Privacy Notice | Blackbullion

Blackbullion privacy notice

This document was last updated on 20th November 2023.

Blackbullion Ltd (“Blackbullion”, “we”, “us” or “our”) offers online resources and services to assist our users. Our services are offered on the Blackbullion websites (available at www.blackbullion.com and www.business.blackbullion.com) and the Blackbullion App, as well as other Blackbullion websites and products (together, the “Sites”).

The protection of personal data, as well as compliance with privacy and data protection laws and regulations, is important to our organisation. We aim to ensure the privacy rights of our consumers, business contacts, and employees when we handle information about them.

This policy only applies to personal data collected through our Sites operated by Blackbullion or by third parties acting for and on our behalf as data processors and further processed for the purposes specified herein. This policy does not apply to personal data collected from offline resources and communications. This policy also does not apply to third-party online resources to which our websites may link, where we do not control the content or the privacy practices of such resources.

Should you have any questions about this policy or our data collection, use and disclosure practices, please contact us.

Who are we?

As referred to in this policy, references to “us”, “we”, “our” and “Blackbullion” means Blackbullion Ltd. (company number 07629923) of 5 Technology Park, Colindeep Ln, London NW9 6BX.

For the purposes of the Data Protection Act 2018 and the General Data Protection Regulation 2016/679 (“GDPR”), we are a data controller except where we also act as a data processor under the instructions of a third party (such as educational institutions or scholarship providers).

Changes to this policy

We reserve the right to make changes to this Privacy Policy. If we decide to change this Privacy Policy, we will post the changes on www.blackbullion.com/privacy. It is your responsibility to refer back to this Privacy Policy to review any amendments.

This Privacy Policy was most recently updated on the date stated at the beginning.

Collection of personal data

We have adopted this Privacy Policy to reflect the standards we have in place to protect the data we collect about individuals that is necessary for:

• providing the products and services that we offer; and
• the normal day-to-day operations of our business.

By publishing this Privacy Policy we aim to make it easy for our users, customers and the public to understand what data we collect and store, why we do so, how we receive and/or obtain that information, and the rights each individual has with respect to their data in our possession.

We collect personal data online through our Sites. Individuals may access many parts of our Sites without providing any personal data. If you contact us, we may keep a record of that correspondence. If you choose to provide your personal data, such as your name, address, date of birth, telephone number or e-mail address, by entering into forms or data fields on our Sites and/or corresponding with us, we will collect and may use that personal data.

Who this policy applies to

We handle data in our own right and also for and on behalf of our customers and users.

Our Privacy Policy does not apply to information we collect about businesses or companies, however it does apply to information which we store about the individuals in those businesses or companies.

The Privacy Policy applies to all forms of information, physical and digital, whether collected or stored electronically or in hard copy.

If, at any time, an individual provides data or other information about someone other than himself or herself, the individual warrants that they have that person's consent to provide such information for the purposes specified.

The Sites are not available to persons under the age of 16 years. Individuals who are under 16 years of age have to inform and obtain their parents or guardians consent to the processing of their personal information, show this policy to their parents or guardians, provide their parents or guardians’ name and contact information to us, and have their parents’ consent to us processing their child’s personal information.

The information we collect

In the course of business it is necessary for us to collect data where we have express consent, pursuant to contract or where we have demonstrated a legitimate interest. This information allows us to identify who an individual is for the purposes of providing our services, share data when we are required to do so, contact the individual in the ordinary course of business and transact with the individual. Without limitation, the type of information we may collect includes:

Personal Information. We may collect personal details such as an individual’s name, location, date of birth, nationality, family details, student's university identification number, course information and other information that allows us to identify who the individual is and share details as part of our services. We may collect personal details as required by a funding or scholarship application which may include but is not limited to course information, name, personal circumstances, income and expenditure. We may also collect relevant information via open banking as required by funding and scholarship providers and for functionality of the Sites.

Contact Information. We may collect information such as an individual’s email address, telephone number, third-party usernames, residential, business and postal address and other information that allows us and others to contact the individual.

Bank and Transaction Data. If an individual links a bank account with their Blackbullion account, we may collect data relating to that bank account (including without limitation the institution name, sort code, account number, account balance) or any transaction (including without limitation the transaction amount, date, description, merchant) as is necessary in order for us to provide our services.

Engagement Data. Information about the learning content that an individual has viewed. If a user has opted to link their Blackbullion account with their university account (and that university is a client of ours), that university will be able to view the user’s Engagement Data as well.

Assessment Data. If an individual completes any assessments or challenges as part of completing a learning module, we may collect the answers submitted by the individuals and the results of those assessments or challenges. If a user has opted to link their Blackbullion account with their university account (and that university is a client of ours), that university will be able to view the user’s Assessment Data as well.

