Privacy Policy

1. Introduction

1.1. Purpose of this Privacy Policy 

This Privacy Policy explains how Blackridge Group Ltd ("we", "us", "our"), as the data controller for Orbas Learn, collects, uses, stores, shares, and protects your personal data when you access or interact with the Orbas Learn platform, website, applications, and services (collectively, the "Platform"). It aims to ensure transparency, provide clear information, and uphold your legal rights under applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1.2. Scope and Application
This Policy applies to all individuals who interact with the Orbas Learn Platform, including:

• Learners and course participants

• Instructors and content creators

• Website visitors

• Business contacts and partners

It governs the processing of personal data collected online and offline, including through registration forms, cookies, email communications, and API integrations. By using our Platform, you confirm that you have read and understood this Privacy Policy.

1.3. Controller Identity and Contact Details

The data controller responsible for your personal data is:

Blackridge Group Ltd
Registered in England and Wales
Company No: 16482166
Registered Office: 61 Bridge Street, Kington, Hertfordshire, United Kingdom, HR5 3DJ
Email: privacy@orbas.io

1.4. Definitions

The following key terms used in this Policy have the meanings set out below:

• Personal Data: Any information that relates to an identified or identifiable natural person ("data subject"), such as name, email address, IP address, or student ID.

• Processing: Any operation or set of operations performed on personal data, whether or not by automated means, including collection, recording, storage, use, disclosure, and erasure.

• Data Controller: The organisation (in this case, Blackridge Group Ltd) that determines the purposes and means of processing personal data.

• Data Processor: A third party that processes personal data on behalf of the data controller under contractual instructions.

• Special Category Data: Sensitive data types such as health, race, religion, or sexual orientation, subject to additional protections under UK GDPR.

1.5. Contacting the Data Protection Officer (DPO)

We have appointed a Data Protection Officer (DPO) to oversee compliance with data protection laws and to respond to any questions or concerns relating to this Policy or your personal data. You may contact our DPO via:

Data Protection Officer – Blackridge Group Ltd
Email: privacy@orbas.io
Postal Address: 61 Bridge Street, Kington, Hertfordshire, United Kingdom, HR5 3DJ

We are committed to responding promptly and professionally to all data privacy enquiries.

2. What Data We Collect

We collect personal data from a variety of sources to provide, maintain, and improve the Orbas Learn Platform and services. The categories of data collected include information you provide directly, information collected automatically through your use of our services, data received from third parties, and, where relevant, sensitive personal data (special category data).

2.1. Data You Provide to Us

When you interact with the Orbas Learn Platform, you may voluntarily submit personal data through the following means:

• Registration Data: When you create an account, we collect your name, email address, password, country, and age confirmation.

• Profile and Preferences: You may provide profile information including biography, learning interests, social media links, uploaded images, preferred language, and communication preferences.

• Payment and Billing Information: When purchasing or enrolling in paid courses, we collect payment details such as billing address, transaction ID, and card-related metadata (note: actual card numbers are processed securely by third-party payment processors and are not stored by Orbas Learn).

This data is required to enable core services such as course enrolment, personalised recommendations, instructor payments, and customer support.

2.2. Data We Collect Automatically

Certain data is automatically collected when you use our Platform:

• Usage Data: Includes course activity, login times, session duration, navigation behaviour, button clicks, downloads, and course completion rates.

• Device and Log Data: Includes browser type, operating system, IP address, access timestamps, referring URLs, mobile device identifiers, crash logs, and diagnostics.

• Cookies and Tracking Technologies: We use cookies, pixels, beacons, and similar technologies to collect data about your browsing behaviour, login status, and site interactions. This is explained in further detail in our Cookie Policy.

This information allows us to secure the Platform, optimise performance, troubleshoot issues, and deliver personalised experiences.

2.3. Data from Third Parties

We may receive personal data about you from the following third-party sources:

• Social Login Providers: If you register or sign in via third-party services (e.g. Google, Facebook, LinkedIn), we receive your basic profile data and email address as authorised by your account settings.

• Marketing Partners: We may receive lead data or engagement analytics from marketing affiliates, ad networks, or campaign platforms that you have interacted with.

