Privacy Policy.

Privacy Policy.

Last updated May 2021
  1. INTRODUCTION
    • Welcome to iXperience (Pty) Ltd’s (we, us, our) (​registration number 2013/159509/07) Privacy Policy. We are a private limited liability company duly incorporated under the laws of the Republic of South Africa. We also operate our business from South Africa.
    • We respect your privacy and are committed to protecting your personal data. This Privacy Policy will inform you how we look after and process your personal data when:
      • you provide it to us;
      • it is collected from you for example by your attendance to our program;
      • you contract with our company;
      • you use our various services; or
      • you visit our Website.
    • This Privacy Policy also tells you about your privacy rights and how the law protects your personal data when we process it.
    • Please read all the provisions below, and our other rules, notices, and policies to understand all of your, and our, rights and duties. Some terms referred to below are not defined. You may find the definitions in our other documents.
    • Quick guide to contents:
      • IMPORTANT INFORMATION AND WHO WE ARE
      • THE DATA WE COLLECT ABOUT YOU
      • HOW IS YOUR PERSONAL DATA COLLECTED
      • HOW WE USE YOUR PERSONAL DATA
      • DISCLOSURES OF YOUR PERSONAL DATA
      • INTERNATIONAL TRANSFERS
      • DATA SECURITY
      • DATA RETENTION
      • YOUR LEGAL RIGHTS
      • GLOSSARY
  1. IMPORTANT INFORMATION AND WHO WE ARE
    • Purpose of this Privacy Policy:
      • This Privacy Policy aims to give you information on how we collect and process your or your child’s/ward’s personal data through any form of engagement with us. For example, when you:
      • enrol as a participant with us;
      • use our online services, general services, or Website;
      • provide data through any of our online platforms or gateways (“Website​”)​; or
      • provide personal data to us generally, in any way whatsoever (such as when attending events, completing our forms, contracting with us, participating in surveys, participating in market research, or signing up for newsletters).
    • This Privacy Policy complies with and facilitates the obligations under the
      • General​ Data Protection Regulation, 2016/679 (“GDPR​”)​;
      • South African Protection of Information Act 4 of 2013​ (“POPI​A”); and
      • California Consumer Privacy Act, 2018 (“CCPA”).
    • Due to our services’ nature as a provider of personal educational services, we process your personal data and special categories of personal data, such as biometric data and data concerning health, relating to minors and sensitive information.
    • You must read this Privacy Policy together with any other policies we may provide to you. We may notify you of them on specific occasions when we collect or process personal data about you or any minor or person in your guardianship. Familiarise yourself with these documents so that you are fully aware of how and why we are using your personal data. This Privacy Policy supplements the other notices. We do not intend for the Privacy Policy to override them.
    • Suppose you are a parent or guardian of a minor whose personal data we process under this Privacy Policy. In that case, you warrant that you have read, understood, and agree to this Privacy Policy. You also expressly consent to us processing your, or your child’s/ward’s personal data as per this Privacy Policy.
    • You may not submit any other person’s personal data to us, other than your own or your parents’ information, where if you provide personal data to us on behalf of your parent/s, you warrant that you have your parent’s express permission to submit such personal data to us on their behalf.
    • Controller and Processor
      • We are the data controller and are responsible for your personal data in instances where we decide the processing operations concerning your personal data. Sometimes we also operate as a processor of personal data on behalf of a third-party data controller, where that data controller’s privacy terms will apply. Still, we will draw your attention to them when applicable. We use the words “user”, “ you” and “your” interchangeably. Under this Policy, we use these words to refer to all persons accessing the Website or engaging with us for any reason whatsoever, including your child, ward, or parent for whom you are responsible and on whose behalf you accept this Privacy Policy, as the case may be.
      • We have appointed a data representative who is responsible for overseeing questions about this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the representative using the details set out below.
