Privacy Policy
How we collect, use and protect your personal data under UK GDPR and the Data Protection Act 2018.
The data controller for the platform is [operator to complete: registered name, address, contact email]. You can contact us using those details for any privacy question or to exercise your rights.
- Account details: your name and email address.
- A password, which we only ever store as a secure one-way hash (we never keep your actual password).
- A record of the confirmations you give when you register: that you accepted these terms, read the risk warning, acknowledged this policy and are 18 or over, each with the date and time.
- Your learning progress: which courses and lessons you have completed, and your quiz and chart-exercise attempts and scores.
- A sign-in session record so we can keep you logged in, which includes your browser’s user-agent and the session timing (see ‘Cookies and local storage’ below).
- A vulnerability status: a single minimised, categorical result (‘clear’ or ‘on hold’) derived from the risk and vulnerability questionnaire.
Importantly, we do not store your raw answers to the vulnerability questionnaire. They are scored the moment you submit them and then discarded. If your answers raise a hold, we keep only one short category describing the type of concern (for example an essential-funds or gambling concern); there is no free text and no stored explanation. That category is treated as sensitive information and is visible only to a single senior safeguarding role, never to ordinary staff, and never to you. In this way we hold as little sensitive information about you as possible (data minimisation).
We do not collect payment or card details, government ID, or your date of birth (the 18-or-over check is a simple confirmation). We do not run advertising or analytics trackers and we do not build marketing profiles about you.
- To create and run your account and deliver the courses: performance of our contract with you.
- To gate content responsibly and safeguard learners through the risk and vulnerability foundation: our legitimate interest in running the platform safely. Because the vulnerability flag may be sensitive information, an additional special-category condition applies. [operator to complete: confirm the lawful basis and special-category condition with your adviser.]
- To keep the platform secure and meet our legal obligations: legitimate interests and legal obligation.
We do not sell your data, and we do not share it with advertisers or data brokers. We rely on a small number of service providers who act only on our instructions:
- A hosting provider that runs the servers and database holding the platform. [operator to complete: provider name and country.]
- Cloudflare R2, when configured, stores the course media (videos and images). This holds course content, not your account data. When you open a lesson or image, your browser loads the file directly from Cloudflare using a short-lived link, so Cloudflare receives your device’s IP address and request details in order to deliver it. [operator to complete: confirm the R2 region and that a data-processing agreement is in place.]
Separately, if you choose to play a video that a lesson or blog post embeds from YouTube or Vimeo, your browser connects to that provider directly. These providers are independent third parties, not our service providers: they receive your IP address and device and request details in order to deliver the video, and handle it under their own privacy policies. This happens only after you click play (see ‘Cookies and local storage’), and is likely to involve a transfer outside the UK. [operator to complete: confirm which embed providers are used and any transfer safeguard.]
A decorative gold-price chart on our public pages uses market data that we fetch on our own server. No personal data about you is sent to that source.
If any provider stores data outside the UK, we put an appropriate transfer safeguard in place. [operator to complete: hosting location and the transfer safeguard used, for example UK adequacy or the ICO International Data Transfer Agreement.]
We keep your account and progress data for as long as your account is active. If you erase your account, we replace your name, email and password with non-identifying placeholders, sign you out everywhere, and fully remove your safeguarding vulnerability flag. For legal-accountability reasons we keep a minimal record that no longer identifies you, such as our administrator audit trail. [operator to complete: any specific retention periods, for example a grace period before deletion or how long audit records are kept.]
We use one automated decision. Your answers to the risk and vulnerability self-assessment are scored automatically, and the result can pause (‘hold’) your progress through the course so we can safeguard you. You are never shown a category or reason, only a supportive clear-or-hold outcome with signposting to support.
If your progress is paused, you can reflect and try the assessment again after a short cool-off, and you can ask us to have a person review the decision and lift the hold. We make no other automated decisions, and we do not profile you for marketing. [operator to complete: confirm with your adviser how this is treated under UK GDPR Article 22 and the special-category condition that applies.]
Under UK GDPR you have the right to:
- Access: get a copy of the personal data we hold about you.
- Rectification: have inaccurate data, such as your name or email, corrected.
- Erasure: have your account erased, so your identifying details are removed.
- Portability: receive your data in a portable, machine-readable format.
- Object: object to processing based on our legitimate interests, including the safeguarding vulnerability flag.
- Restrict: ask us to limit how we use your data while a concern is resolved.
- Automated decisions: ask for a person to review a decision made only by automated means (see ‘Automated decisions’ above).
You can exercise access, portability and erasure yourself at any time from your Your data page. For anything else, contact us using the details above.
You also have the right to complain to the Information Commissioner’s Office (ICO), the UK regulator, at ico.org.uk. We would ask that you contact us first so we can try to help.
We use one cookie: an essential session cookie that keeps you signed in. It is strictly necessary for the platform to work, so it does not require consent.
We also keep two small preferences in your browser’s local storage: your chosen display theme (light or dark) and your response to the cookie notice. These stay on your device, are never sent to us, and are used only to remember your choices, not to track you.
We do not use tracking, advertising or analytics cookies or storage of any kind. Some lessons and blog posts embed videos from YouTube or Vimeo. To protect your privacy we do not load these from the provider until you choose to play them: until you press play, no connection is made to YouTube or Vimeo and none of their cookies can be set. When you do play a video, your browser loads it from the provider, which may then set its own cookies; we use YouTube’s privacy-enhanced no-cookie domain where possible.
We may update this policy from time to time; the current version always appears here. For any privacy question, contact [operator to complete: registered name, address, contact email].
See also our Terms of Use.