Full policy

 

Privacy Policy (Public-Facing)

Last updated: 20 September 2025

Grays Medic Training Services (also trading as Grays Medic, Grays Training, Grays Training Online Awards, and GTOnlineAwards) is committed to protecting your privacy and handling your personal data lawfully and transparently. This Privacy Policy explains what data we collect, how and why we use it, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

What Data We Collect and Why

We only collect personal information that we need for specific purposes. The types of data we collect include:

• Contact and Identity Details: When you register for our online courses or make an enquiry, we collect information such as your name, email address, phone number, and postal address. We use this information to create your account and provide you access to learning materials, as well as to communicate with you about your courses or inquiries (e.g. course updates, booking confirmations). For example, we collect your name and contact details when you register for our online courses, for the purpose of providing you access to learning materials.
• Learner Information for In-Person Training: If you attend our in-house training courses (including first aid or other accredited programs), we may collect your name and signature on attendance registers. This is to verify your attendance and for our administrative records. We sometimes scan paper registers and store them electronically (see How Data is Stored below).
• Date of Birth and Certification Data: For certain accredited courses (e.g. programs certified by ITC First or the CPD Accreditation Office), we collect additional details such as date of birth and any learner ID required by the awarding body. We collect this information to register you with the external awarding body and ensure you receive your qualification or certificate.
• Payment Information: If you purchase a course or service, payment details (e.g. card information) are processed securely via our third-party payment provider. We do not store full payment card details ourselves. (For instance, if you pay online, your card payment is handled by a secure payment processor; we retain only transaction references or receipts for accounting purposes.)
• Client Leads and Marketing Data: We may collect contact information of prospective clients (e.g. training enquiries from individuals or companies). We also occasionally use a licensed marketing database from a British Library service containing business contact details. We use this data to inform relevant businesses or professionals about our training services. We ensure any marketing outreach is done lawfully – for example, we rely on either your consent or our legitimate interests (for B2B contacts) and always offer an opt-out (see Lawful Basis and Your Rights below).
• Website Usage Data: When you visit our websites or online learning platform, we collect limited data via cookies and analytics (such as IP address, browser type, and pages accessed) to understand site usage and improve user experience. Please see our Cookie Policy for details on what cookies we use and how you can control them.

We do not collect any special categories of personal data (such as health, race, or biometric data) unless it is explicitly necessary and you have provided it (for example, if you volunteer medical information for reasonable adjustments during training, which we would handle with extra care). Our services are available to learners of various ages, including children – if you are under 13, a parent/guardian’s consent will be required to register for online services in accordance with legal requirements. We minimise the data we collect to what is necessary for the stated purposes, in line with the principle of data minimisation under UK GDPR.

Lawful Basis for Processing

Under UK GDPR, we must have a valid lawful basis for each use of personal data. Depending on the context, we rely on the following lawful bases:

• Performance of a Contract: Most of our data processing is necessary to provide the services you have requested. When you enroll in a course (online or in-person), we process your personal data to fulfill our contract with you – for example, using your details to set up your e-learning account, deliver training, and issue certificates. Sharing your details with an awarding body to register your qualification is also part of fulfilling our service contract with you.
• Legal Obligation: In some cases we must process data to comply with laws or regulatory requirements. For instance, we keep financial transaction records for HMRC/tax purposes (typically for 6-7 years, as required by law). If an awarding regulation or child protection law requires us to retain or report certain data (e.g. maintaining records of certified individuals for a mandated period), we will do so under legal obligation.
• Legitimate Interests: We may process data for our legitimate business interests in ways that do not override your rights and freedoms. Examples include: using attendance records and course evaluations to improve our training services; keeping a record of past training participants for warranty or refreshers; and sending business-to-business marketing communications to companies or professionals who might benefit from our courses (using contact details from the British Library-sourced database). In each case, we carefully consider and balance any potential impact on you and will honor any objections you raise. If we rely on legitimate interests for direct marketing, we only target appropriate contacts and always provide a clear opt-out option.
• Consent: We will ask for your consent in situations where we don’t have another lawful basis. For example, we obtain your consent to send you email newsletters or promotional updates if you are an individual consumer (not a business contact) and not already our customer. We also rely on consent for non-essential cookies on our websites (see Cookie Policy). Where we process children’s personal data for online services, we seek parental consent as required. You have the right to withdraw consent at any time (see Your Rights below), and we will immediately stop the processing in question.
• Public Task / Vital Interests: These bases are unlikely to apply to our standard operations. We do not perform tasks in the public interest, and we would only use “vital interests” (processing data to protect someone’s life) in an extreme emergency situation at one of our training events.

