USER PRIVACY NOTICE

Last updated [16.1.25]

Flourish Learning (“we”, “our”) is committed to ensuring that your privacy and personal data are protected. This privacy notice (“Notice”) describes how we collect, use, disclose and otherwise process your personal data through your use of our websites, learner management systems and online platforms at flourish.co.uk, as well as our social media pages and accounts (collectively, our “Website”) and your use of the training courses and other services we provide primarily through our Website.

We (Flourish Learning Ltd, who registered office is at Switch House Suite B2, First Floor, Northern Perimeter Road, Bootle, England, L30 7PT) are a limited company incorporated in England and Wales with the company number 06158047 and we are the controller of the processing activities described in this Notice. As a controller, we decide why and how your personal data is processed.

We work with other, more independent organisations in connection with some of the processing activities described in this Notice, such as social media platforms and our group companies. Where that information is collected and sent to other organisations for processing that is in both our and their interests, or where we make decisions together in relation to the processing, we will be ‘joint controllers’ with the organisations involved. As joint controllers, we and those organisations will be jointly responsible to you under data protection laws for this processing. Please see the relevant privacy policy below relating to organisations with whom we are joint controllers.

This Notice will be relevant to you as a user of our Website (including learners, administrator users or those just visiting) when you access our Website including the training courses we provide.  Please read this Notice carefully to ensure you understand how we use and treat your personal data and the rights you have in relation to your personal data.

If you are a contractor, references to your employer in this Notice, refer to the organisation for whom you work or that has engaged to provide services.

 

1.              PERSONAL DATA WE COLLECT FROM YOU  

Personal data means any information which identifies or relates to you either on its own or in combination with other information.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Contact Data including email address, residential address and telephone numbers.
  • Identity Data including your first name, last name, any previous names, username (or similar identifier) and password, title, date of birth and gender and information relating to your employer.
  • Profile Data including your employment history, interests and preferences (including in relation to marketing you wish to receive from us and our third party partners, and your communication preferences generally), and feedback and survey responses, as well user accounts falling within your administration group where you are an administrator.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access the Website.
  • Training Data includes details about training courses completed or ongoing with us, including course name, type, completion date, progress status, and results, certifications and awards.
  • Transactional Data includes details of purchases and payments made by you including those you make on behalf of your employer.
  • Usage Data includes information about how you interact with and use our Website, training products and services.

We do not process any personal data that qualifies as sensitive/special category data or criminal offence/conviction data under data protection laws, nor do we knowingly collect personal data from children. If we do so in the future, our use of such information will be described in a supplementary policy that we provide to you.

We may receive your Contact Data and Identity Data directly from your employer as described in their privacy notices, however the majority of the personal data we receive from you directly is obtained on a voluntary basis.

Where we need to collect your personal data under the terms of a contract we have or may have with your employer and you fail to provide that data when requested, we may not be able to perform or enter into that contract (for example, to provide our training services). In this case, we may have to cancel, or exclude you from receiving, services from us.

 

2.              HOW WE COLLECT YOUR PERSONAL DATA

We use different methods to collect personal data from and about you including through:

  1. Your direct interactions with us.This includes personal data you provide when you:
    • register as a user on our Website and create an account;
    • receive training services through the Website including Click-Learning, our learner management system;
    • interact with our services;
    • submit information via our Website including posts you make to our social media pages;
    • correspond with use via phone, email, direct messages (for example, on social media) or in another way, for example using the contact information we make available online or via our service desk;
    • use or otherwise interact with our Website, including via live chat where available in our Website;
    • subscribe to our publications or otherwise request marketing to be sent to you; or
    • participate in a competition, promotion or survey we conduct. 
  1. Automated technologies or interactions.As you interact with our Website, we will automatically collect Technical Data about your equipment and browsing actions. We collect this personal data by using cookies, server logs and other similar technologies.
  2. Third parties or publicly available sources. We may obtain the following personal data about you from the following sources:
Third Party NameCategories of Data Collected
Your previous, current or prospective employer

 

Identity Data
Data providers

 

Identity Data

 

3.              HOW AND WHY WE USE YOUR PERSONAL DATA 

The law requires us to have a legal reason (known as a ‘lawful basis’) for collecting and using your personal data. We rely on one or more of the following lawful bases:

Where necessary to perform a CONTRACT with you

We may process your personal data where we need to perform a contract with you or take steps you request before we enter into that contract. For example, we rely on this basis when you purchase training services from us as a sole trader, when we maintain your account as a learner in accordance with our Terms of Use, or where you make a sales enquiry in respect of services you wish to receive.  We may also rely on this basis to administer competitions and promotions that you enter from time to time, and distribute prizes, in accordance with the relevant terms and conditions, including any personal information contained in any competition entries you submit.

