Gateway EduConnect Privacy Policy
1. Who we are and scope of this policy
Gateway EduConnect is an education counselling and student recruitment organisation that assists prospective students with enquiries, counselling, course shortlisting, admissions applications, document preparation, university portal submissions, visa support coordination, post-offer communications, and related student support services. This Privacy Policy explains how Gateway EduConnect collects, uses, stores, shares, transfers, protects, and deletes personal data about students, parents, sponsors, guardians, education partners, channel partners, website users, and other individuals who interact with us.
2. Laws and standards this policy is designed to address
This policy is designed to support compliance with the UK GDPR and Data Protection Act 2018 where Gateway EduConnect processes personal data connected with UK institutions or UK-based recruitment activities; the Privacy and Electronic Communications Regulations where electronic marketing and cookies are relevant; the Digital Personal Data Protection Act, 2023 and applicable rules in India where Gateway EduConnect processes digital personal data in India; and applicable contractual obligations imposed by partner universities, pathway providers, payment processors, CRM providers, cloud vendors, and professional advisers.
3. Key privacy principles
Gateway EduConnect applies the following principles to all personal data processing: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, security, confidentiality, accountability, and respect for individual rights. We do not collect personal data merely because it may be useful in the future. We collect only what is necessary for the student recruitment, counselling, application, visa support, partnership, compliance, or communication purpose explained in this policy.
4. Important definitions
| Term | Meaning in this policy |
|---|---|
| Personal data | Information that identifies or can reasonably identify an individual, such as name, contact details, passport details, academic records, communications, application documents, and financial sponsorship information. |
| Special category data | More sensitive information, such as health or disability information, processed only where necessary for university support, accommodation, welfare, visa medical requirements, complaint handling, or another lawful purpose with additional safeguards. |
| Controller | An organisation that decides why and how personal data is processed. Gateway EduConnect acts as a controller for our own counselling, onboarding, CRM, marketing, business administration, and compliance activities. |
| Processor | An organisation that processes data only on another controller's documented instructions. Gateway EduConnect may act as a processor when preparing, formatting, verifying, or uploading a chosen applicant's documents for a partner university or pathway provider under that institution's instructions. |
| University / education partner | A university, college, pathway provider, language school, training provider, accommodation provider, student support provider, or admissions platform involved in the student's chosen application journey. |
| UK GDPR rights request | A request to access, correct, erase, restrict, object to, transfer, or otherwise exercise privacy rights in relation to personal data. |
5. Our role as data controller, processor, and possible joint controller
5.1 Gateway EduConnect as data controller
Gateway EduConnect acts as a data controller where we determine the purpose and means of processing personal data, including:
- receiving website, WhatsApp, email, phone, social media, event, referral, and walk-in enquiries;
- creating and managing CRM records for prospective students, parents, sponsors, and education partners;
- assessing initial academic, English language, budget, country, intake, and course preferences before a student chooses a specific institution;
- providing counselling, appointment reminders, intake updates, document checklists, service updates, and application guidance;
- managing marketing preferences, newsletters, webinar invitations, event registrations, and consent records;
- running internal reporting, lead allocation, service quality monitoring, audits, fraud prevention, security, complaint handling, and legal compliance.
5.2 Gateway EduConnect as data processor
Once an applicant selects a specific university or education partner and asks Gateway EduConnect to prepare or submit an application, Gateway EduConnect may act as a processor for that institution for parts of the processing. In that capacity, we process personal data only according to the institution's documented instructions, relevant data processing agreement, admissions portal rules, and published privacy notice. This may include compiling academic documents, checking completeness, uploading files, responding to admissions queries, and forwarding required supporting information.
5.3 Joint controller situations
In limited situations, Gateway EduConnect and an education partner may jointly determine certain purposes and means of processing, for example co-branded events, shared CRM campaigns, shared applicant follow-up workflows, or jointly managed recruitment fairs. Where this happens, Gateway EduConnect will ensure there is a written arrangement allocating responsibilities for privacy notices, individual rights, security, retention, and complaint handling.