We ensure that we only process your data on the above bases and for purposes that are lawful, fair and transparent. If we intend to use your personal data for a new purpose not covered by this Privacy Policy, we will provide you with a new notice explaining the new use and lawful basis before starting that processing.

How Data is Stored and Shared

We are committed to keeping your personal data secure. We use a combination of trusted service providers and in-house measures to store and protect data:

• Secure Cloud Storage: Electronic records (such as scanned training registers or digital files) are stored securely using Amazon Web Services S3 cloud storage. Our AWS S3 storage is configured to use servers in the EU (European Union) region, ensuring robust security and compliance. Data is stored securely using AWS S3 (EU-based server), and is accessible only to authorised personnel. AWS S3 provides encryption and access controls to protect data. Only our authorised staff can access the cloud storage, and all access is password-protected and monitored.
• Learning Management System (Moodle): Our online courses run on a Moodle platform provided by LSM Webhost, which hosts the data on our behalf in the UK. When you use our e-learning site, your account information and course progress data are stored on this secure UK-based server. LSM Webhost acts as our data processor under contract, meaning they only process your data on our instructions and have to meet strict security standards.
• Company Devices and iCloud: Internally, staff may handle data on company devices (computers or secured tablets/phones). We utilize Apple iCloud services for certain business functions (e.g. syncing business calendars or contacts). Any personal data synced via iCloud (for example, an address book of client contacts) is protected by Apple’s encryption and security measures. We have enabled appropriate security on all devices (strong passwords, encryption, remote wipe capability) to prevent unauthorised access. Note that iCloud is a global service; if any data is stored on servers outside the UK (e.g. in the US or EU), we ensure that appropriate safeguards are in place for international data transfers (see Transfers below).
• Physical Records: Any paper documents (e.g. sign-in sheets for a classroom course, or printed certificates) are kept securely when in use and promptly scanned or input to our systems. Physical papers are stored in a locked file cabinet accessible only to authorised personnel, and are shredded or securely archived once no longer needed in paper form.
• Internal Access Control: We limit access to personal data strictly to those who need to know. Our team is very small (two employees and one admin contractor), and each person’s access to systems like Moodle, AWS storage, or contact lists is restricted based on their role. All staff and contractors are subject to confidentiality obligations. We have implemented user permissions so that, for example, instructors might see attendee names for their course but not full databases of all learners.

We do not sell your personal information to any third parties. However, we do share data with a few categories of trusted third parties in order to run our services, under strict conditions:

• Accrediting Bodies and Course Partners: If your course is externally accredited or certified, we share the necessary personal details with the relevant awarding organization (for example, ITC First for certain first aid qualifications, or The CPD Accreditation Office for CPD-certified courses). This typically includes your name, date of birth, and contact details, and sometimes your assessment results. These organisations will use your data to register you, issue your certificate, and maintain a record of your qualification. They operate as independent data controllers for the information we provide to them, meaning they have their own legal obligations to protect your data and may retain records according to regulatory requirements. We only share with such bodies what is required, and we ensure that they have appropriate data protection standards in place.
• Service Providers (Data Processors): We use several third-party companies to support our operations (each under a data processing agreement in line with Article 28 UK GDPR). These include:

·         Cloud Hosting Providers: as mentioned, AWS (for cloud storage) and LSM Webhost (for Moodle LMS) host personal data for us. They are bound by contracts to secure the data and only process it on our instructions.

