Privacy Policy
How we collect, use, and protect your personal data
1. Introduction
J&S Software Services Ltd ("we", "us", "our") is committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use the Viizard Virtual Learning System Suite ("Viizard VLSS", "the Platform", "our Services").
We process personal data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection legislation. This policy applies to all users of our Platform, including educators, learners, and organisation administrators.
By using Viizard VLSS, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Services.
2. Data Controller
The data controller responsible for your personal data is:
J&S Software Services Ltd
[INSERT REGISTERED ADDRESS]
Scotland, United Kingdom
Company Registration Number: [INSERT NUMBER]
ICO Registration Number: [INSERT NUMBER]
Data Protection Contact:
Email: [INSERT EMAIL, e.g., privacy@viizard.com]
3. Data We Collect
3.1 Information You Provide Directly
We collect information you provide when you:
- Create an account: Name, email address, password, profile photograph (optional), professional title, organisation name
- Complete your profile: Biography, qualifications, expertise areas, social media links, contact preferences
- Create courses (Educators): Course content, videos, documents, assessments, pricing information
- Enrol in courses (Learners): Enrolment details, course progress, assessment submissions, assignment uploads
- Make payments: Billing address, payment card details (processed securely by our payment providers)
- Communicate with us: Support enquiries, feedback, survey responses
- Participate in live sessions: Video and audio data during WebRTC sessions (if recording is enabled by the educator)
3.2 Information Collected Automatically
When you use our Platform, we automatically collect:
- Device information: IP address, browser type and version, operating system, device type, screen resolution
- Usage data: Pages visited, features used, time spent on pages, click patterns, search queries
- Learning analytics: Course progress, completion rates, assessment scores, time spent on content, engagement metrics
- Log data: Access times, error logs, referring URLs
- Cookies and similar technologies: As described in our Cookie Policy
3.3 Information from Third Parties
We may receive information about you from:
- Payment processors: Transaction confirmations and payment status from Stripe and PayPal
- Your organisation: If your employer or institution provides access, they may share your name, email, and role
- Analytics providers: Aggregated and anonymised usage patterns
3.4 Special Category Data
We do not intentionally collect special category data (such as health information, religious beliefs, or biometric data). If you include such information in course content or communications, you do so at your own discretion.
4. How We Use Your Data
We use your personal data for the following purposes:
4.1 Providing Our Services
- Creating and managing your account
- Enabling course creation, delivery, and enrolment
- Processing payments and managing subscriptions
- Facilitating live teaching sessions via WebRTC
- Issuing certificates and maintaining your Personal Development Portfolio (PDP)
- Providing customer support
4.2 Improving Our Platform
- Analysing usage patterns to improve features and user experience
- Identifying and fixing technical issues
- Developing new features and services
- Conducting research and analytics
4.3 Communication
- Sending service-related notifications (account updates, course reminders, certificate issuance)
- Responding to your enquiries and support requests
- Sending marketing communications (with your consent)
- Notifying you of policy changes
4.4 Security and Compliance
- Protecting against fraud, abuse, and security threats
- Enforcing our Terms of Use
- Complying with legal obligations
- Responding to legal requests and preventing harm
4.5 For Educators
- Processing learner payments and transferring revenue to your connected payment account
- Providing analytics on course performance and learner engagement
- Enabling communication with your learners
5. Legal Basis for Processing
Under UK GDPR, we must have a legal basis for processing your personal data. We rely on the following:
| Purpose | Legal Basis |
|---|---|
| Providing our Services, managing your account | Contract: Necessary to perform our contract with you |
| Processing payments | Contract: Necessary to fulfil transactions |
| Sending service notifications | Contract: Necessary to provide the service |
| Improving our Platform, analytics | Legitimate Interests: To improve our services |
| Security and fraud prevention | Legitimate Interests: To protect our Platform and users |
| Marketing communications | Consent: Only with your explicit consent |
| Legal compliance, tax records | Legal Obligation: Required by law |
| Certificate verification by third parties | Legitimate Interests: To enable credential verification |
Where we rely on legitimate interests, we have conducted a balancing test to ensure your rights and freedoms are not overridden. You may contact us for more information about these assessments.
6. Data Sharing and Third Parties
We do not sell your personal data. We share your information only in the following circumstances:
6.1 Service Providers
We use trusted third-party service providers to help us operate our Platform:
- Cloud Hosting: Google Cloud Platform (GCP) - stores and processes data
- Payment Processing: Stripe and PayPal - process payments securely (we do not store your full card details)
- Analytics: Google Analytics - helps us understand Platform usage
- Email Services: [INSERT PROVIDER] - sends transactional and marketing emails
All service providers are contractually bound to protect your data and use it only for the purposes we specify.