Where you have provided CONSENT  

We may use and process your personal data where you have consented for us to do so for the following purposes:

  • where you are an individual or unincorporated business (e.g. sole trader), to contact you with marketing information about our services, or our third party partners where you have expressly consented to us doing so; and
  • to use non-essential cookies on our Website, as further described in our Cookie Policy.

You may withdraw your consent for us to use your data in any of these ways at any time. Please see Section 10 (Your Rights) for further details.

Where necessary to comply with our LEGAL OBLIGATIONS

We will use your personal data to comply with our legal obligations:

  • to keep a record relating to the exercise of any of your rights relating to our processing of your personal data;
  • to comply with a request from you in connection with the exercise of your rights (for example where you have asked us not to contact you for marketing purposes, we will keep a record of this on our suppression lists in order to be able to comply with your request);
  • to anonymise or delete your personal data when it is no longer required for the purposes described in this Notice;
  • to comply with court orders or other notices where we are required to do so to comply with the law; and
  • to handle and resolve any complaints we receive relating to our processing of your personal data as described in this Notice.

Where there is a LEGITIMATE INTEREST

We may use and process your personal data where it is necessary for us to pursue our legitimate interests as a business, or that of a third party, for the following purposes:

Processing necessary for us to operate the administrative and technical aspects of our business efficiently and effectively:

  • to administer and maintain our Website and other services, including to personalise our Website for our users and customers and to enable use of the services available on our Website, troubleshooting, testing, statistical purposes;
  • for the prevention of fraud and other criminal activities;
  • for network and information security in order for us to take steps to protect your information against loss or damage, theft or unauthorised access;
  • to maintain the security of our staff, customers, venues, systems, premises or property and to investigate any actual, suspected or threatened breach of that security;
  • for efficiency, accuracy or other improvements of our products, services, business processes, databases and systems, for example, by combining systems or consolidating records we hold about you;
  • for the purposes of corporate restructure or reorganisation or sale of our business or assets;
  • for cookies that are essential for our Website to function properly, as described in our Cookie Policy;
  • to aggregate or otherwise anonymise your information, and to permit our service providers to do the same, for our or those providers’ use of the anonymised information for operational, administrative or business improvement purposes;
  • to notify you about changes to our services or the availability of our services and Website;
  • to inform you of updates to our terms and conditions and policies; and
  • for other general administration purposes, including to send service messages to you.

For our legitimate interest in promoting our business:

  • if you are representative of a corporate organisation or where the law otherwise allows, to send to you marketing communications by email relating to our business (or the businesses of our third party partners) which we think may be of interest to you;
  • to contact with you by telephone and post with marketing communications (unless you have opted out of receiving these, directly with us or by using the Telephone Preference Service);
  • for analysis, insight and market research (including surveys) conducted to inform our marketing and business strategies, and to enhance your user experience;
  • to analyse, combine and evaluate information that you have provided to us (including by using information we receive from third party data providers and by receiving and sharing your personal information within our group of companies) to predict your current or future needs;
  • to tailor the marketing information we send based on information we hold about you or based on our Website;
  • to use services provided by social media and other online advertising platforms and networks to deliver targeted advertising to you online or to measure the effectiveness of that advertising, where this does not involve the use of cookies (see also Section 5 Our Use of Social Media below); and
  • to identify and record when you have received, opened or engaged with the or our electronic communications.

For your and our legitimate interest in providing our services and supporting customers and users with their enquiries:

  • to provide our services to your employer;
  • to manage and respond to queries made by you about our services or our Website; and
  • to provide you with technical support.

Processing necessary for us to communicate with you and to assess and respond to complaints, claims and regulators:

  • to communicate with you to respond to queries, complaints or claims and to manage legal and regulatory requests and requirements;
  • to enforce or protect our contractual or other legal rights or to bring or defend legal proceedings.

 

Where necessary to comply with our LEGAL OBLIGATIONS

We will use your personal data to comply with our legal obligations including for the following purposes:

  • to comply with and (where relevant) keep a record relating to the exercise of any of your data rights under data protection laws;
  • to anonymise or delete your personal data when it is no longer required for the purposes described in this Notice;
  • to comply with court orders or other notices where failure to do so would result in us breaking the law;
  • to handle and resolve any complaints we receive relating to our processing of your personal data as described in this Notice; and
  • to inform you of updates to this Notice and other notices that we are required to provide to you by law.

