you provide it to us;
it is collected from you for example by your attendance to our program;
you contract with our company;
you use our various services; or
you visit our Website.
Please read all the provisions below, and our other rules, notices, and policies to understand all of your, and our, rights and duties. Some terms referred to below are not defined. You may find the definitions in our other documents.
enrol as a participant with us;
use our online services, general services, or Website;
provide data through any of our online platforms or gateways (“Website”); or
provide personal data to us generally, in any way whatsoever (such as when attending events, completing our forms, contracting with us, participating in surveys, participating in market research, or signing up for newsletters).
General Data Protection Regulation, 2016/679 (“GDPR”);
South African Protection of Information Act 4 of 2013 (“POPIA”); and
California Consumer Privacy Act, 2018 (“CCPA”).
Due to our services’ nature as a provider of personal educational services, we process your personal data and special categories of personal data, such as biometric data and data concerning health, relating to minors and sensitive information.
You may not submit any other person’s personal data to us, other than your own or your parents’ information, where if you provide personal data to us on behalf of your parent/s, you warrant that you have your parent’s express permission to submit such personal data to us on their behalf.
Controller and Processor
Our Contact Details
Our full details are:
Full name of legal entity: iXperience (Proprietary) Limited
Name or title of data representative: Legal Associate
Email address: email@example.com
Postal address: 17 Dock Road, Cape Town, South Africa, 8001
Telephone number: +27 21 422 1071
You have the right to make a complaint at any time to your territories’ specific South African, European Union, or UK information regulator’s office (such as the Information Regulator’s Office of South Africa, or the UK Information Commissioner’s Office, (www.ico.org.uk)). However, we would appreciate the chance to deal with your concerns before approaching any such regulator, so please contact us in the first instance.
Third-Party Links on Website
THE DATA WE COLLECT ABOUT YOU
Personal data means any information about you from which you can be identified. It does not include data where your identity has been removed (anonymous data).
We may collect, use, store and transfer (“process”) different kinds of personal data about you which we have grouped as follows:
Identity Data includes first name, preferred first name, last name, or similar identifier, date of birth, and gender;
Contact Data includes physical address, delivery address, email address, social media contact details, and telephone numbers;
Financial Data includes bank account details, third-party payment provider information, and payment card details;
Transaction Data includes details about payments to and from you, contracts, contractual terms, contract fees, signups, subscriptions, invoices, and other details of products and services you have obtained from us;
Social Media Data includes all information accessible on your publicly available profile such as images, photos, photo tags, likes, followers, comments, posts, and stories;
Technical Data includes internet protocol address/es, your login data, browser type, and version, time zone setting and location, cookies, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Website;
Profile Data includes your Website username and hashed password, your interests, preferences, feedback, and form, and survey responses;
Biometric Data includes your age, gender, visual representation and physical, physiological, or behavioural characteristics, passport information;
Data Concerning Health includes the physical or mental health status, health insurance information, or characteristics of a natural person;
Special Categories of Data includes race, ethnic origin, or religious affiliation;
Usage Data includes information about how you use our campuses, Website, surveys, events, and services; and
Marketing and Communications Data includes your preferences in receiving notices and marketing from our third parties and us and your communication preferences.
We may need to collect Special Categories of Personal Data about you (this includes details about your race or ethnicity, information about your health, and genetic and biometric data), which you expressly consent to us doing. We process Special Categories of personal data under the GDPR, POPIA, and CCPA. You understand and expressly consent to us processing your personal data to provide our services to you. We enforce additional special precautions regarding the safety and integrity of any Special Categories of the personal information provided to us.
Suppose we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested. In that case, we may not perform the contract we have or are trying to enter into with you (for example, to provide you with services or allow your enrolment at our program). In this case, we may have to cancel Website-access or services you have with us, but we will notify you if this is the case at the time.
HOW IS YOUR PERSONAL DATA COLLECTED?
We use different methods to collect data from and about you including through:
Direct interactions: You may give us your Identity, Contact, biometrics, Data Concerning Health, and Financial Data by filling in various forms, Website forms, or by corresponding with us by post, phone, email, or otherwise. This data includes the personal data you provide when you:
enrol as a participant with us;
complete our forms;
use our Website or Student Portal;
subscribe to our services or any publications;
participate as a research subject in a market or cultural research study;
provide any services to us as a service provider or independent contractor on contract with us;
request us to send marketing information to you;
attend any of our events; or
give us some feedback.
Technologies or interactions: As you interact with our Website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We may collect this personal data by using cookies, server logs, and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies.
Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources as set out below.
Technical Data from the following parties:
analytics such as Google in Ireland; Hotjar in Malta; Facebook in the United States of America and Ireland; HubSpot in Ireland;
social networks such as Facebook;
survey data such as Google Forms in Ireland;
marketing platforms such as HubSpot, Intercom in Ireland, Mailchimp in Georgia, OptinMonster in the United States of America, Facebook, Google, LinkedIn in the United States of America, Twitter in the United States of America; and
marketing platforms such as HubSpot, Intercom based in Ireland, Mailchimp based in Georgia, OptinMonster based in the United States of America, Facebook, Google, LinkedIn based in the United States of America, Twitter based in the United States of America; and
search information providers such as Google.
