Gateway Educonnect Privacy Policy
1. Why are we, and what is the extent of this policy?
Gateway EduConnect is an education counselling and student recruitment agency that helps prospective students with enquiries, counselling, course shortlisting, application preparation, document preparation, submissions to the university portal, visa coordination, post-offer services, and various other student care services. This Privacy Policy describes how Gateway EduConnect gathers, uses, retains, distributes, transfers, safeguards, and disposes of the personal data of students, parents, sponsors, guardians, education partners, channel partners, users of our websites, and other people who engage with us.
2. Standards and laws that this policy targets.
This policy is intended to ensure that it complies with the UK GDPR and Data Protection Act 2018 where processes by Gateway EduConnect involve personal data that is linked to UK institutions or the UK-based recruitment process; the Privacy and Electronic Communications Regulations where electronic marketing and cookies are used; the Digital Personal Data Protection Act, 2023 and Indian rules where Gateway EduConneand ct processes involve digital personal data in India; and contractual obligations as required by partner universities, pathway providers, payment processors, CRM providers, and cloud providers as well as professional advisers.
3. Key privacy principles
Gateway EduConnect applies the following principles of working with personal data: lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage, security, confidentiality, accountability, and respect of personal rights. We never gather personal information on the idea that it would be helpful in the future. Additionally, we've only gathered the data needed to serve the student recruitment, counselling, application, visa support, partnership, compliance, or communication purposes described in this policy.
4. Important definitions
|
Term |
Meaning in this policy |
|
Special category data |
Sensitive data, including health or disability data, is handled in accordance with accommodation, university support, welfare, complaint management, visa medical needs, or any other legal reason and with supplementary security provisions. |
|
Personal data |
Information that relates or might relate to the identity of an individual, such as name, passport details, contact details, academic records, applications, financial sponsorship, and communications information. |
|
Processor |
An organisation that is processed in documented instructions by another controller is called an organisation. Gateway EduConnect can serve as a processor, preparing, formatting, verifying, or uploading the documents of a selected applicant on behalf of a partner university or pathway provider, at the institution's direction. |
|
University/education partner |
A university, college or pathway provider, language school, training provider, accommodation provider, support provider and admissions platform that was used in the application journey chosen by the student. |
|
Controller |
A company that makes decisions about the processing of personal data, why and how it is done: Gateway EduConnect serves as a controller to our own counselling, CRM, onboarding, compliance efforts, and business administration. |
|
UK GDPR rights request |
A request to receive, delete, rectify, limit, transfer, object to, or otherwise exercise privacy rights regarding personal data. |
5. We are data controllers, data processors, and may also be joint controllers.
5.1 Data controller Gateway EduConnect.
- Accepting email, WhatsApp, telephone, event, social media, walk-in inquiries, and referrals
- Maintaining and developing CRM databases of possible parents, students, education partners, and sponsors.
- Evaluating the English language, original academic, intake, and course preferences before the selection of a particular institution by a student;
- Offering counselling, updates on the intake, appointment notices, service updates, application assistance, and document checklists
- Organising marketing preferences, invitees to webinars, newsletters, consent records, and event registration;
- Lead allocation, running internal reporting, audits, service quality monitoring, fraud prevention, complaint handling, legal compliance, and security.
5.2 Gateway EduConnect as the processor of data.
After an applicant has chosen a particular university or partner in education and requested that Gateway EduConnect process an application or prepare application files on the applicant's behalf, Gateway EduConnect may handle that aspect of processing on behalf of that institution. In that role, we only act on personal data as documented within the institution in the documented instructions, the data processing agreement, the admissions portal instructions, and the published privacy notice. This could involve compiling academic documents, confirming the submission and transfer of files, answering admissions questions, and sending necessary supporting files.
5.3 Joint controller situations
Under certain circumstances, there can be collaborative decisions regarding the purposes and methods of processing between Gateway EduConnect and a partner in the education sector, such as co-branded events, shared CRM campaigns, shared applicant follow-up processes, or shared recruitment fairs. Where this occurs, Gateway EduConnect will draft a written agreement specifying duties regarding privacy notices, personal rights, security, retention, and a complaint policy.
6. Personal data we collect
|
Category |
Examples |
Typical source |
|
Contact data |
Emergency contact number, Postal address, email address, WhatsApp number, or mobile number. |
Parent/guardian, Student, online form, referral form, communication history, and events |
|
Identity data |
Full name, first name, DOB, gender, nationality, government ID details, and passport. |
Parent/guardian, Student, identity documents, sponsor, and application forms. |
|
Employment and profile data |
Work experience, CV, internships, preferred country/ your course/ selected intake/ your budget, SOP, career goals, professional qualifications, and portfolio. |
Student, counsellor notes, and Application forms. |
|
Application data |
Institutions, nominated courses, application records (including admissions portal), application status, CAS or similar records, offer letters, accommodation preferences, and scholarship records. |
Gateway EduConnect applications, Student, universities, and pathway applications. |
|
Visa and immigration support data |
Passport copies, Past visa history, visa refusal data, a record of the travel history (where needed), CAS or similar records, appointment records, and visa checklist records. |
Student, visa forms, University records, Gateway EduConnect counsellor notes. |
|
Communication data |
WhatsApp messages, call notes, meeting notes, chat transcripts, appointment history, webinar questions, complaint records, feedback, consent and opt-out records, and email. |
Direct communication, CRM, communicating platforms, and event systems. |
|
Partner and business contact data |
Position, Paperwork email (Work), institution, contract history, company address, invoices, onboarding paperwork, and commission history. |
Partner in Business, channel partner, institution, professional adviser, public sources. |
|
Academic data |
Transcripts, Records, marksheets, predicted marks, certificates, backlogs, English language scores, grading scales, academic references, and their records in school/college/university. |
Student, institution of issuance, test organisation, education partner, uploaded documents. |
|
Financial and sponsorship data |
Status of fee payment. Fee receipt. Fee receipts, sponsorship letters, bank statements, or financial documents are required to submit for admissions, pre-CAS, visa, or scholarship evaluation. |
Application forms (student, parent, sponsor, bank), university or payment records. |
|
Special category data |
Health, Disability, medical, welfare, support information, or accessibility or where needed, relating to support services, medical visa requirements, accommodations, safeguarding, legal requirements, or complaints. |
Parent/guardian, Student, medical/support documentation, university support teams. |
|
Technical and website data |
Device/browser information, IP address, cookie identifiers, form submission information, visited web pages, enable events, and security logs with analytics. |
Internet, cookies, data gathering tools, and security programs. |
Gateway EduConnect does not gather any personal information on an unnecessary basis. When we are provided with too many documents, or sensitive information that is not relevant to us, then we will reduce, black out, send back, destroy or tighten the access to such information, where necessary.
