This policy (together with our end-user licence agreement as set out at https://blog.reallyenglish.com/eula ("EULA") applies to your use of our online language learning platform and mobile application (the "Platform").
This page explains:
This policy explains what personal data we collect, how and why we use it and what we do to keep it safe. It also sets out your rights in relation to your personal data. This policy is designed to ensure that your information is used in a fair, lawful and transparent manner, in accordance with UK and EU data protection laws ("Data Protection Laws").
This policy relates to 'personal data', which means any information which identifies or relates to you (or any other individual). It also uses the term "processing", which means any operation, action or activity (such as storage, transfer, access, deletion) which involves personal data.
We collect personal data about individuals who register for or use the Platform or communicate with us this includes information:
For further details about the information collected from and generated by use of the Platform, please see 'What personal data we collect and why' (below).
We collect the following information about individual end users of the Platform:
We use this information because to the extent necessary in order fulfil our obligations under the EULA (i.e. to administer your account so you can access the Platform and use the course content within it).
We also use information for our own lawful purposes, such as keeping proper records, administration of our business and in order to maintain and improve Platform and our services (which may involve the user of personal data and/or anonymised data).
In limited circumstances, we may use personal data on the basis of your consent. If we do so, we will always clearly ask for your agreement first. You are, of course, free to refuse this and we will inform you as to what (if any) consequences this might have. You can also withdraw consent at any time.
We may also collect anonymous information about Platform users in order to optimise and improve the Platform and our services This might include IP addresses, browser or device details and the connection type (for example, the Internet service provider used). However, none of this information will by itself directly identify any particular user. We use this information to track visits and pages used on the Platform.
Cookies: If you access the Platform via a website (instead of our mobile app) then we will use "cookies". Web browsers place cookies on hard drives for record-keeping purposes and sometimes to track information. This enables us to recognise end users when they navigate from one page to the next and to configure webpages. These cookies may include:
|session||keeping track of a logged-in user|
|jwt||encrypted shared session information for lesson front-end|
|relsConfig||configuration for lesson front-end|
|course-menu-tabs*||stores which tabs have been selected|
|currentCategory*||storex which category have been selected|
|groupByCriterion*||store which group has been selected|
|searchQuery*||store the term the user searched for|
|upstream||internal proxy server routing cookie|
Personal data you provide to us will be kept private and confidential. Our employees and contractors will be able to access information to the extent necessary for us to use it for the purposes explained earlier in this policy (such as providing you with access to the Platform and its materials).
Course tutors, teachers and coaches will be provided with an end user's name. End users may also choose to provide additional information during the course of interacting with these persons in connection with their learning. Where a subscription has been provided or purchased through an institution or company, that institution or company will usually have access to an end-user's details and information about his or her studies and progress.
We will not disclose or share your personal data other data controllers without your permission. The only exceptions to this are those set out above and where we are legally required to disclose information, or in the event our business is sold and the Platform and services are taken over by another company. We may also be required to share personal information with regulatory authorities in the event of an audit or investigation.
Some of the third parties who provide services to us may have access to personal information we control. This includes software providers (such as Microsoft), cloud service providers and IT support services. However, these third parties will only process personal data (which may include your information) on our behalf for specified purposes and in accordance with our strict instructions.
We only use third party service providers who have provided sufficient guarantees, as required by data protection law, that your personal data will be kept safe. We always ensure there is a written contract in place which protects your personal data and prevents it from being used for any purpose other than providing services to us, in accordance with Data Protection Laws.
We only retain personal data for as long as is necessary for the purposes described in this policy (or for related compatible purposes such as complying with applicable legal, accounting, or record-keeping requirements).
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from its unauthorised use or disclosure, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
If you delete your account, or your licence to access the Platform is terminated or expired then we will typically erase all information relating to you and your studies within 6 months.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, damaged or destroyed, altered or disclosed. This includes both physical security measures (such as keeping paper files in secure, access-controlled premises) and electronic security technology (such as sophisticated encryption protocols, digital back-ups and anti-virus protection).
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to legal and contractual confidentiality obligations.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority of a breach when we are legally required to do so.
We normally only store personal data within the European Economic Area (EEA). However, some of the technology and support services we use are provided by international organisations and/or companies which are based outside the EEA. Before using such service providers, we take steps to make sure that any personal data they process is adequately protected and transferred in accordance with Data Protection Laws, usually by one or more of the following methods:
The only other time we'll transfer data outside the EEA is if a derogation (i.e. an exception) under Data Protection Laws, and the transfer is either necessary and made for the purposes of that exception or with your explicit consent.
Data Protection Laws provide you with certain rights in relation to your personal data. These are as follows:
Responding: We try to respond to all personal data requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. Please also bear in mind that there are exceptions to the rights above and some situations where they do not apply.
We may need to request additional information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you to clarify your request.
Fees for making a request: You will not normally have to pay a fee to access your personal data (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
How to make a request: If you want to exercise any of the rights described above, please contact us using the details set out at the end of this policy. You have the right to complain to a data protection supervisory authority (which, in the UK, is the ICO) if you are not satisfied with our response to a data protection request or if you think your personal data has been mishandled. For further information on how to make a complaint, please visit https://ico.org.uk.
The Platform is owned and operated by Reallyenglish.com Limited, a company registered in England and Wales with registered number 03895911, having its registered office at 1 Primrose Street, London, England, EC2A 2EX.
For the purposes of applicable data protection and privacy laws, Reallyenglish.com Limited is a controller of your personal data. This means that it is responsible for deciding how and why personal data is used, for keeping it safe and for responding to data subject requests. Reallyenglish.com is registered as a data controller with the Information Commissioner's Office (ICO) with registration number Z6565319.
If you have questions about this policy or your personal data, please contact us by writing to the office address above or by emailing firstname.lastname@example.org with the subject line "Data Protection".
We will update this policy from time to time. The current version will always be posted on our website. This policy was last updated on 15 June 2018.