1. Introduction
healthandsafetycollege.com (“we,” “us,” or “our”) is committed to protecting the privacy and security of personal data that we collect, process, and store in connection with our online courses (“Courses”) sold on a business-to-business basis to customers (“Customer,” “you,” or “your”) in the United Kingdom and globally. This Privacy Policy explains how we collect, use, disclose, transfer, and safeguard your personal data when you engage with us as a Customer, your designated administrators, and your Permitted Users (e.g., your employees, contractors, or agents who access the Courses). We also describe your rights under applicable data protection laws, including the UK Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR).
By entering into an agreement with us for the purchase or use of our Courses, and by providing us (directly or indirectly) with any personal data, you acknowledge that you have read this Privacy Policy and agree to its terms. If you are providing personal data on behalf of your organization, you represent that you have the authority to do so and that the organization has agreed to be bound by this Policy.
2. Definitions
- “Data Controller” means the entity that determines the purposes and means of processing personal data. For the Courses, we (Your Company Name) act as Data Controller for the personal data described in this Policy (except for any personal data that you (as Customer) collect from your own Permitted Users in your capacity as a separate controller).
- “Data Processor” means an entity that processes personal data on behalf of the Data Controller. We will act as a Processor for any personal data that you provide to us for the purpose of delivering Courses (e.g., Permitted User registration data).
- “Personal Data” means any information relating to an identified or identifiable natural person.
- “Special Category Data” means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for uniquely identifying a person, health data, or data concerning a person’s sex life or sexual orientation. Our standard processing for Courses does not intentionally collect Special Category Data, but if you choose to submit any Special Category Data (e.g., for accessibility or medical accommodations), please see Section 6.
- “Processing” means any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, alignment, restriction, erasure, or destruction.
- “Permitted Users” means employees, consultants, contractors, or agents of the Customer who are authorized by the Customer to access and use the Courses.
3. Data Controller and Contact Information
Data Controller:
healthandsafetycollege.com
Registered in England and Wales, Company No. [●]
Registered Office: Innovation Centre 6, Keele University, Staffordshire, UK, ST5 5BG
Email: [email protected]
Data Protection Officer (DPO) (if applicable): [Name and Contact Email/Address]
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of personal data, please contact us at the address or email above.
4. Categories of Personal Data We Collect
We collect and process the following categories of personal data in connection with delivering and administering our Courses to you and your Permitted Users:
- Contact and Identification Data
  - Name, job title, business email address, business telephone number, business mailing address, and other business-related contact details for your organization’s primary administrator(s) or billing contact(s).
  - For Permitted Users: name, business email address, and (where applicable) username, department, location, and role within your organization.
- Account and Authentication Data
  - Access Credentials (e.g., username, password, multi-factor authentication details) used by Permitted Users to log in to our Learning Management System (“LMS”).
- Course Usage and Engagement Data
  - Course enrollment records (which Permitted Users have been enrolled in which Courses).
  - Course progress and completion status (e.g., modules completed, quizzes taken, scores, certificates issued).
  - Time-stamped logs of course access, IP addresses, device information, and usage metrics (e.g., pages viewed, time spent on modules).
- Customer Business Data
  - In certain cases, you may upload or provide us with your own business data (Customer Data), such as company name, logo, branding guidelines, or any bespoke content that we incorporate into customized Courses.
- Payment and Billing Data
  - Billing name and address, purchase order references (where applicable), invoicing history, payment history, and VAT or other tax identification numbers.
- Technical and Analytics Data
  - Cookies, IP addresses, browser type, operating system, device type, and other analytics collected when you or Permitted Users access our website or LMS (see Section 11).
- Customer Support Data
  - Any correspondence, support tickets, chat logs, or emails exchanged when seeking technical assistance or troubleshooting.
- Special Category Data (Optional/Minimal)
  - If you or your Permitted Users voluntarily provide any Special Category Data (e.g., to request disability accommodations or indicate health-related needs), we will treat such data with heightened protection (see Section 6).
5. Purposes of Processing and Legal Bases
We process the personal data described above for the following purposes, on the corresponding legal bases:
- Provision of Courses and Performance of Contract (UK GDPR Art. 6(1)(b))
  - To administer and deliver the Courses you have purchased.
  - To create and manage user accounts and Access Credentials for Permitted Users.
  - To monitor course progress, generate course completion certificates, and ensure compliance with service-level commitments.
  - To process payments, issue invoices, and manage billing-related queries.