6.1 Special health, welfare, visa-health, and disability category of data.
Gateway EduConnect handles special category data only when strictly required, due to a specific purpose, like disability support at the university, reasonable adjustments, welfare support, accommodation support, visa medical requirements, complaints management, protection, or legal requirements. Processing of such information is done where it is absolutely necessary and to authorised personnel with a legitimate purpose of operation.
Examples could be disability data, healthcare or welfare data that an applicant voluntarily submits, health-related visa data or data required by a university support staff. We will not ask wide medical histories where a more specific document suffices, and we will censor, isolate, limit or delete sensitive data where it is not needed.
6.2 Children, children under 18, parents and guardians.
Gateway EduConnect can assist applicants who are below 18, pathway/foundation applicants or applicants who need parent, guardian or sponsor support. Grounded in the law or required by the institutional regulations, the safeguarding expectation, service necessity, the Gateway EduConnect will collect or submit minor applicant data by obtaining or verifying parent/guardian involvement or permission as needed by such law or institution regulation. We will proactively avoid subjecting children to unnecessary direct marketing, and we will take extra precautions regarding the identity material, welfare data, contact information and messages with minors.
In cases where safeguarding, welfare, emergency-contact, accommodation or student-support matters come into play, Gateway EduConnect can disseminate the minimum information required by the appropriate institution, parent/guardian, sponsor, authority or professional adviser where there is an appropriate lawful basis, and there is an operational necessity.
7. Reason why we process your personal data and the law.
The following table mirrors the key processing purposes with the probable basis that is lawful according to the UK GDPR. Where Indian law is applicable, the Gateway EduConnect will also address the existence of a legal basis of the analysis of applicable Indian data protection legislation, such as consent or valid purpose, where applicable.
|
Processing purpose |
Examples |
UK GDPR lawful basis |
|
Student counselling and profile assessment |
Evaluation of academic profile, English scores, work experience, budget, preferences, eligibility and documentation requirements. |
Performance of a contract or pre-contract steps that are requested by the student in article 6(1)(b). |
|
Responding to enquiries and arranging counselling |
Making calls to potential students, appointments, resolving course/country/intake queries, and developing a CRM enquiry system. |
Article 6(1) (b) precedes the conclusion of a contract; Article 6(1)(f) legitimate interests essential to the basic management and administration of the services. |
|
University-side application processing |
Partner university evaluates and materials application, confirms eligibility, offers CAS or other documents, and maintains student records. |
Article 6(1)(b): Universities usually apply it: processing must occur at the request of the applicant so that steps can be taken before concluding the student contract, and the university has its own privacy statement. |
|
Visa support coordination |
Making checklists, organising documents, communicating with institutions regarding CAS or similar documents, and recapping the results of visas where necessary. |
Article 6(1)(b) service delivery; Article 6(1)(c) legal obligation where necessary; Article 6(1) f legitimate interests in accurate records and compliance. |
|
Service communications |
Reminders of appointments, document reminders, document missing notices, application status, and updates. |
Article 6(1)(b) steps relating to contract/pre-contract/ Article 6(1)(f) legitimate interest in the delivery or supply of the requested service. |
|
Improving services and analytics |
In-house quality controls, review of counsellor performance, analysis of the website, workflow enhancement of CRM, and reporting. |
Article 6(1) (f) legitimate interests, which are backed up by a documented legitimate interests assessment and safeguards. |
|
Tax, Legal, regulatory compliance, and audit |
Accounting logs, bills, complaint log, regulatory requests, litigation, audit trail, breach reporting. |
Article 6(1)(c) legal obligation; Article 6(1)(f) legitimate interests in the process of defence of claims and keeping of accountable records. |
|
Preparing and submitting applications |
Submission of application forms, uploading of application form documents in the university web portals, communication with the admissions teams, and monitoring of the application status. |
Article 6(1)(b) performing the steps of contract/pre-contract; acting on behalf of a university, acting in line with the instructions of the university controller and on the basis of Article 6. |
|
Identity, document, and accuracy checks |
Ensuring the completeness, consistency, and absence of fraud indicators, as well as the absence of similar names, duplicate applications, or requirements in the admissions portal. |
Article 6(1)(b) of providing the service; Article 6(1)(f) of having legitimate interests in accuracy and fraud prevention, Article 6(1)(c) of a legal obligation existing in a situation where a particular law mandates checks. |
|
Special category data for support needs |
Assembling disability, medical, accommodation, welfare or accessibility information to support the university or visa medical needs. |
Article 6(1)(b) or 6(1)(c) together with Article 9 conditions, such as explicit consent, substantial public interest and legal claims, according to the specific circumstances. Gateway EduConnect will implement the fewest conditions to be met and more stringent protection. |
|
Marketing communications |
Newsletters, the updates about the course offer, webinar, event campaign, offer of Gateway EduConnect or chosen education partners. |
Consent on the basis of PECR/electronic marketing regulations, namely Article 6(1)(a) consent or Article 6(1)(f) legitimate interests, must be in line with what is lawful and appropriate. You can opt out at any time. |
|
Security and fraud prevention |
Account controls, access logs, MFA, incident investigation, and the prevention of misuse and suspicious activity. |
Article 6(1)(f) legitimate interests; Article 6(1)(c) where there is a legal requirement to report or uphold its compliance. |
8. Legitimate interests assessment summary
In cases where Gateway EduConnect is dependent on legitimate interests, we use a three-part test:
- Purpose test: the processing has to be in support of an authoritative business, service, safety, anti-fraud, quality, security, communication or compliance purpose related to education, counselling and student recruitment.