6. Personal data we collect
| Category | Examples | Typical source |
|---|---|---|
| Identity data | Full name, preferred name, date of birth, gender where required by an institution, nationality, passport number, government ID details where necessary. | Student, parent/guardian, sponsor, identity documents, application forms. |
| Contact data | Email address, mobile number, WhatsApp number, postal address, emergency contact details. | Student, parent/guardian, online forms, events, referral forms, communication history. |
| Academic data | School/college/university records, transcripts, marksheets, certificates, predicted grades, backlogs, grading scales, English language scores, academic references. | Student, issuing institution, testing body, education partner, uploaded documents. |
| Employment and profile data | CV, work experience, internships, professional qualifications, statement of purpose, portfolio, career goals, preferred country/course/intake/budget. | Student, counsellor notes, application forms. |
| Application data | Chosen courses, institutions, admissions portal records, application status, offer letters, CAS or equivalent records, scholarship details, accommodation preferences. | Student, Gateway EduConnect systems, universities, pathway providers, admissions portals. |
| Financial and sponsorship data | Fee payment status, fee receipts, sponsorship letters, bank statements or financial evidence required for admissions, pre-CAS, visa, or scholarship assessment. | Student, parent, sponsor, bank documents supplied by the applicant, university or payment records. |
| Visa and immigration support data | Passport copies, previous visa history, visa refusal information, travel history where required, CAS or equivalent records, appointment details, visa checklist records. | Student, visa forms, university records, Gateway EduConnect counsellor notes. |
| Special category data | Disability, health, medical, welfare, accessibility, or support information only where relevant to accommodations, support services, medical visa requirements, safeguarding, complaints, or legal obligations. | Student, parent/guardian, medical/support documentation, university support teams. |
| Communication data | Emails, WhatsApp messages, call notes, meeting notes, chat transcripts, appointment history, webinar questions, complaint records, feedback, consent and opt-out records. | Direct communications, CRM, communication platforms, event systems. |
| Technical and website data | IP address, device/browser data, cookie identifiers, website pages visited, form submission data, security logs, analytics events where enabled. | Website, cookies, analytics tools, security systems. |
| Partner and business contact data | Name, work email, role, institution, company details, contract records, invoices, commission records, onboarding documents. | Business partner, channel partner, institution, professional adviser, public sources. |
Gateway EduConnect does not intentionally collect unnecessary personal data. If we receive excessive documents or irrelevant sensitive information, we will minimise, redact, return, delete, or restrict access to it where appropriate.
6.1 Special category, health, disability, welfare, and visa-health data
Gateway EduConnect processes special category data only where strictly necessary for a defined purpose, such as university disability support, reasonable adjustments, welfare support, accommodation support, visa medical requirements, complaint handling, safeguarding, or legal compliance. Access to such information is restricted to authorised personnel with a legitimate operational need.
Examples may include disability information, medical or welfare information voluntarily provided by an applicant, health-related visa documentation, or information needed by a university support team. We will not request broad medical histories where a narrower document is sufficient, and we will redact, segregate, restrict, or delete sensitive information when it is no longer required.
6.2 Children, minors, parents, and guardians
Gateway EduConnect may support applicants who are under 18, pathway/foundation applicants, or applicants who require parent, guardian, or sponsor involvement. Where required by law, institutional rules, safeguarding expectations, or service necessity, Gateway EduConnect will obtain or verify appropriate parent/guardian involvement or authorisation before collecting or submitting minor applicant data. We will not knowingly send unnecessary direct marketing to children, and we will apply additional care to identity documents, welfare information, contact details, and communications involving minors.
Where safeguarding, welfare, emergency-contact, accommodation, or student-support concerns arise, Gateway EduConnect will share only the minimum necessary information with the relevant institution, parent/guardian, sponsor, authority, or professional adviser where there is an appropriate lawful basis and operational need.
7. Why we process personal data and lawful bases
The table below maps the main processing purposes to the likely lawful basis under UK GDPR. Where Indian law applies, Gateway EduConnect will also ensure there is a lawful ground under applicable Indian data protection law, including consent or legitimate uses where relevant.
| Processing purpose | Examples | UK GDPR lawful basis |
|---|---|---|
| Responding to enquiries and arranging counselling | Contacting prospective students, scheduling appointments, answering course/country/intake questions, creating a CRM enquiry record. | Article 6(1)(b) steps before entering into a contract; Article 6(1)(f) legitimate interests for basic enquiry management and service administration. |
| Student counselling and profile assessment | Reviewing academic profile, English scores, work experience, budget, preferences, eligibility, and documentation needs. | Article 6(1)(b) performance of contract or pre-contract steps requested by the student. |
| Preparing and submitting applications | Completing application forms, uploading documents to university portals, communicating with admissions teams, tracking application status. | Article 6(1)(b) performance of contract/pre-contract steps; where acting for a university, processing according to the university controller's instructions and Article 6 basis. |
| University-side application processing | Partner university assesses application, verifies eligibility, makes offers, issues CAS or equivalent documents, manages student records. | Universities commonly rely on Article 6(1)(b): processing necessary to take steps at the applicant's request before entering into a student contract, subject to the institution's own privacy notice. |
| Identity, document, and accuracy checks | Checking documents for completeness, consistency, fraud indicators, mismatched names, duplicate applications, or admissions portal requirements. | Article 6(1)(b) for service delivery; Article 6(1)(f) legitimate interests in accuracy and fraud prevention; Article 6(1)(c) legal obligation where a specific law requires checks. |
| Visa support coordination | Providing checklists, arranging documentation, liaising with institutions on CAS or equivalent documents, recording visa outcomes where needed. | Article 6(1)(b) service delivery; Article 6(1)(c) legal obligation where required; Article 6(1)(f) legitimate interests in accurate records and compliance. |
| Special category data for support needs | Processing disability, medical, accommodation, welfare, or accessibility information for university support or visa medical requirements. | Article 6(1)(b) or 6(1)(c), plus Article 9 condition such as explicit consent, substantial public interest, or legal claims depending on the exact context. Gateway EduConnect will apply the narrowest applicable condition and stronger safeguards. |
| Service communications | Appointment reminders, document reminders, missing-document notifications, intake deadline alerts, application status updates. | Article 6(1)(b) contract/pre-contract steps; Article 6(1)(f) legitimate interests in providing and administering requested services. |
| Marketing communications | Newsletters, promotional course updates, webinar invitations, event campaigns, offers from Gateway EduConnect or selected education partners. | Consent where required by PECR/electronic marketing rules; Article 6(1)(a) consent or Article 6(1)(f) legitimate interests only where lawful and appropriate. Opt-out is always available. |
| Improving services and analytics | Internal quality checks, counsellor performance review, website analytics, CRM workflow improvement, aggregated reporting. | Article 6(1)(f) legitimate interests, supported by a documented legitimate interests assessment and safeguards. |
| Security and fraud prevention | Account controls, access logs, MFA, incident investigation, preventing misuse, detecting suspicious activity. | Article 6(1)(f) legitimate interests; Article 6(1)(c) where legal reporting or compliance is required. |
| Legal, tax, audit, and regulatory compliance | Accounting records, invoices, complaint files, regulatory requests, legal claims, audit trails, breach reporting. | Article 6(1)(c) legal obligation; Article 6(1)(f) legitimate interests in defending claims and maintaining accountable records. |
8. Legitimate interests assessment summary
Where Gateway EduConnect relies on legitimate interests, we apply a three-part test:
- Purpose test: the processing must support a legitimate business, service, safety, fraud prevention, quality, security, communication, or compliance purpose connected with education counselling and student recruitment.