    • Our Contact Details
    • Our Contact Details
      • Our full details are:
        Full name of legal entity:    iXperience (Proprietary) Limited
        Name or title of data representative:    Legal Associate
        Email address:    hello@ixperience.co.za
        Postal address:    17 Dock Road, Cape Town, South Africa, 8001
        Telephone number:    +27 21 422 1071
      • We have appointed a data representative who is responsible for overseeing questions about this Privacy Policy. If you have any questions about this Privacy Policy, including any requests to exercise your legal rights, please contact the representative using the details set out below.You have the right to make a complaint at any time to your territories’ specific South African, European Union, or UK information regulator’s office (such as the Information Regulator’s Office of South Africa​, or the UK Information Commissioner’s Office, (www.ico.org.u​k​)). However, we would appreciate the chance to deal with your concerns before approaching any such regulator, so please contact us in the first instance.
    • Changes to the Privacy Policy and Your Duty to Inform us of Changes
      The personal data we hold about you must be accurate and current. Please keep us informed if your personal data changes during your relationship with us. We will notify you of any changes to our Privacy Policy by adding an alert to our Website.
    • Third-Party Links on Website
      The Website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements or terms. When you leave our Website or engage with such third parties, we encourage you to read every third-party's distinct privacy policy with which you engage. You hold us harmless for any claims about your personal data where you submit it via a third-party website.
  1. THE DATA WE COLLECT ABOUT YOU
    • Personal data means any information about you from which you can be identified. It does not include data where your identity has been removed (anonymous data).
    • We may collect, use, store and transfer (​“process”)​ different kinds of personal data about you which we have grouped as follows:
      • Identity Data includes first name, preferred first name, last name, or similar identifier, date of birth, and gender;
      • Contact Data includes physical address, delivery address, email address, social media contact details, and telephone numbers;
      • Financial Data includes bank account details, third-party payment provider information, and payment card details;
      • Transaction Data includes details about payments to and from you, contracts, contractual terms, contract fees, signups, subscriptions, invoices, and other details of products and services you have obtained from us;
      • Social Media Data includes all information accessible on your publicly available profile such as images, photos, photo tags, likes, followers, comments, posts, and stories;
      • Transaction Data includes details about payments to and from you, contracts, contractual terms, contract fees, signups, subscriptions, invoices, and other details of products and services you have obtained from us;
      • Technical Data includes internet protocol address/es, your login data, browser type, and version, time zone setting and location, cookies, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access the Website;
      • Profile Data includes your Website username and hashed password, your interests, preferences, feedback, and form, and survey responses;
      • Biometric Data includes​ your age, gender, visual representation and physical, physiological, or behavioural characteristics, passport information;
      • Special Categories of Data includes race, ethnic origin, or religious affiliation;​
      • Usage Data includes information about how you use our campuses, Website, surveys, events, and services; and
      • Marketing and Communications Data includes your preferences in receiving notices and marketing from our third parties and us and your communication preferences.
    • We also collect, use, and share Aggregated​ Data such as statistical or demographic data. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data does not​ directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Website feature. However, suppose we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you. In that case, we treat the combined data as personal data which we will use under this Privacy Policy.
    • We may need to collect Special Categories of Personal Data about you (this includes details about your race or ethnicity, information about your health, and genetic and biometric data), which you expressly consent to us doing. We process Special Categories of personal data under the GDPR, POPIA, and CCPA. You understand and expressly consent to us processing your personal data to provide our services to you. We enforce additional special precautions regarding the safety and integrity of any Special Categories of the personal information provided to us.
    • Suppose we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested. In that case, we may not perform the contract we have or are trying to enter into with you (for example, to provide you with services or allow your enrolment at our program). In this case, we may have to cancel Website-access or services you have with us, but we will notify you if this is the case at the time.