- Necessity test: the purpose is not possible to be fulfilled in a less obtrusive manner, and only the least amount of personal data is acted upon.
- Balancing consideration: Gateway EduConnect considers a weighing between its interest and the rights, expectations, age, vulnerability, relationship to us, sensitivity of the data and the impact on the individual. Our defences include access controls, minimisation of data, opt-out, audit trail, human review and retention limits.
9. Automated profiling, AI, decision making, and automation.
9.1 AI usage disclosure
Very little automation can be deployed by Gateway EduConnect, and it can automate certain tools with AI providers, permitting them to be deployed internally by satisfying the organisation's administrative requirements. This can involve assignment of CRM leads and scheduling of intake reminders, detection of duplicate records, use of document checklists, translations, non-final communications drafting and internal service analytics. Gateway EduConnect will not employ AI to come up with final admissions, visa, scholarship, eligibility or rejection decisions regarding a student.
Approved AI-enabled voice calling or conversational automation tools can also be used by the Gateway EduConnect to call prospective students who have enquired, registered for counselling, attended an event, or otherwise provided contact information to enable follow-up by the Gateway EduConnect. Such AI-assisted calls can be exploited to gather the area of interest of the student, the place of study they want to pursue their studies, course level, admission date, their budget level, their academic background, their English language status, their work experience, their visa-history indications, and other high-level eligibility criteria required in preliminary counselling. This is to channel the enquiry to the right counsellor, prepare a human counselling session, save on habitual data collection, and conduct the preliminary profile pre-qualification.
There are no final admissions, visa, scholarship, financial, offer, rejection, or counselling decisions made by AI-enabled voice calls. Any pre-qualification, score, tag, transcript, summary and recommended next step generated as a result of an AI voice interaction is considered an internal administrative expression and needs to be checked by entitled Gateway EduConnect personnel before any advice, application submission or recommendation is provided to the student. Students can seek human consideration, have them call them on the phone, correct their calls, prohibit automated profiling, or choose not to use artificial intelligence to make calls using the contact privacy information in this policy.
By providing a tool that utilises personal data, which includes an AI tool, we will further make certain that it is utilised solely on intended functions that have an adequate lawful foundation, security audits, and controls, human supervision, vendor due diligence and data reduction by making sure that the vendor provides sufficient information in the latter statement. We will not knowingly post special category information, scans of passports, bank statements, or records of visa refusals into unrestricted or untrained AI applications.
ReadyPrev applicant personal data does not undergo training in public AI models, nor does it allow vendors to utilise uploaded applicant data to train unrelated AI models, all by Gateway EduConnect. Outputs based on AI will require trained personnel to verify them before implementation in counselling, preparing applications, reviewing documents or communicating with students. Human staff is still responsible for end advice, actions on applications and communications.
9.2 Automated decision-making disclosure
Gateway EduConnect does not engage in automation of decision-making, which results in legal effects or any other profound effects on individuals. There are further applications, such as automated workflows, we can use to sort enquiries, route leads to counsellors, find missing documents, compare basic profile information with freely available or offered by the institution entry information, or give reminders. These processes are only administrative aids.
All critical evaluations, such as the appropriateness of a course, advice on the admissions process, intensification of an ineligible profile, a final decision to submit an application, complaint response, and other individual decisions impacting service delivery, are all human reviewed by Gateway EduConnect staff. Contacting the privacy contact noted in this policy can enable the students to request human review, appeal an automated classification, give more information, and seek an explanation.
10. Privacy notices of universities and partners.
When Gateway EduConnect discloses the personal data of an applicant to a university, college, pathway provider or other education partner, the applicant shall be shown or emailed the privacy notice of the relevant institution and shall be shown the link where Gateway EduConnect exercises control over the workflow of submission before or at the time of submission. Gateway EduConnect will issue the corresponding link of a notice in the following ways:
- Within the application form or consent/authorisation form;
- In the email confirmation or a WhatsApp message of the application;
- Through the majority of the Gateway EduConnect application portal or CRM consent screen;
- Via the official admissions portal of the institution, prior to submitting it;
- In an upheld internal table of partner privacy notice links utilised by counsellors.