- Necessity test: the purpose cannot reasonably be achieved in a less intrusive way, and only the minimum personal data needed is processed.
- Balancing test: Gateway EduConnect weighs its interest against the individual's rights, expectations, age, vulnerability, relationship with us, sensitivity of the data, and potential impact. We apply safeguards such as access controls, data minimisation, opt-outs, audit logs, human review, and retention limits.
9. AI, automation, profiling, and automated decision-making
9.1 AI usage disclosure
Gateway EduConnect may use limited automation and, where approved internally, AI-assisted tools to improve administrative efficiency. This may include CRM lead assignment, intake reminder scheduling, duplicate record detection, document checklist prompts, translation support, drafting of non-final communications, and internal service analytics. Gateway EduConnect will not use AI to make final admissions, visa, scholarship, eligibility, or rejection decisions about a student.
Gateway EduConnect may also use approved AI-enabled voice calling or conversational automation tools to contact prospective students who have submitted an enquiry, registered for counselling, attended an event, or otherwise provided contact details for follow-up. These AI-assisted calls may be used to understand the student's area of interest, preferred study destination, course level, intake, budget range, academic background, English-language status, work experience, visa-history indicators, and other high-level eligibility factors needed for preliminary counselling. The purpose is to route the enquiry to the appropriate counsellor, prepare for a human counselling session, reduce repeated data collection, and carry out preliminary profile pre-qualification.
AI-enabled voice calls do not make final admissions, visa, scholarship, financial, offer, rejection, or counselling decisions. Any pre-qualification outcome, score, tag, transcript, summary, or recommended next step generated through an AI voice interaction is treated only as an internal administrative indicator and must be reviewed by authorised Gateway EduConnect staff before advice, application submission, or a recommendation is given to the student. Students may request human review, ask to speak directly with a counsellor, correct call information, object to automated profiling, or opt out of AI-assisted calls by using the privacy contact details in this policy.
If Gateway EduConnect uses an AI tool that processes personal data, we will ensure the tool is used only for stated purposes, subject to an appropriate lawful basis, security review, access controls, human oversight, vendor due diligence, and data minimisation. We will not intentionally upload special category data, passport scans, bank statements, or visa refusal records into public or unapproved AI tools.
Gateway EduConnect does not use applicant personal data to train public AI models and does not permit vendors to use uploaded applicant data for unrelated AI model training. AI-assisted outputs must be checked by trained staff before being used in counselling, application preparation, document review, or student communications. Human staff remain accountable for final advice, application actions, and communications.
9.2 Automated decision-making disclosure
Gateway EduConnect does not carry out solely automated decision-making that produces legal effects or similarly significant effects on individuals. Automated workflows may help us sort enquiries, route leads to counsellors, identify missing documents, compare basic profile information against publicly available or institution-provided entry criteria, or trigger reminders. These workflows are administrative aids only.
Every critical assessment, including course suitability, admissions advice, escalation of an ineligible profile, final recommendation to submit an application, complaint response, and any decision affecting service delivery, is subject to human review by Gateway EduConnect staff. Students can request human review, contest an automated classification, provide additional information, and ask for an explanation by contacting the privacy contact listed in this policy.
10. University and partner privacy notices
When Gateway EduConnect shares an applicant's personal data with a university, college, pathway provider, or other education partner, the applicant will receive or be directed to the relevant institution's privacy notice before or at the time of submission, and must be shown the applicable link before submission wherever Gateway EduConnect controls the submission workflow. Gateway EduConnect will provide the applicable notice link in one or more of the following ways:
- inside the application checklist or consent/authorisation form;
- in the application confirmation email or WhatsApp message;
- on the Gateway EduConnect application portal or CRM consent screen;
- through the institution's official admissions portal before submission;
- in a maintained internal table of partner privacy notice links used by counsellors.