·         IT and Email Providers: We use reputable IT solutions for business email and communications (for example, if we use an email service or productivity suite, all data in emails or documents is subject to confidentiality and security commitments by that provider). If we send group emails or newsletters, we may use an email marketing platform (we will inform you in the context of consent if so).

·         Payment Processors: To handle payments securely, we might use providers such as PayPal or Stripe (if you pay through our website). These processors obtain your payment details directly and only share with us limited information (like confirmation of payment). They are responsible for complying with PCI DSS (payment card security standards). We have agreements in place to ensure they protect any personal data involved in transactions.

Each of our processors is carefully vetted for GDPR compliance. They are required to implement appropriate technical and organisational measures to protect data (such as encryption, access controls, and regular security testing). They must also assist us in meeting individuals’ rights and delete or return data to us upon our instruction. We maintain a Data Processor Agreements checklist (see Supporting Documents) to ensure all necessary contract terms are in place.

·         Business Transfers or Legal Requirements: In the unlikely event we reorganise or transfer our business, personal data might be transferred to the new owner under continued protection of this Policy. Also, if required by law or a lawful request by authorities (for example, an ICO inquiry or a court order), we may have to disclose certain data. We will ensure any disclosure is made in compliance with data protection laws.

We never share your information with third parties for their own marketing purposes. Any third-party that handles your data does so on our behalf (as explained above) or for official reasons linked to your training (like an awarding body).

Data Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes we collected it for, and to meet any legal or contractual obligations. Retention periods vary depending on the type of data:

• Learner Accounts and Course Records: If you have an online learning account with us, we will keep your account data while you are an active learner. Inactive account information is typically archived or deleted after 3 years of no activity, unless we have a reason to retain it longer (for example, records of certifications). For accredited courses, we may need to keep your details and results for a certain period (e.g. 3 to 5 years) to satisfy the requirements of the accrediting body or to verify qualifications if needed. Where possible, after a course is long completed, we will pseudonymise or remove personal identifiers but keep non-personal statistics.
• Attendance Registers and In-house Training Records: Scanned attendance sheets or training records are kept for up to 6 years. This period allows us to have evidence of training delivery (for liability or insurance purposes) and aligns with typical contract limitation periods. After that, digital records are securely deleted from our systems (and any paper originals are shredded). If an awarding body requires us to keep records longer (for audit), we will follow their guidelines but will securely archive the data.
• Financial and Transaction Data: Invoices, payment records, and related customer contact information are kept for 6-7 years as required under UK tax law and accounting rules (to comply with HMRC audits and financial recordkeeping obligations).
• Enquiries and Leads: If you contact us but do not become a customer, we will retain your enquiry information for up to 1 year to allow us to follow up on your request and as a reference for any related future inquiries. After a year of inactivity, we will delete or anonymise inquiry data, unless you have consented to ongoing marketing.
• Marketing Database Contacts: Contact details sourced from the British Library service or other marketing lists are refreshed periodically. We only retain such data while it is accurate and relevant. If we have an ongoing communication with you (e.g. you respond or show interest), we will treat you as an active contact; otherwise, unresponsive or outdated contacts are purged typically within 12-18 months. Furthermore, anyone who opts out of marketing will be removed from our mailing list immediately and we will keep a record only of the minimum information needed to honour the opt-out (e.g. email address in a suppression list).
• Website Analytics Data: Analytics logs (IP addresses, device info) are retained for a short period (usually 26 months or as configured in our analytics tool) in aggregate form for trend analysis, after which they are deleted or anonymised. Cookie data retention varies (see Cookie Policy for specific cookie lifespans).

After the applicable retention period, we will securely erase or anonymise personal data. For example, digital files are permanently deleted from cloud storage (with backups updated accordingly) and physical documents are cross-cut shredded or incinerated. If there are any data we cannot completely delete from backups, we will ensure it is put beyond use (not accessible in ordinary operations) and deleted as soon as technically feasible in our next backup cycle.