In case an institution changes its privacy notice, the Gateway EduConnect will make reasonable efforts to change the link in its records. The applicants, too, are expected to read the privacy notice posted on the official site of the institution since the institution has the power to decide on how it manages the information regarding the applicant once it receives the application.
Operational rule: prior to any application being registered via a university portal, or forwarded to an education partner, the counsellor, or admissions officer, should make a record of the applicant having been made aware of the corresponding institution's privacy notice link or having been told of the official institution's privacy notice. In cases where the institution has a portal notice of its own, the Gateway EduConnect can use the portal notice without further evidence of the route of linkages or submission, but must retain evidence of such routes.
11. Who we share personal data with
|
Recipient category |
Introduction of the purpose of sharing |
Safeguards/limits. |
|
Universities, colleges, and pathway providers |
Admissions assessment, processing offers, scholarships, CAS or other documents, accommodation, student support and supplementary services at the student's choice. |
The shared assumption is that there is a need to do so/use. Privacy of the institution should be given. Where applicable, data sharing agreements/ portal terms are applicable. |
|
Admissions portals/education technology vendors |
Vaulting applications, document management, tracking, communications. |
The access controls and the contract terms, the encryption (where possible), and the minimum necessary data. |
|
CRM, email, SMS, WhatsApp, telephony, cloud, IT, web, analytics and automation providers |
Response to enquiries, messages, reminders, document process, security, analytics and records. |
Our contracts with processors, obligations of confidence, limited access, safeguards and our review of vendors, deletion/return policies. |
|
Visa support services and professional service advisors |
Visa paperwork services, compliance check, legal or professional advice, where necessary or requested. |
disclosed only as required to provide the service, legal compliance or handling of claims. Professional confidence requirement as appropriate. |
|
Banks, Payment processors, accountants, tax advisers, and auditors. |
Refunds, Fee processing, invoices, accounting, commission, financial reporting, and audit. |
Inadequate financial documentation, legal/audit custody, confidentiality and professional responsibility. |
|
Compliance with legal regulations, government, law enforcement, UKVI or similar, |
immigration/regulatory reporting, fraud prevention, complaints, inquiries, legal claims, and data breach reporting. |
Sharing would occur only where there is a legal or reasonably necessary need, limited to the minimum necessary information. |
|
Channel partners, referral partners, events partners |
Referral tracking, event follow-up, and student support where the student has interacted with such partners. |
Contractual, confidentiality, less sharing of data, and consideration of marketing preferences. |
|
Potential business lookers and inheritors |
Overhaul of business, merger, acquisition, due diligence, and continuity of services. |
Confidentiality, limited disclosure, due diligence protection, notice, where not legal. |
12. International transfers
Personal data in Gateway EduConnect can be transferred between India, the United Kingdom, and the European Economic Area, and other countries where the institutions of choice, pathways providers, customer relationship management providers, cloud computing platforms, communication services, or professional consultants are based. International transfers can only be made for the following reasons, as explained in this policy: application processing, counselling, admissions communications, visa support, technology hosting, or compliance.
In the event of UK GDPR transfer regulations, as well as the personal data transferred out of the UK to another country lacking an adequacy regulation, Gateway EduConnect will employ relevant protection measures where necessary, including the UK International Data Transfer Agreement, UK Addendum to the EU Standard Contractual Clauses, data processing agreements, a risk transfer evaluation of the transfer, encryption, access controls and minimisation. Where the Indian law would lead us, Gateway EduConnect will adhere to any possible restrictions on transfer, government notices, contractual controls and security measures.
UK representative evaluation: In the event that the Gateway EduConnect is not operational in the United Kingdom but is eligible to UK GDPR due to providing services to individuals in the United Kingdom or observing their behaviour, then the Gateway EduConnect will evaluate whether Article 27(1) UK GDPR mandates that a UK representative be appointed. Should it be necessary, the name and contact information of the representative are going to be woven into this policy and presented to the individuals and the ICO. In case the Article 27 exception is taken into account by Gateway EduConnect, the evaluation should be registered in-house and checked upon alterations of UK-facing operations.
13. Security and confidentiality.
- Role-based access wherein only authorised staff can view student records required in their work;
- Where applicable, key systems must have multi-factor authentication;
- Encryption at rest and in transit, where the platform supported them;
- Protected CRM and cloud storage with access history where possible;
- Limited work with the passports, financial evidence, visa files, and special category information;
- Confidentiality of staff and privacy training;
- Core system vendor due diligence of systems that process personal data;
- Data breaches of suspected personal information;
Personal data breach process: Gateway EduConnect will have a work policy breach escalation procedure regarding potential accidental or illegal destruction, loss, change, unauthorised disclosure of or accessing personal data. Teammates and consultants need to report on any suspected cases to the Data Protection Lead. Gateway EduConnect will determine the type of data, individuals impacted, risk probability, mitigation measures, and notification roles.
Where the law allows, Gateway EduConnect will inform individuals and other regulators who may be affected where reportable personal data breaches have happened. Reportable breaches will be evaluated against the ICO notification threshold where UK GDPR applies and where notified, in accordance with the data breach notification requirement, without undue delay and, where practicable, within 72 hours of learning about it. Where Indian law is in play, DPDP Act/rules will be adhered to at Gateway EduConnect and any Data Protection Board or sectoral reporting.