If an institution updates its privacy notice, Gateway EduConnect will use reasonable efforts to update the link in its records. Applicants should also review the privacy notice on the institution's official website because the institution controls how it processes applicant data after receiving the application.
Operational rule: before any application is submitted through a university portal or sent to an education partner, the counsellor or admissions officer must record that the applicant has received the relevant institution privacy notice link or has been directed to the official institution privacy notice. Where the institution provides its own portal notice, Gateway EduConnect may rely on that portal notice but should still maintain evidence of the link or submission route used.
11. Who we share personal data with
| Recipient category | Purpose of sharing | Safeguards / limits |
|---|---|---|
| Universities, colleges, and pathway providers | Admissions assessment, offer processing, scholarships, CAS or equivalent documents, accommodation, student support, and related services selected by the student. | Shared only where necessary for the chosen application or related service. Institution privacy notice should be provided. Data sharing agreements or portal terms apply where relevant. |
| Admissions portals and education technology providers | Submitting applications, storing documents, tracking status, communication workflows. | Access controls, contractual terms, encryption where available, minimum necessary data. |
| CRM, email, SMS, WhatsApp, telephony, cloud, IT, website, analytics, and automation providers | Managing enquiries, communications, reminders, document workflows, security, analytics, and records. | Processor contracts, confidentiality obligations, restricted access, security measures, vendor review, deletion/return rules. |
| Visa support partners and authorised professional advisers | Visa documentation support, compliance review, legal or professional advice where requested or required. | Shared only where needed for the service, legal compliance, or claim handling. Professional confidentiality obligations where applicable. |
| Payment processors, banks, accountants, auditors, and tax advisers | Fee processing, refunds, invoices, commission, accounting, audit, financial reporting. | Limited financial records, legal/audit retention, confidentiality and professional obligations. |
| Regulators, courts, government bodies, law enforcement, UKVI or equivalent authorities | Legal compliance, immigration or regulatory reporting, fraud prevention, complaints, investigations, legal claims, data breach reporting. | Shared only where legally required or reasonably necessary and limited to the minimum necessary information. |
| Channel partners, referral partners, event partners | Referral tracking, event follow-up, student support where the student has engaged through that partner. | Contractual terms, confidentiality, limited data sharing, respect for marketing preferences. |
| Potential business transferees or successors | Business restructuring, merger, acquisition, due diligence, continuity of services. | Confidentiality agreements, limited disclosure, due diligence safeguards, notice where legally required. |
12. International transfers
Gateway EduConnect may transfer personal data between India, the United Kingdom, the European Economic Area, and other countries where chosen institutions, pathway providers, CRM providers, cloud platforms, communication tools, or professional advisers are located. International transfers are made only for the purposes described in this policy, such as application processing, counselling, admissions communication, visa support, technology hosting, or compliance.
Where UK GDPR transfer rules apply and personal data is transferred from the UK to a country without an adequacy regulation, Gateway EduConnect will use appropriate safeguards where required, such as the UK International Data Transfer Agreement, the UK Addendum to EU Standard Contractual Clauses, data processing agreements, transfer risk assessments, encryption, access controls, and minimisation. Where Indian law applies, Gateway EduConnect will follow applicable transfer restrictions, government notifications, contractual controls, and security safeguards.
UK representative assessment: if Gateway EduConnect is not established in the United Kingdom but becomes subject to UK GDPR because it offers services to individuals in the UK or monitors their behaviour, Gateway EduConnect will assess whether Article 27 UK GDPR requires appointment of a UK representative. If required, the representative name and contact details will be inserted into this policy and made available to individuals and the ICO. If Gateway EduConnect concludes that the Article 27 exception applies, the assessment should be documented internally and reviewed when UK-facing activities change.
13. Security and confidentiality measures
- role-based access so only authorised staff can access student records needed for their work;
- multi-factor authentication for key systems where available;
- encryption in transit and at rest where supported by the platform;
- secure CRM and cloud storage with access logs where available;
- restricted handling of passports, financial evidence, visa records, and special category data;
- staff confidentiality obligations and privacy training;
- vendor due diligence for core systems that process personal data;
- incident response procedures for suspected personal data breaches;
- secure deletion, redaction, or anonymisation when data is no longer needed.
Personal data breach procedure: Gateway EduConnect will maintain an internal breach escalation process for suspected accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data. Staff and vendors must escalate suspected incidents promptly to the Data Protection Lead. Gateway EduConnect will assess the nature of the data, affected individuals, likely risk, containment steps, and notification duties.
Where required by law, Gateway EduConnect will notify affected individuals and relevant regulators of reportable personal data breaches. Where UK GDPR applies, reportable breaches will be assessed against the ICO notification threshold and, where required, notified without undue delay and where feasible within 72 hours of becoming aware. Where Indian law applies, Gateway EduConnect will follow applicable DPDP Act/rules and any Data Protection Board or sectoral reporting requirements.
