Privacy Policy
This page explains how we collect, use, disclose and protect personal data on our mobile-first booking funnel (Subject → Course → Policy → Contact → Slot → Confirm) and related admin/reporting tools.
Who we are (Controller)
Controller: NANEDIRI WEERATUNGA SENA JULIA MELANIE (sole trader, established in Italy)
Trading name: Bloomers Global Academy
P. IVA: 13784790969
Address: V DON GIOVANNI BOSCO 2 SC C INT 12, CINISELLO BALSAMO, 20092, ITALY
Email: privacy@bloomersglobalacademy.com
Data Protection Officer: NANEDIRI WEERATUNGA SENA JULIA MELANIE — dpo@bloomersglobalacademy.com
EU/EEA & UK coverage: We offer services to individuals in the EU/EEA.
Lead supervisory authority (EU): Italy — Garante per la protezione dei dati personali.
Data we collect
- Identity & contact: phone (E.164), name (optional), language (EN/SI).
- Lead & booking context: selected subject/course, slot selections, submission timestamps, consent metadata (policy URL/version/time, IP hash).
- Technical: device/user-agent, strictly necessary cookies (see below).
- Analytics/ads (only with consent): page views and events via tools like Meta Pixel.
Why we use your data (legal bases)
- Service delivery: manage leads and bookings; send confirmations/operational messages. Legal basis: contract/pre-contractual steps (GDPR/UK GDPR Art. 6(1)(b)).
- Security & fraud prevention: rate-limiting, bot controls, audit logs. Legal basis: legitimate interests; and where applicable, legal obligation.
- Analytics (non-essential): understand traffic and improve UX. Legal basis: your consent (opt-in).
- Advertising/retargeting (Meta Pixel): measure campaigns and show relevant ads. Legal basis: your consent (opt-in).
- Communications with students: course updates and information after enrollment. Legal basis: contract/legitimate interests.
- Marketing to non-students: only if you explicitly opt in (e.g., checkbox or in-chat “YES”). Legal basis: consent.
International transfers
When data is transferred outside the EU/UK (for example to the United States by Meta or Cloudflare), we rely on recognised safeguards: the EU-US Data Privacy Framework (and UK-US Data Bridge) where applicable, and/or the Standard Contractual Clauses (EU) and UK IDTA/Addendum with transfer impact assessments.
Retention
- Leads who do not enroll: deleted automatically after 90 days.
- Students: retained for the duration of the course and as required by legal, tax or accounting rules.
- Consent logs: retained for 24 months to demonstrate compliance.
- Audit logs/backups: rotated and deleted on a set schedule.
Children
Our services are intended for adults (parents/guardians) booking on behalf of children. We do not knowingly collect personal data directly from children under 16 through this site. If you believe a child has provided personal data to us, please contact us and we will take appropriate steps.
Your rights
You may request access, rectification, erasure, restriction and portability, and you may object to processing. You can withdraw consent at any time (this does not affect processing before withdrawal).
How we protect your data
- HTTPS end-to-end; strict security headers
- CSRF protection, honeypot, and rate-limits
- Admin 2FA (TOTP), audit logs, least-PII emails
- Passwords hashed with Argon2id; regular rehash policy
Changes
We may update this policy to reflect legal or technical developments. Updates will be dated at the top; material changes will be notified on-site.
Contact
Privacy contact: privacy@bloomersglobalacademy.com
DPO: dpo@bloomersglobalacademy.com
Postal: V DON GIOVANNI BOSCO 2 SC C INT 12, CINISELLO BALSAMO, 20092, ITALY