Data Protection Notice (UK GDPR)

BridgeLang UK Ltd.

Last Updated: 10 September 2025

1. About This Notice

1.1 Purpose

This Data Protection Notice explains how BridgeLang UK Ltd. (“BridgeLang”, “we”, “us”) processes personal data in line with the UK General Data Protection Regulation (“UK GDPR”) and applicable UK data protection laws.

1.2 Relationship to Other Policies

This Notice should be read together with our Privacy Policy and Cookie Policy. Where there is any inconsistency, the Privacy Policy prevails for matters of interpretation.

1.3 Who This Applies To

This Notice applies to all users of the Platform, including Students, Teachers, parents or guardians providing consent for minors, and website visitors.

2. Controller and Contact

2.1 Controller

BridgeLang UK Ltd. is the data controller for personal data processed in connection with the Platform.

2.2 Registered Address

The Apex, Derriford Business Park, Brest Road, Plymouth, PL6 5FL, United Kingdom.

2.3 Data Protection Contact

Questions or requests may be sent to: contact@bridgelang.co.uk. (BridgeLang is not currently required to appoint a Data Protection Officer; a dedicated contact is provided instead.)

3. Personal Data We Process

3.1 Account and Identity Data

Name, email address, password, age/DoB (where relevant), country/region, preferred language.

3.2 Lesson and Communications Data

Booking details, lesson history, messages sent via the Platform, preferences and feedback. (Recording of lessons is not permitted without explicit consent, per the Terms.)

3.3 Payment and Billing Data

Payment method tokens, transaction references, refunds/chargebacks, and billing history processed via our payment processors (e.g., Stripe). (We do not store full card numbers.)

3.4 Technical and Usage Data

IP address, device/browser information, log data, cookie identifiers, pages viewed, session metadata (see Cookie Policy).

3.5 Teacher Vetting (Where Applicable)

Limited verification data necessary to confirm eligibility/identity, as notified at the time of collection.

3.6 Parental Consent Data (14–17)

Parent/guardian name and contact details, consent time-stamps and verification records.

3.7 Special Category Personal Data

We do not intentionally collect special category data (e.g., health, biometrics). Please do not share such data via the Platform.

4. Sources of Personal Data

4.1 Directly from You

Information you provide when creating an account, booking lessons, or contacting us.

4.2 From Your Interactions on the Platform

Usage logs, bookings, messages, and support interactions.

4.3 From Service Providers

Payment processors, cloud hosting, analytics and email/SMS providers supplying service metadata.

4.4 Public or Third-Party Sources

Where appropriate and lawful, basic checks (e.g., eligibility) from public registers or trusted partners.

5. Purposes and Legal Bases

  • 5.1 Provide the Platform and Services — Legal basis: Contract (6(1)(b)).
  • 5.2 Payments and Invoicing — Legal basis: Contract (6(1)(b)); Legitimate interests (6(1)(f)); Legal obligation (6(1)(c)).
  • 5.3 Communications — Legal basis: Contract (6(1)(b)); Legitimate interests (6(1)(f)).
  • 5.4 Safety, Security and Integrity — Legal basis: Legitimate interests (6(1)(f)); Legal obligation (6(1)(c)).
  • 5.5 Product Improvement and Analytics — Legal basis: Legitimate interests (6(1)(f)); Consent for non-essential cookies (6(1)(a)).
  • 5.6 Legal and Compliance — Legal basis: Legal obligation (6(1)(c)).
  • 5.7 Marketing (Optional) — Legal basis: Consent (6(1)(a)).
  • 5.8 Minors and Parental Consent — Legal basis: Legal obligation (6(1)(c)); Legitimate interests (6(1)(f)); Consent (6(1)(a)).

6. Retention

6.1 Principles

We keep personal data no longer than necessary for the purposes set out in this Notice.

6.2 Indicative Periods

  • Account and booking data: for the life of the account and then up to six (6) years for tax and record-keeping.
  • Support tickets and messages: typically up to 24 months after closure.
  • Security and access logs: typically 12 months from collection.
  • Marketing preferences: until you opt out or the data becomes inactive.
  • Parental consent records: retained for as long as necessary and thereafter securely deleted or anonymised in accordance with the Privacy Policy.

7. Sharing and International Transfers

7.1 Recipients (Categories)

Payment processors, hosting and cloud providers, analytics, communications and support tools, professional advisers, and regulators/law enforcement where required.

7.2 Processors vs. Independent Controllers

Some providers act as processors under our instructions; others (e.g., payment providers) act as independent controllers.

7.3 International Transfers

Where data is transferred outside the UK/EEA, we use safeguards such as IDTA or UK Addendum to EU SCCs plus transfer risk assessments. Where transfers are to countries covered by UK adequacy regulations, we rely on that adequacy.

7.4 Further Information

Details of specific transfers and safeguards are available upon request.

8. Security

8.1 Measures

We implement encryption, access controls, data minimisation, secure development practices, and staff confidentiality.

8.2 Incident Response

We will notify you and/or the ICO of a personal data breach where required by law.

8.3 Your Responsibilities

Use strong passwords; keep credentials confidential; report suspected misuse to contact@bridgelang.co.uk.

9. Your Rights (UK GDPR)

9.1 Data Subject Rights

Access; rectification; erasure; restriction; portability; objection; withdrawal of consent.

9.2 How to Exercise

Submit requests to contact@bridgelang.co.uk. Verification of identity may be required.

9.3 Fees and Timing

Requests are ordinarily free. We aim to respond within one (1) month (extendable where permitted).

10. Children and Safeguarding

10.1 Age Thresholds

Students aged fourteen (14) – seventeen (17) may participate only with verified parent or guardian consent.

10.2 Verification and Ongoing Checks

BridgeLang may request proof of parental consent at any time and suspend accounts if consent cannot be verified.

10.3 Direct Contact Details

Teachers and Students must not exchange personal contact details to arrange off-Platform lessons or payments.

11. Cookies and Similar Technologies

11.1 Cookies

We use essential cookies and, with consent, analytics/functional cookies. See Cookie Policy.

12. Automated Decision-Making

12.1 No Solely Automated Decisions

BridgeLang does not make decisions solely by automated processing that have legal or similarly significant effects.

13. Complaints

13.1 Contact Us First

Please contact contact@bridgelang.co.uk and we will seek to resolve concerns.

13.2 ICO

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO).

14. Changes to This Notice

14.1 Updates

We may update this Notice. Material changes will be highlighted and the Last Updated date revised.