14. Data retention
Gateway EduConnect retains the personal data no longer than deemed necessary to the purpose collected, unless the period is justified, or permitted by law, contract, tax, audit, immigration, handling complaints, legal action, or requirements of institutions. Where a legal institution has a published retention schedule to which an application pertains, Gateway EduConnect will match its treatment with such a schedule where it is both legally and operationally so.
|
Record type |
Retention period |
Criteria and notes |
|
Marketing preference records |
The right to active marketing is held at the time of consent, or an acceptable marketing permission is still valid. The retention of suppression/opt-out records will just be as long as necessary to avoid undesired marketing and evidence compliance. |
In cases when a person withdraws consent or objects, cease marketing within a reasonable timeframe, revise CRM/campaign systems as soon as possible, and supplement with little or no details about suppression, like contact identifier, date, channel, and opt-out source. |
|
General enquiry records |
Until 12 months of the last significant contact, except on the basis of being moved to an active counselling/application record or otherwise, a longer period may be justified and recorded as such. |
Includes simple enquiry forms, pre-emails, event enquiries and non-engaged leads. Win or delete (where no longer necessary) prior. Not to store retrospective enquiry books merely in anticipation of marketing in the future. |
|
Application records held by Gateway EduConnect |
Until up to 6 years; within any of the following, such as the close of the relevant application cycle, the definition of student relationships or the completion of final service otherwise (unless otherwise indicated in institution-specific schedule or otherwise necessary by law). |
Consists of application forms, transcripts, SOPs, CVs, results of English tests, offer documents, communications of admissions, and related records. Where partner universities have both greater and lesser periods of retention required by law, Gateway EduConnect may keep records of the application based upon the institutional retention schedule. |
|
Other university applicant records where the institution's schedule requires six years, irrespective of the outcome |
Adhere to the institution's schedule, whereby they have six years, regardless of outcome, which is the length of stay requirement in the institution. |
Have a partner retention and privacy notice (matrix). In case of conflict, seek escalation to the Data Protection Leads prospecting, extending retention to the default of Gateway EduConnect periods. |
|
Complaint, dispute, legal claim, DSAR, and regulatory records |
Until 6 years after closure or otherwise, as litigation, investigation or law will necessitate. |
Hold retained to show reaction, legal rights, obedience and responsibility. |
|
Security logs and access logs |
Typically, 6 to 24 months unless it is necessary to investigate an incident, file a legal claim or comply with security. |
Maintained as a system security, audit and incident response. |
|
Counselling and onboarding records |
For 2 years after the last contact, when the student is not going to an application (unless there are legal/complaint requirements to the contrary). |
Counselling notes, preferences and basic academic profile, appointment records and service discussions. |
|
Unsuccessful UK/Berlin university applications where the relevant university schedule requires it |
Adhere to the school schedule. In cases where there is a certified UK/Berlin university schedule, which dictates it, the unsuccessful application records can be kept for a period of up to 1 year and the successful record students for a period of 6 years. |
Retention Schedule, Portal Terms and written instruction: Only used where the applicable institution's privacy notice, retention schedule, portal terms or written instruction confirms its use. Before submitting the application, the applicant will be instructed by that institution. |
|
Visa, financial, payment, tax, invoice, commission, and audit records |
Until the due date of the accounts covering the 7 year in which the financial transaction or transaction occurred, or as specified by law, whichever is later. |
Retained to pay the taxes, audit, account, anti-fraud, contract and regulatory reasons. Sensitive financial documents are to be redacted or segregated, and copies are not needed any more. |
|
Website analytics and cookie data |
The cookie banner, analytics tool settings, or consent management platform generally defaults to the shortest reasonable time. |
Cookies like non-essential analytics /advertising cookies must have the suitable consent where necessary. |
|
Partner, supplier, and adviser records |
To the full extent that the law or disputes mandate the relationship or contract to be longer. |
Covers contracts, invoices, due diligence, commission documents and compliance documents. |
In case no specific retention periods are indicated, the purpose of processing, necessity, limit periods, tax/audit requirements, immigration or regulatory requirements, institution instructions, complaint risk, sensitivity of the data and the practicability of anonymisation are written down as criteria by which Gateway EduConnect will determine retention.
Gateway EduConnect will also keep a retention matrix, which will note the enquiry retention, marketing consent and suppression retention, counselling/onboarding retention, active application retention, unsuccessful applicant retention, successful applicant retention, financial/visa/tax retention, complaint/legal retention, and retention partner-specific university schedules. Deletion can be secure deletion, anonymisation, redaction, returning to the applicant, or limited archival storage when deletion cannot be immediately granted due to legal or technical considerations.
15. Individual rights
Individuals might include the following rights depending on laws that apply and whether or not they are controller or processor through Gateway EduConnect.
|
Right |
What it means |
How Gateway EduConnect handles it |
|
Right of access |
Ask for confirmation that the personal data is processed and to receive a copy. |
Grab your response within statutory deadlines upon identity checks. |
|
Right to be informed. |
Understand how personal information is gathered, utilised, distributed, stored and safeguarded. |
Make this policy and other institution notices available (de NOTE) prior to or at the time of application, as applicable. |
|
Right to erasure |
Request deletion in case of no longer required data, consent is deleted or lacks any other legitimate basis. |
Delete where necessary, but can still have data required due to legal, audit, tax, regulatory, complaint, contract or institution requirements. |
|
Right to data portability |
Get some data in a structured and frequently used machine-readable form, or request that it be transferred to another controller. |
Be able to supply relevant data in a CSV format or PDF (or any other reasonable format) where there is a right to do so. |
|
Right to object to marketing. |
Disapprove of direct marketing any time. |
Immediately, cessation of direct marketing and prompt updating of suppression/marketing lists. |
|
Rights about automated decisions |
Ask a human review in a case where an important automated decision is required. |
Gateway EduConnect does not engage in more automated significant decisions, but human review can be used in the classifications, which are automated with the help of automation. |
|
Right to complain |
Report to Gateway EduConnect and (where relevant) to the UK Information Commissioner’s Office. |
Fair investigation and provision of ICO details: In this policy, investigations would be fair and would include ICO details. |
|
Right to rectification |
False or incomplete personal information. |
Report accurately and on time where necessary and report to where necessary. |
|
Right to restrict processing. |
Use minimal data when the issues of accuracy, legality, objection, or claim are determined. |
Store yet cease active use when legally mandated when not used in a manner permitted by law, e.g. claims or approved processing. |
|
Right to object to processing. |
Make a legitimate interests argument against processing. |
Evaluate the objection and discontinue unless Gateway EduConnect can prove some profound legitimate reasons or requires the data to assert legal claims. |
