1. Introduction
Compliance College Ltd ("we", "us", "our") is a company registered in England & Wales. We are committed to protecting and respecting your privacy.
This Privacy Policy explains how we collect, use, store and protect your personal data when you use our website, learning platform, and related services (collectively, the "Platform"). It applies to all visitors, learners, company administrators, and training centre partners.
We act as the data controller for the personal information described in this policy. We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Information We Collect
Personal Data
When you register for an account, enrol on a course, or contact us, we may collect:
- Full name, email address, and phone number
- Job title and employer details
- Postal address (where required for certificate delivery)
- Professional qualifications and membership numbers
Learning Data
As you use our Platform, we collect data related to your learning activities:
- Course progress and completion status
- Assessment scores and attempts
- Certificate records and verification IDs
- Time spent on modules and learning resources
Payment Data
Payments are processed securely through our payment provider, Stripe. We do not store your full card details on our servers. We retain only:
- Transaction reference numbers
- Last four digits of the payment card (for your reference)
- Billing address and invoice records
Technical Data
We automatically collect certain technical information when you visit our Platform:
- IP address and approximate geolocation
- Browser type and version
- Operating system and device type
- Pages visited, referral source, and session duration
- Cookie and similar technology identifiers (see Section 8)
3. How We Use Your Data
We use the personal data we collect for the following purposes:
- Provide training services — Deliver courses, track your progress, and manage your account
- Issue certificates — Generate, store, and enable verification of your course completion certificates
- Communicate about courses — Send enrolment confirmations, progress reminders, and completion notifications
- Regulatory compliance — Meet our legal obligations to awarding bodies, HMRC, and regulatory authorities
- Improve our services — Analyse usage patterns to enhance the Platform experience
- Customer support — Respond to your enquiries and resolve issues
- Marketing communications — Send promotional content about courses and services (opt-in only; you can unsubscribe at any time)
4. Legal Basis for Processing
We rely on the following legal bases under UK GDPR to process your personal data:
- Contract performance — Processing necessary to fulfil our agreement with you when you enrol on a course or create an account
- Legitimate interests — Processing necessary for our legitimate business interests, such as improving our Platform, preventing fraud, and ensuring security
- Consent — Where you have given explicit consent, such as for marketing communications and optional analytics cookies
- Legal obligation — Processing necessary to comply with legal and regulatory requirements, including tax law and awarding body regulations
5. Data Sharing
We may share your personal data with the following categories of recipients:
- Certificate verification — Your certificate ID and course title are accessible via our public verification portal. No other personal data is disclosed through this service.
- Awarding bodies — We share learner data with accreditation partners including NEBOSH, IOSH, City & Guilds, and other awarding organisations as required for certification and quality assurance
- Payment processor — Stripe processes payment transactions on our behalf under their own privacy policy
- Analytics provider — Google Analytics receives anonymised usage data to help us understand how the Platform is used
- Hosting and infrastructure — Our hosting providers process data on our behalf under strict data processing agreements
We will never sell your personal data to third parties. Data is only shared as described above and with appropriate safeguards in place.
6. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are as follows:
- Account data — Retained while your account is active, plus 2 years after your last login to allow for re-activation
- Certificate records — Retained for 7 years from the date of issue, in line with regulatory requirements from awarding bodies
- Payment and transaction records — Retained for 6 years as required by HMRC for tax and accounting purposes
- Marketing preferences — Retained until you unsubscribe or withdraw consent
- Technical and analytics data — Retained for up to 26 months in aggregated or anonymised form
After the applicable retention period, personal data is securely deleted or anonymised.
7. Your Rights (GDPR)
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access — Request a copy of the personal data we hold about you
- Right to rectification — Request correction of inaccurate or incomplete data
- Right to erasure — Request deletion of your personal data (subject to legal retention requirements)
- Right to restrict processing — Request that we limit how we use your data
- Right to data portability — Receive your data in a structured, machine-readable format
- Right to object — Object to processing based on legitimate interests or for direct marketing
- Right to withdraw consent — Withdraw consent at any time where processing is based on consent
To exercise any of these rights, please contact our Data Protection Officer at dpo@compliancecollege.co.uk. We will respond to your request within 30 days.
8. Cookies
Our Platform uses cookies and similar tracking technologies to enhance your experience, analyse usage, and support our marketing efforts.
We use essential cookies that are necessary for the Platform to function, as well as optional analytics and marketing cookies that require your consent.
For full details about the cookies we use, including how to manage your preferences, please refer to our Cookie Policy.
9. International Transfers
Your personal data is primarily processed and stored within the United Kingdom and the European Economic Area (EEA).
In cases where data may be transferred outside the UK/EEA (for example, through the use of cloud services), we ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner's Office (ICO), or transfers to countries with an adequacy decision.
10. Children's Privacy
Our services are not directed to individuals under the age of 16. We do not knowingly collect personal data from children under 16.
If you are a parent or guardian and believe your child has provided us with personal data, please contact us at dpo@compliancecollege.co.uk and we will take steps to delete such information promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or regulatory guidance.
Where changes are significant, we will notify you by email and/or by posting a prominent notice on our Platform. We encourage you to review this page periodically for the latest information.
The "Last updated" date at the top of this page indicates when this policy was most recently revised.
12. Contact Us
If you have any questions about this Privacy Policy or how we handle your personal data, please contact us:
- Data Protection Officer
  Email: dpo@compliancecollege.co.uk
- Postal address
  Compliance College Ltd, 42 Regent Street, London, W1B 5TH, United Kingdom
- Phone
  +44 (0)20 7946 0321
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk | Helpline: 0303 123 1113