Your personal data may also be converted into statistical or aggregated data in such a way as to ensure that you are not identified or identifiable from it. Aggregated data cannot be linked back to you as a natural person. We may use this data for analytical and research purposes.

 

4.              DISCLOSURE OF PERSONAL DATA

We may disclose your personal data to our entities within our group, service providers, agents and subcontractors (“Third Parties”) for the purposes set out in Section 3 (How and Why We Use Your Personal Data). These Third Parties can be categorised as follows:

 

Recipient / relationship to usIndustry sector
Cloud software system providers, including database, email and document management providersIT (Cloud Services)
Facilities and technology service providers including scanning and data destruction providersIT (Data Management)
Insurers and insurance brokersInsurance (Underwriting & Broking)
Legal, security and other professional advisers and consultantsProfessional Services (Legal & Accounting)
Payment service providersFinancial Services (Payment)
Social media platforms (see further below)IT (Social Media)
Website and data analytics platform providersIT (Data Analytics)
Website and software developersIT (Software Development)
Website hosting services providersIT (Hosting)

 

When sending your personal data to third parties, we only disclose to them personal data that is necessary for them to provide their service and we have a contract in place that requires them to keep your information secure and, where they are a processor working on our behalf, not to use it other than in accordance with our specific instructions.

When we share your personal data with any third parties that are controllers of that information, they may disclose or transfer it to other organisations in accordance with their data protection policies. This does not affect any of your data subject rights as detailed below.

We may also share your personal data to other third parties as follows:

  • your current or prospective employer or organisation contracting your services who may retain a copy of your personal information in line with their privacy policies (please refer to those policies for further information);
  • any third party who is restructuring, selling, franchising, licensing or acquiring some or all of our business or assets or otherwise in the event of a merger, re-organisation or similar event; and
  • if we are under a duty to disclose or share your information in order to comply with any legal or regulatory obligation or request, including by the police, tribunals, regulators, the government or related agencies.

 

5.              OUR USE OF SOCIAL MEDIA

We use a number of different social media platforms to communicate with you and to promote products and services. We process your personal information using these platforms in a variety of ways, as follows:

Pages and Page Insights

We use your personal information when you post content or otherwise interact with us on our official pages on social media platforms.   We also use the ‘Page Insights’ services on these platforms to view statistical information and reports regarding your interactions with the pages we administer on those platforms and their content.  Where those interactions are recorded and form part of the information we access through these Page Insights services, we and the relevant platform are joint controllers of the processing necessary to provide that service to us.

Targeted advertising

 

We use social media platforms to deliver targeted advertising to you through those platforms, unless you object.  You may receive advertising because you have previously interacted with us (such as by visiting one of our Websites) or because of your profile on a social media platform on which you have an account. You can find out more by consulting the help pages of the relevant social media platform but in summary we use social media platforms to send targeted advertising using two methods:

·       ‘Custom audience’ targeting.  You may receive advertising based on information about you that we have provided to the platform or allowed it to collect using cookies/pixels or code embedded in our Website (or a combination of the two).  For example, we may target you if you have signed up to our mailing list and where cookies have detected that you have recently visited our Website.  Please see the section below regarding our use of cookies to send targeted advertising using social media.

·       ‘Lookalike audience’ targeting. You may also receive advertising because, at our request,  the social media platform has identified you as falling within a group or ‘audience’ whose attributes we have selected, or a group that has similar attributes to you (or a combination of the two).

Cookies

 

We use cookies and similar technologies in our websites and applications to collect and send information to Facebook and LinkedIn about actions you take on our website and applications.  In particular:

 

·       Meta (who operates the Facebook and Instagram platforms) uses this information to provide services to us and also for further processing for its own business purposes. We and Meta are joint data controllers of the processing involved in collecting and sending your personal information to Meta using cookies and similar technologies as each of us has a business interest in Meta receiving this information.  You can find out more about these technologies by visiting our Cookie Policy.  The services we receive from Meta that use this information are delivered to us through Meta Business Tools, which include Meta Pixel, Social Plugins, App Events SDK, Conversions API and Website Custom Audiences. These tools allow us to target advertising to you within Meta’s social media platforms by creating audiences based on your actions on our Website and allow Meta to improve and optimise the targeting and delivery of our advertising campaigns for us.

