Privacy Policy

IncludeDeaf Ltd is committed to protecting and respecting your privacy.

This Privacy Policy explains how we collect, use, store, and protect personal data when delivering training, consultancy services, online platform access, and related products (“Services”).

Capitalised terms used in this Privacy Policy have the meaning given in the IncludeDeaf Ltd Terms and Conditions unless otherwise defined herein.

This policy is written in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations 2003

1. Who We Are

IncludeDeaf Ltd

Registered in England and Wales

Company Number: 16763467

Registered Office: Kenton House, Oxford Street, Moreton-In-Marsh, England, GL56 0LA

Email: [email protected]

For data protection queries, please contact: Victoria Williams

2. Our Role: Controller and Processor

IncludeDeaf Ltd acts in different capacities depending on the context of the data processing.

2.1 When We Act as a Data Controller

We act as a Data Controller when we:

  • Process personal data of Customers for contract administration
  • Manage billing and invoicing
  • Handle enquiries and marketing communications
  • Manage complaints and feedback
  • Monitor Platform access, login activity and usage data for security, fraud prevention, licence compliance and platform integrity
  • Manage our own staff and subcontractors

In these cases, we determine the purpose and means of processing.

2.2 When We Act as a Data Processor

We act as a Data Processor when:

  • Delivering training or consultancy to a Customer’s employees
  • Hosting participant accounts on behalf of a corporate Customer
  • Processing participant data under the Customer’s instruction

In these situations:

  • The Customer is the Data Controller. Where IncludeDeaf Ltd processes participant data for its own security, compliance, platform integrity or service improvement purposes, it may act as an independent Data Controller for those limited purposes.
  • IncludeDeaf Ltd processes data only on documented instructions.
  • Processing is governed by the Data Protection clause in our Terms and Conditions.

3. What Personal Data We May Collect

Depending on the Service, we may process:

  • Name
  • Work email address
  • Job title
  • Organisation name
  • Login credentials
  • Platform usage data
  • Training attendance records
  • Assessment results
  • Invoices and payment details
  • Communication records

We do not intentionally collect special category data unless required for accessibility adjustments and explicitly agreed.

4. Legal Basis for Processing

When acting as Controller, we rely on:

  • Contract performance (Article 6(1)(b))
  • Legitimate interests (Article 6(1)(f))
  • Legal obligations (Article 6(1)(c))
  • Consent (where required, e.g. marketing)

When acting as Processor, we rely on:

  • The lawful basis identified by the Customer (Controller).

5. Sub-Processors

IncludeDeaf Ltd may engage carefully selected third-party service providers (“Sub-processors”) to assist in delivering Services.

These may include:

  • Cloud hosting providers
  • Learning management system providers
  • Video hosting platforms
  • Payment processors
  • IT support providers
  • Email and communication platforms

Where Sub-processors are used:

  • We conduct due diligence.
  • A written data processing agreement is in place.
  • They are bound by confidentiality obligations.
  • They are required to implement appropriate technical and organisational security measures.

We remain responsible for the acts and omissions of Sub-processors where required by law.

A list of current Sub-processors is available upon written request.

6. International Data Transfers

IncludeDeaf Ltd primarily stores and processes data within the United Kingdom.

If personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

  • UK International Data Transfer Agreement (IDTA)
  • UK Addendum to EU Standard Contractual Clauses
  • Transfers to countries with UK adequacy regulations

We ensure enforceable data subject rights and effective legal remedies are available.

7. Data Retention

We retain personal data only for as long as necessary for the purposes for which it was collected, including:

Data Type | Retention Period
Contract and billing records | 6 years (statutory requirement)
Platform account data | Duration of contract + up to 12 months
Training attendance records | Up to 3 years
Marketing consent records | Until consent is withdrawn
Complaint records | Up to 6 years

Where acting as Processor, retention periods are determined by the Customer.

Data is securely deleted or anonymised when no longer required.

8. Data Subject Rights

Under UK GDPR, individuals have the following rights:

  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restrict processing
  • Right to data portability
  • Right to object
  • Rights relating to automated decision-making

Where IncludeDeaf Ltd acts as Processor, requests will be forwarded to the relevant Customer (Controller).

To exercise your rights, contact:

[email protected]

We may require identity verification before fulfilling requests.

9. Security Measures

IncludeDeaf Ltd implements appropriate technical and organisational measures, including:

  • Access controls and user authentication
  • Secure hosting environments
  • Encryption where appropriate
  • Confidentiality agreements
  • Regular system monitoring

In the event of a personal data breach affecting Customer data, IncludeDeaf Ltd will notify the relevant Customer without undue delay in accordance with its contractual obligations.

10. Cookies and Platform Analytics

Where our Platform uses cookies or analytics tools, these are used to:

  • Maintain functionality
  • Monitor performance
  • Ensure compliance with Acceptable and Fair Use policies

A separate Cookie Notice is available where required.

11. Complaints

If you have concerns about how we process personal data, you may contact us first.

You also have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner’s Office (ICO)

www.ico.org.uk

12. Changes to this Policy

We may update this Privacy Policy from time to time. The latest version will always be made available upon request or via our website or platform.

Where required by law or where changes materially affect data processing, we will notify Customers of significant updates.