- Legitimate Interests of Your Organization and Our Company (UK GDPR Art. 6(1)(f))
  - To maintain and improve the LMS platform, troubleshoot technical issues, and ensure platform security and uptime.
  - To analyze usage metrics and engagement data to enhance the design, content, and delivery of our Courses.
  - To send administrative communications (e.g., password resets, notifications of system maintenance, updates to Terms & Conditions or Privacy Policy).
  - To keep records for accounting, auditing, and compliance purposes.
- Compliance with Legal Obligations (UK GDPR Art. 6(1)(c))
  - To comply with applicable laws and regulations, including tax, accounting, and anti-money laundering requirements.
  - To respond to lawful data subject requests, subpoenas, court orders, or other legally binding requests for disclosure of personal data.
- Consent (where applicable) (UK GDPR Art. 6(1)(a))
  - To send marketing or promotional communications (e.g., news about new Courses, events, whitepapers) only if you have provided express consent or if we otherwise have a legitimate interest that does not override your rights (see Section 13).
  - To process any Special Category Data you voluntarily submit, based on your explicit consent (UK GDPR Art. 9(2)(a)).
- Protection of Vital Interests (UK GDPR Art. 6(1)(d))
  - To protect your vital interests or those of another person in case of an emergency.
6. Processing of Special Category Data
Our standard operations do not require the collection of Special Category Data. However, if you or your Permitted Users choose to provide us with Special Category Data (for example, to request specific accessibility accommodations or to indicate a disability), we will process such data only after obtaining your explicit, documented consent. In such cases:
- We will inform you of the specific purpose(s) for which the Special Category Data is collected.
- We will implement enhanced technical and organizational measures to protect that data (e.g., encryption at rest and in transit, access controls limiting disclosure to those employees or contractors who require access).
- You (or your Permitted User) have the right to withdraw consent at any time. If consent is withdrawn, we will cease processing the Special Category Data and delete it unless we have another lawful basis for continued processing (e.g., compliance with legal obligations).
7. How We Collect Personal Data
- Directly from You or Your Designated Administrators
  - When you (as the Customer) submit an Order, sign up for an account, or communicate with us via email, telephone, or support portals.
  - When you (or your designated administrator) enroll Permitted Users in a Course and provide their contact information.
- Automatically via Website or LMS
  - Through cookies, web beacons, log files, and other tracking technologies when you or Permitted Users visit our website or LMS (see Section 11).
  - Via system logs recording IP addresses, device types, browser information, and Course usage metrics.
- From Third-Party Service Providers
  - If you choose to integrate our LMS with third-party applications (e.g., single sign-on providers, analytics tools), we may receive additional data from those third parties, subject to your prior authorization.
  - If we engage third-party processors for payment processing, email delivery, or cloud hosting, we may obtain transaction or account-related information from them.
- From Publicly Available or Third-Party Sources
  - In limited cases, we may supplement contact information (e.g., business address, phone number) with data from publicly available sources or licensed business directories, strictly for the purpose of ensuring our records are accurate and up to date.
8. Disclosure of Personal Data
We do not sell personal data. We will disclose personal data to the following categories of recipients, strictly to the extent necessary:
- Internal Staff and Authorized Personnel
  - Employees, contractors, and agents who need access to personal data to perform their job functions (e.g., system administrators, support staff, finance and billing teams, instructional designers).
- Service Providers and Subprocessors
  - Cloud Hosting and Infrastructure Providers (e.g., AWS, Microsoft Azure, Google Cloud) that host our website, LMS, and databases.
  - Payment Processors (e.g., Stripe, PayPal) to handle invoicing and payments.
  - Email and Communications Providers (e.g., SendGrid, Mailgun) for sending notifications, password-reset emails, and administrative messages.
  - Learning Technology Subprocessors (e.g., video streaming/CDN providers, analytics platforms, assessment/quiz engines) that assist in delivering Courses and tracking usage.
  - Professional Service Providers (e.g., auditors, legal counsel, accountants) when required for compliance, auditing, or legal advice.
  - All subprocessors we engage are bound by written contracts obligating them to maintain confidentiality, implement appropriate security measures, and process personal data only on our documented instructions.
- Affiliates and Group Companies
  - If we are part of a corporate group or if we acquire or merge with another entity, we may share data within the group for administrative, technical, or compliance purposes, provided they comply with this Privacy Policy.
