Novarise is committed to delivering a superior learning experience for all individuals we collaborate with. We recognize the dedication of our users to their success, and we are equally devoted to ensuring that every interaction with our content is optimized to maximize educational potential. To accomplish this, Novarise needs to collect and use specific information about individuals.
The individuals for whom we collect information include customers, affiliates, business contacts, employees, and other individuals with whom the organization maintains relationships or may need to contact.
This policy outlines how we collect, handle, and store this personal data to uphold the company’s data protection standards and comply with the law.
Purpose of this policy
This data protection policy ensures that Novarise:
- Complies with data protection laws and adheres to industry best practices.
- Safeguards the rights of staff, customers, affiliates, and partners.
- Maintains transparency in how it stores and processes individuals’ data.
- Protects itself from the risks of data breaches.
EU General Data Protection Regulation (GDPR) Compliance
The GDPR (General Data Protection Regulation) outlines how organizations conducting business with individuals or entities in EU (European Union) nations, including Novarise, must collect, handle, and store personal information.
These rules apply irrespective of whether data is stored electronically, on paper, or in any other format.
To comply with the law, personal information must be collected and used fairly, stored securely, and not disclosed unlawfully.
The EU GDPR is founded on eight core principles, which dictate that personal data must:
- Be processed fairly and lawfully.
- Be obtained solely for specific, lawful purposes.
- Be adequate, relevant, and not excessive.
- Be accurate and regularly updated.
- Not be retained for longer than necessary.
- Be processed in accordance with data subjects’ rights.
- Be safeguarded adequately.
- Not be transferred outside the European Economic Area (EEA) unless the receiving country or territory ensures an adequate level of protection.
1. Policy statement
On a daily basis, our business will receive, use, and store personal information concerning our customers, affiliates, partners, and colleagues. It is crucial that this information is handled in a lawful and appropriate manner, in accordance with the requirements of the Data Protection Act 2018 and the General Data Protection Regulation (collectively referred to as the ‘Data Protection Requirements’).
We take our data protection responsibilities seriously because we value the trust placed in us to use personal information in a responsible and appropriate manner.
2. About this policy
This policy, along with any referenced documents, establishes the framework for processing any personal data we collect or process. Please note that this policy does not constitute part of any employee’s employment contract and may be modified at any time.
The company as a whole is responsible for ensuring compliance with the Data Protection Requirements and this policy. Any questions regarding the implementation of this policy or concerns about potential deviations should be directed initially to the Data Protection Officer.
3. What is personal data?
Personal data is defined as data, whether stored electronically or in paper format, that pertains to a living individual who can be identified directly or indirectly from that data or from that data in conjunction with other information in our possession.
Processing encompasses any activity involving the use of personal data. It includes obtaining, recording, or holding data, organizing, amending, retrieving, using, disclosing, erasing, or destroying it. Processing also encompasses the transfer of personal data to third parties under conditions of privacy control.
Sensitive personal data includes contact information, addresses, session activity on the platform, IP locations, etc. Sensitive personal data can only be processed under strict conditions and for the express purpose for which it was collected.
4. Data protection principles
Anyone processing personal data must ensure that the data is:
- A. Processed fairly, lawfully, and transparently.
- B. Collected for specified, explicit, and legitimate purposes, with any further processing conducted for compatible purposes.
- C. Adequate, relevant, and limited to what is necessary for the intended purposes.
- D. Accurate and, where necessary, kept up to date.
- E. Maintained in a form that permits identification for no longer than necessary for the intended purposes.
- F. Processed in line with the individual’s rights and in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing, accidental loss, destruction, or damage, using appropriate technical or organizational measures.
- G. Not transferred to individuals or organizations situated in countries without adequate protection without first notifying the individual.
5. Fair and lawful processing
The Data Protection Requirements are not intended to prohibit the processing of personal data but to ensure that it is done fairly and without adversely affecting the rights of the individual.
In accordance with the General Data Protection Regulation (GDPR), we will only process personal data when it is necessary for a lawful purpose. Lawful purposes include (among others): obtaining the individual’s consent, processing necessary for fulfilling a contract with the individual, compliance with a legal obligation, or serving the legitimate interest of the business. When processing sensitive personal data, additional conditions must be met.
