Privacy Policy

Version: 2025-09-18 • Effective date: 2025-09-18

This page explains how we collect, use, disclose and protect personal data on our mobile-first booking funnel (Subject → Course → Policy → Contact → Slot → Confirm) and related admin/reporting tools.

Who we are (Controller)

Controller: Julia Senanayake (sole trader, established in Italy)

Address: Via don Giovanni bosco, Cinisello Balsamo

Email: privacy@bloomersglobalacademy.com

Data Protection Officer: Julia Senanayake — dpo@bloomersglobalacademy.com

EU/EEA & UK coverage:We offer services to individuals in the EU/EEA.

Lead supervisory authority (EU): Italy — Garante per la protezione dei dati personali.

Data we collect

  • Identity & contact: phone (E.164), name (optional), language (EN/SI).
  • Lead & booking context: selected subject/course, slot selections, submission timestamps, consent metadata (policy URL/version/time, IP hash).
  • Technical: device/user-agent, strictly necessary cookies (see below).
  • Analytics/ads (only with consent): page views and events via tools like Meta Pixel.

Why we use your data (legal bases)

  • Service delivery: manage leads and bookings; send confirmations/operational messages. Legal basis: contract/pre-contractual steps (GDPR/UK GDPR Art. 6(1)(b)).
  • Security & fraud prevention: rate-limiting, bot controls, audit logs. Legal basis: legitimate interests; and where applicable, legal obligation.
  • Analytics (non-essential): understand traffic and improve UX. Legal basis: your consent (opt-in).
  • Advertising/retargeting (Meta Pixel): measure campaigns and show relevant ads. Legal basis: your consent (opt-in).
  • Communications with students: course updates and information after enrollment. Legal basis: contract/legitimate interests.
  • Marketing to non-students: only if you explicitly opt-in (e.g., checkbox or in-chat “YES”). Legal basis: consent.

Cookies & Pixels

We set strictly necessary cookies to operate the booking funnel, remember your progress, and keep the service secure (e.g., session and CSRF). These are essential and do not require consent.

With your consent, we use optional cookies for analytics and ads measurement (e.g., Meta Pixel). These are blocked until you choose “Accept” in the cookie banner. You can change your choices any time via Cookie Settings.

Sharing your data (processors & recipients)

  • Hosting & edge security: Krystal.io (EU hosting), Cloudflare (global CDN/WAF).
  • Email delivery: SMTP provider for confirmations/alerts.
  • Analytics/advertising: Meta Platforms (only if you consent).

We require processors to follow our instructions, implement security, and not use your data for their own purposes.

International transfers

When data is transferred outside the EU/UK (for example to the United States by Meta or Cloudflare), we rely on recognised safeguards: the EU-US Data Privacy Framework (and UK-US Data Bridge) where applicable, and/or the Standard Contractual Clauses (EU) and UK IDTA/Addendum with transfer impact assessments.

Retention

  • Leads who do not enroll: deleted automatically after 90 days.
  • Students: retained for the duration of the course and as required by legal, tax or accounting rules.
  • Consent logs: retained for 24 months to demonstrate compliance.
  • Audit logs/backups: rotated and deleted on a set schedule.

Children

Our services are intended for adults (parents/guardians) booking on behalf of children. We do not knowingly collect personal data directly from children under 16 through this site. If you believe a child has provided personal data to us, please contact us and we will take appropriate steps.

Your rights

You may request access, rectification, erasure, restriction, portability, and object to processing. You can withdraw consent at any time (this does not affect processing before withdrawal).

How we protect your data

  • HTTPS end-to-end; strict security headers
  • CSRF protection, honeypot, and rate-limits
  • Admin 2FA (TOTP), audit logs, least-PII emails
  • Passwords hashed with Argon2id; regular rehash policy

Changes

We may update this policy to reflect legal or technical developments. Updates will be dated at the top; material changes will be notified on-site.

Contact

Privacy contact: privacy@bloomersglobalacademy.com

DPO: dpo@bloomersglobalacademy.com

Postal: Via don Giovanni bosco, Cinisello Balsamo