We collect only the personal data that is necessary for the purposes set out in this notice. The categories of personal data we may collect include:

2.1 Data You Provide Directly

• Identity data: full name, job title, organisation name
• Contact data: email address, telephone number, postal address
• Account and profile data: login credentials for our platforms or learning management systems
• Payment and financial data: billing address, payment card details (processed securely via third-party payment processors; we do not store full card details)
• Communications data: messages you send us via email, contact forms, telephone or social media
• Course and training data: enrolment details, assessment submissions, completion records, certifications
• Event data: registration details for webinars, roadshows or career events
• Marketing preferences: your consent choices and communication preferences

2.2 Data Collected Automatically

• Technical data: IP address, browser type and version, operating system, device type
• Usage data: pages visited, time spent on pages, links clicked, referral sources
• Cookie data: as described in Section 10 of this notice

 

2.3 Data from Third Parties

• Referral data from partner organisations, course vendors or examination bodies
• Publicly available professional profile data (e.g. LinkedIn) where relevant to a business relationship

 

We do not collect or process any special category personal data (e.g. health data, racial or ethnic origin, religious beliefs) unless you voluntarily disclose it and we have a specific lawful basis to do so. We do not knowingly collect personal data from children under the age of 16.

 

3. How and Why We Use Your Personal Data

We only use your personal data for specific, legitimate purposes. The table below sets out our processing activities, the lawful basis under UK GDPR Article 6, and where applicable the legitimate interest being pursued.

 

Purpose	Lawful Basis (UK GDPR Art. 6)	Further Detail
Providing our services and fulfilling course enrolments	Art. 6(1)(b) – Contract performance	Necessary to deliver the service you have purchased or registered for
Responding to enquiries and providing pre-sales information	Art. 6(1)(f) – Legitimate interests	We have a legitimate interest in responding to prospective clients and leads
Sending marketing emails and promotional materials	Art. 6(1)(a) – Consent (PECR)	Only where you have opted in. You may withdraw consent at any time
Processing payments and maintaining financial records	Art. 6(1)(c) – Legal obligation	Required under UK tax law (HMRC) to retain for minimum 6 years
Monitoring and improving our website and services	Art. 6(1)(f) – Legitimate interests	Analytics to understand how our site is used and improve user experience
Preventing fraud and ensuring network/information security	Art. 6(1)(f) – Legitimate interests	We have a legitimate interest in protecting our systems and customers
Issuing certificates and liaising with awarding bodies	Art. 6(1)(b) – Contract performance	Required to fulfil our obligations as a training provider

 

Where we rely on legitimate interests as our lawful basis, we have carried out a Legitimate Interests Assessment (LIA) to ensure that our interests are not overridden by your rights and freedoms. You have the right to object to processing based on legitimate interests at any time (see Section 6).

 

4. Sharing and Disclosing Your Personal Data

We do not sell, rent or trade your personal data. We may share your personal data with the following categories of recipients, strictly on a need-to-know basis:

 

4.1 Data Processors (acting on our instructions)

• Payment processors: for secure processing of course fees and other payments
• Learning management system providers: to host and deliver our online courses
• Email marketing platforms: to manage our mailing lists and campaigns (e.g. where you have consented to receive marketing)
• Form and data collection tools: including JotForm (used for DSARs and enquiry forms)
• Website hosting and analytics providers: including CookieYes (consent management) and Google Analytics (website analytics — subject to your cookie consent)
• IT and cloud service providers: for secure storage and system support

 

4.2 Third-Party Controllers (independent data responsibilities)

• Examination and awarding bodies: where you are registered for a qualification (e.g. BCS, IAPP)
• Course vendors and specialist trainers: where third-party delivery is required
• Meta (Facebook/Instagram): where you have consented to analytics or advertising cookies on our website

 

4.3 Statutory Disclosures

• Law enforcement agencies, courts, regulators (including the ICO) or government authorities, where we are legally required or permitted to do so

 

All third-party processors are bound by contractual obligations (including UK GDPR-compliant Data Processing Agreements where required) to process your data only on our instructions and to maintain appropriate security measures.

 

5. International Data Transfers

Some of our third-party service providers are located outside the United Kingdom. Where we transfer your personal data outside the UK, we ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V and the ICO’s guidance on international transfers.

Safeguards we rely on include:

• Adequacy decisions made by the UK Secretary of State (where the destination country is deemed to provide adequate protection)
• The International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), where no adequacy decision exists

We currently use services that may transfer data to the United States and Australia. In such cases, we ensure that appropriate transfer mechanisms are in place.

6. Your Data Protection Rights

Under UK GDPR, you have the following rights in relation to your personal data. We will respond to all valid requests within one calendar month of receipt. In complex cases, we may extend this by up to a further two months, and we will notify you if this applies.

 

Right	What This Means
Right of Access (Art. 15)	You may request a copy of the personal data we hold about you and information about how we process it (a Data Subject Access Request — DSAR).
Right to Rectification (Art. 16)	You may ask us to correct inaccurate or incomplete personal data.
Right to Erasure (Art. 17)	You may ask us to delete your personal data where there is no compelling reason for continued processing. This right is not absolute and may be subject to legal obligations.
Right to Restrict Processing (Art. 18)	You may ask us to suspend processing of your personal data in certain circumstances, for example while accuracy is contested.
Right to Data Portability (Art. 20)	Where processing is based on your consent or a contract, you may request a copy of your data in a structured, commonly used, machine-readable format.
Right to Object (Art. 21)	You may object at any time to processing based on legitimate interests, including profiling and direct marketing. We will cease processing unless we can demonstrate compelling legitimate grounds.
Right to Withdraw Consent (Art. 7)	Where we rely on your consent as the lawful basis, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
Right Not to Be Subject to Automated Decisions (Art. 22)	We do not currently make solely automated decisions that produce legal or similarly significant effects. If this changes, we will update this notice and seek your explicit consent where required.