Your Rights as a Data Subject

Under the UK GDPR, individuals have a number of rights regarding their personal data. We are committed to respecting these rights. You have the right to:

• Access Your Information: You can request a copy of the personal data we hold about you, commonly known as a Subject Access Request. We will provide this information, usually free of charge, within one month (unless an extension is permitted by law due to complexity).
• Rectification: If any of your personal data is inaccurate or incomplete, you have the right to have it corrected or updated. For example, if you change your email or notice an error in your contact details, let us know and we will amend our records promptly.
• Erasure: You can ask us to delete your personal data in certain circumstances – for instance, if the data is no longer necessary for the purposes it was collected, or if you withdraw consent and we have no other legal basis to continue processing. This is sometimes called the “right to be forgotten.” Please note that this right is not absolute; we might need to retain certain information if required by law or if an exemption applies (e.g. we cannot delete records that we must keep for legal obligations or legitimate interests, but we will inform you if that’s the case).
• Restriction of Processing: You have the right to request that we limit the processing of your data (for example, while we verify the accuracy of data or consider an objection you have raised).
• Objection: You may object to our processing of your personal data when we are relying on legitimate interests as the lawful basis. If you object, we will consider whether our interests in using the data are overridden by your rights and freedoms. You can always object to direct marketing – if you opt out or object to marketing communications, we will stop using your data for that purpose immediately.
• Data Portability: For data you provided to us directly and which we process by automated means on the basis of consent or contract, you have the right to request a digital copy in a common format (e.g. CSV) to transfer to another provider. This is generally applicable to things like account data. We will assist with any such request as far as applicable.
• Withdraw Consent: If we are processing any of your personal data based on consent, you have the right to withdraw that consent at any time. For example, if you consented to receive our newsletter, you can unsubscribe at any time (each email includes an unsubscribe link, or you can contact us directly). Withdrawing consent will not affect the lawfulness of processing already carried out, but we will cease the relevant processing going forward.
• Not to be Subject to Automated Decisions: We do not use your personal data for any automated decision-making that produces legal or similarly significant effects (like profiling that would affect your access to a service). If that ever changes, you would have the right to human review of any such decision.

If you wish to exercise any of these rights, you can contact us (see Contact Information below). We will respond to all legitimate requests and will ask you to verify your identity to ensure we do not disclose data to an unauthorised person.

Additionally, if you have concerns about how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent authority for data protection. We would appreciate the chance to address your concerns before you approach the ICO, so please do contact us first if possible. The ICO’s contact details are available on their website.

Data Transfers and International Flows

We primarily store and process data within the United Kingdom or the European Economic Area (EEA). In a few cases, your personal data may be transferred or accessible outside of the UK (for example, if we use a cloud service or subcontractor based abroad). We are mindful of our obligations under UK GDPR regarding international data transfers.

• EEA Transfers: The UK government deems EEA countries as having essentially equivalent data protection laws. Therefore, if we store data on an EU server (such as our AWS S3 storage in the EU region) or share data with an organisation in the EEA, those transfers are permitted and safeguarded by adequacy regulations. We still ensure that any processor in the EEA contracts to protect your data to UK standards.
• Other Countries: For any service providers outside the UK/EEA (for example, if our use of Apple iCloud or an email service involves servers in the United States or other countries), we rely on approved transfer mechanisms to ensure your data remains protected. Typically, this means we have Standard Contractual Clauses (SCCs) or the UK’s International Data Transfer Agreement/Addendum in place with the provider, committing them to uphold privacy protections for your data equivalent to those in the UK. In some cases, providers may be certified under schemes recognised by UK law. (For instance, if a US provider is certified under an approved framework or has Binding Corporate Rules, we take that into account as an additional safeguard.)
• Encryption and Security Abroad: Wherever your data travels, it remains encrypted and secure. Our cloud storage (AWS) encrypts data in transit and at rest. iCloud data is encrypted as well. These technical measures mean that even during transfer, your information is protected from unauthorised access.