|
Right to withdraw consent. |
Revoke consent where it is done on the basis of consent. |
End consent-based processing, without impairing previous legal processing. |
16. How to exercise rights or contact us.
To invoke a privacy right, make an inquiry, withdraw consent, marketing objection, automated classification request, human review, or complaint:
|
Contact item |
Details |
|
|
[Insert privacy email address] |
|
Privacy contact / Data Protection Lead |
[Insert name/title] |
|
Phone / WhatsApp |
[Insert official number] |
|
Postal address |
[Insert registered office address] |
|
Suggested subject line |
Privacy Rights Request - Gateway EduConnect |
Gateway EduConnect can provide evidence of identity prior to the release, correction, deletion, or transfer of data. We will react to the statutory period during which the request applies. This normally has a time limit of one month as per UK GDPR and may have an additional two months in case of a complicated request. Assuming that we are a university processor, we might be required to pass the request on to the appropriate university controller and help the controller to respond.
17. Supervisory authorities and complaints.
Gateway EduConnect will urge people to reach out to us initially so that we can enquire and address privacy issues. In UK GDPR-affected areas, it is also the right of individuals to complain to the UK Information Commissioner's Office:
Website: https://ico.org.uk/make-a-complaint/
Main website: https://ico.org.uk/
Telephone: 0303 123 1113
Postal address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, United Kingdom.
In case of the Indian data protection law, any individual can also be remitted to the relevant Indian authority after the relevant mechanism is in place and is applicable to the processing.
18. Electronic marketing, website analytics and cookies.
Gateway EduConnect can only deploy strictly necessary cookies as long as authorised under the relevant legislation and user preferences to facilitate the functionality of its website, and optional cookies or other similar technologies to support its analytics, performance, advertising, or personalisation. The site will have, prior to non-essential cookies being served where necessary, a cookie banner or cookie settings button that will isolate essential and non-essential cookies and document assent decisions where necessary.
Rule on cookie policy: Gateway EduConnect must have a separate Cookie Policy or Cookie Notice that enumerates the types of cookies, cookies used, cookies providers, cookies duration, consent options, and preference changes. Non-essential analytic cookies, advertising cookies, tracking cookies or personalisation cookies, which are not essential, should not be implemented unless there is a valid consent where PECR or equivalent requirements mandate such a course of action.
Gateway EduConnect shall dispatch electronic marketing at any location where it has a valid permission or at any other legitimate pathway that is allowed by the marketing laws. All marketing emails, SMS messages or WhatsApp emails will contain a viable opt-out path. In the event that an individual decides against the direct marketing, and/or withdraws consent or objects to direct marketing, the Gateway EduConnect will promptly terminate direct marketing and update CRM suppression records as soon as possible.
Gateway EduConnect shall only make use of AI-enabled voice calls when it has been permitted by the admissible law and shall be used to make service-related enquiries after follow-up, counselling preparation, profile pre-qualification, arranging appointments, support of document checklists, or when consent communication is required. Where the AI-assisted call is marketed or promoted with the help of promotion, Gateway EduConnect will refer to the valid consent or another legitimate pathway authorised according to the provisions of the electronic communications rules. People have the right to discontinue automated or AI-assisted calls whenever they choose, and Gateway EduConnect will update their CRM, call lists and suppression records without unreasonable delay.
Marketing retention rule: In the case of a person consenting, opting out, or objecting to direct marketing, Gateway EduConnect will cease marketing to that individual without unreasonable delay, update CRM/campaign tools and retain only the minimal suppression record just in time to honour the opt-out and prove compliance. No, the consent logs and preference records will be maintained to serve as evidence to show compliance, and not to carry on with marketing after withdrawal or objection.
19. Children and guardians
Gateway EduConnect subsidies mostly students who are applying to higher education. In cases where a student is below 18 years old or other age limit required by the applicable law, parent consent or approval of some services by a parent or a person may be required by Gateway EduConnect. We will handle children's data with extra care, will only capture such information as necessary, will not engage in marketing to children that will not add value, and will have tougher security measures around sensitive or welfare-related information.
In the case of under-18 applicants, Gateway EduConnect will communicate to applicants in an age-sensitive manner, provide access only to minor records, engage parents/guardians as necessary, and disseminate information regarding welfare or safeguarding where necessary and legal. Where an individual requesting a separate minor consent form or safeguarding declaration is necessary by the university, pathway provider, accommodation provider or sponsor, Gateway EduConnect will gather or support such a declaration before it is sent, where such is a requirement.
20. Accuracy and responsibility of the applicant.
The applicants are required to submit truthful, full and legal information and are not allowed to submit forged information, misleading, incomplete, /third party documents. Gateway EduConnect can confirm the completeness and consistency, but cannot determine admission, visa grant, scholarship, accommodation, or employment. Colleges and government agencies decide independently in their own manner and policy statements about privacy.