Information an individual sends us. We may collect any other personal information that an individual sends us.

Statistical & Device Information. We may also collect statistical and device information about an individual’s activity as specified in our Cookie Policy below. We use this information to tailor and improve our services.

You can refuse to provide your personal data to us. However, if you do not provide your data, this can have an effect on your use of the Sites, or some features on our Sites may not fully function.

The purposes for processing data

We will not use any data other than for the purpose for which it was collected, other than with the individual’s permission, or where we have a legitimate interest. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.

We may process your personal data to the extent permitted or required under applicable laws, for the following purposes:

• to verify your identity and to provide and deliver our services and products to you (“Performance Purposes”);

• to respond to inquiries from you and/or communicating with you as necessary for the provision of our services (“Contact Purposes”);

• to display your banking and financial information (including your open banking data) in your account on our Sites as necessary for the provision of our services and to process your data in relation to funding opportunities (“Financial and Funding Purposes”);

• to provide you with research, reports and business intelligence and insights (“Analytics Purposes”);

• to provide you with promotional information on Blackbullion’s product and services and to carry out other promotional activities, and to invite you to participate in surveys and market research activities and analyse your interests to improve Blackbullion’s products and services (“Marketing Purposes”);

• investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity; or

• to comply with and enforce our rights and perform our obligations under applicable laws (including GDPR).

We process your personal data for Performance Purposes and Analytics Purposes in order to perform our contractual obligations to you. It is also in our legitimate interests to process your personal data for Performance Purposes as it allows us to ensure the proper administration of our Sites and to improve the user experience within our Sites.

Similarly, it is in our legitimate interests to process your personal data for Contact Purposes in order to respond to any inquiries you may have and in order for us to be able to provide the services.

Where we process your personal data for the Financial and Funding Purposes, we will ask for your consent before conducting any such processing. We will ask you for this consent when you link your bank account to your Blackbullion account. If you do not consent to any such use of your data, or if you withdraw your consent, you will not be able to access certain services on our Sites, such as your financial overview.

Where we process your personal data for Marketing Purposes, we will ask for your consent before conducting any such processing. You will be asked to opt in to receiving promotional information when you sign up to our services and can opt in or out to any marketing activities at any time via your Blackbullion account.

Finally, we may process your personal data to comply with and enforce our rights and perform our obligations under applicable laws.

How information is collected

Most information will be collected in association with an individual’s use of the Sites and our products and services. However, we may also receive data from other sources such as advertising, an individual’s own promotions, public records, mailing lists, contractors, staff, and recruitment agencies. In particular, information is likely to be collected as follows:

Registrations/Subscriptions/Purchases. When an individual registers, subscribes and/or purchases a product, service, list, account, connection or other process whereby they enter data details or grant access to information in order to receive or access something, including a transaction or services.

Accounts/Memberships. When an individual submits their details to open an account and/or become a member with us.

Supply/Contact. When an individual supplies us with services or contacts us in any way.

Pixel Tags. Pixel tags enable us to send email messages in a format customers can read and they tell us whether mail has been opened.

When you visit our Sites, we automatically collect information about your computer or other electronic devices which may include your Internet Protocol (IP) address, date and time of your request and information provided by tracking technologies, such as cookies. For more details concerning cookies, please refer to our Cookie Policy below.

We will publish changes to the way that information is collected at the point of collection and within this Privacy Policy.

We may also collect anonymous data such as traffic, IP addresses and transaction statistics, which may be used and shared on an aggregated and anonymous basis.

When data is disclosed

We disclose an individual’s information as necessary to perform the services on the Sites. It may also be necessary for us to disclose an individual’s data to third parties in a manner compliant with GDPR in the course of our business, such as for processing activities like website hosting.

If a user has opted to link their Blackbullion account with their university account (and that university is a client of ours), we may share that user’s Assessment Data and Engagement Data with staff of the linked university to enhance and inform their service provision as appropriate. Any such processing of Assessment Data and Engagement Data will be conducted for the purpose of performing our services and our contractual obligations to that user. Users that do not wish for their Assessment Data and/or Engagement Data to be shared with any linked universities in this way may choose not to link their accounts, in which case we will not share that data with any universities (but any such users may not have full access to our services).