We maintain an up-to-date list of the key third-party services and their data locations, which we can provide upon request. We will also inform you in this Privacy Policy if we add any significant new international transfer. Our goal is to ensure no matter where your data is processed, your rights and protections travel with it.

Cookies and Tracking Technologies

Our websites and online platforms use cookies and similar technologies to function effectively and to enhance user experience. We do not use cookies to collect personally identifiable information without your consent. For details on the types of cookies we use, why we use them, and how you can manage your preferences, please refer to our separate Cookie Policy (below). In summary, we only use non-essential cookies (such as analytics cookies) with your permission, in compliance with the Privacy and Electronic Communications Regulations (PECR) and ICO guidance.

Updates to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. When we make changes, we will revise the “Last updated” date at the top of this policy. For significant changes, we may provide a more prominent notice (such as a banner on our website or an email notification). We encourage you to review this Policy periodically to stay informed about how we are protecting your information.

Contact Information

Data Controller: Grays Medic Training Services (Sole Trader, operating in England, UK).

If you have any questions about this Privacy Policy or about how we handle your personal data, please contact us:

·         Email: privacy@graysmedic.com

·         Phone: 0808 166 1016 (Mon–Fri, 9am–5pm)

·         London - United Kingdom

You can also reach out to any of our staff during training events if you have immediate questions, and they will direct your query to our data protection responsible person. We take privacy seriously and will be happy to assist you.

Full policy

Scope

This policy applies to visitors and users of gtonlineawards.com and related e-learning services delivered via our Moodle 5 platform (the “Site” / “Platform”). It also covers enquiries made by phone or email about our courses and services.

What data we collect and why

We only collect what we need for specific purposes:

• Account & identity data (name, email, phone, postal address) to create and manage your Moodle account, provide access to materials, and communicate about your courses or enquiries.

• Learner/course data (attendance, progress, assessment results). For externally accredited courses we may also collect date of birth and any learner ID needed to register you with the awarding body and issue certificates.

• Payment information is processed by our third-party payment providers; we do not store full card details. We retain transaction references for accounting.

• Enquiry/lead data (contact details, organisation, interests) to respond to requests and—where lawful—send B2B service information with an opt-out.

• Website usage data (IP address, device/browser, pages accessed) via cookies/analytics to operate and improve the Site—only non-essential cookies run with your consent (see Cookie section).

• Children’s data. If you are under 13, we require parent/guardian consent to register for online services; we minimise collection and apply heightened protections.

We do not collect special category data unless you provide it for a clear purpose (e.g., reasonable adjustments), in which case we handle it with extra care.

Lawful bases for processing

We rely on the following, as applicable: contract (to deliver your course, manage your account, issue certificates), legal obligation (tax, regulatory or awarding-body requirements), legitimate interests (service improvement; proportionate B2B outreach with opt-out), and consent (non-essential cookies; newsletters to individuals; parental consent for under-13s). You can withdraw consent any time.

How we store and secure data

• Hosting & storage. Electronic records (e.g., scanned registers) are stored in AWS S3 in an EU region with encryption and restricted access. Moodle 5 is hosted by LSM Webhost in the UK under a data-processing contract and security standards. We also use secured company devices and Apple iCloud for certain business functions with appropriate safeguards and device protections. Paper records are locked, then scanned, and shred-destroyed when no longer needed. Access is strictly role-based within our small team and bound by confidentiality.

• Processors & partners. We use vetted providers (hosting, email/IT, payment processors like Stripe/PayPal) under Article 28-compliant agreements. For accredited programmes we share necessary learner data with awarding bodies (e.g., ITC First; CPD Accreditation Office) who act as independent controllers for certification. We do not sell your personal information or share it for others’ marketing.

