Privacy Policy

Green Valley Academy – Privacy Notice

Last updated: 24 September 2025

  1. Who we are: Green Valley Academy Limited (company no. 11278050)
    Registered address: Office 5, 3rd Floor 20 Clements Road, Ilford, England, IG1 1BA

    1. Who is the controller and how to contact us
      Controller: Green Valley Academy Limited (“GVA”, “we”, “us”).
      Data Protection Officer (DPO):Mr Tanzir Al Wahab
      Email: info@greenvalley.org.uk
      Post: Office 5, 3rd Floor 20 Clements Road, Ilford, England, IG1 1BA

    2. What this notice covers
      This notice explains what personal data we collect, why and how we use it, who we share it with, how long we keep it, our lawful bases, international transfers, your rights, and how to complain. “Personal data” means any information that identifies you.

    3. The data we collect
      • Data you give us (forms, email, phone, events, social channels, in-person): identity and contact details (e.g., name, address, email, phone, date/place of birth, nationality, gender, photo), course preferences, education history and qualifications, CV, references, supporting statements, copies of ID/visas (where relevant), marketing preferences, and communications with us.
      • Data we create or infer: notes on your enquiries, application status, internal decisions, and simple segmentation (e.g., subject interests).
      • Data we get from others: referees, education partners (colleges/universities/recruiters), publicly available sources (e.g., professional profiles), and lead-generation partners (where lawfully obtained).
      • Special category or criminal-offence data: we avoid collecting this unless essential (e.g., disability information for reasonable adjustments; optional equality monitoring). If exceptionally required, we will tell you why, rely on a permitted legal condition (such as explicit consent or substantial public interest under the DPA 2018, Schedule 1), and keep an Appropriate Policy Document. We only process criminal-offence data where permitted by law and with additional safeguards.

    4. Why we use your data and our lawful bases
      We decide our lawful basis before processing. Different activities may rely on different bases.
      • Respond to enquiries; advise on courses; pre-contract steps
      – Typical data: identity/contact, preferences
      – Lawful basis: Legitimate interests (running our services); Contract where steps are requested by you
      • Process and submit applications to institutions/recruiters; updates on progress
      – Typical data: application materials, ID, contact
      – Lawful basis: Contract (to perform our services); Legal obligation where checks are required
      • Operate websites/apps; security, fraud prevention; essential service analytics
      – Typical data: technical/usage data, IP
      – Lawful basis: Legitimate interests (IT security and service quality)
      • Direct marketing about similar services to existing customers (soft opt-in) or to corporate subscribers; otherwise only with consent
      – Typical data: contact, preferences
      – Lawful basis: Legitimate interests / PECR soft opt-in (existing customers & corporate subscribers); Consent otherwise
      • Safeguarding, public security, emergency sharing (rare)
      – Typical data: contact, incident details
      – Lawful basis: Legal obligation; In future, Recognised legitimate interest (under the Data (Use and Access) Act 2025) where and when it comes into force
      • Compliance, record-keeping, audit; responding to authorities
      – Typical data: relevant records
      – Lawful basis: Legal obligation; Legitimate interests
      • Handling complaints and data-rights requests
      – Typical data: identity/contact, case details
      – Lawful basis: Legal obligation; Legitimate interests

    5. Marketing & cookies (PECR)
      • Email/SMS marketing to individuals: we only send if we have your consent or we can rely on the soft opt-in (you gave details during a sale/negotiation for similar services, we provided a clear opt-out then and in every message). You can opt out at any time.
      • Corporate subscribers (e.g., limited companies): we may email work addresses about our services; every message identifies us and includes an easy opt-out.
      • Cookies/analytics: we use necessary cookies to make the site work (no consent needed). Analytics/advertising cookies load only with your consent via our cookie banner/preferences centre. You can change choices anytime via “Manage cookies”. See our Cookie Policy for details.

    6. Who we share your data with
      • Education partners & recruiters (UK & overseas): when you ask us to progress an application, we share relevant data. Once shared, those organisations are independent controllers with their own privacy notices.
      • Service providers (processors): IT hosting, CRM, document management, communications, analytics, consultants—bound by contract, confidentiality, and security obligations.
      • Authorities and courts: where required by law or to protect rights, safety, or security.
      • Other third parties: only with a lawful basis and, where needed, your consent.
      We may also share aggregated/anonymised statistics that do not identify you.

    7. International transfers
      Where we transfer personal data outside the UK, we use appropriate safeguards, such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, the UK-US Data Bridge (for certified US organisations), or another mechanism recognised under UK law. We complete transfer risk assessments where required.

    8. How long we keep your data
      • Enquiries (no application): 24 months from last contact
      • Applications & student file (successful or unsuccessful): up to 7 years from decision or last service provision
      • Marketing data: until you opt out or 24 months of inactivity (then suppressed—not erased—to honour opt-out)
      • Finance/transaction records: 6–7 years for tax/audit
      • Safeguarding/serious incident records: as required by law/guidance (case-by-case)

    9. Automated decision-making
      We do not make decisions with legal or similarly significant effects based solely on automated processing. If this changes, we will inform you and explain your rights to obtain human review, express your view, and contest the decision.

    10. Security
      We use appropriate technical and organisational measures, including encryption, access controls, logging, staff training, policies, and supplier due-diligence. We test and review controls regularly.

    11. Children and young people
      Our services are not aimed at under-18s, but 16–17-year-olds may engage for admissions. If consent is our lawful basis for an online service offered directly to a child, only those aged 13+ can consent for themselves; under-13s require verified parental consent. We provide clear, age-appropriate information and enhanced safeguards.

    12. Your rights
      You have the right to access, rectify, request erasure, restrict processing, object (including to direct marketing), and request data portability (where applicable). Where we rely on consent, you can withdraw consent at any time (this does not affect earlier processing).
      Requests are free in most cases. We may ask for ID and, if a request is manifestly unfounded/excessive or for extra copies, charge a reasonable fee or refuse (with reasons).
      How to exercise your rights: email info@greenvalley.org.uk(FAO: DPO) or write to us.

    13. Do you have to provide data?
      You do not have to provide personal data, but if you choose not to, we may be unable to respond to your enquiry, progress an application, or provide certain services.

    14. Our data-protection complaints process
      If you are unhappy with how we handled your data, email info@greenvalleyacademy.com with the subject “Data protection complaint”. We will acknowledge within 5 working days and aim to respond within one month (or tell you if we need up to two more months for complex matters).

    15. Your right to complain to the ICO
      You may complain to the Information Commissioner’s Office (ICO) at any time: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; Tel: 0303 123 1113; Online: https://ico.org.uk/concerns

    16. International data transfers – important note
      When transferring personal data outside the UK we use recognised safeguards (see section 7). For US transfers, we may rely on the UK-US Data Bridge where the recipient is certified.

    17. Changes to this notice
      We may update this notice from time to time. We will post the latest version on our website and date it at the top.

    Cookie Policy (summary)
    • Strictly necessary cookies: operate the site/features (no consent required).
    • Analytics/measurement cookies: used only with your consent.
    • Advertising/retargeting cookies (if used): require consent.
    Use “Manage cookies” on our site to change settings at any time. See our full Cookie Policy for cookie names, providers, purposes, and lifetimes.