Privacy Policy

Last Updated: November 2025

1. Introduction

The Virtuoso Academy (“we,” “us,” or “our”) respects your privacy and is committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, courses, and services (collectively, the “Services”).

Data Controller:
The Virtuoso Academy
United Kingdom
Email: [email protected]
Phone: +44 7448 190917

For data protection queries:
Email: [email protected]

2. Information We Collect

2.1 Information You Provide Directly

Account Information:

  • Name and professional credentials
  • Email address and phone number
  • Password (encrypted)
  • Professional licensure information (optional)
  • Billing and payment information
  • Organisation/employer details (for enterprise users)

Course and Learning Data:

  • Course enrolment and progress
  • Quiz and assignment submissions
  • Completion certificates
  • Learning preferences and settings
  • Forum posts and community contributions
  • Feedback and survey responses

Communication Data:

  • Correspondence with our support team
  • Newsletter subscriptions
  • Marketing preferences
  • Event registrations

2.2 Information Collected Automatically

Technical Data:

  • IP address and geolocation data
  • Browser type and version
  • Device information (type, operating system)
  • Time zone and language settings
  • Referring website addresses

Usage Data:

  • Pages visited and navigation paths
  • Course viewing patterns and time spent
  • Feature usage and interactions
  • Search queries within the platform
  • Click-stream data

Cookies and Tracking Technologies:
We use cookies, web beacons, and similar technologies. See our separate Cookie Policy for details.

2.3 Information from Third Parties

Payment Processors:

  • Transaction details and payment status
  • Billing information (we do not store full credit card numbers)

Social Media:

  • If you connect via social media, we may receive profile information as permitted by your privacy settings

Analytics Providers:

  • Aggregated usage statistics
  • Performance metrics

3. How We Use Your Information

We process your personal data for the following purposes:

3.1 Service Provision (Legal Basis: Contract Performance)

  • Creating and managing your account
  • Providing access to purchased courses
  • Processing payments and transactions
  • Issuing certificates of completion
  • Providing customer support
  • Communicating about your courses and account

3.2 Service Improvement (Legal Basis: Legitimate Interests)

  • Analysing platform usage to improve Services
  • Conducting research and development
  • Testing new features and content
  • Monitoring service quality and performance
  • Preventing fraud and ensuring security

3.3 Marketing and Communications (Legal Basis: Consent or Legitimate Interests)

  • Sending promotional emails about new courses (with your consent)
  • Newsletter delivery (with your consent)
  • Informing you about updates to existing courses you’ve purchased
  • Conducting surveys and feedback requests
  • Showing relevant advertising (see Cookie Policy)

3.4 Legal Compliance (Legal Basis: Legal Obligation)

  • Complying with applicable laws and regulations
  • Responding to legal requests and preventing illegal activity
  • Enforcing our Terms of Use
  • Protecting our rights and safety

3.5 Enterprise Services (Legal Basis: Contract Performance)

  • Providing learning analytics to employers/organisations
  • Generating completion reports for corporate clients
  • Managing group licences and access

4. Legal Basis for Processing (GDPR/UK GDPR)

We process your personal data under the following legal bases:

  • Contract Performance: To provide Services you’ve purchased
  • Consent: For marketing communications and certain cookies
  • Legitimate Interests: To improve Services, prevent fraud, and ensure security
  • Legal Obligation: To comply with applicable laws and regulations

You have the right to withdraw consent or object to processing based on legitimate interests at any time.

5. How We Share Your Information

We do not sell your personal data. We share information only in the following circumstances:

5.1 Service Providers and Contractors

We engage third-party companies to perform functions on our behalf:

  • Hosting and Infrastructure: AWS, Google Cloud
  • Payment Processing: Stripe, PayPal (subject to their privacy policies)
  • Email Communications: Mailchimp, SendGrid
  • Analytics: Google Analytics, Mixpanel
  • Customer Support: Zendesk, Intercom
  • Video Hosting: Vimeo, YouTube (for course content)

These providers access personal data only as necessary to perform their functions and must protect it in accordance with data protection laws.

5.2 Enterprise Clients

If your access is provided through your employer or organisation:

  • We share learning progress, completion status, and assessment results with your organisation
  • The specific data shared is defined in our enterprise agreement
  • Your organisation is the data controller for this information

5.3 University Partners

Aggregated, anonymised data may be shared with our university partners (Oxford, UCL, Birmingham) for research and educational purposes. No personally identifiable information is shared without explicit consent.