International transfers

We primarily process data in the UK/EEA. Where services may involve locations outside the UK/EEA (e.g., certain cloud or email services), we use recognised safeguards such as UK IDTA/Addendum or SCCs, and maintain encryption in transit/at rest. We can provide our current list of key services and data locations on request.

Retention

We keep data only as long as needed for the purposes collected and legal/regulatory requirements:

• Learner accounts/course records: active during learning; typically archived/deleted after 3 years of inactivity (longer where certification verification is needed).

• Accredited course records/attendance: up to 3–6 years (or awarding-body requirements).

• Financial records: 6–7 years for HMRC.

• Enquiries/leads: up to 1 year unless ongoing relationship or consent for marketing.

• Analytics logs: typically up to 26 months (aggregate/anonymised).

Data is securely erased or anonymised after retention periods; where backup deletion is delayed, data is placed “beyond use” until the next cycle.

Your rights

You have rights to access, rectify, erase, restrict, object (including to direct marketing), data portability, withdraw consent, and to not be subject to decisions based solely on automated processing. We don’t carry out automated decision-making with legal/similar effects. To exercise rights, contact us (details below). You can complain to the ICO; we’d appreciate the chance to resolve issues first.

Cookies & tracking (Moodle 5)

Our Site uses cookies and similar technologies. We only set non-essential cookies with your consent via our banner. Strictly necessary cookies include Moodle’s session cookie “MoodleSession” (keeps you logged in; expires on logout/close). Optional cookies can include “rememberusername” (if enabled) and analytics cookies such as Google Analytics (_ga, _gid, _gat)—loaded only if you opt in. You can change preferences anytime via “Cookie Settings” in the footer, or manage cookies in your browser. See our full Cookie Policy for details and durations.

Children’s privacy

We require parental consent for users under 13 and design our services with the best interests of children in mind (e.g., limiting features for minors, minimising data, shorter retention).

Data sharing—further detail

We share only what’s necessary with:

• Awarding bodies/partners to register and certify qualifications (they have their own obligations and retention rules).

• Service providers (hosting, LMS, email/IT, payments) under contract and security standards; they act on our instructions.

• Legal/transfer scenarios (e.g., lawful requests; business reorganisation) with protections intact.

Security

We use encryption, access controls, strong authentication, device security (including remote-wipe), HTTPS for Moodle, backups, and least-privilege roles. Staff receive guidance on phishing and safe handling. Incidents are logged and handled under a documented breach procedure (including ICO/individual notification where risk thresholds are met).

Changes to this policy

We may update this policy to reflect operational, legal, or regulatory changes. We’ll revise the “Last updated” date and, for significant changes, provide a prominent notice (e.g., banner/email).

Contact us (Data Controller)

Grays Medic Training Services (Sole Trader, England, UK)

Email: privacy@graysmedic.com

Phone: 0808 166 1016 (Mon–Fri, 9am–5pm)

Postal: 5 Wylie House, SW20 0QQ, London, United Kingdom

Full policy

Cookie Policy (Public-Facing)

About Cookies:
Grays Medic Training Services (“we” or “our”) uses cookies and similar technologies on our websites (including our main site and online learning platform) to provide a smooth user experience and to help us understand how people use our services. This Cookie Policy explains what cookies are, which types we use, why we use them, and how you can manage your preferences. We abide by the UK Privacy and Electronic Communications Regulations (PECR) and UK GDPR regarding cookies, meaning we obtain consent for any cookies that are not strictly necessary for the website’s operation.

What Are Cookies?

Cookies are small text files placed on your device (computer, tablet, smartphone) when you visit a website. They allow the site to remember your actions or preferences over time. Cookies can be “first-party” (set by our website) or “third-party” (set by other services we use). They can also be session cookies (which expire when you close your browser) or persistent cookies (which remain on your device for a set period or until you delete them).

In addition to cookies, we might use similar tracking technologies like web beacons or local storage – for simplicity, we refer to all these as “cookies” in this policy.