·       We use LinkedIn Insight Tag, a small piece of code that we embed in our websites that allows us to perform in-depth campaign reporting and unlock insights about users that may visit our websites via our LinkedIn campaigns (e.g. by allowing us to discover business demographics by layering LinkedIn data on data about our website visitors).  LinkedIn Insight Tag enables the collection of metadata such as IP addresses, timestamps, and events such as page views.  You can find out more about these technologies by visiting our Cookie Policy.

Our relationship with Meta and LinkedIn

As we are joint data controllers with these platforms for certain processing, we and each platform have:

 

·       entered into agreements in which we have agreed each of our data protection responsibilities for the processing of your personal information described above;

·       agreed that we are responsible for providing to you the information in this privacy notice about our relationship with each platform; and

·       agreed that each platform is responsible for responding to you when you exercise your rights under data protection law in relation to that platform’s processing of your personal information as a joint data controller.

Meta and LinkedIn also process, as our processor, contact information that we submit for the purposes of matching, online targeting, measurement, reporting and analytics purposes. These services include the processing these platforms carry out when they display our advertisements to you in your news feed at our request after matching contact details for you that we have uploaded to the social media platforms they operate.  These advertisements may include forms through which we collect contact information you give to us. Some of the information we use to measure the effectiveness of our advertising may be sent to Meta and LinkedIn using cookies (see above), whilst some of this may be combined with information collected by the servers that operate our Website and sent directly from those servers to those platforms.

 

Further information

The Meta company that is a joint data controller of your personal information is Meta Platforms, Inc., 1601 Willow Road, Menlo Park, CA 94025, USA  and the LinkedIn company that is a joint data controller of your personal information is LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland For further information regarding these platforms and their use of your personal information, please see:

·       Meta’s Controller Addendum for Page Insights and UK Controller Addendum for Business Tools, and LinkedIn’s Page Insights Joint Controller  Addendum, which include information regarding how our and these platforms’ responsibilities to you are allocated as controllers of your personal information;

·       Meta’s Privacy Center including its Privacy Policy at https://www.facebook.com/privacy and LinkedIn’s Privacy Policy which include details of the legal reasons (known as ‘lawful bases’) on which each platform relies to process your personal information, together with details regarding your data protection rights

·       Meta’s help pages regarding its Page Insights and Business Tools and its terms and conditions relating to those tools

·       LinkedIn’s help pages regarding its Page Insights and its terms and conditions relating to its advertising services, including LinkedIn Insight Tag

  

6.   INTERNATIONAL TRANSFERS

Some of the third parties described above are based outside the UK (and, in certain cases, outside Europe) so their processing of your personal data will involve a transfer of data by us outside the UK. Those countries may not have similar data protection laws to the UK and so may not protect the use of your personal information to the same standard. In accordance with applicable data protection laws, we implement measures to address this, including by relying on standard contractual clauses or declarations by regulators or governments (e.g. adequacy decisions) to ensure that any transferred personal data remains protected and secure.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data outside of the UK.

 

7.              THE PERIOD FOR WHICH WE RETAIN YOUR PERSONAL DATA

If we collect your personal information, the length of time for which we retain it is determined by a number of factors including the purpose for which we use that information and our obligations under other laws. We do not retain personal information in an identifiable format for longer than is necessary.

We will always retain your personal information for the period that you have an active account with our Website. You can delete your account by [insert details].  If you do not hold an account, we retain your personal information for [insert period] from the date we collect it or, where applicable, the date you are unsubscribed from our marketing lists, if later.

Your account will become ‘inactive’ if you do not engage with us for more than [insert period], for example, [insert details]. After that period ends (or at any point you delete your account), we will anonymise the records we hold about you so that we no longer hold your personal information.

The exceptions to the periods mentioned above and our retention of your personal information are where:

·       the law requires us to hold your personal information for a longer period, or delete it sooner;

·       you exercise your right to have the information erased (where it applies) and we do not need to hold it in connection with any of the reasons permitted or required under the law;

·       you exercise your right to require us to retain your personal information for a period longer than our stated retention period; or

·       we bring or defend a legal claim or other proceedings during the period we retain your personal information, in which case we will retain your personal information until those proceedings have concluded and no further appeals are possible.

