Privacy Policy

Introduction

Practice Pal respects your privacy and will protect your personal information as carefully as a violinist would guard their Stradivarius. This privacy policy explains how we look after your personal information when you visit our website and use our services, and tells you about your privacy rights and how the law protects you (particularly in relation to the General Data Protection Regulation 2016 (GDPR) and the UK Data Protection Act 2018 (DPA 2018)).

Please read this privacy policy together with any other privacy notices we may provide on specific occasions where we collect or process your personal information in connection with our services. We keep our privacy policy under regular review to make sure it is up to date and accurate.

This privacy policy is provided in an expandable format so you can click through to the specific areas set out below.

We are Practice Pal Limited. Our registered office is at:

18 Benett Gardens,
London
SW16 4QE.

Our company number is 11154632

We are registered with the Information Commissioner's Office and our ICO number is ZA758944.

We are the “data controller” - the company that’s responsible for protecting your privacy - for all Practice Pal services, unless we specifically tell you that somebody else is the data controller.

If you have any questions about this policy or the ways in which we may process your personal information, please send us an email at: [email protected]

If you have any concerns with the way we process your personal information, please raise these concerns with us by email or by sending us a letter at our address above. The ICO website gives some useful information about when and how you might want to do this.

You can also make a complaint at any time to the ICO, through the 'Make a complaint' page on their website. We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

Personal information is information that can be used to identify you or tell us about you. We will only collect what we consider necessary to be able to provide the Practice Pal services.

When you sign up for a Practice Pal service as a parent, you will also need to provide personal information about your child or children who are using the service. Please ensure that you have the right to provide this information about the relevant child(ren).  

The personal information we collect, use, store and transfer may include the following:

  • Identity Information, including:
    • name, age/date of birth and gender for you and your child; and
    • what instrument(s) your child plays, what standard they are at, and what school they attend.
  • Contact Information, including your contact details, including [address], email address and telephone numbers (including mobile numbers).
  • Service Information, including what Practice Pal services you have ordered (including the dates and times of all mentoring sessions which are ordered and provided), and data generated during the provision of the Practice Pal services (such as communications between the student and mentor, and the reports written by the mentor).
  • Usage Information, including your online browsing activities on the Practice Pal website.
  • Marketing Information, including your communication and marketing preferences.
  • Profile Information, including:
    • your password;
    • your interests, preferences, feedback and survey responses; and
    • your correspondence and communications with Practice Pal.
  • Technical Information, including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website and the app.

We do not collect payment details. If you enter payment details into Practice Pal, these are sent directly to our payments provider Stripe, who store them securely, and you acknowledge and accept Stripe’s terms and policies at the point of purchase, as detailed on our payment checkout page. Stripe has its own privacy policy which governs how your information is handled.

This list is not exhaustive and, in specific instances, we may need to collect additional data for the purposes set out in this policy.

We do not collect any special categories of personal information about you or your child(ren) (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). We also do not collect any information about criminal convictions and offences (other than where this is specifically required by law).

Where we need to collect personal information by law, or under the terms of a contract we have with you, and you fail to provide that information when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide the Practice Pal services). In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.

Some of the personal information is collected directly, for example when you set up an account on our website, submit an enquiry, or send a message to our customer services team. Other personal information is collected indirectly, for example your browsing activity. We may also collect personal information from third parties who have your consent to pass your details to us, or from publicly available sources.

When someone visits our website we use one or more third party services, including Google Analytics, to collect standard internet log information and details of visitor behaviour patterns. We do this to find out things like the number of visitors to different pages on our site, and their usage patterns within those pages. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Google or other organisations to make, any attempt to find out the identities of those visiting our website.

We will only use your personal information when the law allows us to. Most commonly, we will use your personal information in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you - for example, for Practice Pal services.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal obligation - for example, in order for us to comply with safeguarding best practice.

We do not usually rely on consent as a legal basis for processing your personal information, although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

In the following table we have set out how we use your personal information, and what the lawful basis we are relying on to do so. In some cases we are relying on more than one lawful basis. Where we are relying on our legitimate interests, we have given some information about what those are.

What are we doing with your data?

What information are we processing?

What is our lawful basis for doing this?

Registering you as a new customer/creating a Practice Pal account

(a) Identity

(b) Contact

Performance of a contract with you

Processing an order for services, including:

(a) Manage payments, fees and charges

(b) Collect and recover money owed to us

(a) Identity

(b) Contact

(c) Service

(d) Marketing and Communications

(a) Performance of a contract with you

(b) Necessary for our legitimate interests (to recover debts due to us)

Managing our relationship with you which will include:

(a) Notifying you about changes to our terms or privacy policy

(b) Asking you to leave a review or take a survey

(a) Identity

(b) Contact

(c) Profile

(d) Marketing and Communications

(a) Performance of a contract with you

(b) Necessary to comply with a legal obligation

(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

Enabling you to partake in a prize draw, competition or complete a survey

(a) Identity

(b) Contact

(c) Profile

(d) Usage

(e) Marketing and Communications

(a) Performance of a contract with you

(b) Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

Administering and protecting our business and our website and app (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)  

(a) Identity

(b) Contact

(c) Technical

(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation exercise)

(b) Necessary to comply with a legal obligation

Delivering relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you

(a) Identity

(b) Contact

(c) Profile

(d) Usage

(e) Marketing and Communications

(f) Technical

Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

Using data analytics to improve our website and app, products/services, marketing, customer relationships and experiences. This may include anonymising this information.