21. Changes to this policy
Gateway EduConnect can revise this policy when there are changes in services, laws, partners, systems, retention practices or data flows. The most recent issue is to be released on the Gateway EduConnect site with the effective date. The modifications in materials are to be pointed out where necessary, and in cases stipulated by law, people must be informed personally.
22. Pre-publication internal implementation checklist.
|
Action |
Owner |
Status |
|
Check that the legal entity name is full, registered, address, official privacy email, phone number, and Data Protection Lead. |
[Gateway EduConnect] |
Required |
|
Develop a matrix of privacy notice links by university partners and submit the corresponding link at the time of application. |
[Admissions / Compliance] |
Required |
|
Failover backup up-to-date CRM, WhatsApp, email, cloud, and website, analytics, telephony, and payment vendors and include them in Vendor records. |
[IT / Operations] |
Required |
|
Gather a retention matrix by category of records to be saved and schedule based on the university. |
[Compliance / Operations] |
Required |
|
Determine legitimate interest in CRM, analytics, service enhancement, security and non-marketing communications. |
[Compliance] |
Required |
|
Uses document AI/automation and does not allow the uploading of passports, financial, visa, or sensitive data that is not approved by AI. |
[Management / IT] |
Required |
|
Check cookie banner and marketing consent/opt-out processes. |
[Marketing / IT] |
Required |
|
Establish a DSAR and complaint management process with timelines and response schedules, identity verification, and escalation procedures. |
[Compliance / Data Protection Lead] |
Required |
|
Make sure that contracts with service providers have confidentiality, security, processor, subprocessor, retention, deletion and transfer provisions. |
[Legal / Procurement] |
Required |
|
Seek the advice of a competent legal counsel prior to publication of the website. |
[Management] |
Required |
|
Provide precise legal name, registered location, operating location, privacy email, direct phone/WhatsApp, website and Data Protection Lead information prior to publication. |
[Management / Compliance] |
Mandatory before publication |
|
Document Article 27 representatives of the UK assessment and appoint/identify a representative of the UK when legally necessary. |
[Management / Legal] |
Required |
|
Issue/develop a distinct cookie policy and consent process for non-essential cookies. |
[IT / Marketing / Compliance] |
Required |
|
Improvements to document breach escalation, assessment, and notification process of UK GDPR/DPDP and contract reporting obligations. |
[Data Protection Lead / IT] |
Required |
|
Document AI vendor controls that assure no personal details of applicants are utilised as part of training irrelevant models. |
[IT / Compliance] |
Required |
23. Final publication controls
Unresolved placeholders should not be published with this policy. The Gateway EduConnect needs to fill the legal entity table, ensure all lists of vendors and all institutions, validate the retention matrix with regard to the actual university agreements, check cookie and marketing processes, and also ensure that staff are trained to adhere to the operational controls mentioned in this policy before using it.
24. Writing references and alignment of sources.
This draft has been prepared based on the identified topics in the uploaded UK company sample checklist and analysis table, such as AI disclosure, automated decision-making, the role of controller/processors, data types, data sharing, data treatment of other people, data treatment of complaints, the lawful bases of data treatment, standard marketing, and data retention. It also explains official guidance themes by the UK Information Commissioner's Office regarding privacy information, a lawful basis, direct marketing, automated decision-making, and protection against international transfers in areas where applicable, the Indian Digital Personal Data Protection Act, 2023, and related regulations.
- ICO guidance: legal basis, privacy data, direct marketing and PECR, automated decision-making and international transfer protection.
- Article 22 and Chapter III of the UK GDPR individual rights principles.
- Digital Personal Data Protection Act, 2023 and Indian DPDP rules/guidelines.
- TIB checklist of UK company uploaded and elaborated the compliance table as the structural benchmark.
Previous Privacy Policy
At Gateway EduConnect, we value the privacy and confidentiality of our students and users. This Privacy Policy applies. When reading about how we use, collect, and protect your personal information, we rely on both the law and the Information Technology Act and the Digital Personal Data Protection (DPDP) guidelines.
Why do we gather personal information?
Your demographics assist us in orienting you better. We protect and ensure the well-being of students and offer advice and placement in international universities, and so we use the data you give to create and protect student welfare and provide expert education consultancy. This information also enables us to deliver timely web content and advertisements, which will gauge the output of our outreach. Your information can also be used by us to make customised recommendations on educational services that can help you achieve your career objectives.
B. What Data do we gather, and how do we utilise it?
Information you provide:
In our first interaction, we will try to understand your unique educational and career requirements. When registering for some features on the site, we request detailed basic information such as full name, email address, date of birth, contact information, and other relevant personal data. This data helps us to provide more effective, personalised counselling services to you.
Cookies:
On our website, we collect non-personal data about visitors to develop a general overview of our platform's reach. These statistics will incorporate data on the number of visitors who have visited particular pages, the type of browser that was used to access the site, and the exact navigational paths that the visitor followed through the site. No one can be singly identified on the basis of these statistics with any chance.
Cookies can also be referred to as cuter little text files which assist our servers in recognising your computer, but not your individual identity. We can personalise, streamline and enhance your experience on Gateway EduConnect by putting cookies on your computer. To disable the functionality of cookies, you can use your browser settings if you do not want to use this feature. Nevertheless, it is important to note that you can experience performance-related problems and that some services and features might not be available if cookies are turned off.