Contact, Financial and Transaction Data from providers of technical, payment, and delivery services such as PayPal in the United States of America; Chase Bank in the United States of America; First National Bank in The Republic of South Africa.
Identity, Market Research Data, and Contact Data from publicly available sources such as HubSpot, Intercom, Facebook, Google, or Linkedin.
HOW WE USE YOUR PERSONAL DATA
We will only use your personal data when the law allows us to and for legitimate reasons, which you understand and expressly consent to. Most commonly, we will use your personal data in the following circumstances:
Where we need to perform on the contract we are about to enter into or have entered into with you;
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and
Where we need to comply with a legal or regulatory obligation.
Purposes for which we will use your personal data:
Note that we may process your personal data for more than one lawful ground depending on the specific purpose of using your data. Please contact us at firstname.lastname@example.org if you need details about the specific legal ground we rely on to process your personal data.
We will not use Special Categories of Data for any marketing or provide them to any External Third Parties without your express written consent. We will strictly reserve its use for limited and necessary purposes, such as participating as a participant with us.
We strive to provide you with choices regarding personal data uses, particularly around marketing and advertising. To manifest your rights attached to any marketing sent to you, please use the in-built prompts provided on those communications, or contact us.
Promotional services from us
We may use your Identity, Contact, Technical, Usage, and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This process is how we decide which events, services, and offers may be relevant for you (we call this marketing). You will receive marketing communications from us if you:
have requested information from us,
have participated in any of our services or events, or
if you provided us with your details when registering for a promotion, event, or the program, and
in each case, have not opted-out of receiving that marketing.
Whilst we may use your personal data within our company group, we will get your express opt-in consent before sharing your personal data publicly with any company outside our group of companies for public purposes.
You can ask third parties or us to stop sending you marketing messages at any time by logging into the Website and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you, or by contacting us at any time.
Where you opt-out of receiving these marketing messages, this will not apply to personal data provided to us when you use the Website, our services, or you participate in any of our events or programs.
Change of purpose
We will only use your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason. We will ensure the reason is compatible with the original purpose. If you want to understand how the new purpose's processing is consistent with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you, and we will explain the legal basis, which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
DISCLOSURES OF YOUR PERSONAL DATA
We may have to share your personal data with the parties set out below.
Internal Third Parties as set out in the Glossary below;
External Third Parties as set out in the Glossary below;
Specific third parties; and
We require all third parties to respect your personal data security and treat it in compliance with the law. We do not allow our third-party service providers to use your personal data for their purposes and only permit them to process your personal data for specified purposes and under our instructions and standards.
We share your personal data within our group of companies, and this may involve transferring and processing your data outside of the Republic of South Africa.
Whenever we transfer your personal data out of the country, we ensure a similar degree of protection is afforded to it. We do this by checking that at least one of the following safeguards are implemented:
We will only transfer your personal data to countries that the European Commission has deemed to provide an adequate level of protection for personal data.
Where we use certain service providers, we may use specific contracts approved by the European Commission, giving personal data the same protection it has in Europe.
Where we use providers based in the US, we may transfer data to them if they subscribe to an appropriate privacy framework endorsed by the US government which requires them to provide similar protection to personal data shared between Europe and the US.
Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the Republic of South Africa.
We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
We have created procedures to deal with any suspected personal data breach. We will notify you and any applicable regulator of a breach where we are legally required to do so.
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available from us by contacting us.
In some circumstances, you can ask us to delete your data; see below for further information.
In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
YOUR LEGAL RIGHTS
You have rights under data protection laws about your personal data. Please contact us to find out more about, or manifest, these rights:
Request access to your personal data;
Request correction of your personal data;
Request erasure of your personal data;
Not to be discriminated against because you do not want to share your data with us;
Object to processing of your personal data;
Request restriction of processing your personal data;
Request transfer of your personal data; and
Right to withdraw consent.
No fee usually required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
What we may need from you
We may need to request specific information from you to confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This measure ensures we do not disclose personal data to any person who has no right to receive it. We may also contact you to ask you for further information about your request to speed up our response.
Time limit to respond
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is incredibly complex or you have made several requests. In this case, we will notify you and keep you updated.
Legitimate Interest means our company's interest in conducting and managing our business to enable us to give you the best service and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where the impact on you overrides our interests (unless we have your consent or are otherwise required or permitted by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you regarding specific activities by contacting us.
Performance of Contract means processing your data where it is necessary for a contract's performance to which you are a party or to take steps at your request before entering into such a contract.
Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation to which we are subject.
Internal Third Parties means other entities or parties in our group acting as joint controllers or processors and who are based in South Africa and provide IT and system administration services and undertake reporting.
External Third Parties means:
Service providers acting as processors based in South Africa who provide IT, system administration services and contractual obligations required for the rendering of the Program;
Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, and insurers based in South Africa and other jurisdictions who provide consultancy, banking, legal, insurance, and accounting services as required;
European Union, South African or United States of America regulators and other authorities acting as processors or joint controllers based in the United Kingdom or European Union or the Republic of South Africa or the United States of America may require reporting of processing activities; and