Privacy Notice

Last Updated: 20 Jan 2025

1. Introduction

Welcome to Purlos, a trading name of My Digital College Ltd (“Purlos”, “we”, “us”, or “our”). We provide software and services to the education sector in the United Kingdom, enabling our clients (education institutions) to engage with their learners using WhatsApp, SMS, and Email. This Privacy Policy explains how we collect, process, store, and protect personal data in compliance with the UK Data Protection Act (DPA) and the General Data Protection Regulation (GDPR).

By using our platform (“Purlos App”), you acknowledge that you have read and understood this Privacy Policy. If you have any questions, please contact our Data Protection Officer (DPO) using the details in the Contact Information section below.

2. Who We Are

Purlos is a trading name of My Digital College Ltd, a company registered in England and Wales under company number 11287890. Our registered address is:

My Digital College Ltd
20 Wenlock Road,
London,
N1 7GU

3. Scope of This Policy

This Privacy Policy describes how Purlos collects and processes personal data when:

  1. We provide the Purlos App and related services to our clients and their authorised users (e.g., staff, administrators).
  2. Learners interact with Purlos-based communications (e.g., WhatsApp, SMS, Email) as part of their engagement with an education institution that uses our service.
  3. You otherwise interact with us (e.g., visit our website or contact us directly).

Where we act as a data processor, we handle personal data strictly in accordance with our clients’ instructions and the terms of our data processing agreement with them. In such cases, our clients are responsible for ensuring that the personal data has been collected lawfully and that data subjects are informed about how their data is processed.

However, in certain circumstances, Purlos acts as a data controller—for example, when processing data about staff members in the Purlos App.

4. Purlos’ Data Processing Roles

Purlos processes personal data in two distinct capacities based on the type of data and our relationship with the client:

| Role | Data Category | Description | Purpose | Legal Basis |
|---|---|---|---|---|
| Data Controller | Staff Member Data | Data related to education institution staff members, such as names, email addresses, job roles, and activity logs in Purlos | To manage staff accounts; provide platform access; send communications; maintain system security | Legitimate interest for service provision and communication or consent for optional features |
| Data Processor | Learner Data | Data provided by education institutions about their learners (e.g., names, contact details, enrolment status, educational progress) | To enable institutions to communicate with learners; track engagement; support learners | Processing is performed under the instructions of the education institution (the data controller) |

4.1. Details of Processing Activities

(a) As Data Controller

Purlos is responsible for determining the purposes and means of processing Staff Member Data.

  • Creating and managing staff accounts
  • Monitoring staff activity on the platform
  • Sending service updates

(b) As Data Processor

Purlos acts on behalf of the education institution (the data controller) to process Learner Data in accordance with the institution’s instructions.

  • Sending communications to learners via sub-processors (e.g., Twilio, Meta for WhatsApp)
  • Analysing learner engagement trends
  • Providing data reports to the institution

5. Types of Personal Data We Process

Depending on the nature of our services and the instructions of our clients, we may process the following types of personal data:

  1. Learner Data (acting as a data processor):
    • Name, contact details (e.g., phone number, email address).
    • Education institution details (e.g., student ID, enrolment information).
    • Communication history and preferences.
    • WhatsApp-specific data such as display name, template messages, and onboarding information (where applicable).
  2. Staff and Administrator Data (acting as a data controller in relation to staff):
    • Names, job titles, and contact details of staff or administrators who use our platform.
    • User login credentials (e.g., username, password).
    • Usage details of the platform (e.g., IP addresses, activity logs).
  3. Other Data (when we act as a data controller for our own business operations):
    • Contact details for individuals who contact us or request information about our services.
    • Website usage data (e.g., cookies, IP addresses, device information) when visiting our website.

We do not knowingly collect any special category data (e.g., health, biometric, or political opinions) unless explicitly agreed upon with our clients and strictly necessary for the services provided.

6. Purposes and Legal Bases for Processing

We process personal data for the following purposes:

  1. Providing Our Services
    • Purpose: To operate and maintain our platform, facilitate communications between our clients and their learners, and provide customer support.
    • Legal Basis:
      • Performance of a contract with our clients (especially where we act strictly on the instructions of the data controllers)
      • Legitimate interests (to provide our contracted services)
  2. Client Relationship Management
    • Purpose: To manage contracts and relationships with our clients and prospective clients.
    • Legal Basis:
      • Performance of a contract
      • Compliance with legal obligations
      • Legitimate interests (business administration)
  3. Marketing (as Data Controller)
    • Purpose: To send marketing communications to individuals who have given their consent or where we have another lawful basis.
    • Legal Basis:
      • Consent
      • Legitimate interests (where permitted by law)
  4. Security and Fraud Prevention
    • Purpose: To ensure the security of our platform, prevent and detect fraud, and comply with legal obligations.
    • Legal Basis:
      • Compliance with legal obligations
      • Legitimate interests (protecting our business, clients, and data subjects)
  5. Analytics and Service Improvement
    • Purpose: To analyse usage and performance of our services for improvement and development of our platform.
    • Legal Basis:
      • Legitimate interests (to enhance our service and user experience)

