’s own privacy notice [which is available at [WEBSITE ADDRESS]].
The Service is provided in conjunction with Reallyenglish.com Limited (the “Platform Provider”) which operates and administers the platform used to provide the Service. Any personal data inputted by you or [CUSTOMER NAME] will be collected and processed by the Platform Provider in order to provide the Service and operate the platform. Unless the context requires otherwise, references to ‘we’, ‘us’ and ‘our’ in this policy includes both [CUSTOMER NAME] and the Platform Provider, both of whom will be controllers. Further information can be found in paragraph 11 of this policy.
3. HOW AND WHY WE USE PERSONAL DATA
The table below provides an overview of what personal data is collected from students and other users (such as administrative users), why it is collected, and how it is used.
|Types of personal data collected||When the data is collected||Purpose for collection||Legal basis for processing|
|Name, email address and password.||Upon registration.||To identify end users and provide the Service.||
The processing is necessary for the performance of a contract (such as the End User Licence Agreement) to which you are a party.
|Avatar details.||(Optional) during the Writing for Business course.||To provide the end user with an avatar at their request.||The processing is necessary for our legitimate interests (being the provision of the Service and the Platform Provider’s operation and development of the underlying platform).|
|Personal data within correspondence (e.g. email signatures and metadata).||When you contact us, for example if you lodge a support request, provide feedback or opinions.||To communicate with end users and keep a record of our communications and Service.|
|Information about your language ability and course progress.||When you use the Service.||To provide the Service and enable end users to use its functionality.|
Details of your association with [CUSTOMER NAME] (e.g. whether you are a current student or an administrative user) will also be provided to the Platform Provider.
In addition, the Platform Provider may:
- Collect technical information in order to optimise and improve the Service. This might include internet protocol addresses details of your browser, device or connection type. This information will not readily or directly identify any particular user and it is collected in order to monitor how the platform is used and to optimise the way that information is presented.
- Anonymise personal data and technical data, and combine this information with anonymised information about other users. The resulting information will not identify any particular person and will be used for various purposes including research, development and marketing of the platform.
4. WHEN WE COLLECT PERSONAL DATA
We collect personal data about individuals who register for or use the Service or communicate with us. This includes information:
- Provided to us by end users of the Service (for example, by filling in registration forms).
- Generated or collected during the use of the Service.
- Information within correspondence (such as email signatures and metadata).
5. WHY WE COLLECT PERSONAL DATA
Your personal data is used for a range of purposes, which are summarised in the table in paragraph 3. Our lawful bases for using personal data are as follows:
- The personal data needs to be used to enter into or perform contractual obligations with you (including under the End User Licence Agreement). This includes administering your account so that you can access the Service and use course content.
- The information needs to be used for our legitimate interests (or those of a third party, including the Platform Provider). These will be specific lawful interests, such as keeping proper records, the administration of our business and to maintain and improve the Service. We will only use personal data on this basis if our use is not outweighed by your own rights and interests.
- In limited circumstances, personal data may be used on the basis of your consent. In these cases your consent will always be clearly requested. You are, of course, free to refuse consent and you will be informed as to what (if any) consequences this might have. You can also withdraw consent at any time.
6. WHO HAS ACCESS TO YOUR PERSONAL DATA
Personal data you provide will be kept private and confidential and only used as set out in this policy. Any personal data provided or generated by your use of the Service will be available to us and our employees and contractors will be able to access information to the extent necessary for us to use it for the purposes explained earlier in this policy (such as providing you with access to the Service).
Course tutors, teachers and coaches will be provided with an end user’s name. End users may also choose to provide additional information during the course of interacting with these persons in connection with their learning. However, as with any online services, you should not disclose any personal information which is not necessary and you should not provide personal contact information or other details.
Unless specifically set out in this policy, your personal data will not be disclosed or shared with other data controllers without a proper lawful basis in accordance with data protection laws. For example, where disclosure is legally required, or in the event of a business sale or other corporate transaction which may transfer control of the Service or the platform, or if the sharing of personal information is required by regulatory authorities in the event of an audit or investigation. Your data may also be shared with our support provider, [RESELLER NAME] if you encounter a technical issue in relation to the Platform that needs support in order to be resolved. Further details of the support provider [can be found WEBSITE/CONTACT DETAILS OR will be provided when you raise a support request].
Some of the third parties who provide services to us may have access to your personal data. This includes software providers (such as Microsoft), cloud service providers and IT support services. However, these third parties will only process personal data (which may include your information) for specified purposes and in accordance with strict instructions.