• Referrals or Integrations: Where another user refers you to the Platform or where you interact with integrated services (e.g., Zoom, payment gateways), we may receive data necessary for onboarding or access.

All such data is handled in accordance with UK GDPR and based on contractual or consent-based lawful grounds.

2.4. Special Category Data 

In general, Orbas Learn does not require the collection of special category data (e.g., data revealing racial or ethnic origin, political opinions, health status, or sexual orientation). However, in limited cases—for example, if an instructor offers disability-related accommodations, or if accessibility metadata is required—we may collect such data with your explicit consent.

Where applicable, we apply heightened security and limit access to such data in accordance with Article 9 of the UK GDPR.

3. How We Use Your Data

We use your personal data to operate, enhance, and deliver the Orbas Learn Platform in a lawful, fair, and transparent manner. This section sets out the purposes for which we process your data and the legal bases that justify such processing.

3.1. Lawful Bases for Processing (Article 6 UK GDPR)

Under Article 6 of the UK GDPR, we rely on one or more of the following lawful bases to process your personal data:

• Contractual Necessity: To perform a contract with you, such as providing access to purchased courses or processing payments.

• Consent: Where you have given us clear, informed consent for specific purposes, such as receiving marketing emails or using optional cookies.

• Legitimate Interests: To improve the Platform, prevent fraud, or develop our services in a way that does not override your fundamental rights and freedoms.

• Legal Obligation: To comply with statutory or regulatory requirements, such as tax reporting or dispute resolution.

• Vital Interests: In rare cases, to protect your life or the life of another person (e.g. health-related support in emergencies).

3.2. Core Purposes

We process your personal data for the following core purposes:

• Account Management: To create and administer your user profile, authenticate login credentials, and manage account preferences.

• Platform Functionality: To provide seamless navigation, language settings, personalised dashboards, and device compatibility.

• Course Enrolment and Delivery: To register you for courses, facilitate progress tracking, issue certificates, and allow instructors to deliver content and communicate with learners.

• Communications: To send important transactional emails (e.g. purchase confirmations, course updates, system alerts), and, where consented, marketing communications regarding new courses, promotions, or Orbas Learn initiatives.

3.3. AI and Automated Processing 

Where Orbas Learn incorporates AI tools (e.g., for course recommendations or content support), personal data may be used to:

• Generate suggestions based on your interests or past activity

• Provide automated content formatting assistance

• Improve course discoverability and relevance

We do not use AI tools for decisions that produce legal or similarly significant effects without human review. Automated decision-making processes, if used, will always comply with Article 22 UK GDPR.

3.4. Analytics and Improvements

We use pseudonymised and aggregated user data to:

• Analyse usage trends and platform performance

• Identify errors, bugs, or design inefficiencies

• Evaluate and improve our educational offerings and user experience

Where possible, analytics are conducted using data that does not directly identify individuals unless consent has been given (e.g. via cookies).

3.5. Legal and Compliance Obligations 

We may process your personal data to:

• Comply with applicable laws and regulations, such as anti-money laundering (AML), tax, or employment law

• Investigate and respond to legal requests, subpoenas, or lawful disclosures

• Enforce our Terms and Conditions, Acceptable Use Policy, and other contractual rights.

4. Sharing and Disclosure

We do not sell your personal data. However, to provide the Orbas Learn Platform and fulfil our legal and operational obligations, we may share your personal data under specific conditions and with appropriate safeguards in place.

4.1. Internal Access and Role-Based Controls

Access to your personal data is restricted within Blackridge Group Ltd to employees, agents, or contractors who require such access for legitimate business purposes. Access is governed by role-based access controls, and internal handling is subject to:

• Data minimisation principles

• Confidentiality obligations

• Staff training on data protection and privacy

4.2. External Third Parties

• We may share your personal data with carefully vetted third parties who act as data processors on our behalf or as joint controllers, where appropriate. These include:

  
  

  • Payment Processors: Third-party services such as Stripe or PayPal process payments and issue refunds. Your billing information is securely transmitted and not stored on Orbas Learn servers.

• Cloud Storage Providers: To securely store and manage Platform data, including backups and media content (e.g., AWS, Google Cloud).