14. Data retention
Gateway EduConnect keeps personal data only for as long as necessary for the purpose collected, unless a longer period is required or permitted by law, contract, tax, audit, immigration, complaint handling, legal claim, or institution-specific requirements. Where an institution has a published retention schedule that applies to an application, Gateway EduConnect will align its handling with that schedule where it is legally and operationally applicable.
| Record type | Retention period | Criteria and notes |
|---|---|---|
| General enquiry records | Up to 12 months from last meaningful interaction, unless converted to an active counselling/application record or a longer period is specifically justified and documented. | Covers basic enquiry forms, initial messages, event enquiries, and non-engaged leads. Delete or anonymise earlier where no longer needed. Do not keep dormant enquiry records simply for future marketing. |
| Marketing preference records | Active marketing permission is retained only while consent or a valid marketing permission remains in force. Suppression/opt-out records are retained only as long as needed to prevent unwanted marketing and evidence compliance. | When a person withdraws consent or objects, stop marketing without undue delay, update CRM/campaign systems promptly, and keep only minimal suppression details such as contact identifier, date, channel, and opt-out source. |
| Counselling and onboarding records | Up to 2 years from last interaction if the student does not proceed to application, unless legal/complaint needs require longer. | Includes counselling notes, preferences, basic academic profile, appointment records, and service discussions. |
| Application records held by Gateway EduConnect | Up to 6 years after the relevant application cycle closes, student relationship ends, or final service is completed, unless a shorter institution-specific schedule applies or longer legal retention is required. | Includes application forms, transcripts, SOPs, CVs, English test results, offer documents, admissions communications, and related records. Where partner universities impose longer or shorter legally required retention periods, Gateway EduConnect may retain application records in line with the applicable institutional retention schedule. |
| Unsuccessful UK/Berlin university applications where the relevant university schedule requires it | Follow the relevant institution schedule. Where a confirmed UK/Berlin university schedule requires it, unsuccessful application records may be retained for 1 year and successful student records for 6 years. | Use only where confirmed by the relevant institution privacy notice, retention schedule, portal terms, or written instruction. The applicant will be directed to that institution notice before submission. |
| Other university applicant records where institution schedule requires six years irrespective of outcome | Follow the relevant institution schedule, including six years irrespective of outcome where the institution requires that retention period. | Maintain a partner retention and privacy-notice matrix. Where there is a conflict, escalate to the Data Protection Lead before extending retention beyond Gateway EduConnect default periods. |
| Visa, financial, payment, tax, invoice, commission, and audit records | Up to 7 years after the end of the relevant financial year or transaction, unless a longer period is legally required. | Retained for tax, audit, accounting, anti-fraud, contract, and regulatory purposes. Sensitive financial evidence should be redacted or segregated where full copies are no longer necessary. |
| Complaint, dispute, legal claim, DSAR, and regulatory records | Up to 6 years after closure, or longer where litigation, investigation, or legal obligation requires. | Retained to evidence response, legal rights, compliance, and accountability. |
| Website analytics and cookie data | According to the cookie banner, analytics tool settings, or consent management platform, normally using the shortest practical period. | Non-essential analytics/advertising cookies require appropriate consent where applicable. |
| Security logs and access logs | Normally 6 to 24 months unless needed for incident investigation, legal claim, or security compliance. | Retained for system security, audit, and incident response. |
| Partner, supplier, and adviser records | Up to 7 years after the relationship or contract ends, unless law or disputes require longer. | Includes contracts, invoices, due diligence, commission records, and compliance correspondence. |
If exact retention periods are not specified, Gateway EduConnect will decide retention using documented criteria: purpose of processing, necessity, limitation periods, tax/audit requirements, immigration or regulatory requirements, institution instructions, complaint risk, sensitivity of the data, and the feasibility of anonymisation.
Gateway EduConnect will maintain a retention matrix that records enquiry retention, marketing consent and suppression retention, counselling/onboarding retention, active application retention, unsuccessful applicant retention, successful applicant retention, financial/visa/tax retention, complaint/legal retention, and partner-specific university schedules. Deletion may include secure deletion, anonymisation, redaction, return to the applicant, or restricted archival storage where deletion is not immediately possible for legal or technical reasons.
