GTonlineawards

Scope

This policy applies to visitors and users of gtonlineawards.com and related e-learning services delivered via our Moodle 5 platform (the “Site” / “Platform”). It also covers enquiries made by phone or email about our courses and services.

What data we collect and why

We only collect what we need for specific purposes:

• Account & identity data (name, email, phone, postal address) to create and manage your Moodle account, provide access to materials, and communicate about your courses or enquiries.

• Learner/course data (attendance, progress, assessment results). For externally accredited courses we may also collect date of birth and any learner ID needed to register you with the awarding body and issue certificates.

• Payment information is processed by our third-party payment providers; we do not store full card details. We retain transaction references for accounting.

• Enquiry/lead data (contact details, organisation, interests) to respond to requests and—where lawful—send B2B service information with an opt-out.

• Website usage data (IP address, device/browser, pages accessed) via cookies/analytics to operate and improve the Site—only non-essential cookies run with your consent (see Cookie section).

• Children’s data. If you are under 13, we require parent/guardian consent to register for online services; we minimise collection and apply heightened protections.

We do not collect special category data unless you provide it for a clear purpose (e.g., reasonable adjustments), in which case we handle it with extra care.

Lawful bases for processing

We rely on the following, as applicable: contract (to deliver your course, manage your account, issue certificates), legal obligation (tax, regulatory or awarding-body requirements), legitimate interests (service improvement; proportionate B2B outreach with opt-out), and consent (non-essential cookies; newsletters to individuals; parental consent for under-13s). You can withdraw consent any time.

How we store and secure data

• Hosting & storage. Electronic records (e.g., scanned registers) are stored in AWS S3 in an EU region with encryption and restricted access. Moodle 5 is hosted by LSM Webhost in the UK under a data-processing contract and security standards. We also use secured company devices and Apple iCloud for certain business functions with appropriate safeguards and device protections. Paper records are locked, then scanned, and shred-destroyed when no longer needed. Access is strictly role-based within our small team and bound by confidentiality.

• Processors & partners. We use vetted providers (hosting, email/IT, payment processors like Stripe/PayPal) under Article 28-compliant agreements. For accredited programmes we share necessary learner data with awarding bodies (e.g., ITC First; CPD Accreditation Office) who act as independent controllers for certification. We do not sell your personal information or share it for others’ marketing.

International transfers

We primarily process data in the UK/EEA. Where services may involve locations outside the UK/EEA (e.g., certain cloud or email services), we use recognised safeguards such as UK IDTA/Addendum or SCCs, and maintain encryption in transit/at rest. We can provide our current list of key services and data locations on request.

Retention

We keep data only as long as needed for the purposes collected and legal/regulatory requirements:

• Learner accounts/course records: active during learning; typically archived/deleted after 3 years of inactivity (longer where certification verification is needed).

• Accredited course records/attendance: up to 3–6 years (or awarding-body requirements).

• Financial records: 6–7 years for HMRC.

• Enquiries/leads: up to 1 year unless ongoing relationship or consent for marketing.

• Analytics logs: typically up to 26 months (aggregate/anonymised).

Data is securely erased or anonymised after retention periods; where backup deletion is delayed, data is placed “beyond use” until the next cycle.

Your rights

You have rights to access, rectify, erase, restrict, object (including to direct marketing), data portability, withdraw consent, and to not be subject to decisions based solely on automated processing. We don’t carry out automated decision-making with legal/similar effects. To exercise rights, contact us (details below). You can complain to the ICO; we’d appreciate the chance to resolve issues first.

Cookies & tracking (Moodle 5)

Our Site uses cookies and similar technologies. We only set non-essential cookies with your consent via our banner. Strictly necessary cookies include Moodle’s session cookie “MoodleSession” (keeps you logged in; expires on logout/close). Optional cookies can include “rememberusername” (if enabled) and analytics cookies such as Google Analytics (_ga, _gid, _gat)—loaded only if you opt in. You can change preferences anytime via “Cookie Settings” in the footer, or manage cookies in your browser. See our full Cookie Policy for details and durations.

Children’s privacy

We require parental consent for users under 13 and design our services with the best interests of children in mind (e.g., limiting features for minors, minimising data, shorter retention).

Data sharing—further detail

We share only what’s necessary with:

• Awarding bodies/partners to register and certify qualifications (they have their own obligations and retention rules).

• Service providers (hosting, LMS, email/IT, payments) under contract and security standards; they act on our instructions.

• Legal/transfer scenarios (e.g., lawful requests; business reorganisation) with protections intact.

Security

We use encryption, access controls, strong authentication, device security (including remote-wipe), HTTPS for Moodle, backups, and least-privilege roles. Staff receive guidance on phishing and safe handling. Incidents are logged and handled under a documented breach procedure (including ICO/individual notification where risk thresholds are met).

Changes to this policy

We may update this policy to reflect operational, legal, or regulatory changes. We’ll revise the “Last updated” date and, for significant changes, provide a prominent notice (e.g., banner/email).

Contact us (Data Controller)

Grays Medic Training Services (Sole Trader, England, UK)

Email: privacy@graysmedic.com

Phone: 0808 166 1016 (Mon–Fri, 9am–5pm)

Postal: 5 Wylie House, SW20 0QQ, London, United Kingdom