  1. HOW IS YOUR PERSONAL DATA COLLECTED?
    • We use different methods to collect data from and about you including through:
      • Direct interactions: You may give us your Identity, Contact, biometrics, Data Concerning Health, and Financial Data by filling in various forms, Website forms, or by corresponding with us by post, phone, email, or otherwise. This data includes the personal data you provide when you:
      • enrol as a participant with us;
      • complete our forms;
      • use our Website or Student Portal;
      • subscribe to our services or any publications;
      • participate as a research subject in a market or cultural research study;
      • provide any services to us as a service provider or independent contractor on contract with us;
      • request us to send marketing information to you;
      • attend any of our events; or
      • give us some feedback.
    • Technologies or interactions: As you interact with our Website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We may collect this personal data by using cookies, server logs, and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies.
    • Third parties or publicly available sources: We may receive personal data about you from various third parties and public sources as set out below.
      • Technical Data from the following parties:
      • enrol as a participant with us;analytics such as Google in Ireland; Hotjar in Malta; Facebook in the United States of America and Ireland; HubSpot in Ireland;
      • social networks such as Facebook;
      • survey data such as Google Forms in Ireland;
      • marketing platforms such as HubSpot, Intercom in Ireland, Mailchimp in Georgia, OptinMonster in the United States of America, Facebook, Google, LinkedIn in the United States of America, Twitter in the United States of America; and
      • marketing platforms such as HubSpot, Intercom based in Ireland, Mailchimp based in Georgia, OptinMonster based in the United States of America, Facebook, Google, LinkedIn based in the United States of America, Twitter based in the United States of America; and
      • search information providers such as Google.
      • Contact, Financial and Transaction Data from providers of technical, payment, and delivery services such as PayPal in the United States of America; Chase Bank in the United States of America; First National Bank in The Republic of South Africa.
      • Identity, Market Research Data, and Contact Data from publicly available sources such as HubSpot, Intercom, Facebook, Google, or Linkedin.
  1. HOW WE USE YOUR PERSONAL DATA
    • We will only use your personal data when the law allows us to and for legitimate reasons, which you understand and expressly consent to. Most commonly, we will use your personal data in the following circumstances:
      • Where we need to perform on the contract we are about to enter into or have entered into with you;
      • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; and
      • Where we need to comply with a legal or regulatory obligation.
    • Purposes for which we will use your personal data:
      • Note that we may process your personal data for more than one lawful ground depending on the specific purpose of using your data. Please contact us at hello@ixperience.co.za if you need details about the specific legal ground we rely on to process your personal data.
      • We will not use Special Categories of Data for any marketing or provide them to any External Third Parties without your express written consent. We will strictly reserve its use for limited and necessary purposes, such as participating as a participant with us.
    • Marketing
      We strive to provide you with choices regarding personal data uses, particularly around marketing and advertising. To manifest your rights attached to any marketing sent to you, please use the in-built prompts provided on those communications, or contact us.
    • Promotional services from us
      We may use your Identity, Contact, Technical, Usage, and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This process is how we decide which events, services, and offers may be relevant for you (we call this marketing). You will receive marketing communications from us if you:
      • have requested information from us,
      • have participated in any of our services or events, or
      • if you provided us with your details when registering for a promotion, event, or the program, and
      • in each case, have not opted-out of receiving that marketing.
    • Third-Party Marketing
      Whilst we may use your personal data within our company group, we will get your express opt-in consent before sharing your personal data publicly with any company outside our group of companies for public purposes.
    • Opting Out
      • You can ask third parties or us to stop sending you marketing messages at any time by logging into the Website and checking or unchecking relevant boxes to adjust your marketing preferences or by following the opt-out links on any marketing message sent to you, or by contacting us at any time.
      • Where you opt-out of receiving these marketing messages, this will not apply to personal data provided to us when you use the Website, our services, or you participate in any of our events or programs.
    • Change of purpose
      • We will only use your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason. We will ensure the reason is compatible with the original purpose. If you want to understand how the new purpose's processing is consistent with the original purpose, please contact us.
      • If we need to use your personal data for an unrelated purpose, we will notify you, and we will explain the legal basis, which allows us to do so.
      • Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
  1. DISCLOSURES OF YOUR PERSONAL DATA
    • We may have to share your personal data with the parties set out below.
