Privacy Policy — CourseGenie.co.uk

This policy explains what personal data CourseGenie collects, why we collect it, and what we do with it. We've written it in plain English and kept it as short as we reasonably can.

Who we are

CourseGenie.co.uk is operated by Course Genie Limited, a company registered in England and Wales. For the purposes of the UK GDPR and Data Protection Act 2018, we are the data controller for the personal information we collect through this site.

You can contact us at sales@coursegenie.co.uk or on 0800 000 0001 about anything in this policy, including requests to access, correct, or delete your data.

What we collect and why

We only collect data we actually need. Here's what that looks like in practice:

When you browse the site, we collect standard technical information — IP address, device and browser type, pages viewed, and referring site. This keeps the site secure and helps us understand what's useful. Some of this is collected via cookies, which are covered in full in our Cookie Policy.

When you book a course, we collect your name, email, phone number, billing address, company name (where relevant), and the names and email addresses of the delegates attending.

When you ask us to find a course for you, we collect the contact details and requirements you share in the enquiry form so we can come back to you with options.

When you subscribe to our newsletter, we collect your email address so we can send it to you. You can unsubscribe from any email we send.

When you contact us, we keep a record of the conversation — email, phone notes, or chat — so we can pick up where we left off and improve our service.

We do not collect payment card details. Card payments are handled directly by our payment processor (Stripe) on their own secure infrastructure. We only receive a confirmation that payment succeeded, plus the last four digits of the card for your records.

Our legal bases for using your data

UK GDPR requires us to have a specific legal reason for using your personal data. Ours are:

Contract — to take your booking, deliver it to the training provider, issue invoices, and handle any cancellations or rebookings.
Legitimate interests — to run and secure the site, prevent fraud, keep internal records, and respond to enquiries.
Legal obligation — to keep accounting records (we're required to hold invoicing data for six years under UK tax law) and to comply with other regulatory duties.
Consent — for optional analytics and marketing cookies, and for marketing emails. You can withdraw consent at any time.

Who we share your data with

We share your data with a limited set of third parties, only where necessary:

Training providers — when you book a course, we pass the delegate's name, email, and (where the provider requires it) employer and National Insurance number to the provider delivering the course. The provider uses this to register the delegate, deliver training, and issue certificates. They act as a separate data controller once they receive this data.
Payment processor — Stripe, for card payments.
Cloud and infrastructure providers — for hosting, email delivery, and customer support tooling. These suppliers process data on our instructions and are contractually bound to protect it.
Analytics and marketing providers — Google and, where applicable, Meta and LinkedIn, as set out in our Cookie Policy. Only if you've accepted the relevant cookies.
Professional advisers and authorities — accountants, lawyers, HMRC, or regulators, where we're legally required or have a legitimate need.

We never sell your personal data.

International transfers

Some of our suppliers (including Stripe and Google) process data outside the UK. Where that happens, we rely on approved safeguards — UK adequacy regulations, the UK International Data Transfer Addendum, or the EU Standard Contractual Clauses — so your data has equivalent protection wherever it's processed.

How long we keep it

Booking and invoicing records: six years after the end of the tax year they relate to (UK accounting requirement).
Enquiries that didn't lead to a booking: 24 months from last contact.
Newsletter subscribers: until you unsubscribe.
Website analytics: up to 24 months, then aggregated or deleted.
Support correspondence: 24 months from the last exchange.

When the retention period ends, we delete the data or anonymise it so it can no longer identify you.

How we keep it safe

We use encryption in transit (HTTPS) and at rest, role-based access controls, and regular backups. Access to personal data is limited to staff who need it to do their jobs. No system is perfectly secure, but we take this seriously and review our practices regularly.

Your rights

Under UK GDPR, you have the right to:

Ask for a copy of the personal data we hold about you.
Ask us to correct anything that's wrong.
Ask us to delete your data (subject to legal retention rules — for example, we can't delete invoicing data within the six-year window).
Ask us to restrict or object to how we use your data.
Ask for your data in a portable format.
Withdraw consent at any time, where we rely on it.

To exercise any of these rights, email sales@coursegenie.co.uk. We'll respond within one month.

If you're not happy with how we've handled your data, you can complain to the Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113. We'd appreciate the chance to resolve things first, though.

Children

CourseGenie serves both businesses and individual learners, and our courses are aimed at working adults. We don't knowingly collect data from anyone under 18. If you're booking on behalf of a delegate, please make sure they're 18 or over. If you believe a child has given us their data, email us and we'll delete it.

Changes to this policy

If we make material changes, we'll update the "Last updated" date at the top and, where the change is significant, notify you by email or via a notice on the site.