• Analytics and Advertising Vendors: To understand user behaviour, improve user experience, and deliver relevant marketing, we may use services such as Google Analytics or Meta Ads. Data shared is anonymised or pseudonymised where feasible.

All third parties are bound by contractual agreements, including Data Processing Agreements (DPAs), which ensure:

• Compliance with UK GDPR and PECR

• Use of data only for instructed purposes

• Implementation of robust security measures

• No unauthorised onward sharing.

4.3. Legal and Regulatory Disclosures

We may disclose your personal data when required to:

• Comply with legal obligations, court orders, or lawful authority requests

• Respond to subpoenas or regulatory investigations

• Protect or defend the legal rights, safety, or property of Orbas Learn, our users, or others

Such disclosures are limited to the minimum amount of data necessary and documented in accordance with internal governance policies.

4.4. Corporate Transactions (e.g. merger, acquisition)

In the event of a merger, acquisition, asset transfer, corporate restructuring, or insolvency, user data may be disclosed or transferred to the acquiring entity as part of the transaction. We will:

• Notify affected users in advance, where legally required

• Ensure that the receiving party is subject to privacy obligations no less protective than those in this Policy

• Maintain lawful bases for continued processing.

5. International Data Transfers

Orbas Learn is committed to ensuring that your personal data remains protected when transferred outside of the United Kingdom (UK) or the European Economic Area (EEA). This section outlines how such transfers are handled in compliance with the UK GDPR and other relevant legislation.

5.1. Transfers Outside UK or EEA

In the course of operating the Platform and engaging third-party service providers (e.g., cloud storage, analytics, and payment services), we may transfer personal data to jurisdictions outside the UK or EEA. These jurisdictions may not have the same legal protections for personal data as those within the UK.

Examples of such transfers include:

• Storage of course materials and user data on non-UK servers

• Use of international email delivery or communication tools

• Processing of transactions by global payment platforms.

5.2. Legal Safeguards (IDTA, SCCs, etc.)

To ensure that your personal data remains secure and subject to an adequate level of protection when transferred internationally, we implement appropriate safeguards, which may include:

• UK International Data Transfer Agreements (IDTAs) or Addendums to EU Standard Contractual Clauses (SCCs), where applicable

• Binding Corporate Rules (BCRs) where transfers occur within an international corporate group

• Adequacy Regulations issued by the UK Secretary of State confirming equivalent data protection in the destination country

• Additional security measures including encryption in transit, access restrictions, and pseudonymisation of personal data.

All such safeguards are reviewed regularly, and we require our third-party processors to maintain equivalent protections through data processing agreements.

5.3. Data Subject Rights on International Transfers

If your personal data is transferred outside of the UK or EEA, you continue to enjoy all your data protection rights under the UK GDPR, including:

• The right to request information about the safeguards applied to such transfers

• The right to object to international transfers where there is no adequate protection

• The right to lodge a complaint with the Information Commissioner’s Office (ICO) if you believe that your data is not being handled in accordance with the law.

You may contact our Data Protection Officer (DPO) for further details about the specific safeguards applied to international data transfers relevant to your data.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, to comply with our legal obligations, to resolve disputes, and to enforce our agreements. This section outlines our data retention principles, including how long data is kept, how it may be anonymised or archived, and how it is securely deleted.

6.1. Retention Periods by Data Type

The specific retention periods for different types of personal data vary based on legal, operational, and contractual requirements:

• Account and Profile Data: Retained for as long as the user maintains an active account. Deleted within 90 days of account closure, unless otherwise required

• Transaction and Payment Records: Retained for up to seven (7) years to comply with financial reporting and tax obligations

• Course Enrolment and Progress Data: Retained for up to five (5) years from the last interaction or course activity

• Marketing Preferences and Communications Logs: Retained for three (3) years from the date of the last interaction, or until consent is withdrawn

Customer Support Interactions: Retained for two (2) years from the resolution of the support request.

