top of page

Privacy Policy

Edubox Privacy Statement

 

The Purpose of this privacy statement is to explain, in general terms, how Edubox processes your personal data from the moment it is collected to the point it is deleted or destroyed. It is written for anyone who is making an enquiry about one of Edubox’s services or making a booking for a course. Other ‘specific to customer’ privacy notices will be provided when needed.

 

The Role of Eduox in data protection terms is that of a data controller because we determine the purposes and the use of the personal data we collect. Once received it becomes the responsibility of the Edubox Privacy Officer (PO) to ensure that it is processed in accordance with the latest relevant UK legislation. You can contact the Edubox PO by email using office@educationbox.co or by writing to: Edubox, Flat 7, 2 Mckinley Road, BH4 8AQ.

​

The personal data processed by Edubox will only be basic contact information such as names, addresses, telephone numbers and an email address to be able to respond to your query. If you are booking a course for a child, Edubox will need additional information about the child which will include health related data, sufficient to complete the booking. Edubox will also collect minimal financial details for the purposes of recognising payments for activities.

​

The way we collect or receive your personal data is directly from you when you make your initial enquiry either through the web page contact form, a direct call, by email.

​

Edubox’s duty of confidentiality means that Edubox team will treat your personal data in confidence. Edubox uses reasonable technical and organisational measures to ensure personal data is safe guarded. Access is strictly limited to those members of team who need it. Edubox expects the same duty of confidentiality of all third parties with whom we need to share your personal data for the purposes of fulfilling our contractual obligations to you. They are required to enter into a separate data processing agreement with us when they have the role of data processor unless the equivalent clauses are already included in our contract with them.

 

Edubox will process personal data using a lawful basis; such instances are described below:

 

  • When we have a legitimate interest to respond to your general enquiry regardless of how it reached us in the first instance

  • When we have a legitimate interest to use your contact details, as a former and/or current customer, to send you a newsletter with updates about our services

  • When we have your consent in the situation where you have not been a customer of ours before, in order to send you a newsletter with updates about our services

  • When we have your explicit consent when we need to process special category data such as medical/health related data needed to support activity applications

  • To fulfil our contractual obligations to you either as a customer for the purposes of delivering the service(s) you have asked of Edubox

  • To comply with our legal obligations

 

Edubox will never sell your personal data and will only disclose it when it’s absolutely necessary, to some or all of the following third parties:

 

  • Company accountant and the legal firm appointed by Edubox

  • HMRC for invoice related activities

  • Sub-contractors appointed by PEG, subject to a data processing agreement or equivalent commitment to confidentiality

 

Edubox will process your personal data via Google Drive (UK) and for back up services. This website is hosted at a US based data centre. We use Wix purely for marketing purposes which is US based. 

​

Edubox follows a retention schedule to determine the length of time it holds different types of personal data of the customer. The key points of the schedule are shown below:

  • If you make an enquiry about a service that you subsequently choose not to use, we will routinely delete any information we have collected about you 36 months

  • If you make an enquiry about a service that generates a quotation that does not result in an order, we will retain your contact details indefinitely, unless you ask us to delete it

  • If you are or have been a customer, we will retain the details of your order, including your contact details, indefinitely, unless you ask us to delete them. If we don’t have another over-riding legal basis for processing, we will fulfil your request

  • If we have your consent to hold your contact details, we will retain them until you notify us that you want to withdraw your consent

  • For financial records and invoices, which include your personal data, these will be retained for 6 years after the end of the current tax year of processing

  • Personal data collected about children is not retained beyond their 12th birthday unless separate consent has been granted by the parent for specific activities

​

By exception, documentation that includes your personal data may be retained by Edubox beyond the schedule, but only for a specific purpose and only when Edubox believes there is a legitimate interest or has a legal obligation to do so. None the above affects your rights stipulated under the UK GDPR (see below).

​

At the end of the retention schedule Edubox will either return, destroy or delete/ anonymise your personal data and any associated emails or relevant documentation. If it is technically impractical to do so, we will put it beyond operational use. It allows up to 3 months after the retention criteria has expired to do this.

​

The Edubox website uses cookies (and similar technologies) with your permission when this is needed and does not attempt to identify individuals who visit the website. For further details please read the Edubox cookie policy, a link to which can be found at the foot of the homepage.

​

The UK General Data Protection Regulation defines the rights that you have (although these do not apply in all situations). For convenience, these rights are shown below:

  • Right to be informed as to how your personal data is being processed by Edubox – this is done through this privacy policy and/or separate Edubox privacy notices when appropriate

  • Right to access your personal data held by Edubox which is done by making a ‘Data Subject Access Request’ (DSAR) to the Edubox privacy officer

  • Right to rectification of your personal data if you believe Edubox has collected it incorrectly or it needs to be updated

  • Right to erasure of your personal data for which Edubox no longer has an overriding lawful basis with which to process

  • Right to restrict processing under certain circumstances, during which time your personal data will be out of operational use until the related matter is resolved

  • Right to data portability in a machine-readable version of the personal data you have provided to us, but this only applies to data provided with your consent or under contract

  • Right to object to Edubox processing your personal data when it does not relate to a legal or contractual obligation

  • Rights related to automated decision making and profiling (however Edubox does not use these techniques in its decision making)

  • Right to withdraw your consent at any time to any service for which have previously sought and obtained your consent as the lawful basis for processing your personal data

 

Further details on data subjects’ rights can be found on the Information Commissioner’s Office (ICO) website: https://ico.org.uk.

 

Exercising rights or making queries to Edubox can be done by contacting the Privacy Officer. We will need to confirm your identity before proceeding with any request, therefore it may be necessary to ask you to provide documentation to verify your identity. If you have any concerns about the way we are processing your personal data, please contact the Privacy Officer in the first instance. 

 

In the event of a takeover or acquisition, the personal data Edubox holds will form part of the assets of the organisation to be taken over by the new company, but only used for the same or similar purpose. If this happens, we will notify you using the latest contact details held.

 

This privacy statement is subject to a routine review every 12 months or sooner if there are significant changes to UK legislation.

bottom of page