(a) Technical

(b) Usage

(c) Service

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)

Making suggestions and recommendations to you about goods or services that may be of interest to you

(a) Identity

(b) Contact

(c) Technical

(d) Usage

(e) Profile

(f) Marketing and Communications

(g) Service

Necessary for our legitimate interests (to develop our products/services and grow our business)

Complying with safeguarding best practice by storing information for the period required (see also section [8.] below).

(a) Identity

(b) Contact

(c) Service

(a) Necessary for our legitimate interests (to enable us to have the information we need if there is a safeguarding incident)

(b) Necessary to comply with a legal obligation

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

We may use your Identity, Contact, Technical, Usage and Profile Information to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving that marketing.

We will get your express opt-in consent before we share your personal with any third party for marketing purposes.

You can ask us or third parties to stop sending you marketing messages at any time [by contacting us at any time].

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a service purchase, service experience or other transactions.

Generally we will not share your personal information other than with our employees, agents and contractors for the purposes set out in sections [4.] and [5.].

We will not share your information with any third parties for the purposes of direct marketing.

In some cases we use data processors who are third parties who provide elements of services for us.

We may also share your personal information with third parties if we choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

We require all third parties to respect the security of your personal information and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only permit them to process your personal information for specified purposes and in accordance with our instructions.

We do not transfer your personal data outside the European Economic Area.

We will only retain your personal information for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal information for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

In order to comply with safeguarding best practice and legal requirements, we will retain certain personal information about the services which are provided to students by Practice Pal or through the Practice Pal platform (such as the identity of the students and the time and date of the relevant session) for a much longer period of time, which we will review from time to time to ensure we are compliant with safeguarding best practice and to ensure that the information we retain is justified for that reason.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances you can ask us to delete your data - see section [10.] below for further information.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.

Examples of how we implement technical security safeguards include but are not limited to:

  • Encryption of all passwords using an industry standard hashing and salting algorithm
  • Always using secure HTTP with SSL (HTTPS) to serve pages on our website
  • Mitigating the effects of possible DDoS or other attacks using a third party CDN (Content Distribution Network)

We have put in place procedures to deal with any suspected personal information breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

We want to make sure you know what rights you have under data protection laws in relation to your personal information, and how you can exercise them.

The ICO has provided useful guidance on how and when you can exercise these rights, so we have provided links to this information to help you.

Your rights

You have a right to:

  • Ask us for copies of the personal information we hold on you, known as a data subject access request. This right always applies. There are some exemptions, which means you may not always receive all the information we process. More information on this right can be found here .
  • Ask us to rectify information which you think is inaccurate, and to ask us to complete information you think is incomplete. This right always applies. More information on this right can be found here .
  • Ask us to erase your personal information in certain circumstances. More information on this right can be found here .
  • Ask us to restrict the processing of your personal  information in certain circumstances. More information on this right can be found here .
  • Object to us processing   your personal information, where we are doing so for direct marketing or under the lawful basis of the processing being in our legitimate interests. Where you object to direct marketing we must stop using your personal information for direct marketing purposes. However, please note that we may be able to continue with such processing under the lawful basis of legitimate interests despite your objection. More information on this right can be found here .
  • For personal information which you have provided to us and is held electronically, ask for us to provide you with a copy of personal information in a portable (machine-readable) format or ask us to send the same to someone else. More information on this right can be found here .
  • Where we are processing your personal information on the basis of consent, withdraw your consent. Where we are relying on consent to process your personal information, If you withdraw your consent, we may not be able to provide certain services to you. We will advise you if this is the case at the time you withdraw your consent. Please note that the lawful basis of our processing is not usually consent (see section [4.] above).

If you wish to exercise any of the rights set out above, please contact us by sending an email to: [email protected] or by sending us a letter to our address set out above.

The ICO website (using the links above) gives you templates which you can use to make it easier to exercise your rights.

Not usually a fee

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Cookies are small pieces of data stored in your browser when you visit our website. We may use cookies to facilitate the data collection described in this policy, and we may allow other business partners to use cookies and other tracking technology on our website.

For example, Google Analytics may store a cookie in your browser when you visit our website, which will allow us to gather anonymised statistics about which of our pages are visited most frequently.

There are two types of cookies used on the website, namely “persistent cookies” and “session cookies”. Session cookies will normally expire when you close your browser, while persistent cookies will remain on your device after you close your browser, and can be used again the next time you access the website.

We may, either directly or through third party companies and individuals we engage to provide services to us, also continue to track your behaviour on our own website and/or mobile apps for purposes of our own customer support, analytics, research, product development, fraud prevention, risk assessment, regulatory compliance, investigation, as well as to enable you to use and access the platform and pay for your activities on it.

We may also, either directly or through third party companies and individuals we engage to provide services to us, track your behaviour on our own platform to market and advertise our services to you on the platform and third party websites.

Most browsers automatically accept cookies, but you can modify your browser setting to decline cookies by visiting the Help portion of your browser’s toolbar. If you choose to decline cookies, please note that you may not be able to sign in, customise, or use some of the interactive features of the website.

As part of the Practice Pal website or app, we may create links allowing you to access third-party sites.  We are not responsible for the content that appears on these sites, and we do not endorse these sites.  We encourage you to read those sites’ respective privacy policies to understand how they use personal information.