6.2 Educators and Organisations
- Learner data shared with Educators: When you enrol in a course, the educator can see your name, email, profile information, course progress, assessment submissions, and completion status
- Employee data shared with Organisations: If your employer provides access, organisation administrators can view your training progress, completions, and compliance status
6.3 Certificate Verification
When you earn a certificate, it becomes part of your Personal Development Portfolio (PDP). Employers and other third parties can verify your credentials using the certificate's unique QR code or verification URL. This displays your name, the course completed, completion date, and issuing educator.
6.4 Legal Requirements
We may disclose your information if required to:
- Comply with a legal obligation, court order, or regulatory request
- Protect our rights, property, or safety, or that of our users or the public
- Detect, prevent, or address fraud, security, or technical issues
6.5 Business Transfers
If J&S Software Services Ltd is involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you of any change in ownership or use of your data.
7. International Data Transfers
Your data is primarily stored and processed in the United Kingdom and European Economic Area (EEA) on Google Cloud Platform servers.
Some of our service providers may process data outside the UK/EEA. When this occurs, we ensure appropriate safeguards are in place:
- Adequacy decisions: Transfers to countries the UK government has deemed to provide adequate data protection
- Standard Contractual Clauses (SCCs): EU/UK-approved contractual terms that protect your data
- Supplementary measures: Additional technical and organisational protections where necessary
You may contact us to obtain a copy of the safeguards we use for international transfers.
8. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law.
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account plus 2 years after deletion |
| Course content (Educators) | Duration of account; exported upon request before deletion |
| Learning records and certificates | Indefinitely (to enable ongoing credential verification) |
| Payment and billing records | 7 years (UK tax and accounting requirements) |
| Support communications | 3 years after resolution |
| Analytics data | 26 months (aggregated/anonymised thereafter) |
| Marketing consent records | Duration of consent plus 2 years |
After the retention period, data is securely deleted or anonymised so it can no longer be associated with you.
Note for Learners: Your certificates and portfolio remain verifiable even after account deletion, as this is essential for employers to verify your credentials. You may request full deletion including certificates, but this will invalidate your credentials.
9. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
9.1 Right of Access
You can request a copy of the personal data we hold about you. We will provide this within one month of your request.
9.2 Right to Rectification
You can request correction of inaccurate or incomplete data. You can also update most information directly in your account settings.
9.3 Right to Erasure ("Right to be Forgotten")
You can request deletion of your personal data in certain circumstances, such as when the data is no longer necessary or you withdraw consent. Some data may be retained for legal compliance.
9.4 Right to Restriction of Processing
You can request that we limit how we use your data while we address your concerns about accuracy or our legal basis for processing.
9.5 Right to Data Portability
You can request your data in a structured, commonly used, machine-readable format (such as CSV or JSON) and have it transferred to another provider.
9.6 Right to Object
You can object to processing based on legitimate interests or for direct marketing purposes. We will stop unless we have compelling legitimate grounds.
9.7 Rights Related to Automated Decision-Making
We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.
How to Exercise Your Rights
To exercise any of these rights, please contact us at [INSERT EMAIL]. We will respond within one month. If your request is complex, we may extend this by up to two additional months, and we will inform you of the reason.
We may need to verify your identity before processing your request. There is no fee for most requests, but we may charge a reasonable fee for manifestly unfounded or excessive requests.
Right to Complain
If you are not satisfied with how we handle your data or your request, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Information Commissioner's Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk
Helpline: 0303 123 1113
11. Security Measures
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it.
Technical Measures
- Encryption: All data in transit is encrypted using TLS 1.2+. Sensitive data at rest is encrypted using AES-256
- PCI-DSS Compliance: Payment processing meets Payment Card Industry Data Security Standards
- Access Controls: Role-based access, multi-factor authentication for administrative access
- Infrastructure Security: Hosted on Google Cloud Platform with SOC 2 and ISO 27001 certifications
- Regular Testing: Vulnerability scanning and security assessments
Organisational Measures
- Staff training on data protection and security
- Data protection impact assessments for high-risk processing
- Incident response procedures
- Regular policy reviews
While we strive to protect your data, no method of transmission or storage is 100% secure. If you believe your account has been compromised, please contact us immediately.
12. Children's Privacy
Viizard VLSS is not directed at children under the age of 16. We do not knowingly collect personal data from children under 16 without parental consent.
If you are under 16, you may only use our Platform with the involvement and consent of a parent or guardian.
If we become aware that we have collected personal data from a child under 16 without appropriate consent, we will take steps to delete that information promptly.
If you believe we have inadvertently collected data from a child, please contact us at [INSERT EMAIL].
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
When we make changes:
- We will update the "Last Updated" date at the top of this policy
- For material changes, we will notify you by email or through a prominent notice on our Platform
- We may ask for your consent again if required by law
We encourage you to review this policy periodically. Your continued use of our Services after changes are posted constitutes your acceptance of the updated policy.
14. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
J&S Software Services Ltd
[INSERT ADDRESS]
Scotland, United Kingdom
Email: [INSERT EMAIL, e.g., privacy@viizard.com]
General Enquiries: Contact Form
We aim to respond to all enquiries within 5 working days.