Privacy Policy

Course Search ("we", "our", "us") is the controller of the personal data described in this Policy. We comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data we collect

We collect data in three main ways:

• From providers — name, work email, phone, company registration details, billing details and any profile content you submit (about, logo, accreditations).
• From learners — name, email, optional phone, and the message you send when enquiring about a course. We pass these directly to the relevant provider.
• From visitors — basic analytics about how the site is used (pages visited, device type, referrer), and any preferences you set (see "Manage preferences").

2. How we use your data

We use personal data to:

• Operate the marketplace and provider portal.
• Verify providers via Companies House and our internal moderation.
• Pass learner enquiries to the relevant provider.
• Process payments for promoted placement.
• Send transactional emails (account, billing, moderation outcomes).
• Send marketing emails — only if you have opted in or are a provider with an active account (you can opt out at any time).
• Detect fraud, abuse and breaches of our Terms.
• Improve the platform through privacy-respecting analytics.

3. Lawful bases

We rely on the following bases under UK GDPR:

• Contract — to operate provider accounts and process enquiries.
• Legitimate interests — to keep the platform secure, prevent fraud, and improve our services.
• Consent — for non-essential cookies and optional marketing communications.
• Legal obligation — for accounting, tax and regulatory record-keeping.

4. Sharing your data

We share personal data only with:

• Training providers — when a learner enquires about their course.
• Service providers — hosting (AWS, in the UK/EU), database (Supabase), payments (Stripe), email delivery, and verification services (Companies House API). Each is contractually required to protect your data.
• Authorities — where we are legally required to do so.

We never sell personal data.

5. International transfers

Where personal data is processed outside the UK or EEA, we rely on UK-approved transfer mechanisms (UK International Data Transfer Agreement, adequacy decisions, or Standard Contractual Clauses).

6. How long we keep data

We keep provider account data while your account is active and for up to 24 months after closure. Learner enquiries are kept for 24 months unless the provider deletes them earlier. Billing and tax records are retained for 7 years as required by UK law.

7. Your rights

Under UK GDPR you have the right to:

• Access the personal data we hold about you.
• Request correction of inaccurate data.
• Request deletion of your data (where applicable).
• Restrict or object to processing.
• Receive a copy of your data in a portable format.
• Withdraw consent at any time where consent is the lawful basis.
• Complain to the Information Commissioner's Office (ICO) at ico.org.uk.

To exercise any of these rights, contact privacy@coursesearch.co.uk. We will respond within one month.

8. Cookies and tracking

We use a small number of cookies and similar technologies. Essential cookies are required to operate the site (e.g. keep you signed in). Optional analytics and marketing cookies only run with your consent. You can change your settings at any time on the Manage preferences page.

9. Security

We protect personal data with industry-standard measures — encrypted connections, encrypted-at-rest databases, role-based access controls, and regular reviews. No system is 100% secure; if a breach occurs that is likely to affect your rights, we will notify you and the ICO within 72 hours where required.

10. Changes to this Policy

We may update this Policy from time to time. The "Last updated" date above reflects the most recent change. Material changes will be communicated to registered providers by email.

11. Contact

Questions about this Policy can be sent to privacy@coursesearch.co.uk.