      • Internal Third Parties as set out in the Glossary below;
      • External Third Parties as set out in the Glossary below;
      • Specific third parties; and
      • Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses/universities or merge with them. If a change happens to our company, then the new owners may use your personal data in the same way as set out in this Privacy Policy.
    • We require all third parties to respect your personal data security and treat it in compliance with the law. We do not allow our third-party service providers to use your personal data for their purposes and only permit them to process your personal data for specified purposes and under our instructions and standards.
  1. INTERNATIONAL TRANSFERS
    • We may have to share your personal data with the parties set out below.We share your personal data within our group of companies, and this may involve transferring and processing your data outside of the Republic of South Africa.
    • Whenever we transfer your personal data out of the country, we ensure a similar degree of protection is afforded to it. We do this by checking that at least one of the following safeguards are implemented:
      • We will only transfer your personal data to countries that the European Commission has deemed to provide an adequate level of protection for personal data.
      • Where we use certain service providers, we may use specific contracts approved by the European Commission, giving personal data the same protection it has in Europe.
      • Where we use providers based in the US, we may transfer data to them if they subscribe to an appropriate privacy framework endorsed by the US government which requires them to provide similar protection to personal data shared between Europe and the US.
    • Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the Republic of South Africa.
  1. DATA SECURITY
    • We have implemented appropriate security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
    • We have created procedures to deal with any suspected personal data breach. We will notify you and any applicable regulator of a breach where we are legally required to do so.
  1. DATA RETENTION
    • We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including to satisfy any legal, accounting, or reporting requirements.
    • To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data, and whether we can achieve those purposes through other means, and the applicable legal requirements.
    • Details of retention periods for different aspects of your personal data are available from us by contacting us.
    • In some circumstances, you can ask us to delete your data; see below for further information.
    • In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
  1. YOUR LEGAL RIGHTS
    • You have rights under data protection laws about your personal data. Please contact us to find out more about, or manifest, these rights:
      • Request access to your personal data;
      • Request correction of your personal data;
      • Request erasure of your personal data;
      • Not to be discriminated against because you do not want to share your data with us;
      • Object to processing of your personal data;
      • Request restriction of processing your personal data;
      • Request transfer of your personal data; and
      • Right to withdraw consent.
    • No fee usually required
      You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
    • What we may need from you
      We may need to request specific information from you to confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This measure ensures we do not disclose personal data to any person who has no right to receive it. We may also contact you to ask you for further information about your request to speed up our response.
    • Time limit to respond
      We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is incredibly complex or you have made several requests. In this case, we will notify you and keep you updated.
  1. GLOSSARY
    • LAWFUL BASIS
      • Legitimate Interest means our company's interest in conducting and managing our business to enable us to give you the best service and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where the impact on you overrides our interests (unless we have your consent or are otherwise required or permitted by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you regarding specific activities by contacting us.
      • Performance of Contract means processing your data where it is necessary for a contract's performance to which you are a party or to take steps at your request before entering into such a contract.
      • Comply with a legal or regulatory obligation means processing your personal data where it is necessary for compliance with a legal or regulatory obligation to which we are subject.
      • Express consent means​ the confirmed express consent you provide to us by accepting this Privacy Policy or signing any subsequent agreement with us.
    • THIRD PARTIES
      • Internal Third Parties means​ other entities or parties in our group acting as joint controllers or processors and who are based in South Africa and provide IT and system administration services and undertake reporting.
      • External Third Parties means:
      • Service providers acting as processors based in South Africa who provide IT, system administration services and contractual obligations required for the rendering of the Program;
      • Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors, and insurers based in South Africa and other jurisdictions who provide consultancy, banking, legal, insurance, and accounting services as required;
      • European Union, South African or United States of America regulators and other authorities acting as processors or joint controllers based in the United Kingdom or European Union or the Republic of South Africa or the United States of America may require reporting of processing activities; and
      • The South African courts or similar tribunals.