Third-party service providers (such as providers of technical support services) are required to provide guarantees that your personal data will be kept safe and will have to enter into a written contract which protects your personal data and prevents it from being used for any unauthorised purpose.
7. HOW LONG WE STORE PERSONAL DATA FOR
Personal data is stored for as long as is necessary for the purposes described in this policy (or for related compatible purposes such as complying with applicable legal, accounting, or record-keeping requirements).
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from its unauthorised use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
If you delete your account, or your licence to access the Service is terminated or expires then [CUSTOMER NAME] may retain information about your course progress; however, the Platform Provider will typically erase all information relating to you and your studies from the Platform within 6 months.
8. HOW WE KEEP PERSONAL DATA SAFE
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, damaged or destroyed, altered or disclosed. This includes both physical security measures (such as keeping paper files in secure, access-controlled premises) and electronic security technology (such as sophisticated encryption protocols, digital back-ups and anti-virus protection).
We limit access to your personal data to those employees, agents, contractors and other third parties who need it for the purposes set out in this policy. They will only process your personal data on our instructions and they are subject to legal and contractual confidentiality obligations.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach when we are legally required to do so.
9. INTERNATIONAL TRANSFERS
We normally only store personal data within the UK or the European Economic Area (EEA). However, some of the technology and support services we use are provided by international organisations and/or companies which are based outside the UK or the EEA. Before using such service providers, we take steps to make sure that any personal data they process is adequately protected and transferred in accordance with Data Protection Laws, usually by one or more of the following methods:
- Ensuring the recipient is in a country which the UK or the EU (as applicable) has deemed provides adequate protection for personal data; or
- Implementing appropriate safeguards such as requiring the recipient to enter into Standard Contractual Clauses approved by the appropriate data protection supervisory authorities.
The only other time we will transfer data outside the UK or EEA is if a derogation (i.e. an exception) under Data Protection Laws has been permitted and the transfer is either necessary and made for the purposes of that exception or with your explicit consent.
10. YOUR RIGHTS AS A DATA SUBJECT
Data Protection Laws provide you with certain rights in relation to your personal data. These are as follows:
- The right to access your personal data. This enables you to receive a copy of the personal data we hold about you.
- The right to request correction or completion of personal data. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- The right to request erasure of your personal data. This enables you to ask us to delete or remove personal data (though this may not apply where we have a good, lawful reason to continue using the information in question). You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- The right to object to processing of your personal data. You can object to us processing personal data on the basis of our legitimate interests or for direct marketing.
- The right to restrict how your personal data is used. You can limit how we use your information (which means we’ll restrict how we use the data so that it’s stored securely and will typically only be accessed in case of a legal claim).
- The right to have a portable copy or transfer your personal data.We will provide you, or (where technically feasible) a third party, with a copy of your personal data in a structured, commonly used, machine-readable format. Note this only applies to automated information which we process on the basis of your consent or in order to perform a contract.
- The right to withdraw consent. If we are relying on consent to process your personal data, you have the right to withdraw that consent at any time.
Responding: We try to respond to all personal data requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.
We may need to request additional information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you to clarify your request.
Fees for making a request: You will not normally have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
How to make a request: If you want to exercise any of the rights described above, please contact [CUSTOMER NAME] at [ADDRESS] or [EMAIL]. You can also contact the Platform Provider direct using the contact details in the next section. You have the right to complain to a data protection supervisory authority (which, in the UK, is the ICO) if you are not satisfied with our response to a data protection request or if you think your personal data has been mishandled. If you are in the UK, please visit https://ico.org.uk for further information.
11. WHO CONTROLS INFORMATION WE COLLECT
The Service is provided by [CUSTOMER NAME] a provider of [language learning and educational services] which can be contacted at [ADDRESS] or [EMAIL]. [IF IN THE UK - [CUSTOMER NAME] is registered as a data controller with the UK Information Commissioner’s Office with registration number [NUMBER].
The Platform Provider is Reallyenglish.com Limited (further information on which can be found at https://www.reallyenglish.com). Reallyenglish.com is registered as a data controller with the UK Information Commissioner’s Office with registration number ZA530952. The Platform Provider’s email address is: firstname.lastname@example.org
For the purposes of applicable data protection and privacy laws [CUSTOMER NAME] and, the Platform Provider will each be controllers of your personal data, meaning we each make decisions about how and why we use your personal data and each have responsibilities to keep your data safe and ensure your rights are protected. [CUSTOMER NAME] and the Platform Provider have entered into a detailed written data sharing agreement to ensure that your personal data is kept safe and your rights under Data Protection Laws are protected.