7. Data Retention

We will retain personal data only for as long as is necessary for the purposes described in this Privacy Policy or as required by law. Where we act as a data processor, we will retain personal data in accordance with our client’s instructions or a data sharing agreement signed between the parties. Once the relevant retention period has expired, or upon our client’s request (whichever comes first), we will securely delete or anonymise the personal data, unless we are required to retain it to comply with legal obligations.

7.1 Data Minimisation
We adhere to the principle of data minimisation, collecting only the personal data strictly necessary to meet our contractual obligations. We retain data for six (6) months following the end of a contract unless the client requests earlier deletion. Within our Purlos App, clients have full control to delete specific data or submit a deletion request form at any time. We regularly review our data collection and storage processes to ensure that any unnecessary or redundant data is securely deleted or anonymised.

8. Sub-processors Used

Purlos utilises third-party providers (Sub-processors) to deliver its services effectively. The use of Sub-processors varies based on whether Purlos is acting as a Data Controller or Data Processor.

| Sub-processor Name | Purpose | Data Processed | Purlos Role | Legal Safeguards | Processor’s Privacy Policy |
|---|---|---|---|---|---|
| Twilio | For WhatsApp, SMS, and email communication | Learner contact information (e.g., name, phone, email) | Data Processor | Standard Contractual Clauses | Twilio Privacy Policy |
| AWS | Middleware for communication data storage | Learner and staff data (e.g., name, email, phone, communication logs) | Data Processor / Controller | Standard Contractual Clauses | AWS Privacy Policy |
| HubSpot | CRM for contracts and renewals | Staff data (e.g., name, email, direct phone, mobile phone) | Data Controller | Standard Contractual Clauses | HubSpot Privacy Policy |
| Salesforce | CRM and platform access | Learner and staff data (e.g., name, email, course details) | Data Processor / Controller | Standard Contractual Clauses | Salesforce Privacy Policy |
| Intercom | Support functionality on the platform | Staff data (e.g., name, email, support tickets) | Data Controller | Standard Contractual Clauses | Intercom Privacy Policy |
| Heap | Platform analytics and usage | Learner and staff activity logs (e.g., navigation data, platform usage behaviour) | Data Controller | Standard Contractual Clauses | Heap Privacy Policy |
| Gearset | Data backup | Learner and staff data (e.g., communication logs, activity data) | Data Controller | Standard Contractual Clauses | Gearset Privacy Policy |
| Meta | For WhatsApp communication | Learner contact information (e.g., name, phone number) | Data Processor | Standard Contractual Clauses | Meta Privacy Policy |
| OpenAI | Automated AI responses in communication | Learner communication content (e.g., chat text) | Data Processor | Standard Contractual Clauses | OpenAI Privacy Policy |
| Celonis | Make.com middleware for integration | Learner and staff data (e.g., name, email, phone, communication logs) | Data Processor | Standard Contractual Clauses | Celonis Privacy Policy |

Note: Purlos may update this list of Sub-processors from time to time as service needs evolve.

9. Data Sharing and Transfers

  1. Sharing with Clients: As a data processor, we only share learners’ personal data with the specific client (education institution) that provided it to us or as otherwise instructed by them.
  2. Service Providers (Sub-processors): We share personal data with third-party service providers who assist us in delivering our services (e.g., hosting providers, communication platforms). These service providers are contractually obligated to protect personal data and only process it on our behalf.
  3. Compliance with Law: We may disclose personal data if required to do so by law or in response to a valid legal request (e.g., court order, law enforcement request).
  4. Business Transfers: In the event of a merger, acquisition, or sale of all or a portion of our assets, personal data may be transferred to the acquiring entity under appropriate confidentiality arrangements.

9.1 International Data Transfers
We may transfer personal data to countries outside the United Kingdom or the European Economic Area (EEA) where our sub-processors or affiliates operate (for example, the United States). In such cases, we ensure that appropriate safeguards, such as Standard Contractual Clauses, are in place to protect the personal data in accordance with GDPR requirements. Post-Brexit, we continue to apply UK data transfer requirements and monitor relevant legislation to ensure ongoing compliance.

