Bernardine Ltd is committed to protecting your personal data and handling it transparently, lawfully, and securely under the UK GDPR and the Data Protection Act 2018.
1. Who We Are
Bernardine Ltd is the data controller responsible for your personal data. We are based in Cheltenham, Gloucestershire, United Kingdom. For any data protection query, including to exercise your rights, contact jmalhotra@bernardine.co.uk.
2. The Data We Collect
- Identity & contact data — name, date of birth, address, email, phone number.
- Participant data — enrolment details, attendance, progress, assessments, and tracking records.
- Guardian data — for participants under 18, the name and contact details of a parent/guardian and consent records.
- Special category data — only where necessary (e.g. health, accessibility, or safeguarding information), and always with an appropriate lawful basis and additional safeguards.
- Technical data — IP address, browser type, and usage data collected via our website.
3. How We Use Your Data and Our Lawful Bases
| Purpose | Lawful basis |
|---|---|
| Delivering and administering the Programme | Contract |
| Tracking progress and issuing certificates | Contract / Legitimate interests |
| Safeguarding participants | Legal obligation / Vital interests |
| Reporting outcomes to a funding council (pilot) | Legitimate interests / Public task |
| Marketing communications | Consent |
| Processing health/accessibility needs | Explicit consent / Substantial public interest |
4. Children's Data
Where a participant is under 18, we collect parental or guardian consent before processing their data for any purpose beyond what is strictly necessary for safeguarding or the performance of the Programme. We apply the strictest standard of care to all children's data and minimise what we collect. See our Safeguarding Policy and Consent Form.
5. Sharing Your Data
We do not sell your data. We may share it with: trainers and coaches engaged to deliver the Programme; a referring or funding council where a pilot is in place; safeguarding, social care, or law-enforcement authorities where we are legally required or where there is a risk to a person; and trusted processors (e.g. secure hosting and email providers) under written data-processing agreements.
6. International Transfers
Where data is transferred outside the UK, we ensure appropriate safeguards are in place, such as UK adequacy regulations or the International Data Transfer Agreement.
7. How Long We Keep Data
We retain personal data only as long as necessary for the purposes set out above. Specific periods are detailed in our Data Retention Policy.
8. Your Rights
Under the UK GDPR you have the right to access, rectify, erase, restrict, and object to the processing of your data, the right to data portability, and the right to withdraw consent at any time. To exercise any right, contact us at jmalhotra@bernardine.co.uk. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
9. Security
We use appropriate technical and organisational measures — including access controls, encryption in transit, and staff confidentiality obligations — to protect your data against unauthorised access, loss, or disclosure.
10. Cookies
Our website uses only essential cookies required for it to function, plus optional analytics cookies where you consent. You can manage cookies through your browser settings.
11. Changes
We may update this Policy. The version on this page is current. We will notify participants of material changes.