Registered Office: Courtyard Offices, Apsley House, Waterloo Lane, Chelmsford, CM1 1BD
Website: https://whitefiretechnologies.com
1. Purpose of This Policy
This GDPR & Data Protection Policy sets out how White Fire Technologies (“we”, “our”, “us”) collects, stores, processes, and protects personal data in compliance with:
- UK General Data Protection Regulation (UK GDPR)
- Data Protection Act 2018
- Privacy and Electronic Communications Regulations (PECR)
- Guidance issued by the Information Commissioner’s Office (ICO)
We are committed to ensuring that all personal data is:
- Processed lawfully, fairly, and transparently
- Collected for specific, explicit, and legitimate purposes
- Adequate, relevant, and limited to what is necessary
- Accurate and kept up to date
- Stored securely and retained only as long as necessary
- Processed in a way that ensures appropriate security
2. Scope
This Policy applies to:
- All students, learners, graduates, freshers, and career switchers enrolled in our programmes
- All staff, trainers, and contractors who process personal data on behalf of White Fire Technologies
- All systems, platforms, and databases used to store or process data
- Both digital services (online courses, e-learning) and in-person training programmes
3. Data Controller
White Fire Technologies acts as the Data Controller for the personal data it collects and processes.
Contact details:
Data Protection Officer (DPO)
White Fire Technologies
Courtyard Offices, Apsley House, Waterloo Lane, Chelmsford, CM1 1BD
Email: info@whitefiretechnologies.com
4. Data We Process
We process the following categories of data (as outlined in our Privacy Policy but detailed further here):
- Personal identifiers: Name, date of birth, gender (optional)
- Contact data: Address, phone number, email
- Academic & professional data: Qualifications, CVs, learning records
- Financial data: Payment history (via third-party gateways)
- Technical data: IP addresses, device identifiers, cookies
- Special category data: Only when strictly necessary (e.g., accessibility needs, health-related adjustments)
5. Lawful Basis for Processing
Under Article 6 of UK GDPR, processing must have a lawful basis. White Fire Technologies relies on:
- Consent – e.g., marketing communications, optional surveys
- Contractual necessity – to deliver training and internships you have enrolled in
- Legal obligation – to comply with HMRC, employment, or regulatory requirements
- Legitimate interest – for service improvements, fraud prevention, and internal reporting
For special category data, Article 9 UK GDPR requires additional conditions, which may include:
- Explicit consent
- Employment and social protection law obligations
- Vital interests of the individual (e.g., health emergencies)
6. Data Minimisation & Retention
We adopt a data minimisation principle – collecting only what is necessary.
- Student records: Retained for 6 years post-completion (for verification of qualifications).
- Financial data: Retained for 7 years (for HMRC compliance).
- Marketing data: Retained until consent is withdrawn.
- Job/internship applications: Retained for 12 months unless longer retention is consented to.
Data is securely deleted or anonymised when no longer needed.
7. Data Subject Rights
Under UK GDPR, all individuals have the following rights:
- Right to be informed – about how their data is used.
- Right of access – to request a copy of their personal data (Subject Access Request).
- Right to rectification – to correct inaccurate or incomplete data.
- Right to erasure – to request deletion (“right to be forgotten”).
- Right to restrict processing – in specific circumstances.
- Right to data portability – to transfer their data in a machine-readable format.
- Right to object – to processing, including direct marketing.
- Rights related to automated decision-making – including profiling.
We respond to such requests within one calendar month unless complex circumstances require an extension (up to two months).
8. Subject Access Requests (SARs)
8.1 Process for Request
- Submit a request via email to info@whitefiretechnologies.com.
- We may require proof of identity.
8.2 Response Time
We will respond within 30 days of receiving a valid request.
8.3 Fees
Requests are free of charge unless they are manifestly unfounded, excessive, or repetitive.
9. Data Sharing & Processors
We may share data with trusted third parties such as:
- Payment providers (Stripe, PayPal)
- Learning platforms (LMS providers, video hosting services)
- Partner institutions (for joint certifications)
- Regulators and government authorities (if required by law)
We ensure that:
- All third parties are GDPR-compliant
- Data Processing Agreements (DPAs) are in place
- Data is not shared for marketing purposes without consent
10. International Data Transfers
Where data is transferred outside the UK or EEA, we ensure:
- Adequacy decisions (UK-approved countries)
- Standard Contractual Clauses (SCCs) where required
- Appropriate security measures (encryption, access control)
11. Data Security Measures
We use robust technical and organisational security measures, including:
- Encryption (at rest and in transit)
- Role-based access control
- Two-factor authentication for internal systems
- Secure cloud hosting in the UK/EU
- Regular penetration testing and security audits
- Staff training on data protection responsibilities
12. Data Breach Management
12.1 Definition
A data breach is any event that leads to unauthorised access, loss, alteration, or disclosure of personal data.
12.2 Breach Response Plan
1. Identification – breach detected via monitoring or staff reporting
2. Containment – immediate measures to stop further risk
3. Assessment – evaluation of impact and categories of data affected
4. Notification –
   - ICO notified within 72 hours if required
   - Individuals notified where there is a high risk to their rights
5. Review – root cause analysis and corrective actions
13. Responsibilities
13.1 Senior Management
- Ensure overall compliance with GDPR obligations.
13.2 Data Protection Officer (DPO)
- Act as point of contact for data subjects and ICO
- Monitor compliance and staff training
13.3 Staff & Trainers
- Handle personal data responsibly
- Follow internal policies and report breaches immediately
14. Children & Young Learners
Our services are aimed at individuals aged 16+.
- If we knowingly collect data from under-16s, we require verifiable parental consent.
- Parents/guardians may exercise GDPR rights on behalf of their children.
15. Privacy by Design & Default
We incorporate data protection principles into all our processes:
- New courses or systems undergo a Data Protection Impact Assessment (DPIA) where risks exist.
- Only necessary data fields are requested in forms.
- Access to data is restricted by default.
16. Training & Awareness
All staff undergo mandatory GDPR and data protection training, covering:
- Recognising personal data
- Handling sensitive information
- Responding to SARs
- Data breach reporting procedures
Refresher training is provided annually.
17. Monitoring & Review
This Policy is reviewed:
- Annually, or
- When significant legal, operational, or technological changes occur.
18. Enforcement
Breaches of this Policy by staff may result in disciplinary action, including termination of employment or contract.
19. Contact & Complaints
For queries, requests, or complaints:
Data Protection Officer (DPO)
White Fire Technologies
Courtyard Offices, Apsley House, Waterloo Lane, Chelmsford, CM1 1BD
Email: info@whitefiretechnologies.com
If unresolved, you may complain directly to the Information Commissioner’s Office (ICO): https://ico.org.uk