A. Collection of Information
We receive and store information about you, including but not limited to:
- Information you provide us: We collect information you provide, such as your name, email address, address or postal code, payment method, and telephone number. This information is gathered through various means, including manual entry during your use of our service, interactions with our customer service, participation in surveys or marketing promotions, providing reviews or ratings, indicating taste preferences, setting preferences in Your Profile/Account, or supplying information to us through our service or other channels.
- Information we collect automatically: We gather information related to you and your use of our service, your interactions with us and our advertising, as well as details about the computer or other device you use to access our service. This information includes:
  - Your activity on our platform, such as course progress and search queries.
  - Details about your interactions with customer service, including the date, time, and reason for contacting us.
  - Transcripts of any chat conversations initiated on our platforms.
  - In cases where you initiate phone support, your phone number.
  - Device IDs or unique identifiers, device and software characteristics (such as type and configuration).
  - Connection information, statistics on page views, referral URLs, IP addresses, and standard web log information.
B. Use of Information
We utilize the information we gather to provide, analyze, administer, enhance, and personalize our services and marketing efforts. This includes processing your registration, orders, payments, and communication on various topics.
Our primary objective is to consistently enhance the user experience. We achieve this through various means using the data we collect. A few examples include determining your general platform usage, tracking required action item completions, and monitoring login details. This data helps us identify any challenges you may face within the platform, allowing us to take actions to minimize your efforts. Additionally, we collect data such as the most visited links on our website, which assists us in identifying the most viewed content. This, in turn, enables us to create additional content tailored to our users’ needs and preferences.
6. Processing for limited purposes
Throughout our business operations, we may collect and process personal data. This data may include information obtained directly from a data subject and data received from other sources, including location data, business partners, and subcontractors responsible for technical, payment, and delivery services, credit reference agencies, and other roles.
We will only process personal data for specific purposes or other purposes explicitly allowed by the Data Protection Requirements. We will notify data subjects of these purposes when we initially collect the data or as soon as possible thereafter.
7. Notifying individuals
When we collect personal data directly from an individual, we will inform them about:
- A. The purpose or purposes for which we intend to process their personal data, along with the legal basis for such processing.
- B. In cases where we rely upon the legitimate interests of the business to process personal data, we will specify the pursued legitimate interests.
- C. The types of third parties, if any, with whom we will share or disclose their personal data.
- D. Our intention to transfer personal data to a non-EEA country or international organization, and the appropriate and suitable safeguards in place.
- E. How individuals can limit our use and disclosure of their personal data.
- F. Information regarding the duration for which their information will be stored, or the criteria used to determine that duration.
- G. Their right to request access to and rectification or erasure of their personal data, or restriction of processing.
- H. Their right to object to processing and their right to data portability.
- I. Their right to withdraw their consent at any time (if consent was given), without affecting the lawfulness of processing prior to consent withdrawal.
- J. The right to lodge a complaint with the Information Commissioner’s Office.
- K. Other sources from which personal data regarding the individual originated, and whether it came from publicly accessible sources.
- L. Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the individual is obliged to provide the personal data and any consequences of failing to provide it.
- M. The existence of automated decision-making, including profiling, and meaningful information about the logic involved, as well as the significance and anticipated consequences of such processing for the individual.
If we receive personal data about an individual from other sources, we will promptly provide them with this information (in addition to informing them about the categories of personal data concerned), and no later than one (1) month from the time of receiving such data.
We will also inform data subjects whose personal data we process that we are the data controller regarding that data. Our contact details for data protection are [email protected], and we will specify who the Data Protection Compliance Manager/Data Protection Officer is.
8. Adequate, relevant, and non-excessive processing
We will collect personal data only to the extent necessary for the specific purpose notified to the data subject.
9. Accuracy of data
We are committed to maintaining the accuracy of the personal data we hold. To achieve this, we will verify the accuracy of any personal data at the time of collection and at regular intervals thereafter. We will take all reasonable measures to correct or update inaccurate or outdated data.
10. Timely processing
We will not retain personal data longer than necessary for the purpose or purposes for which it was initially collected. We will take all reasonable steps to delete or erase any data from our systems that is no longer required.