6.2. Anonymisation and Archiving

Where personal data is no longer required for its original purpose but may still hold value for analytics, reporting, or legal evidence, it may be:

• Anonymised: Data is irreversibly altered so that individuals can no longer be identified. Anonymised data is retained indefinitely for legitimate business intelligence

• Archived: Data is moved to a restricted-access environment, stored securely for a specified period based on business or legal requirements, and reviewed regularly for relevance and deletion

We ensure that anonymisation processes comply with the UK Information Commissioner’s Office (ICO) guidance on anonymisation and de-identification.

6.3. Secure Deletion Procedures

When data reaches the end of its retention period, it is securely deleted or destroyed in accordance with industry standards and data protection laws. Our deletion protocols include:

• Cryptographic wiping or secure file erasure

• Destruction of physical records where applicable

• Confirmation and audit logging of deletion events

Users may also request the erasure of their data under the UK GDPR’s Right to Erasure (see Section 7). We will honour such requests where no overriding legal basis or statutory obligation exists for continued retention.

7. Your Data Protection Rights

Under the UK General Data Protection Regulation (UK GDPR), individuals whose personal data is processed by Orbas Learn are entitled to exercise a number of rights, which are outlined below. These rights are not absolute and may be subject to lawful limitations, exemptions, or verification processes where applicable.

7.1. Right to Access

You have the right to obtain confirmation as to whether we are processing your personal data and, where that is the case, access to the data and information about the purposes of processing, data categories, recipients, storage periods, and your associated rights. This is commonly known as a “data subject access request” (DSAR).

7.2. Right to Rectification

If you believe that any of the personal data we hold about you is inaccurate or incomplete, you may request that it be corrected or updated without undue delay.

7.3. Right to Erasure (“Right to be Forgotten”)

You may request that we erase your personal data, provided that:

• The data is no longer necessary for the purposes for which it was collected

• You withdraw consent (where applicable)

• You object to the processing and there is no overriding legitimate interest

• The data was processed unlawfully

• The data must be deleted to comply with a legal obligation.

We may retain certain data where we have a legal basis or obligation to do so.

7.4. Right to Restriction of Processing

You may request that we restrict the processing of your personal data in circumstances where:

• You contest the accuracy of the data (pending verification)

• Processing is unlawful but you oppose erasure

• We no longer need the data but you require it for legal claims

• You have objected and we are verifying overriding interests

7.5. Right to Data Portability

You have the right to receive your personal data, which you provided to us under contract or consent, in a structured, commonly used, and machine-readable format. Where technically feasible, you may also request that we transmit such data directly to another controller.

7.6. Right to Object

You may object to the processing of your personal data where it is based on our legitimate interests or where it is being used for direct marketing purposes. We will cease processing unless we can demonstrate compelling legitimate grounds.

7.7. Rights Related to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or significantly affects you, unless:

• It is necessary for a contract

• You have given explicit consent

• It is authorised by law

We do not currently engage in such processing without human intervention.

7.8. Right to Lodge a Complaint (ICO)

If you believe that your rights have been violated or that your personal data has been processed unlawfully, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO):

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Website: https://ico.org.uk
Helpline: +44 (0)303 123 1113

Before contacting the ICO, we encourage you to contact our Data Protection Officer (DPO) to allow us an opportunity to resolve your concerns informally and promptly.

8. Security Measures

We are committed to safeguarding your personal data through a combination of technical, organisational, and procedural safeguards. These measures are designed to prevent unauthorised access, misuse, alteration, and loss of personal data in accordance with Article 32 of the UK GDPR.

8.1. Technical and Organisational Safeguards

Orbas Learn implements a layered security approach that includes, but is not limited to:

• Encryption: Data is encrypted both in transit (using TLS) and at rest (using industry-standard AES protocols) to prevent interception or access by unauthorised parties

• Access Controls: Role-based access policies, password strength requirements, multi-factor authentication (MFA), and administrative audit logs restrict access to personal data

• Monitoring and Intrusion Detection: Continuous system monitoring, firewalls, and automated alerts for suspicious activities or unauthorised attempts

• Data Minimisation and Pseudonymisation: Only data that is strictly necessary for service delivery is collected, and where feasible, it is pseudonymised to reduce risk

• Staff Training and Confidentiality: Employees and contractors undergo data protection training and are bound by confidentiality agreements and internal data handling policies

These controls are regularly reviewed and updated to respond to emerging threats and regulatory changes.