Log Information:
Whenever you access the Gateway EduConnect site, what the browsers send to us is automatically logged by our servers. This "Log Information" could contain your particular web request, your IP address, the browser you are using, your language, the date and time of your request, and a cookie or two that assist in making your browser session unique.
User Communications:
We might save your communications, such as email, contact form, chat, etc., whenever you communicate with us to facilitate processing of your inquiries, your questions, our requests, and improve our service offerings. Keeping these records will give us the feeling that when you come in contact with our brand, you will consistently have a quality and the same experience.
Links:
The links on our site can be posted in such a way that we can monitor whether the links have been used. This information enables us to enhance our personalised content and layout. There are links that will take you to websites outside the site. By utilising other websites, you must understand that their privacy policies could be far different from ours. In the case of external websites, Privacy practices and the content of these sites are the responsibility of the Gateway EduConnect. After you have left our realm, we strongly encourage you to look into the privacy statements of every site you visit. We have our own Privacy Statement applicable only to information gathered on our site.
Alerts:
With that information, of what you like and what you need to learn, we can help you know what services will have the greatest difference in your career. Therefore, we can send alert messages (via email or phone) to update you on our new services, university and scholarship deadlines, or information that matches your profile.
Public Forums:
At your risk, you post some data on our site. This involves posting of photos, messages, and comments in open space forums, discussion boards or blog comment boxes. Any details that you might add to your profile or when writing in our forums might go public and be accessible to anybody. Be aware that you should be very cautious and preventive in revealing personal information in these publicly-facing features.
Data Security:
In case you make use of an online feature related to paying fees, we send your credit card information to our appointed bank to execute the transaction. The details you shared regarding your order will be discussed with you and our banking partner in case of a discrepancy or issue with payment. No other way will disclose your credit card information. We do not sell your email or other sensitive data to third parties who are not authorised, and we do not delegate this to unscrupulous parties.
The data that we obtain on our order forms is processed with encryption to secure credit card information when passing over the internet. The whole Gateway EduConnect site is securely encrypted to guarantee the security of the sensitive information you provide to us. Nevertheless, we are not ignorant of the dangers of the online environment and the inability of any computer system to be completely safe. Security Astute policies on our site and payment partners ensure that security is highly valued, and to the extent of providing security that is in tandem with the data handled.
Our first priority is to protect your data. To accomplish this, there is the integration of technical, administrative and physical security in our security design. We use a series of overall internal policies that stop unauthorised access to all data. In implementing our privacy compliance, we have made sure that all third parties with whom we share our data have a reasonable promise of security practices and procedures. Gateway EduConnect does not suffer any loss, unauthorised access or harm due to improper use of your personal information, except where there was direct and foreseeable harm through proven negligence or non-compliance on our part. Your use of our services means that we will not be liable to you or any other person in terms of any loss or harm to you or anyone through the actions of a third party or through any actions on your part.
C. Information Sharing
We maintain the safety of your information when sharing it with third parties when required. All of our personal information (except credit card information) is shared by us only under the circumstances listed below:
- To comply with all local laws and regulations, legal procedures and government demands.
- In our Terms of Use, we study potential violations of our Terms of Use.
- Report, prevent or resolve fraud, security or technical problems by locating and resolving these problems in real-time.
- To protect our users, property or safety against immediate damage as necessitated or authorised by law.
Non-personal and aggregated data (like the number of subscribers to a specific course) can be shared by us with third parties. No one is identified in this information.
To obtain services or goods via any of the features of our site or by signing up with us, you give Gateway EduConnect the right to communicate with you by mail or phone. You give us permission to send us information about our services, deals and latest happenings. However, even where you have signed up to a "Do Not Disturb" or a Denial of Consent service, you give us the right to communicate with you up to 365 days following the date of your registration by us.
D. How long is the user data retention?
We keep any data only as long as we have a legitimate business or legal requirement in connection with global data protection guidelines (including GDPR). We can and will not need to keep your personal information longer than is required to accomplish the purposes of its collection. The duration of time our personal information exists is based on the volume, type and sensitivity of data and the possible chance of loss through inappropriate usage. Before we share your data with other companies other than Gateway EduConnect, we will seek your direct permission for the use of your data in marketing. Third parties are not our friends; we have a strict code of conduct which gives an understanding of the boundaries of providing personal information to identify the purpose of such sharing.
E. Grievances/ Complaints.
Your concerns about how your more personal information may be used can be brought to the attention of the Gateway EduConnect Grievance Officer. You can be sure that we are listening to you and that we can do so once we get your complaint.
Grievance Email:
Contact Phone:
F. Disclaimer
Our data about potential students interested in the functions of our consultancy is personal and confidential. The contents of this site are general information and do not relate in any way to other consultancies. The aim of gathering this information is to update on our services and products. Yet we are not reflecting or warranting the accuracy of the site's (written or graphic) content. The user only has the responsibility for the information they have posted on our site. This is because neither our associates nor Gateway EduConnect will be liable to any loss or damage of any kind from the use of this website.
G. Data Deletion
We give you maximum flexibility in our privacy policy. You can seek to have your particulars completely erased from our records by writing an email with the following format:
Email:
Message: Data Deletion Request <Email-Id of the User>.
H. Grievance Redressal
The Information and Technology Act provides us with the power to have a Grievance Officer to address inquiries or complaints.
To contact us with concerns, please contact us by email to [Insert Email] or mail to us at: [Insert Office Address].
What the Grievance Officer will do is to respond to your email within 24 hours. We are going to be investigating intensely, and in 15 days, you will be shown a concrete solution.