15. Individual rights
Depending on the applicable law and Gateway EduConnect's role as controller or processor, individuals may have the following rights:
| Right | What it means | How Gateway EduConnect handles it |
|---|---|---|
| Right to be informed | Know how personal data is collected, used, shared, retained, and protected. | Provide this policy and relevant institution notices before or at the time of application submission where applicable. |
| Right of access | Request confirmation whether personal data is processed and obtain a copy. | Respond within applicable statutory timelines after identity verification. |
| Right to rectification | Correct inaccurate or incomplete personal data. | Correct without undue delay and notify relevant recipients where required. |
| Right to erasure | Ask for deletion where data is no longer needed, consent is withdrawn, or no overriding lawful basis exists. | Delete where applicable, but may retain data needed for legal, audit, tax, regulatory, complaint, contractual, or institution requirements. |
| Right to restrict processing | Limit use of data while accuracy, legality, objection, or claim issues are assessed. | Store but stop active use where legally required, except for permitted purposes such as claims or consented processing. |
| Right to data portability | Receive certain data in a structured, commonly used, machine-readable format or ask for transfer to another controller. | Provide applicable data in CSV, PDF, or another reasonable format where the right applies. |
| Right to object to processing | Object to processing based on legitimate interests. | Assess the objection and stop unless Gateway EduConnect demonstrates compelling legitimate grounds or needs the data for legal claims. |
| Right to object to marketing | Object to direct marketing at any time. | Stop direct marketing promptly and update suppression/marketing lists without undue delay. |
| Right to withdraw consent | Withdraw consent where processing is based on consent. | Stop consent-based processing from that point, without affecting prior lawful processing. |
| Rights about automated decisions | Request human review where a significant automated decision is made. | Gateway EduConnect does not make solely automated significant decisions; human review is available for automation-assisted classifications. |
| Right to complain | Complain to Gateway EduConnect and, where UK GDPR applies, to the UK Information Commissioner's Office. | Investigate complaints fairly and provide ICO details in this policy. |
16. How to exercise rights or contact us
To exercise a privacy right, ask a question, withdraw consent, object to marketing, request human review of an automated classification, or make a complaint, contact:
| Contact item | Details |
|---|---|
| Privacy contact / Data Protection Lead | [Insert name/title] |
| Email | [Insert privacy email address] |
| Postal address | [Insert registered office address] |
| Phone / WhatsApp | [Insert official number] |
| Suggested subject line | Privacy Rights Request - Gateway EduConnect |
Gateway EduConnect may ask for proof of identity before releasing, correcting, deleting, or transferring data. We will respond within the statutory period that applies to the request. Under UK GDPR, this is usually one month, with a possible extension of up to two further months for complex requests. If we act as a processor for a university, we may need to forward the request to the relevant university controller and assist that controller in responding.
17. Complaints and supervisory authorities
Gateway EduConnect encourages individuals to contact us first so we can investigate and resolve privacy concerns. Where UK GDPR applies, individuals also have the right to complain to the UK Information Commissioner's Office:
- Website: https://ico.org.uk/make-a-complaint/
- Main website: https://ico.org.uk/
- Telephone: 0303 123 1113
- Postal address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom.
Where Indian data protection law applies, individuals may also have remedies before the relevant Indian authority once the applicable mechanism is operational and applicable to the processing.
18. Cookies, website analytics, and electronic marketing
Gateway EduConnect may use strictly necessary cookies to operate its website and optional cookies or similar technologies for analytics, performance, advertising, or personalisation only where permitted by applicable law and user choices. Where required, the website will present a cookie banner or cookie settings tool before any non-essential cookies are set. The banner or tool will separate essential and non-essential cookies and record consent choices where required.
Cookie policy rule: Gateway EduConnect should maintain a separate Cookie Policy or Cookie Notice that lists cookie categories, purposes, providers, duration, consent controls, and how users can change preferences. Non-essential analytics, advertising, tracking, or personalisation cookies should not be deployed until valid consent is obtained where PECR or other applicable rules require it.
Gateway EduConnect will send electronic marketing only where it has a valid consent or another lawful route permitted by applicable marketing rules. Every marketing email, SMS, or WhatsApp campaign will include a practical opt-out route. If a person opts out, withdraws consent, or objects to direct marketing, Gateway EduConnect will stop direct marketing promptly and update CRM suppression records without undue delay.
Gateway EduConnect will use AI-enabled voice calls only where permitted by applicable law and only for service-related enquiry follow-up, counselling preparation, profile pre-qualification, appointment scheduling, document-checklist support, or consent-based promotional communication. Where an AI-assisted call is used for marketing or promotional outreach, Gateway EduConnect will rely on a valid consent or another lawful route permitted by applicable electronic communications rules. Individuals may opt out of automated or AI-assisted calls at any time, and Gateway EduConnect will update its CRM, call lists, and suppression records without undue delay.
Marketing retention rule: when a person withdraws consent, opts out, or objects to direct marketing, Gateway EduConnect will stop marketing to that person without undue delay, update CRM and campaign tools promptly, and retain only the minimum suppression record needed to honour the opt-out and demonstrate compliance. Consent logs and preference records will be retained only for compliance evidence and will not be used to continue marketing after withdrawal or objection.
19. Children and guardians
Gateway EduConnect primarily supports students applying to higher education. Where a student is under 18 or another age threshold under applicable law, Gateway EduConnect may need parent or guardian involvement, consent, or authorisation for certain services. We will process children's data with additional care, collect only what is necessary, avoid unnecessary marketing to children, and apply stronger safeguards for sensitive or welfare-related data.
For under-18 applicants, Gateway EduConnect will use age-appropriate communication, restrict access to minor records, involve parents/guardians where required, and share welfare or safeguarding information only where necessary and lawful. If a university, pathway provider, accommodation provider, or sponsor requires a separate minor consent form or safeguarding declaration, Gateway EduConnect will collect or facilitate it before submission where applicable.
20. Accuracy and applicant responsibility
Applicants must provide accurate, complete, and lawful information and must not submit forged, misleading, incomplete, or third-party documents without authority. Gateway EduConnect may verify completeness and consistency but does not guarantee admission, visa grant, scholarship, accommodation, or employment outcomes. Universities and government authorities make their own decisions according to their rules and privacy notices.
21. Changes to this policy
Gateway EduConnect may update this policy when services, laws, partners, systems, retention practices, or data flows change. The latest version should be published on the Gateway EduConnect website with an effective date. Material changes should be highlighted where appropriate and, where required by law, individuals should be notified directly.