8.2. Account Protection Responsibilities

While we implement robust security controls, users also play a critical role in maintaining the security of their personal data. You are responsible for:

• Keeping your login credentials confidential and secure

• Not sharing your account with others

• Using strong, unique passwords for your Orbas Learn account

• Reporting any suspected unauthorised access or account compromise to our support team immediately

We are not liable for losses arising from unauthorised use of your credentials due to your failure to maintain appropriate security.

8.3. Breach Notification Protocols

In the unlikely event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

• Notify the Information Commissioner’s Office (ICO) within 72 hours of becoming aware of the breach, where legally required

• Inform affected individuals without undue delay, where there is a high risk of harm

• Provide clear, actionable information on the nature of the breach, its potential consequences, and recommended steps for self-protection

• Conduct a full internal investigation, document findings, and implement remedial measures to prevent recurrence

All incidents are managed in accordance with our formal Data Breach Response Plan and are subject to review and audit.

9. Marketing and Communication Preferences

We respect your choices and control over how we communicate with you. This section explains how Orbas Learn handles marketing communications and cookie-based personalisation in compliance with the UK GDPR and Privacy and Electronic Communications Regulations (PECR).

9.1. Consent for Marketing

We will only send you marketing communications (including newsletters, promotional offers, and information about new courses or services) where we have your explicit consent or where you are an existing customer and such communications relate to similar services.

Consent is obtained through:

• Opt-in checkboxes during account registration or course enrolment

• Preference management within your user profile settings

• Clear notices where we collect your contact information offline (e.g., at events)

You can manage or withdraw your consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

9.2. Opt-Out and Unsubscribe Mechanisms

All marketing emails include an easy-to-use unsubscribe link allowing you to opt out of future marketing communications. You may also:

• Adjust your preferences via the communications section of your Orbas Learn account

• Email our support team or Data Protection Officer with a request to opt out

Please note that even if you opt out of marketing emails, you will still receive transactional or service-related communications (e.g., password resets, payment confirmations, critical platform updates).

9.3. Cookie-Based Personalisation

We may use cookies and similar technologies to tailor marketing content to your interests based on:

• Your course browsing or enrolment history

• Page views, clicks, or engagement patterns

• Campaign responses or ad interactions

Such personalisation relies on your cookie preferences, as captured via our Cookie Banner and Consent Management Platform. You can modify these preferences at any time by visiting our [Cookie Policy] or accessing the banner. We do not use third-party behavioural profiling tools without your prior consent.

10. Children’s Privacy

Protecting the privacy of minors is a priority for Orbas Learn. Our platform is designed primarily for adults, and we take additional precautions to comply with legal requirements concerning the processing of children’s personal data under the UK GDPR and the Data Protection Act 2018.

10.1. Minimum Age Requirement

To create an account or use the core services of Orbas Learn, individuals must be at least 16 years of age. By registering an account, you confirm that you meet this minimum age requirement.

We do not knowingly collect personal data from children under the age of 16 without appropriate consent mechanisms in place. If we become aware that a child under 16 has registered without valid consent, we will delete the account and associated data promptly.

10.2. Parental Consent for Users Under 16

In certain jurisdictions or under specific educational arrangements (e.g., school-led access), users aged 13–15 may access the Platform with the verifiable consent of a parent or legal guardian. In such cases:

• We may collect limited personal data necessary for access (e.g., name, email, school)

• Consent must be documented and retained

• Parents may access, update, or request the deletion of their child’s information at any time

We do not use children’s data for marketing, profiling, or third-party advertising purposes.

10.3. Data Handling for Minors

Where personal data of minors is processed (e.g., via instructor reports, assessments, or accessibility accommodations), we:

• Apply additional security and minimisation principles

• Restrict access to authorised personnel only

• Avoid retention of unnecessary or sensitive data

• Ensure such data is stored, transferred, and deleted in compliance with applicable safeguarding laws and best practices

Parents or legal guardians can contact our Data Protection Officer (DPO) to:

• Withdraw consent

• Review or update data held about their child

• Lodge a concern about data collection practices

11. Third-Party Links and Integrations

The Orbas Learn Platform may include links to external websites, embedded tools, or social media features that are not operated or controlled by Blackridge Group Ltd. This section outlines the limitations of our responsibility with respect to third-party services and the precautions users should take when interacting with them.

