V2.2 (GDPR) July 2022
BLACKBULLION LIMITED (Company Number 7629923) of 5 Technology Park, Colindeep Ln, London NW9 6BX
we, us or our) provides the products and services
offered on the Blackbullion platform www.blackbullion.com (Platform). There are a
number of other Blackbullion websites (sites).
For the purposes of the Data Protection Act 2018 (Act) and the General Data Protection
Regulation (EU) 2016/679 (GDPR), we are a data controller except where we also act as a data processor
under the instructions of a third party (such as educational institutions).
We have adopted this Privacy Notice to reflect the standards we have in place to protect the data we
collect about individuals that is necessary for:
• providing the products and services that we offer; and
• the normal day-to-day operations of our business.
By publishing this Privacy Notice we aim to make it easy for our users, customers and the public to
understand what data we collect and store, why we do so, how we receive and/or obtain that information,
and the rights each individual has with respect to their data in our possession.
We handle data in our own right and also for and on behalf of our customers and users.
Our Privacy Notice does not apply to information we collect about businesses or companies, however it
does apply to information which we store about the individuals in those businesses or companies.
The Privacy Notice applies to all forms of information, physical and digital, whether collected or
stored electronically or in hard copy.
If, at any time, an individual provides data or other information about someone other than himself or
herself, the individual warrants that they have that person's consent to provide such information for
the purposes specified.
The Platform is not available to persons under the age of 13 years.
We reserve the right to make changes to this Privacy Notice. We will make sure to keep users notified in
advance of any such changes.
In the course of business it is necessary for us to collect data where we have express consent, pursuant
to contract or where we have demonstrated a legitimate interest. This information allows us to identify
who an individual is for the purposes of our business, share data when we are required to do so by third
parties, contact the individual in the ordinary course of business and transact with the individual.
Without limitation, the type of information we may collect is:
Personal Information. We may collect personal details such as an individual’s name,
location, date of birth, nationality, family details, student's university identification number, and
other information, - that allows us to identify who the individual is and share details as part of our
services;
Contact Information. We may collect information such as an individual’s email address,
telephone number, third-party usernames, residential, business and postal address and other information
- that allows us to contact the individual;
Learning Information. We collect information about how an individual uses our platform
- including but not limited to lessons begun and completed, tools used, assessment scores and results
achieved - this allows us to determine the effectiveness of our pedagogy and the impact of our platform
to users and clients.
Information an individual sends us. We may collect any personal correspondence that an
individual sends us, or that is sent to us by others about the individual’s activities, including
activities with our partners (such as Facebook, LinkedIn or Twitter) – that allows us to track those
activities and share details as part of our services.
Statistical & Device Information. We may also collect statistical and device
information about an individual’s online and offline activity as specified in our Cookies Policy. We use
this information to tailor and improve our services.
We may collect other similar information and personal data about an individual, which we will maintain
in accordance with the principles established in this Privacy Notice.
We may also collect data by which an individual cannot be identified such as information regarding their
computer, network and browser. This may include their IP address.
Most information will be collected in association with an individual’s use of the Platform, products and
services, an enquiry about us or generally dealing with us. However, we may also receive data from other
sources such as advertising, an individual’s own promotions, public records, mailing lists, contractors,
staff, and recruitment agencies. In particular, information is likely to be collected as follows:
Registrations/Subscriptions/Purchases. When an individual registers, subscribes and or
purchases a product, service, list, account, connection or other process whereby they enter data details
or grant access to information in order to receive or access something, including a transaction or
services;
Accounts/Memberships. When an individual submits their details to open an account
and/or become a member with us;
Partners. When an individual grants us access to their accounts with our business
partners (such as Facebook or Twitter);
Supply/Contact. When an individual supplies us with services or contacts us in any way;
and
Pixel Tags. Pixel tags enable us to send email messages in a format customers can read
and they tell us whether mail has been opened.
If, at any time, a third party provides data or other information about any individual, we will require
consent to provide such information to us for the purpose specified.
We will publish changes to the way that information is collected at the point of collection and within
this notice. As there are many circumstances in which we may collect information both electronically and
physically, we will ensure that an individual provides express consent when their data is being
collected in any other way.
We may also collect anonymous data such as traffic, IP addresses and transaction statistics, which may
be used and shared on an aggregated and anonymous basis.