22. Internal implementation checklist before publication
| Action | Owner | Status |
|---|---|---|
| Confirm full legal entity name, registration details, address, official privacy email, phone number, and Data Protection Lead. | [Gateway EduConnect] | Required |
| Create a partner university privacy notice link matrix and attach the relevant link at application time. | [Admissions / Compliance] | Required |
| Confirm current CRM, WhatsApp, email, cloud, website, analytics, telephony, and payment vendors and add them to vendor records. | [IT / Operations] | Required |
| Prepare a retention matrix by record category and university-specific schedules. | [Compliance / Operations] | Required |
| Document legitimate interests assessments for CRM, analytics, service improvement, security, and non-marketing communications. | [Compliance] | Required |
| Document AI/automation use cases and prohibit unapproved AI uploads of passports, financial, visa, and sensitive data. | [Management / IT] | Required |
| Review cookie banner and marketing consent/opt-out workflows. | [Marketing / IT] | Required |
| Set a DSAR and complaint handling workflow with response timelines, identity checks, and escalation rules. | [Compliance / Data Protection Lead] | Required |
| Ensure contracts with service providers contain confidentiality, security, processor, subprocessor, retention, deletion, and transfer clauses. | [Legal / Procurement] | Required |
| Have the final policy reviewed by qualified legal counsel before website publication. | [Management] | Required |
| Add exact legal entity, registered office, operational office, privacy email, direct phone/WhatsApp, website, and Data Protection Lead details before publication. | [Management / Compliance] | Mandatory before publication |
| Document Article 27 UK representative assessment and appoint/identify UK representative if legally required. | [Management / Legal] | Required |
| Publish or implement a separate Cookie Policy and consent management process for non-essential cookies. | [IT / Marketing / Compliance] | Required |
| Document breach escalation, assessment, and notification workflow for UK GDPR/DPDP and contract reporting duties. | [Data Protection Lead / IT] | Required |
| Document AI vendor controls confirming no applicant data is used for unrelated model training. | [IT / Compliance] | Required |
23. Final publication controls
This policy must not be published with unresolved placeholders. Before use, Gateway EduConnect must complete the legal entity table, confirm all vendor and institution lists, verify the retention matrix against actual university agreements, check cookie and marketing workflows, and ensure staff are trained to follow the operational controls stated in this policy.
24. Drafting references and source alignment
This draft was prepared to address the topics identified in the uploaded UK-company sample checklist and analysis table, including AI disclosure, automated decision-making, controller/processor roles, data categories, sharing, data subject rights, complaints, lawful bases, marketing, and retention. It also reflects official guidance themes from the UK Information Commissioner's Office on privacy information, lawful basis, direct marketing, automated decision-making, and international transfer safeguards, plus the Indian Digital Personal Data Protection Act, 2023 and related rules where applicable.
- ICO guidance: lawful basis, privacy information, direct marketing and PECR, automated decision-making, and international transfer safeguards.
- UK GDPR Article 22 and Chapter III individual rights principles.
- Digital Personal Data Protection Act, 2023 and applicable Indian DPDP rules/guidance.
- Uploaded UK-company checklist and detailed compliance table used as the structural benchmark.
Previous Privacy Policy
At Gateway EduConnect, we are committed to protecting the privacy and confidentiality of our students and users. This Privacy Policy outlines how we collect, use, and safeguard your personal information in accordance with applicable laws, including the Information Technology Act and the Digital Personal Data Protection (DPDP) guidelines.
A. Why Do We Collect Personal Information?
Your personal information helps us guide you more effectively. To provide expert education consultancy and placement services, we use the information you provide to safeguard and promote the welfare of students and facilitate their access to global universities. This data also allows us to provide relevant web content and advertisements, measuring the effectiveness of our outreach. We may also use your information to make tailored recommendations regarding educational services that align with your career goals.
B. What Information Do We Collect, and How Do We Use It?
Information you provide:
In our first interaction, we will try to understand your unique educational and career requirements. During the registration for certain site features, we ask for comprehensive basic information including your full name, email address, date of birth, contact information, academic background, and other pertinent personal data. This data helps us to provide more effective, personalized counseling services to you.
Cookies:
On our website, we collect non-personal data about visitors to develop a general overview of our platform's reach. These statistics include data on how many visitors have accessed specific pages, the type of browser used to view the site, and the specific navigational paths taken through it. Under no circumstances can an individual be personally identified through these statistics alone.
Cookies are small text files that help our servers identify your computer, though they do not reveal your personal identity. By placing cookies on your computer, we are able to customize, optimize, and enrich your visit to Gateway EduConnect. The functionality of cookies can be disabled using your browser's settings if you do not wish to utilize this facility. However, please be aware that you may encounter performance issues or find that certain services and features are unavailable if cookies are disabled.
Log Information:
Each time you visit the Gateway EduConnect website, our servers automatically record the information your browser sends. This "Log Information" may include your specific web request, your IP address, the type of browser you are utilizing, the language of your browser, the date and time of your request, and one or more cookies that help in uniquely identifying your browser session.