• 11.1. External Site Responsibilities

  
  

  Links to third-party websites are provided for informational or educational purposes only. When you click such a link, you are leaving our Platform and entering a domain governed by separate terms and privacy practices. We do not:

  
  

  • Endorse or accept responsibility for the content, security, or data handling practices of these external sites

• Guarantee the accuracy or availability of such websites;

• Control how your personal data is used once you leave our Platform.

We strongly recommend that you review the privacy policy and terms of any third-party website before submitting any personal data.

• 11.2. Embedded Services 

  
  

  Orbas Learn may embed video or content hosted by third-party platforms such as YouTube, Vimeo, or cloud document services. These integrations may:

  
  

  • Collect usage data, device data, or browser settings directly from you
  • 
    
  • Set third-party cookies or tracking pixels
  • 
    
  • Require authentication to access premium content.

  
  

  Where applicable, these services are subject to their own privacy policies and may process your data independently of Orbas Learn. We take reasonable steps to implement such integrations in compliance with the UK GDPR, including cookie consent requirements.

  
  

  11.3. Social Media Plugins

  
  Our Platform may include social media sharing buttons or login features (e.g., “Login with Facebook,” “Share on Twitter”). These features:

  
  

  • May collect your IP address, pages visited, and timestamp of interaction
  • 
    
  • May set third-party cookies for marketing or analytics purposes
  • 
    
  • Are governed by the respective platform’s privacy policy (e.g., Facebook, LinkedIn, Google)

  
  

  Use of such features is entirely voluntary. Users are encouraged to manage their privacy settings within each social media platform and to log out of those services when not actively using them to reduce tracking.

  
  

  12. Changes to This Privacy Policy

  
  

  We reserve the right to amend or update this Privacy Policy at any time to reflect changes in our practices, legal obligations, or the features of the Orbas Learn Platform. Users will be notified of significant updates and will have an opportunity to review the revised terms.

  
  

  12.1. Notice of Material Updates

  
  

  If we make material changes to this Privacy Policy—such as modifications to the types of data we collect, how we use it, or your rights—we will:

  
  

  • Provide notice via email (if you have provided one)
  • 
    
  • Post a prominent notification on the Orbas Learn Platform

  
  

  We encourage you to check the Privacy Policy periodically to remain informed about how we protect your personal data.

  
  

  12.2. User Rights in Response to Updates

  
  

  If you do not agree with the revised Privacy Policy, you have the right to:

  
  

  • Withdraw your consent (where applicable)
  • 
    
  • Terminate your account
  • 
    
  • Contact our Data Protection Officer with any objections or concerns

  
  

  Continuing to use the Platform following a policy update constitutes acceptance of the revised terms, unless otherwise stated.

  
  

  
  

  12. Contact Us

  
  

  If you have any questions about this Privacy Policy, your rights, or how we handle your personal data, please get in touch using the contact details below.

  
  

  12.1. Contacting the Data Protection Officer (DPO)

  
  Our Data Protection Officer (DPO) is responsible for overseeing compliance with this Privacy Policy and data protection legislation.You can contact the DPO via:

  
  

  Blackridge Group Ltd
  61 Bridge Street, Kington, Hertfordshire, United Kingdom, HR5 3DJ
  Email: privacy@orbas.io

  
  

  We endeavour to respond to all legitimate inquiries within one calendar month, in accordance with the UK GDPR.

  
  

  12.2. ICO Complaints and Support

  
  

  If you believe your rights under the UK GDPR have been infringed or that your data has been handled unlawfully, you have the right to lodge a complaint with the UK’s supervisory authority:

  
  

  Information Commissioner’s Office (ICO)
  Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
  Website: https://ico.org.uk
  Helpline: +44 (0)303 123 1113

  
  

  We encourage you to contact us in the first instance to resolve any issues informally and efficiently.