The data that we collect from you may be transferred to, and stored outside the European Economic Area
(EEA) and with third parties. It may also be processed by staff operating outside the EEA who work for
us or for one of our suppliers. In these instances if your data is shared with organisations who reside
in countries or territories where they are not subject to broadly similar rights to those you have in
the United Kingdom/EEA, we will take all reasonable steps to establish that the appropriate safeguards
are in place at recipient partner organisations.
Such staff maybe engaged in, among other things, the fulfilment of your order, the processing of your
payment details and the provision of support services.
You hereby consent to this transfer, storing or processing.
We will not use any data other than for the purpose for which it was collected other than with the
individual’s permission, or where we have a legitimate interest. The purpose of collection is determined
by the circumstances in which the information was collected and/or submitted.
We will retain data for the period necessary to fulfil the purposes outlined in this Privacy Notice,
being not longer than 7 years unless a longer retention period is required or permitted by law.
Information is used to enable us to operate our business, especially as it relates to an individual.
This may include, subject to necessary consent (as required):
the provision of goods and services between an individual and us;
• verifying an individual’s identity, work experience or qualifications;
• communicating with an individual about:
• their relationship with us;
• our goods and services;
• our own marketing and promotions to customers and prospects; and/or
• competitions, surveys and questionnaires, for which we will get expressed consent at the point of
submission;
• investigating any complaints about or made by an individual, or if we have reason to suspect that an
individual is in breach of any of our terms and conditions or that an individual is or has been
otherwise engaged in any unlawful activity; and/or
• as required or permitted by any law (including the GDPR).
If you publicly post about us, or communicate directly with us, on a social media website, we may
collect and process the data contained in such posts or in your public profile for the purpose of
addressing any customers services requests you may have and to monitor and influence public opinion.
We disclose an individual’s information as necessary to perform the services on the Platform. It may
also be necessary for us to disclose an individual’s data to third parties in a manner compliant with
the GDPR in the course of our business, such as for processing activities like website hosting.
We may share assessment and engagement data with university student service departments to enhance and
inform their service provision as appropriate. WE do NOT share financial data unless the user explicitly
“opts-in” to sharing this with their university.
We will not disclose or sell an individual’s data to unrelated third parties under any circumstances
unless: (a) applicable consent has been obtained for us to share your personal data with that third
party (for example, where you indicate you are interested in an establishment and would like us to share
your contact details with them so they can tell you about their offerings, or where you want to share
Learning Information with a third party); (b) we are processing your personal data (such as Learning
Information, assessment and engagement data) as a service provider for or on behalf of that third party,
and that third party is the controller in respect of your personal data (for example, where you are
signing into Blackbullion to complete an assessment in connection with your studies or prospective
studies, and we are providing a service to your university, in which case please refer to your
university's privacy policy to understand your rights and how your personal data is used); or (c) we
engage other companies to perform tasks on our behalf and we need to share your information with them to
provide products and services to you (in which case we will not permit those third parties to use your
personal data for their own independent purposes). We will ensure that any such providers comply with
the principles of the GDPR.
There are some circumstances in which we must disclose an individual’s information:
where we reasonably believe that an individual may be engaged in fraudulent, deceptive or unlawful
activity that a governmental authority should be made aware of;
as required by any law, including but not limited to court orders; and/or
in order to sell our business (as we may transfer data to a new owner).
We may share assessment and engagement data with university student service departments to enhance and
inform their service provision as appropriate. WE do NOT share financial data or information unless the
user explicitly “opt-in” to sharing this with their university.
We will not disclose an individual’s data to any entity outside of the EEA, unless that entity operates
in an environment governed by requirements that are at least equivalent to the GDPR. We will take
reasonable steps to ensure that any disclosure to an entity outside of the United Kingdom will not be
made until that entity has agreed in writing with us to safeguard data as we do.
We may partner with or utilise third-party service providers (such as Gmail from Google, Inc) to
communicate with an individual and to store contact details about an individual. These service providers
may be located outside the United Kingdom, including the United States of America (subject to the
Privacy Shield), another adequate protection country or otherwise in compliance with the GDPR.
If we are involved in a merger, asset sale, financing, liquidation or bankruptcy, or acquisition of all
or some portion of the business to another company, you consent to us sharing information with that
company before and after the transaction closes.
We disclose an individual’s information as necessary to perform the services on the Platform. It may
also be necessary for us to disclose an individual’s data to third parties in a manner compliant with
the GDPR in the course of our business, such as for processing activities like website hosting.
We may share an individual’s information with third parties for the processing and storage of certain
personal information on terms which are substantially the same as those set out in this Privacy Notice.