 

To exercise any of your rights, please complete our Data Subject Access Request form or contact us at teams@sterlingtechsolns.com. We may ask you to verify your identity before processing your request.

 

7. Data Retention

We retain personal data only for as long as is necessary to fulfil the purposes for which it was collected, taking into account our legal, regulatory and contractual obligations. Our retention periods are set out below:

 

Data Category	Retention Period	Basis / Reason
Customer financial records (name, address, transaction data)	6 years from end of tax year	UK tax law (HMRC) — legal obligation
Course enrolment and training records	7 years from course completion	Contractual and potential claims period
Certificates and qualification records	Indefinitely (or until erasure requested)	Legitimate interest in providing proof of achievement
Website enquiry and contact form data	2 years from last contact	Legitimate interest in managing client relationships
Marketing consent records and mailing list data	Until consent withdrawn + 1 year	Legal compliance — evidence of consent
DSAR and rights request records	3 years from date of request	Legal compliance and accountability
Job applicant data (unsuccessful)	6 months from rejection	Recruitment purposes and legal claims window
Website analytics data (cookie-based)	Up to 26 months (per Google Analytics)	Subject to cookie consent — analytics purposes

 

At the end of the applicable retention period, personal data is securely deleted or anonymised. Our retention schedule is reviewed annually.

 

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction or damage. These measures include:

• Encryption of data in transit and at rest
• Access controls and role-based permissions
• Regular security assessments and staff data protection training
• Incident response procedures, including our obligations to notify the ICO within 72 hours of a notifiable breach
• Secure disposal of data at end of retention periods

 

Where third-party processors handle your data, we require them to implement equivalent security standards and to notify us promptly of any personal data breaches affecting your information.

 

9. Marketing Communications

We will only send you marketing communications (including email newsletters, event invitations, and promotional offers) where you have given us your prior explicit consent, in accordance with PECR Regulation 22 and UK GDPR Article 6(1)(a).

You may withdraw your consent and unsubscribe from marketing communications at any time by:

• Clicking the ‘unsubscribe’ link in any marketing email
• Emailing us at teams@sterlingtechsolns.com
• Updating your preferences via our preference centre

 

10. Cookies and Tracking Technologies

10.1 What Are Cookies?

Cookies are small text files placed on your device when you visit our website. They help us to provide a better experience, understand how our website is used, and deliver relevant content.

 

10.2 Categories of Cookies We Use

Category	Examples	Consent Required?
Strictly Necessary	Session management, security, cookie consent (CookieYes)	No — these are essential for the site to function
Analytics & Performance	Google Analytics (tracks page visits, user journeys)	Yes — opt-in consent required before cookies are set
Advertising & Targeting	Meta Pixel (Facebook/Instagram — used for ad targeting)	Yes — explicit prior consent required under PECR
Functional	Language preferences, previously visited pages	No — but we will inform you of their use

 

10.3 Your Cookie Choices

When you first visit our website, you will be presented with a cookie consent banner (managed by CookieYes). Non-essential cookies are not set until you give your consent. You may:

• Accept all cookies
• Reject non-essential cookies
• Manage your preferences category by category
• Withdraw or change your consent at any time via the cookie settings panel on our website

 

You can also control cookies through your browser settings. Please note that disabling certain cookies may affect the functionality of our website.

 

11. Third-Party Websites

Our website may contain links to third-party websites. These websites operate independently and have their own privacy policies. We are not responsible for the privacy practices of third-party sites and encourage you to review their policies before submitting any personal data.

 

12. Data Subject Access Requests (DSARs)

You have the right to request access to the personal data we hold about you at any time, free of charge. To submit a DSAR:

1. Complete our online DSAR form at www.sterlingtechsolutions.com/privacy-center/
2. Or email us at teams@sterlingtechsolns.com with the subject line ‘Data Subject Access Request’
3. We will acknowledge your request within 5 business days
4. We will ask you to verify your identity before releasing any data
5. We will respond to your request within one calendar month
6. In complex cases we may extend this by up to two further months — we will notify you if this applies

 

There is no fee for a DSAR unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or decline the request, explaining our reasons.

 

13. Complaints

If you have concerns about how we handle your personal data, we would always appreciate the opportunity to address them directly. Please contact us in the first instance:

 

Email	teams@sterlingtechsolns.com
Post	Data Protection, Sterling Tech Solutions UK, Belmont House, St. Faiths Street, Maidstone, England, ME14 1LH

 

If you remain dissatisfied after raising a complaint with us, you have the right to lodge a complaint with the UK’s supervisory authority:

 

Supervisory Authority	Information Commissioner’s Office (ICO)
Website	https://ico.org.uk/concerns/
Telephone	0303 123 1113
Post	ICO, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

 

14. Changes to This Privacy Notice

We review and update this Privacy Notice at least annually, and whenever there are significant changes to our processing activities or applicable law. The version number and date at the top of this document indicate when it was last updated.

Where changes are material, we will notify you by email (if we hold your email address) or by displaying a prominent notice on our website. We encourage you to review this notice periodically.

Thank you for trusting Sterling Tech Solutions UK with your personal data. We are committed to handling it responsibly, transparently and in accordance with the law.