Types of Cookies We Use

We aim to use a minimal number of cookies. Here are the categories of cookies on our site and what they do:

• Strictly Necessary Cookies: These cookies are essential for our website and learning platform to function properly. They enable core features such as page navigation, secure login, and load balancing. For example, when you log into your learning account on our Moodle platform, a session cookie is set (MoodleSession) so you can stay logged in as you navigate the course pages. These cookies do not gather information about you for marketing or remember where you’ve been on the internet. Because they are necessary for the service, we do not require your consent to use these, but we list them here for transparency. If you disable these cookies (through browser settings), parts of the site may not work.
• Preferences/Functionality Cookies: These cookies remember choices you make to improve your experience. For instance, the site might use a cookie to remember your preferred language or text size, or to keep you logged in on your device (if you select a “remember me” option). Another example could be a cookie that remembers if you’ve seen a notification banner so we don’t show it again. While these enhance usability, they are not strictly essential. We currently use very few of these, if any. If we do, we will ask for your consent unless the function is strictly necessary. Declining these cookies might mean you have to re-enter information or preferences each time.
• Performance/Analytics Cookies: We use these cookies to collect information about how visitors use our website, so we can improve it. For example, we use Google Analytics (a popular web analytics service) to gather anonymous statistics such as number of visits, which pages are popular, how long users stay on a page, and what sources bring traffic. These cookies (like _ga from Google) track such information without identifying you personally – we do not collect your name or email via analytics cookies, only aggregated usage data. Analytics cookies help us understand what we’re doing right or wrong on the site. Because these cookies are not essential, we only set them if you give consent when you first visit. If you opt out, we will respect that and not load analytics.
• Marketing/Targeting Cookies: We currently do not use any advertising cookies or targeted advertising on our website. We do not serve ads or engage in behavioral advertising that profiles you across other sites. If this changes in the future, we will update this policy and request your explicit consent before setting any marketing cookies. These types of cookies, in other contexts, help deliver relevant ads to users or measure the effectiveness of ad campaigns, but as of now, our site does not employ them.
• Third-Party Service Cookies: Some features on our site might involve third-party tools that set cookies. For example:

·         If we embed a YouTube video in a course or an article, YouTube may set cookies to track video views or remember your player settings.

·         Our site uses a cookie consent banner/tool (which might be provided by a third-party service) to remember your cookie preferences; this itself uses a cookie to save your choices (so that you’re not asked every time).

·         Social media “share” buttons (if present) might set cookies if you use them.

We list such cookies in our detailed cookie list (available on our website’s cookie settings page). Third-party cookies are controlled by the providers of those services, so we advise checking their privacy/cookie policies for more information. We ensure we only integrate third-party services that respect privacy and give us the ability to obtain consent where needed.

How We Obtain Consent for Cookies

Upon your first visit to our site, you will see a cookie consent banner or pop-up. This banner explains that we use cookies and asks for your consent for non-essential cookies (like analytics or functionality cookies). It provides an option to “Accept All,” as well as a way to manage preferences (e.g. “Accept only necessary cookies” or toggle specific categories on/off). We do not set non-essential cookies until you have made a choice.

Our approach follows ICO guidance: - Transparency: Our banner and this policy inform you in plain language what cookies are used and why. - Real Choice: You can choose to refuse analytics cookies and the site will still largely work (only necessary cookies will run). We do not use deceptive designs or pre-ticked boxes – consent for cookies must be a clear affirmative action from you. - Record of Consent: We keep a record of your cookie consent decision (typically via a cookie itself that just notes yes or no, and possibly a log on our backend). This is so we can demonstrate compliance and also so that you don’t get repeatedly asked on the same browser. However, note that if you clear your cookies or use a different device/browser, the consent tool will treat you as a new visitor and ask again, since we won’t have a record in that context.

If you ignore the banner and just continue using the site without making a choice, we will treat that as no consent for non-essential cookies (by default, we will not set them unless you explicitly opt in). The banner will remind you until you either accept or decline. We believe in a “privacy-first” default.