We may link your account with a third party (such as Facebook, LinkedIn or Twitter) to our services to
enable certain functionality, which allows us to obtain information from those accounts (including your
profile picture, friends or contacts).
The information we may obtain from those services often depends on your settings or their privacy
policies. We recommend that you read any third party privacy policies before entering any personal
information.
Our website may use cookies to distinguish you from other users of our Platform. This helps us to
provide you with a good experience when you browse our Platform and also allows us to improve our
Platform. By continuing to browse the Platform, you are agreeing to our use of cookies.
A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your
device if you agree. Cookies contain information that is transferred to your device’s hard drive. You
block cookies by activating the setting on your browser that allows you to refuse the setting of all or
some cookies. However, if you use your browser settings to block all cookies (including essential
cookies) you may not be able to access all or parts of our Platform.
Please refer to our Cookie Policy, contained in the Terms of Use document, for further information.
An individual may withdraw consent or opt to not have us collect their data and communicate with them at
certain times by not providing express content. This may prevent us from offering them some, or all, of
our services and may terminate their access to some or all of the services they access with or through
us. They will be aware of this when:
Opt In. Where relevant, the individual will have the right to choose to have
information collected and/or receive information from us; or
Opt Out. Where relevant, the individual will have the right to choose to exclude
himself or herself from some or all collection of information and/or receiving information from us. An
individual may revoke their consent at any time, and the decision to opt out will be made through the
same media which allowed the individual to opt in (and other additional media).
If an individual believes that they have received information from us that they did not opt in to
receive, they should contact us on the details below.
We will take all reasonable precautions to protect an individual’s data from unauthorised access. This
includes appropriately securing our physical facilities and electronic networks.
The security of online transactions and the security of communications sent by electronic means or by
post cannot be guaranteed. Each individual that provides information to us via the internet or by post
does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access
to, data where the security of information is not within our control.
We are not responsible for the privacy or security practices of any third party (including third parties
that we are permitted to disclose an individual’s data to in accordance with this Notice or any
applicable laws). The collection and use of an individual’s information by such third parties may be
subject to separate privacy and security policies.
If an individual suspects any misuse, loss of, or unauthorised access to, their data, they should let us
know immediately.
To the extent permitted by law, we are not liable for any loss, damage or claim arising out of another
person’s use of the data where we were authorised to provide that person with the data.
The Act gives you the right to request from us the data that we have about you.
If an individual cannot update his or her own information, we will correct any errors in the data we
hold about an individual within 7 days of receiving written notice from them about those errors.
It is an individual’s responsibility to provide us with accurate and truthful data. We cannot be liable
for any information that is provided to us that is incorrect.
We may charge an individual a reasonable fee for our costs incurred in meeting any of their requests to
disclose the data we hold about them if such a request is manifestly unfounded or excessive. We reserve
the right to clarify the specific information your request relates to.
Information will be provided within one month of receipt of the request.
Upon your request, we will delete your information and personal data from our active databases.
The foregoing (and your right to object as discussed below) apply unless (and to the extent) we hold
personal data about you on behalf of a third party and only process it on their instructions, for
example where we provide learning and assessment services to a third party such as your university, and
you access those services through our platform, in which case, we will forward your request to that
third party which is the controller in respect of the processing of your personal data, and you should
liaise with them to discuss your request.
You have the right to object to processing not based on legitimate interests or the performance of a
task in the public interest/exercise of official authority (including profiling); and direct marketing;
unless we hold legitimate grounds for processing or the processing is for the establishment, exercise or
defence of legal claims.
You have the right to lodge a complaint with a supervisory authority if you consider that the processing
of your data infringes upon the General Data Protection Regulation.
If an individual has a complaint about our handling of their data, they should address their complaint
in writing to the details below.
If we have a dispute regarding an individual’s data, we both must first attempt to resolve the issue
directly between us.
If we become aware of any unauthorised access to an individual’s data which is likely to result in a
high risk for the rights and freedoms of the data subject we will inform them at the earliest practical
opportunity once we have established what was accessed and how it was accessed.
If we decide to change this Privacy Notice, we will post the changes on our website at
www.blackbullion.com/privacy. It is your responsibility to refer back to this Privacy Notice to review
any amendments.
We may do things in addition to what is stated in this Privacy Notice to comply with the Act and nothing
in this Privacy Notice shall deem us to have not complied with the Act.
All correspondence with regards to privacy should be addressed to:
The Data Protection Officer
Blackbullion Ltd
5 Technology Park, Colindeep Ln, London NW9 6BX
data@blackbullion.com
You may contact us by email in the first instance.