11. Processing in accordance with Data Subject’s Rights
We will process all personal data in accordance with the rights of data subjects, including but not limited to:
- A. Providing confirmation as to whether or not personal data concerning the individual is being processed.
- B. Facilitating requests for access to any data held about them by a data controller.
- C. Handling requests for rectification, erasure, or restriction of processing of their personal data.
- D. Assisting in the lodging of a complaint with a supervisory authority.
- E. Enabling data portability.
- F. Allowing individuals to object to processing, including for direct marketing purposes.
- G. Ensuring that individuals are not subject to automated decision-making, including profiling, in certain circumstances.
12. Data security
We will implement appropriate security measures to prevent unlawful or unauthorized processing of personal data and to guard against accidental or unlawful destruction, damage, loss, alteration, or unauthorized disclosure of or access to personal data that is transmitted, stored, or otherwise processed.
We will establish procedures and technologies to uphold the security of all personal data, starting from the determination of the means for processing and the data collection point, extending to the point of data destruction. Personal data will only be transferred to a data processor if they agree to comply with these procedures and policies or if they establish adequate security measures themselves.
We will maintain data security by safeguarding the confidentiality, integrity, and availability of personal data, defined as follows:
- A. Confidentiality: Only authorized individuals will have access to the data.
- B. Integrity: Personal data should be accurate and suitable for the intended processing purpose.
- C. Availability: Authorized users should be able to access the data when required for authorized purposes. Consequently, personal data should be stored on the Novarise central computer system and databases rather than individual PCs.
Our security procedures:
- Entry Controls: Any individual observed in entry-controlled areas who is not authorized will be reported.
- Securing Lockable Desks and Cupboards: Desks and cupboards must remain locked at all times, especially if they contain any form of confidential information. (Personal information is always considered confidential.)
- Data Minimization: We will practice data minimization.
- Pseudonymisation and Data Encryption: Data will primarily be stored in a pseudonymized and encrypted state.
- Methods of Disposal: Paper documents will be securely shredded, digital storage devices will be physically destroyed when no longer needed, and electronic data will be deleted once its intended purpose is fulfilled.
- Equipment Security: Staff are responsible for ensuring that individual monitors do not display confidential information to unauthorized individuals. They must also log off from their PCs when leaving them unattended.
13. Transferring personal data outside of the EEA
We may transfer any personal data we hold to a country outside the European Economic Area (‘EEA’) or to an international organization, provided that one of the following conditions applies:
- The country to which the personal data is transferred ensures an adequate level of protection for the data subjects’ rights and freedoms.
- The data subject has given their consent.
- The transfer is necessary for one of the reasons specified in the Act, including the performance of a contract between us and the data subject, or to protect the vital interests of the data subject.
- The transfer is legally required for significant public interest reasons or for the establishment, exercise, or defense of legal claims.
- The transfer is authorized by the relevant data protection authority, and we have implemented adequate safeguards to protect the data subjects’ privacy, fundamental rights and freedoms, and the exercise of their rights.
Subject to the requirements above, personal data we hold may also be processed by staff operating outside the EEA who work for us or for one of our suppliers. These staff members may be involved in various tasks, such as fulfilling contracts with data subjects, processing payment details, and providing support services.
14. Disclosure and sharing of personal data
We may share personal data we hold with any member of our group, including our subsidiaries, our ultimate holding company, and its subsidiaries, as defined in legislation link.
15. Subject access requests
To achieve these goals, the company has a privacy statement that outlines how data related to individuals is utilized by the company.
Individuals must make a formal request for information held about them. Employees who receive such requests should promptly forward them to the data department.
When handling telephone inquiries, we will only disclose personal data stored in our systems if the following conditions are met:
- We will verify the caller’s identity to ensure that information is only provided to authorized individuals.
- If we are uncertain about the caller’s identity and cannot verify it, we will recommend that the caller submit their request in writing.
- When a request is made electronically, we will strive to provide data electronically if possible.
- Our support team will escalate difficult situations or requests to the data processing department or the Data Protection Compliance Manager for further assistance.
16. Changes to this Policy
We reserve the right to modify this Privacy Statement at any time. However, we will provide prominent advance notice of any substantial changes to this Statement. This notice may be given through the Services, on our websites, or by sending you an email to ensure that you are informed of any significant revisions.