We will not disclose or share an individual’s data to unrelated third parties under any circumstances unless: (a) applicable consent has been obtained for us to share your personal data with that third party (for example, where you indicate you are interested in an establishment and would like us to share your contact details with them so they can tell you about their offerings, or where you want to share Learning Information with a third party); (b) we are processing your personal data (such as Learning Information, Assessment Data and Engagement Data) as a service provider for or on behalf of that third party, and that third party is the controller in respect of your personal data (for example, where you are signing into Blackbullion in connection with your studies or prospective studies, and we are providing a service to your university, in which case please refer to your university's privacy policy to understand your rights and how your personal data is used); or (c) we engage other third-party services providers to perform tasks on our behalf and we need to share your information with them to provide products and services to you (in which case we will not permit those third parties to use your personal data for their own independent purposes). We will only provide our service providers with personal data which is necessary for them to perform their services, and we require them not to use your information for any other purpose. We will use our best efforts to ensure that all our service providers keep your personal data secure and comply with the requirements of GDPR. These service providers may be located outside the United Kingdom and/or European Economic Area (“EEA”), in which case the provisions of the section below will apply.

There are some circumstances in which we must disclose an individual’s information:

Third parties permitted by law. In certain circumstances, we may be required to disclose or share personal data in order to comply with legal or regulatory obligations (for example, we may be required to disclose personal data to the police, regulators, government agencies or to judicial or administrative authorities). We may also disclose personal data to:

• regulators or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts; or

• any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example, in response to a court order).


Third parties connected with business transfers. We may transfer your personal data to third parties in connection with a reorganisation, restructuring, merger or acquisition or transfer of assets, provided that the receiving party agrees to treat your personal data in a manner consistent with this Privacy Policy. If we are involved in a merger, asset sale, financing, liquidation or bankruptcy, or acquisition of all or some portion of the business to another company, you consent to us sharing information with that company before and after the transaction closes.

We will not sell your personal data to third parties.

Please note our Sites may, from time to time, contain links to and from the websites of our business contacts or affiliates. Please note that these websites have their own privacy policies and we have no control over how they may use your personal data. You should check the privacy policies of third party websites before you submit any personal data to them.

Transfer of data outside of the EEA

We will not transfer personal data relating to you to a country which is outside the EEA unless one of the following scenarios under GDPR applies:

• the country or recipient is covered by UK adequacy regulations under GDPR Article 45;

• appropriate safeguards have been put in place which meets the requirements of GDPR Article 46; or

• one of the derogations for specific situations under GDPR Article 49 is applicable to the transfer. This includes, in summary:

• where the transfer is necessary to perform, or to form, a contract to which we are a party (i) with you, or (ii) with a third party where the contract is in your interests;

• the transfer is necessary for the establishment, exercise or defence of legal claims;

• you have provided your explicit consent to the transfer; or

• the transfer is of a limited nature, and is necessary for the purpose of our compelling legitimate interests.

Cookie policy

Our website may use cookies to distinguish you from other users of our Sites. This helps us to provide you with a good experience when you browse our Sites and also allows us to improve our Sites.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your device if you agree. Cookies contain information that is transferred to your device’s hard drive. We use the following cookies on our Sites:

Strictly necessary cookies. These are cookies that are required for the operation of our website. These essential cookies are always enabled because our Sites won’t work properly without them. They include, for example, cookies that enable you to log into secure areas of our Sites. You can switch off these cookies in your browser settings but you may then not be able to access all or parts of our Sites.

Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our Sites when they are using it. This helps us to improve the way our Sites work, for example, by ensuring that users are finding what they are looking for easily.

Functionality cookies. These are used to recognise you when you return to our Sites. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).

Targeting cookies. These cookies record your visit to our Sites, the pages you have visited and the links you have followed. We will use this information to make our Sites and the advertising displayed on them more relevant to your interests.

Please note that we may share information collected by the cookies with the following third parties. These named third parties may include, for example, advertising networks and providers of external services like web traffic analysis services. These third party cookies are likely to be analytical cookies or performance cookies or targeting cookies:

• AWS, which we use to host the Blackbullion platform.
• Mixpanel, which provides us with product analytics to improve the service.
• Other service providers such as Hotjar, HubSpot, Google Analytics and Facebook.

When you use our Sites you will be asked to consent to our use of cookies and to the sharing of any information collected by the cookies with any third parties. You can choose which analytical, functionality and targeting cookies we can set by selecting the applicable options on our Sites, or by switching off cookies in your browser settings. You can also choose to "Reject All" cookies in the cookie banner. However, if you use your browser settings to disable or block cookies or withdraw your consent to our use of cookies (or to the sharing of information collected by the cookies with any third parties), you may not be able to access all or parts of our Sites and parts of our Sites may not function properly.

Opting “in” or “out” for Marketing Purposes

As stated above, we will only process your personal data for Marketing Purposes with your consent. You may withdraw your consent or opt out of any marketing at any time via your Blackbullion account. You will be aware of this when:

Opt In. Where relevant, you will have the right to choose to have information collected and/or receive marketing information from us by clicking on the ‘opt in’ button; or

Opt Out. Where relevant, you will have the right to choose to exclude yourself from some or all collection of information and/or receiving marketing information from us.

