PRIVACY POLICY

Last updated: January 25, 2026

15Degrees-North Ltd, trading as Onion Training Academy (“we”, “us”, “our”), is committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

We process personal information in compliance with UK data protection law, which includes the UK GDPR and the Data Protection Act 2018. These regulations govern how we collect, use, store and protect your personal data.

This policy explains how we collect, use and safeguard your information when you visit https://onion.training, enrol in our Level 3 Software Testing Course, or receive our marketing communications.

1. Data Controller

We are the data controller for your personal data.

Contact:

15Degrees-North Ltd

124 City Road, London, EC1V 2NX

Registered Company No: 9065113

Email: Use our contact form

Please notify us of any changes to your personal data via the contact form to keep our records accurate.

2. Data We Collect

– Communication Data: Information from contact forms, emails, social media, or other communications (e.g., name, email).

– Customer Data: Name, billing address, email, phone, payment details for course purchases (incl. VAT).

– User Data: Website usage data (e.g., pages visited, posts) for service delivery.

– Technical Data: IP address, browser details, page views from analytics tools (e.g., Google Analytics).

– Marketing Data: Preferences for receiving marketing (e.g., newsletters, B2B campaigns).

– Educational Data: Names, quiz results for course participants, including students aged 13–16 with parental/school consent.

We do not collect sensitive data (e.g., race, health, criminal records).

3. How We Use Your Data

– Deliver and manage courses (e.g., access, progress tracking).

– Process payments and invoices (incl. VAT).

– Respond to communications and maintain records.

– Send B2B marketing emails (see Section 6).

– Analyse website usage to improve services and deliver relevant content.

– Ensure website security and compliance with legal obligations.

4. Legal Basis

– Consent: For course enrolment, newsletters, or student data (13–16 years).

– Contract: To deliver courses and process payments.

– Legitimate Interest: For B2B marketing, website analytics and service administration.

– Legal Obligation: To comply with tax or safeguarding requirements.

5. How We Collect Data

– Directly: Via website forms, emails, or course sign-ups.

– Automatically: Through cookies and analytics (see our cookie policy).

– Third Parties: From analytics providers (e.g., Google), payment processors (e.g., WorldPay), or GDPR-compliant data providers for contacts.

6. Email Marketing and Campaign Data Processing

We collect contact data (e.g., names, emails) of UK school staff from public directories or GDPR-compliant lists to promote our Level 3 Software Testing Course. We use tools like FunnelKit to send emails and track engagement (e.g., opens, replies). Our legal basis is legitimate interest (UK GDPR Article 6(1)(f)) for B2B communications. You can opt out via unsubscribe links in emails. Data is retained until opt-out or campaign end and shared only with trusted email providers under data protection agreements.

7. Safeguarding and Educational Data

Processing of Student Data (Ages 13–19)

For students aged 13–19 enrolled through educational institutions, we process personal data, including names, emails and assessment results.

Legal Basis: We process this data based on parental consent (for students under 16) or the student’s own consent (for students aged 16–19), in accordance with school authorisation where the school acts as joint data controller with us.

Security: We implement appropriate technical and organisational security measures to protect student data. Access to personal information is restricted to authorised personnel who have received appropriate training.

Safeguarding: Any safeguarding concerns identified through our services are reported to the relevant school and/or appropriate authorities in accordance with UK safeguarding guidelines.

DPIA Form.

Contact us for details.

8. Data Sharing

We share data with:

– Service Providers: WorldPay (payments), FunnelKit (email marketing), Google Analytics.

– Professional Advisers: Lawyers, accountants for legal/tax compliance.

– Authorities: If required by law.

Third parties process data only for specified purposes under our instructions. We do not sell data.

9. International Transfers

Some providers (e.g., Google, WorldPay) are outside the UK/EEA. We ensure data protection via:

– UK International Data Transfer Agreement (IDTA).

– Countries with UK adequacy decisions (e.g., EU, Canada).

– Standard Contractual Clauses where no adequacy exists.

For specific transfers, we may seek your consent, which you can withdraw.

10. Data Security

We use SSL encryption, access controls and secure servers to protect data. Only authorised staff access your data. We have procedures for data breach response, notifying you and the ICO if required.

11. Data Retention

– Customer Data: 7 years for tax compliance (HMRC).

– Marketing Data: Until opt-out or campaign end.

– Technical Data: 26 months (Google Analytics).

– Educational Data: Until course completion or school request for deletion.

Anonymised data may be retained for research.

12. Your Rights

Under UK GDPR, you can:

– Access, correct, or delete your data.

– Restrict or object to processing.

– Request data portability.

– Withdraw consent.

Contact us. We respond within 30 days, free of charge unless requests are excessive. We may verify your identity. If you are unsatisfied, contact the ICO (www.ico.org.uk).

13. Third-Party Links

Our site links to third parties (e.g., Trustpilot for 5-star reviews). We are not responsible for their privacy practices. Review their policies when leaving our site.

14. Changes to This Policy

We may update this policy. Check our privacy policy for the latest version. Significant changes will be notified via email or website notice.