10. Security Measures

We implement appropriate technical and organisational measures to safeguard personal data against unauthorised access, loss, destruction, or alteration. These measures include (but are not limited to):

  • Encrypted communications (e.g., HTTPS).
  • Transport Layer Security (TLS) with 2048-bit RSA encryption for data transmissions.
  • Access controls and authentication.
  • Regular risk assessments and security reviews.
  • Primary hosting of data on Salesforce data centres within the UK, which implement advanced encryption standards.
  • Training and awareness programmes for staff handling personal data.

While we take all reasonable steps to protect personal data, no system is completely secure. If you have reason to believe that your personal data has been compromised, please contact us immediately.

10.1 Staff Training
We provide regular data protection training to our employees and authorised personnel, focusing on confidentiality obligations, internal data protection policies, and ongoing compliance measures. Staff members are required to sign confidentiality agreements and adhere to strict data handling protocols.

11. Your Rights as a Data Subject

Depending on the circumstances and applicable law, you may have the following rights in relation to your personal data:

  1. Right to Access: You can request confirmation of whether we hold your personal data and obtain a copy of it.
  2. Right to Rectification: You can request correction of inaccurate or incomplete personal data.
  3. Right to Erasure (“Right to be Forgotten”): You can request that we delete or remove your personal data where there is no lawful reason to continue processing it.
  4. Right to Restrict Processing: You can request that we limit the processing of your personal data in certain circumstances.
  5. Right to Data Portability: In certain circumstances, you can receive your personal data in a structured, commonly used, and machine-readable format and have it transferred to another controller.
  6. Right to Object: You can object to the processing of your personal data where we are relying on our legitimate interests, and you believe this impacts your fundamental rights and freedoms.
  7. Right to Withdraw Consent: Where processing is based on consent, you have the right to withdraw consent at any time.

If you wish to exercise any of these rights, please contact us using the details in the Contact Information section. We will respond to your request in accordance with applicable data protection laws.

12. Cookies and Similar Technologies

When you visit our website or use our services, we may use cookies and similar technologies to collect certain information automatically. This may include IP addresses, browser type, device information, and browsing behaviour. You can control cookies through your browser settings.

We use both session cookies and persistent cookies to enhance user experience, remember user preferences, and perform analytics. For more information, including how to manage or disable cookies, please see our separate Cookie Policy (or contact us for a copy of it).

13. Updates to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational needs. When we do, we will revise the “Last Updated” date at the top of this policy. We encourage you to review this Privacy Policy periodically to stay informed about our data processing activities.

14. Contact Information

If you have any questions about this Privacy Policy or would like to exercise your rights, please contact our Data Protection Officer (DPO):

David Bartlett
Email: ask@purlos.co.uk

My Digital College Ltd
20 Wenlock Road
London
N1 7GU

We will do our best to address and resolve any concerns you may have about our handling of your personal data. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) (the UK supervisory authority for data protection):
https://ico.org.uk/

15. Complaints

If you believe that we have not processed your personal data in accordance with this Privacy Policy or applicable data protection laws, we encourage you to contact us first at ask@purlos.co.uk so that we can address your concerns. You also have the right to lodge a complaint directly with the ICO at any time.

16. Data Breach Notification

In the event of a personal data breach, we will promptly assess the risk to your rights and freedoms. If required under GDPR, we will report the breach to the relevant supervisory authority (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of it. If the breach is likely to result in a high risk to your rights and freedoms, we will also inform you directly (where feasible) with clear information about the nature of the breach, the data affected, and any recommended steps to mitigate its potential impact.

17. Children’s Data Processing

Given that our services are used in the education sector, we recognise that some learners may be under 18 years old. We process children’s data strictly under the instructions of our client (the educational institution), which is responsible for obtaining any necessary consents (e.g., parental consent) and ensuring compliance with age-related legal obligations. If you believe we may be processing personal data of a minor without proper authorisation, please contact us immediately.

18. Automated Decision-Making and Profiling

In some cases, our services may use AI-driven functionalities through our sub-processor to assist in generating automated responses or insights. While these processes can help improve communications with learners, we do not solely rely on fully automated decision-making that produces legal or similarly significant effects for data subjects. If you have any concerns or wish to object to the use of such automated tools, please contact us at ask@purlos.co.uk.

19. Privacy Impact Assessments (PIAs / DPIAs)


We carry out Data Protection Impact Assessments (DPIAs) where the processing is likely to result in a high risk to the rights and freedoms of individuals, particularly when introducing or changing technologies or data practices in the education context. These assessments help us identify and minimise data protection risks.

By using our Purlos App or otherwise providing personal data to us, you acknowledge that you have read and understood this Privacy Policy. If you have any questions, please contact us at ask@purlos.co.uk.