- Legal and Regulatory Authorities
  - To comply with applicable laws, regulations, court orders, or governmental requests (e.g., tax authorities, law enforcement). We will notify you unless prohibited by law or court order.
- Third Parties in Connection with a Business Transaction
  - In the event of a sale, merger, acquisition, reorganization, or liquidation, personal data may be transferred to the prospective buyer or successor entity, subject to confidentiality obligations and user notice.
Before disclosing any personal data to third parties, we will ensure that appropriate contractual safeguards or other measures are in place to protect the data and comply with Data Protection Laws.
9. International Data Transfers
Because we offer Courses to a global audience, personal data may be transferred and stored outside your country of residence, including to jurisdictions that do not provide the same level of data protection as the UK or the European Economic Area (“EEA”). Examples include:
- Cloud Hosting Providers: Our servers or data centers may be located in the United States, Ireland, Germany, or other jurisdictions.
- Subprocessors: Some of our subprocessors (e.g., email service providers, payment processors, analytics platforms) may operate data centers outside the UK/EEA.
Whenever we transfer personal data outside the UK or EEA, we ensure that appropriate safeguards are in place, such as:
- Adequacy Decisions: Where transfers are made to countries recognized by the UK government or the European Commission as providing an adequate level of protection (e.g., the USA for certain providers certified under the UK-US Data Privacy Framework).
- Standard Contractual Clauses (SCCs): For transfers to recipients in countries without an adequacy decision, we rely on UK-approved SCCs binding the recipient to protect personal data in accordance with UK GDPR requirements.
- Binding Corporate Rules (BCRs): Where applicable, if we transfer data within our corporate group under approved BCRs.
You may request additional information about the specific safeguards we use by contacting us at [email protected].
10. Data Security Measures
We implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, but are not limited to:
- Access Controls:
  - Role-based access controls (RBAC) ensuring that employees and subprocessors can only access personal data necessary for their specific roles.
  - Unique user IDs and strong password requirements for internal systems and the LMS (including enforced periodic password changes and optional multi-factor authentication).
- Encryption:
  - Encryption of personal data in transit using HTTPS/TLS.
  - Encryption of sensitive data at rest (e.g., database encryption keys managed by industry-standard key management systems).
- Network and Infrastructure Security:
  - Firewalls, intrusion detection/prevention systems (IDS/IPS), and secure network segmentation.
  - Regular vulnerability scanning, penetration testing, and patch management.
- Physical Security:
  - Robust physical security measures at data centers used by our cloud hosting providers (e.g., CCTV, access badges, biometric controls).
- Backup and Disaster Recovery:
  - Regular backups of personal data and business-critical information, stored securely and tested periodically.
  - Disaster recovery plans to ensure continuity of service and data restoration in the event of an incident.
- Employee Training and Policies:
  - Mandatory data protection and security training for employees.
  - Internal policies on data handling, incident reporting, remote access, and device usage.
- Incident Response:
  - A documented incident response plan detailing the procedures for identifying, containing, investigating, and remediating security incidents and data breaches.
  - Notification obligations in the event of a personal data breach affecting the rights and freedoms of individuals, in accordance with UK GDPR (within 72 hours to the Information Commissioner’s Office where required, and to affected data subjects if there is a high risk).
11. Use of Cookies and Tracking Technologies
When you (or Permitted Users) visit our website or access our LMS, we use cookies and similar tracking technologies to collect certain technical and analytics data. Cookies are small text files stored on your device by your browser. You may control or delete cookies through your browser settings.
- Essential Cookies (strictly necessary)
  - Used to authenticate users, maintain session information, and ensure basic functionality of our LMS and website (e.g., “session_id,” “csrftoken”).
  - Cannot be disabled without affecting your ability to use our services.
- Performance and Analytics Cookies (optional)
  - Used to collect aggregated, anonymized information about website and LMS usage and performance (e.g., Google Analytics, Matomo).
  - Enable us to understand how visitors use our services, which pages are most popular, and where performance improvements are needed.
  - You can opt out by disabling cookies in your browser or using the opt-out mechanisms provided in our cookie banner (if applicable).
- Functional Cookies (optional)
  - Enhance user experience by remembering preferences, language settings, or video playback settings.
  - You may choose to disable these cookies, but certain features of the website or LMS may not function properly.
- Third-Party Cookies
  - We may allow certain third parties (e.g., content delivery networks, embedded video providers, social media plugins) to place cookies on your device when you visit our website.