5.4 Legal Requirements

We may disclose information when required by law or to:

  • Comply with legal process or government requests
  • Enforce our Terms of Use
  • Protect our rights, property, or safety
  • Protect users or the public from harm or illegal activities

5.5 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred. You will be notified of any such change and provided with choices regarding your data.

5.6 With Your Consent

We may share information for purposes not described in this Policy when you provide explicit consent.

6. International Data Transfers

6.1 Where We Store Data

Our primary servers are located in the European Economic Area (EEA). However, some service providers may process data outside the EEA, UK, or Australia.

6.2 Safeguards for Transfers

When transferring data internationally, we use:

  • EU Standard Contractual Clauses (SCCs) for transfers from the EU/UK
  • Adequacy decisions where available
  • Binding Corporate Rules for intra-group transfers
  • Australian APP compliance for transfers involving Australian data

6.3 US Data Transfers

For transfers to the US, we rely on:

  • Service providers’ participation in recognised data transfer frameworks
  • Standard Contractual Clauses
  • Additional safeguards as required by law

7. Data Retention

We retain your personal data only as long as necessary:

7.1 Account and Course Data

  • Active accounts: Retained while your account is active
  • Inactive accounts: Deleted after 3 years of inactivity (with 30-day notice)
  • Purchased course access: Retained to honour “lifetime access” promises
  • Deleted accounts: Most data deleted within 30 days, except as required for legal/accounting purposes

7.2 Specific Data Types

  • Transaction records: 7 years (tax and accounting requirements)
  • Support tickets: 2 years after resolution
  • Marketing data: Until you unsubscribe or object
  • Analytics data: Aggregated/anonymised after 26 months
  • Security logs: 12 months

7.3 Legal Requirements

We may retain data longer when required by law or for legitimate purposes (e.g., ongoing disputes, regulatory investigations).

8. Your Privacy Rights

Your rights vary by jurisdiction, but generally include:

8.1 Rights for All Users

  • Access: Request a copy of your personal data
  • Correction: Update inaccurate or incomplete data
  • Deletion: Request deletion of your data (subject to exceptions)
  • Objection: Object to certain processing activities
  • Portability: Receive your data in a portable format
  • Withdraw Consent: Withdraw consent for marketing or optional processing

8.2 UK/EU (GDPR/UK GDPR) Rights

In addition to the above:

  • Right to restriction: Limit how we process your data
  • Right to object to automated decisions: Challenge decisions made solely by automated processing
  • Right to lodge a complaint: Contact your data protection authority
    • UK: Information Commissioner’s Office (ICO) – https://ico.org.uk
    • EU: Your national supervisory authority

8.3 California (CCPA/CPRA) Rights

  • Right to know: What personal information we collect, use, and share
  • Right to delete: Request deletion of your personal information
  • Right to opt-out: Opt out of “sale” or “sharing” of personal information
  • Right to non-discrimination: We will not discriminate for exercising your rights
  • Right to correct: Correct inaccurate personal information
  • Right to limit: Limit use of sensitive personal information

Do Not Sell or Share My Personal Information:
We do not sell personal information. For targeted advertising opt-out, see our Cookie Policy.

8.4 Australian Privacy Act Rights

  • Access and correction: Request access to and correction of your information
  • Complaint: Lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
  • Anonymity: Where practicable, interact with us anonymously or using a pseudonym

8.5 How to Exercise Your Rights

To exercise any of these rights:

  • Email: [email protected]
  • In-platform: Use account settings for access, correction, and deletion
  • Phone: +44 7448 190917

We will respond to requests within:

  • 30 days (GDPR/UK GDPR)
  • 45 days (CCPA/CPRA), extendable to 90 days with notice
  • 30 days (Australian Privacy Act)

9. Children’s Privacy

Our Services are not directed at children under 18. We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at [email protected].

10. Data Security

We implement appropriate technical and organisational measures to protect your personal data:

10.1 Security Measures

  • Encryption: Data encrypted in transit (TLS/SSL) and at rest (AES-256)
  • Access controls: Role-based access with multi-factor authentication
  • Regular security audits: Penetration testing and vulnerability assessments
  • Employee training: Staff trained in data protection and security
  • Incident response: Procedures for detecting and responding to breaches
  • Secure development: Security by design in all development processes

10.2 Your Responsibilities

  • Keep your password confidential
  • Use strong, unique passwords
  • Log out of shared devices
  • Report suspicious activity immediately

10.3 Data Breach Notification

In the event of a data breach:

  • We will notify affected users without undue delay
  • We will notify relevant supervisory authorities as required by law (within 72 hours for GDPR breaches)
  • Notification will include the nature of the breach, its likely consequences, and mitigation measures

11. Cookies and Tracking Technologies

We use cookies and similar technologies. For detailed information, please see our separate Cookie Policy.