 

8.              SECURITY AND LINKS TO OTHER SITES

We care about protecting your information. We put in place appropriate measures that are designed to prevent unauthorised or unlawful processing and accidental loss, destruction, or damage. We do this by having in place a range of appropriate technical and organisational measures, including encryption measures and disaster recovery plans.

If you suspect any misuse or loss of or unauthorised access to your personal data, please let us know immediately by contacting us using the details provided at the end of this Notice.

Our Website may from time to time contain links to and from other websites. If you follow a link to any of those websites, please note that those sites ought to have their own privacy notices or applicable policies. Please check those privacy notices/policies before you submit your personal data to those websites.

9.              AUTOMATED DECISION MAKING

We do not envisage that any decisions that have a legal or significant effect on you will be taken about you using purely automated means, however we will update this Notice and inform you if this position changes.

10.           YOUR RIGHTS

You have a number of rights in relation to your personal data under applicable data protection law as set out below, some of which may only apply in certain circumstances:

Your RightsFurther Information
To have your information corrected if it is inaccurate and to have incomplete personal data completedIf you change your name or address/email address, or you discover that any of the other information we hold is inaccurate or out of date, please let us know by contacting us using any of the details described at the end of this Notice.
To object to processing of your personal dataWhere we rely on our legitimate interests as the lawful basis for processing your personal data for particular purposes, you may object to us using your personal data for these purposes by emailing or writing to us at the address at the end of this Notice. Except for the purposes for which we are sure we can continue to process your personal data, we will temporarily stop processing your personal data in line with your objection until we have investigated the matter. If we agree that your objection is justified in accordance with your rights under data protection laws, we will permanently stop using your data for those purposes. Otherwise, we will provide you with our justification as to why we need to continue using your personal data.
To withdraw your consent to processing your personal dataWhere we rely on your consent as the legal basis for processing your personal data, you may withdraw your consent at any time by contacting us using the details at the end of this Notice. If you would like to withdraw your consent to receiving any direct marketing to which you previously opted-in, you can also do so using our unsubscribe tool.
To restrict processing of your personal dataYou may ask us to restrict the processing of your personal data in the following situations:

·       where you believe it is unlawful for us to do so; or

·       you have objected to its use and our investigation is pending or you require us to keep it in connection with legal proceedings.

In these situations, we may only process your personal data whilst its processing is restricted if we have your consent or are legally permitted to do so, for example for storage purposes, to protect the rights of another individual or company or in connection with legal proceedings.

To have your personal data erasedIn certain circumstances, you may ask for your personal data to be removed from our systems by emailing or writing to us at the address at the end of this Notice. Unless there is a reason that the law allows us to use your personal data for longer, we will make reasonable efforts to comply with your request.
To request access to your personal data and how we process itYou have the right to ask for a copy of the information that we hold about you by emailing or writing to us at the address at the end of this Notice. We may not provide you with a copy of your personal data if this concerns other individuals or we have another lawful reason to withhold that information.
To electronically move, copy or destroy your personal data in a standard, machine-readable formWhere we rely on your consent as the legal basis for processing your personal data or need to process it in connection with a contract in place directly with you, you may ask us to provide you with a copy of that information in a structured data file. We will provide this to you electronically in a structured, commonly used and machine-readable form, such as a CSV file.

You can ask us to send your personal data directly to another service provider, and we will do so if this is technically possible. We may not provide you with a copy of your personal data if this concerns other individuals or we have another lawful reason to withhold that information.

Rights relating to automated decision making, including profilingYou may also contest a decision made about you based purely on automated processing, including through profiling, by contacting us using the information at the bottom of this Notice.
To complain to a data protection regulatorYou have the right to complain to the UK data protection regulator, the Information Commissioner’s Office (ICO), (www.ico.org.uk). We encourage you to contact us to deal with your concerns in the first instance.

 

If you would like to exercise your right of access or erasure, please contact us at dataprotection@flourish.co.uk.

11.           CHANGES TO THIS NOTICE

We may review this Privacy Notice from time to time and any changes will be notified to you by posting an updated version on our Website and/or by contacting you by email, where appropriate.

Any changes will take effect 7 days after the date of our email or the date on which we post the modified terms on our Website, whichever is sooner.   We recommend you regularly check for changes and review this Privacy Notice whenever you visit or use our Website or any of our services that we make available through it.

12.           CONTACT US

If you have any questions or comments regarding this Notice, please contact us at dataprotection@flourish.co.uk.

When contacting us by email or post, please use the subject heading ‘Data protection query’ so that we can direct your query to the appropriate department and deal with it promptly.