  - We do not have control over how these third parties use their cookies. Please refer to their respective privacy policies for more information.
12. Data Retention
We retain personal data only for as long as is necessary to fulfill the purposes for which it was collected (as set out in Section 5), to comply with our legal obligations, to resolve disputes, and to enforce our agreements. Retention periods vary based on the type of data:
- Account, Billing, and Contract Data
  - Retained for a minimum of 7 years (or longer if required by applicable tax or accounting laws) after termination or expiration of the relevant contract.
- Course Usage and Performance Data
  - Retained for the duration of the Term and for up to 2 years thereafter for record-keeping, audit, and reporting purposes.
- Contact and Identification Data (Administrators and Permitted Users)
  - Retained for the duration of the Term and for up to 2 years after last activity, unless a longer retention is required to comply with legal obligations or defend legal claims.
- Technical and Analytics Data
  - Aggregated, anonymized analytics data may be retained indefinitely for product improvement and statistical analysis.
  - Individual log files (e.g., IP addresses, device data) may be retained for up to 12 months, unless longer retention is required to investigate security incidents or for legal compliance.
- Customer Support Data
  - Retained for up to 2 years after resolution of the support ticket, unless needed for legal or compliance reasons.
- Special Category Data
  - Retained only for as long as necessary to fulfil the explicit purpose (e.g., processing an accommodation request) and then deleted promptly unless a longer period is mandated by law.
When data is no longer required, we securely delete or anonymize it in accordance with industry best practices.
13. Rights of Data Subjects
Under the UK Data Protection Act 2018 and UK GDPR, data subjects (i.e., your administrators and Permitted Users) have the following rights with respect to their personal data that we process:
- Right to Access (Subject Access Request)
  - The right to request confirmation of whether we are processing personal data concerning them, and, if so, to obtain a copy of that personal data and certain supplementary information.
- Right to Rectification
  - The right to request that we correct inaccurate or incomplete personal data without undue delay.
- Right to Erasure (“Right to Be Forgotten”)
  - The right, in certain circumstances, to request deletion of personal data (e.g., where the data is no longer necessary for the purposes for which it was collected, or consent is withdrawn and no other legal basis for processing exists).
- Right to Restriction of Processing
  - The right to request that we restrict the processing of personal data under certain conditions (e.g., while a dispute over accuracy is being resolved).
- Right to Data Portability
  - The right to receive personal data they have provided in a structured, commonly used, machine-readable format and to transmit that data to another controller, where technically feasible and where processing is based on consent or contract.
- Right to Object
  - The right to object, on grounds relating to their particular situation, to processing based on our legitimate interests or for direct marketing purposes. If an objection is made, we will cease processing personal data unless we can demonstrate compelling legitimate grounds or need to establish, exercise, or defend legal claims.
- Right to Withdraw Consent
  - Where processing is based on consent (e.g., for marketing communications or processing Special Category Data), the right to withdraw consent at any time. Withdrawal will not affect the lawfulness of processing prior to withdrawal.
- Right to Complain to a Supervisory Authority
  - The right to lodge a complaint with the Information Commissioner’s Office (ICO) in the UK (https://ico.org.uk), or any local data protection authority in your jurisdiction, if they believe their personal data is being misused.
How to Exercise Your Rights:
To exercise any of these rights, data subjects should submit a written request to [email protected] or contact us at [Registered Address]. We may require additional information to verify the identity of the requester. We will respond to valid requests without undue delay and, in any event, within one month of receipt (or within an extended period of up to two months where complexity or volume of requests so warrants, with notice to the requester).
14. Marketing Communications and Opt-Out
- B2B Communications:
  - We may send you (as a Customer or designated administrator) non-promotional, administrative communications related to your account, Courses, billing, or legal notices without prior consent because these are necessary to perform our contract with you.
- Marketing and Promotional Communications:
  - With your consent (or pursuant to a legitimate interest assessment that does not override your rights), we may send you information about new Courses, promotions, events, webinars, whitepapers, or other marketing materials.
  - You may opt out of marketing communications at any time by clicking the “Unsubscribe” link in the email or by contacting us at [email protected]. Once you opt out, we will cease sending promotional messages, but you will continue to receive transactional or operational messages (e.g., billing notices, service updates).
15. Third-Party Links and Integrations
- Third-Party Website Links:
  - Our website or LMS may contain links to third-party websites or resources (e.g., documentation, partner portals). We are not responsible for the privacy practices or content of those third parties. We recommend that you read the privacy policies of any third party before providing personal data.