You can ask us to stop sending you marketing messages at any time by logging into the Sites and checking or unchecking relevant boxes to adjust your marketing preferences, by following the opt-out links on any marketing message sent to you or by contacting us at any time.

If you believe that you have received information from us that you did not opt in to receive, you should contact us using the details below.

The safety & security of data

We have implemented appropriate technical and organisational security measures to protect personal data in our possession from unauthorised access, disclosure, alteration or destruction. Such measures include administrative, technical and physical safeguards, for example, limiting access to personal data only to employees and authorised service providers who need to know such information for the purposes described in this Privacy Policy.

We will take all reasonable precautions to protect an individual’s data from unauthorised access. This includes appropriately securing any electronic networks.

Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, data where the security of information is not within our control.

We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s data to in accordance with this Privacy Policy or any applicable laws). The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies. If an individual suspects any misuse, loss of, or unauthorised access to their data, they should let us know immediately.

To the extent permitted by law, we are not liable for any loss, damage or claim arising out of another person’s use of the data where we were authorised to provide that person with the data.

Your rights

If you are a resident in the UK, you have the following rights in accordance with applicable laws and regulations:

Access. You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, to request access to the personal data. You have the right to obtain one copy of the personal data we hold about you at no cost, but for any further copies, we reserve the right to charge a reasonable fee based on administration costs.

Rectification. You have the right to have incomplete or inaccurate personal data that we process about you rectified.

Erasure. You have the right to request that we delete personal data that we process about you, except we are not obliged to do so if we need to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims.

Restriction. You have the right to restrict our processing of your personal data where you believe such data to be inaccurate; our processing is unlawful; or that we no longer need to process such data for a particular purpose unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it.

Portability. You have the right to obtain personal data we hold about you, in a structured, electronic format, and to transmit such data to another data controller, where this is (1) personal data which you have provided to us, and (2) if we are processing that personal data on the basis of your consent or to perform a contract with you.

Objection. Where the legal justification for our processing of your personal data is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim.

Withdrawing Consent. If you have consented to our processing of your personal data, you have the right to withdraw your consent at any time, free of charge. This includes where you wish to opt-out from marketing messages.

Where you wish to exercise any of these rights, please contact us using the details below. For your own privacy and security, we may require evidence of your identity or to be provided with additional information before we are able to act on your request when the information we have is insufficient to accommodate your request. We will attempt to provide any requested information or make requested changes in accordance with applicable laws.

If you cannot update your own information, we will correct any errors in the data we hold about you within 7 days of receiving written notice from you about those errors. Information will be provided within one month of receipt of the request.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

It is an individual’s responsibility to provide us with accurate and truthful data. We cannot be liable for any information that is provided to us that is incorrect.

The foregoing (and your right to object as discussed below) apply unless (and to the extent) we hold personal data about you on behalf of a third party and only process it on their instructions, for example where we provide learning and assessment services to a third party such as your university, and you access those services through our Sites, in which case, we will forward your request to that third party which is the controller in respect of the processing of your personal data, and you should liaise with them to discuss your request.

Complaints and disputes

You have the right to object to any processing of personal data that is not based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), and direct marketing, unless we hold legitimate grounds for processing or the processing is for the establishment, exercise or defence of legal claims.

You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your data infringes upon GDPR.

If an individual has a complaint about our handling of their data, they should address their complaint in writing to us using the contact us details below.

If we have a dispute regarding an individual’s data, we both must first attempt to resolve the issue directly between us.

If we become aware of any unauthorised access to an individual’s data which is likely to result in a high risk for the rights and freedoms of the data subject we will inform them at the earliest practical opportunity once we have established what was accessed and how it was accessed.

If you are based in the UK, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office, if you believe that we have not complied with applicable personal data protection laws. Please see further information on their website: www.ico.org.uk.

Your personal data retention period

Unless we are required or permitted by law to hold on to your data for a specific retention period we will hold your personal data only for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements, in particular:

• contact data is retained for as long as you are an active user of our Sites and for two years after you delete your account;

• marketing data is retained unless and until you withdraw your consent; and

• funding applications data is retained for the period required by the applicable university for that application.

We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Where possible, we aim to anonymise the information or remove unnecessary identifiers from records that we may need to keep for periods beyond the original retention period. Where we no longer need your personal data, we will dispose of it in a secure manner.

Contacting us

All correspondence with regards to privacy should be addressed to:

data@blackbullion.com
The Data Protection Officer
Blackbullion Ltd
5 Technology Park, Colindeep Ln, London NW9 6BX