Summary:

  • Essential cookies: Required for platform functionality
  • Analytics cookies: Help us understand usage patterns
  • Marketing cookies: Enable targeted advertising
  • Preference cookies: Remember your settings

You can control cookies through your browser settings and our cookie preference centre.

12. Third-Party Links

Our Services may contain links to third-party websites, plugins, or applications. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

Third-Party Services We Use:

  • Payment processors: Stripe, PayPal
  • Video platforms: Vimeo, YouTube
  • Social media: LinkedIn, Twitter, Facebook
  • Analytics: Google Analytics

Each has its own privacy policy governing data collection and use.

13. Marketing Communications

13.1 Email Marketing

We send marketing emails only with your consent (opt-in). You may unsubscribe at any time via:

  • “Unsubscribe” link in every marketing email
  • Email preferences in your account settings
  • Email: [email protected]

13.2 Transactional Emails

We send essential service emails (receipts, course updates, security alerts) regardless of marketing preferences as necessary for service provision.

13.3 SMS/Phone Marketing

We do not engage in SMS or phone marketing without explicit opt-in consent.

14. California Privacy Rights

14.1 California Consumer Privacy Act (CCPA/CPRA)

Categories of Personal Information We Collect:

  • Identifiers (name, email, IP address)
  • Professional information (credentials, licensure)
  • Commercial information (purchase history)
  • Internet activity (browsing, course usage)
  • Education information (course completions, assessments)
  • Inferences (learning preferences, interests)

Sources: Directly from you, automatically collected, from third parties (payment processors)

Purposes: Service provision, improvement, marketing, legal compliance

Recipients: Service providers, enterprise clients (if applicable), legal authorities (when required)

Sale of Personal Information: We do not sell personal information

Sharing for Cross-Context Behavioral Advertising: We may share for targeted advertising. Opt out via our Cookie Policy.

14.2 Shine the Light Law

California residents may request information about disclosure of personal information to third parties for direct marketing purposes. Contact [email protected].

15. Nevada Privacy Rights

Nevada residents have the right to opt out of the sale of certain personal information. We do not sell personal information as defined by Nevada law. For questions, contact [email protected].

16. Changes to This Privacy Policy

We may update this Privacy Policy periodically to reflect changes in our practices or legal requirements. Changes will be effective:

  • Immediately upon posting for new users
  • 30 days after notice to existing users (via email or platform notification)

Material changes will be prominently highlighted. Continued use after changes constitutes acceptance.

Version History:

  • November 2024: Initial version

17. Contact Us

17.1 General Privacy Enquiries

Email: [email protected]
Phone: +44 7448 190917

17.2 Data Protection Officer

Email: [email protected]

17.3 Supervisory Authorities

UK Users:
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk
Phone: 0303 123 1113

EU Users:
Contact your national data protection authority

California Users:
California Attorney General
Website: https://oag.ca.gov/privacy

Australian Users:
Office of the Australian Information Commissioner (OAIC)
Website: https://www.oaic.gov.au
Phone: 1300 363 992

18. Jurisdiction-Specific Addendums

18.1 UK/EU Users (GDPR/UK GDPR)

This Privacy Policy complies with the UK General Data Protection Regulation and EU General Data Protection Regulation. You have all rights set forth in Articles 12-22 of GDPR.

Legal basis for processing: As described in Section 4
Cross-border transfers: As described in Section 6
Right to lodge complaint: With ICO (UK) or your national supervisory authority (EU)

18.2 California Users (CCPA/CPRA)

This section serves as our Notice at Collection for California residents. Categories, purposes, and retention periods are described throughout this Policy.

California Privacy Rights: See Section 14
Sensitive Personal Information: We limit use to service provision and legal compliance
Retention: See Section 7

18.3 Australian Users (Privacy Act 1988)

This Privacy Policy complies with the Australian Privacy Principles (APPs).

Overseas disclosure: See Section 6
Access and correction: See Section 8.4
Complaints: OAIC contact information in Section 17.3


Last Reviewed: November 2025

Acknowledgment: By using The Virtuoso Academy’s Services, you acknowledge that you have read and understood this Privacy Policy.