- Single Sign-On (SSO) and SAML/SCIM Integrations:
  - If you choose to enable SSO or SCIM provisioning, we may receive authentication and directory data from your identity provider (e.g., Okta, Azure AD, OneLogin). You authorize us to use this data solely to authenticate your Permitted Users and manage user accounts in our LMS.
  - The identity provider’s own processing of personal data is governed by your agreement with that provider, not by this Privacy Policy.
16. Children’s Data
Our Courses and website are intended for business and professional users only. We do not knowingly collect or solicit personal data from individuals under the age of 16. If we discover that we have collected personal data from a minor (under 16) without appropriate parental or guardian consent, we will delete that data as soon as possible. If you believe we might have any personal data from a minor, please contact us at [email protected].
17. Automated Decision-Making and Profiling
We do not use automated decision-making or profiling to make decisions that produce legal or similarly significant effects concerning individuals (e.g., automated judgments on creditworthiness or employment suitability). Any automated analytics or reporting we perform on usage data is used solely for aggregate insights and platform improvement, not to make individual determinations about your Permitted Users.
18. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or technological advances. When we make material changes, we will notify you by:
- Posting the updated Privacy Policy on our website and LMS homepage with a new effective date;
- Sending a notification via email to your designated administrator(s) at least 30 days before the changes take effect, if required by law.
Your continued use of our Courses or website after the effective date of any revisions indicates your acceptance of the updated Privacy Policy.
19. Contact Us
If you have any questions, comments, or requests concerning this Privacy Policy or our privacy practices, please contact us at:
Data Protection Officer (DPO) / Privacy Team
healthandsafetycollege.com
Email: [email protected]
Address: Innovation Centre 6, Keele University, Staffordshire, UK, ST5 5BG
Annex A – Details of Third-Party Subprocessors
| Category | Subprocessor Name | Purpose | Location (Country) | Link to Subprocessor Privacy Policy |
| --- | --- | --- | --- | --- |
| Cloud Infrastructure/Hosting | Amazon Web Services | Hosting LMS, data storage | United Kingdom, Ireland, USA | |
| Cloud Infrastructure/Hosting | Microsoft Azure | Hosting LMS, data storage | UK, Netherlands, USA | |
| Cloud Infrastructure/Hosting | Google Cloud Platform | Hosting backups, disaster recovery | Ireland, Finland, USA | https://cloud.google.com/terms/privacy |
| Payment Processing | Stripe | Processing course payments | Ireland, USA | |
| Payment Processing | PayPal | Processing course payments (optional) | Luxembourg, USA | https://www.paypal.com/webapps/mpp/ua/privacy-full |
| Email & Communications | SendGrid | Transactional and marketing emails | USA | https://sendgrid.com/policies/privacy/ |
| Video Streaming/Content Delivery | Cloudflare | CDN, video streaming, performance | USA, Europe | https://www.cloudflare.com/security-policy/ |
| Learning Analytics & Reporting | Matomo | LMS usage analytics | Self-hosted (UK) or Cloud (EU, USA) | https://matomo.org/privacy/ |
| Customer Support Platform | Zendesk | Support ticket management | USA | https://www.zendesk.com/company/agreements-and-terms/privacy-policy/ |
| SAML/SCIM & SSO | Okta / OneLogin / Azure AD | Identity management & SSO | USA, Europe | Refer to individual provider privacy pages |
Note: We may add or remove subprocessors over time. If we do so, we will update this table and notify you if the change materially affects your data protection rights.
Annex B – Data Retention Schedule (Examples)
| Data Category | Retention Period | Rationale |
| --- | --- | --- |
| Customer Contracts, Orders, and Invoices | 7 years after termination/expiry | Compliance with UK tax and accounting laws |
| Permitted User Account Data (contact info, credentials) | 2 years after last activity | Support and audit; then removed unless legal hold |
| Course Usage & Completion Records | 2 years after last course completion | Reporting, certifications, audit trails |
| Technical Logs & IP Addresses | 12 months | Security monitoring; GDPR best practices |
| Customer Support Correspondence | 2 years after ticket resolution | Quality control; knowledge base improvements |
| Cookies & Analytics (user-level, pseudonymized) | Up to 12 months | Platform improvement; can be anonymized earlier |
| Special Category Data (e.g., accessibility needs) | Duration of accommodation + 1 year | Only as long as necessary; then deleted securely |