Managing and Withdrawing Consent

You have full control over your cookie preferences. Here are ways you can manage cookies on our site and others:

• Cookie Settings on Our Site: At any time, you can access our Cookie Settings (usually via a link in the footer of the website or within your account settings) to change your preferences. For example, if you initially accepted analytics cookies but later change your mind, you can toggle them off, and our site will stop using them and remove them where possible. Conversely, if you initially rejected something but now want to enable a feature, you can do that too. Any changes you make will be saved via the consent tool.
• Browser Settings: Most web browsers allow you to control cookies through their settings. You can typically:

·         Delete all cookies or cookies from a specific site.

·         Block cookies (all or just third-party cookies).

·         Set the browser to prompt you each time a cookie is offered.

Please note that if you delete cookies, any preference cookies (including our own cookie remembering your preferences) will be deleted too, so you may need to re-set preferences on our site. Blocking cookies entirely might affect functionality – for example, if you block even necessary cookies, our site’s login or shopping cart might not work.

• Opt-Out Options: For third-party analytics like Google Analytics, you can install browser add-ons (Google provides an opt-out add-on) to prevent data from being used by those scripts. We honor the choices you make via such tools as well.
• Do Not Track (DNT): Some browsers have a DNT setting that signals to websites that you do not want to be tracked. Currently, our site’s cookie consent mechanism is the primary way to manage cookies. We will treat any absence of consent as opt-out, as described, but we do not currently respond to DNT signals for cookie blocking. We recommend using the methods above for the most effective control.

Cookie List and Duration

For transparency, here is an overview of key cookies we use, their purpose, and how long they last (duration):

·         Necessary Cookies:

·         MoodleSession – Keeps you logged in to the e-learning platform. Expires when you log out or close your browser (session cookie).

·         GREYSTRAINING_COOKIECONSENT – Remembers your cookie consent preferences for our site. Duration: e.g. 6 months to 1 year (so we don’t ask every visit).

• (Other possible necessary cookies may include ones for load balancing or security, which would similarly expire after the session or a short time.)
• Analytics Cookies: (only set if consented)

·         _ga – Google Analytics identifier, used to distinguish users (anonymously). Duration: 2 years.

·         _gid – Google Analytics, distinguishes users on a day-by-day basis. Duration: 24 hours.

·         _gat – Google Analytics throttle request rate. Duration: 1 minute.

• (Plus any similar cookies if we use a different analytics tool or if Google Analytics updates their names; we will update the list accordingly.)
• Functionality Cookies: (if in use, for example)

·         language – Remembers language selection. Duration: until end of session or short period.

·         rememberusername (Moodle) – If enabled, remembers your username on login form. Duration: 1 year.

• We currently either do not use these or they are optional based on user choice (like a “remember me” checkbox).
• Third-Party Cookies:

·         If a YouTube video is embedded, YouTube may set cookies such as VISITOR_INFO1_LIVE (tries to estimate your bandwidth, duration ~6 months) or YSC (session, for keeping stats of videos watched).

·         If using a social share plugin, cookies from Facebook, Twitter, etc., might appear only if you use those features.

·         We do not have ads, so no ad network cookies should be present.

(The above is an example list; actual cookies and durations are maintained in our cookie consent tool interface for accuracy.)

We endeavor to keep this list up-to-date. If you notice a cookie on our site not listed, feel free to contact us so we can include it.

Changes to this Cookie Policy

We may update this Cookie Policy to reflect changes in technology or legislation, or if we start using new cookies. Major changes will be communicated via our website (e.g. a notice or updated banner). The “last updated” date will always be noted. By continuing to use our site, you acknowledge the Cookie Policy, but remember: you can adjust your preferences at any time.

Last Updated: 20 September 2025

If you have any questions about our use of cookies or how to manage them, you can reach out to us at privacy@graysmedic.com

 We want you to feel in control of your online privacy while still enjoying the functionality of our sites.