User Communications:
Whenever you communicate with us—via email, contact forms, or chat—we may retain those communications in order to process your inquiries, respond to your questions, address your requests, and enhance our service offerings. Maintaining these records ensures we provide you with a consistent and high-quality experience every time you interact with our brand.
Links:
Links on our website may be displayed in a manner that allows us to track whether these links have been followed. We use this information to improve the quality of our personalized content and layout. Some links may direct you to external websites. If you visit another website, please be aware that their privacy policies may differ significantly from ours. Gateway EduConnect is not responsible for the privacy practices or the content of external sites. Once you leave our domain, we strongly urge you to review the privacy statements of each and every site you visit. Our Privacy Statement applies exclusively to information collected on our website.
Alerts:
By understanding your personal preferences and educational goals, we are able to identify which services will most benefit your career. Consequently, we may send alert messages through email or phone to inform you about new services, university deadlines, or scholarship opportunities that align with your profile.
Public Forums:
You share certain information on our platform at your own risk. This includes comments, messages, and the posting of photos in open forums, discussion boards, or blog comment sections. Any information you include in your profile or when posting on our forums could become public and accessible to anyone. We urge you to exercise caution and discretion when disclosing personal details in these public-facing features.
Data Security:
If you use an online feature associated with the payment of fees, we transmit your credit card data to our designated bank to process the transaction. In the event of a payment discrepancy or problem, the information you provided about your order may be reviewed with you and our banking partner. Your credit card information will not be disclosed in any other manner. We do not share your email address or any other sensitive information with unauthorized third parties, and we enforce this policy strictly.
The information collected on our order forms is encrypted to protect credit card information during transmission. The entire Gateway EduConnect website is encrypted to ensure the security of the sensitive information you share with us. However, we acknowledge the inherent risks of the digital landscape and the fact that no computer system is fully secured. Our site and payment partners maintain rigorous security measures that minimize the possibility of security issues to a level appropriate for the data processed.
Protecting your data is our top priority. To achieve this, our security design integrates technical, administrative, and physical safeguards. We adopt a set of comprehensive internal policies that prevent unauthorized access to all data. As part of our commitment to privacy compliance, we ensure that all third parties with whom we share data adopt a reasonable level of security practices and procedures. Gateway EduConnect is not liable for any loss, unauthorized access, or harm resulting from the improper use of your personal information, except in cases of direct and foreseeable harm caused by proven negligence or non-compliance on our part. By using our services, you agree that we shall not be liable to you or any other person for any loss or harm resulting from third-party actions or actions on your part.
C. Information Sharing
We ensure the safety of your data while sharing information with necessary third parties. With the exception of credit card information, any personal information we collect is only shared outside of Gateway EduConnect when the following conditions are met:
- To ensure compliance with all applicable laws, regulations, legal processes, and governmental requests.
- Pertaining to our Terms of Use, including the investigation of possible violations thereof.
- To report, prevent, or resolve fraud, security, or technical issues by identifying and addressing these problems immediately.
- To safeguard our users, property, or safety against imminent harm as required or permitted by law.
We may share non-personal, aggregated information with third parties (such as the number of subscribers for a particular course). This information does not identify any individual.
When you use any feature of our website or register with us, you grant Gateway EduConnect the authority to connect with you through mail or phone. You allow us to send information regarding our services, offers, and current events. Even if you have registered for a "Do Not Disturb" or "Denial of Consent" service, you still grant Gateway EduConnect permission to contact you for up to 365 days from the date of your registration with us.
D. What is the retention period for user data?
Following global data protection guidelines (including GDPR), we retain data only as long as we have a legitimate business or legal need. Our goal is to retain your personal data for no longer than is necessary for the purposes for which it was collected. The length of time we keep personal data depends on the amount, nature, and sensitivity of the information, as well as the potential risk of harm from unauthorized use. We will obtain your explicit consent before sharing your data with any company outside of Gateway EduConnect for marketing purposes. We do not share all data with third parties; we follow a strict set of rules describing the limits of sharing personal information for specified purposes.
E. Grievances or Complaints
The Gateway EduConnect Grievance Officer is available to respond to any concerns you may have regarding the use of your personal information. We assure you that your voice will be heard as soon as we receive your complaint.
Grievance Email:
Contact Phone:
F. Disclaimer
The information we collect from prospective students wishing to utilize our consultancy services is personal and confidential. Information on this website is for general information only and has no connection with other consultancies. The purpose of collecting this information is to provide updates about our services and products. However, we do not represent or guarantee the accuracy of the website's content (written or graphics). The user is solely accountable for the information they provide on our website. Neither Gateway EduConnect nor our associates will be responsible for any loss or damage involved with the use of this website.
G. Data Deletion
Our privacy policy provides you with full flexibility. You may request to remove your details permanently from our records by sending an email with the following format:
Email:
Subject Line: Data Deletion Request <Email-Id of the User>
H. Grievance Redressal
The Information Technology Act gives us the authority to appoint a Grievance Officer to deal with inquiries or complaints.
To raise concerns, please email [Insert Email] or write to us at: [Insert Office Address].
The Grievance Officer will acknowledge your email within 24 hours. We will conduct a thorough investigation and, within 15 days, present you with a solid solution.