Information on this site is advertising in nature

GDPR Compliance

Our commitment to data protection under UK GDPR

Last updated: January 2026

Our Commitment

merry-ash is fully committed to complying with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We take data protection seriously and have implemented measures to ensure your personal information is handled lawfully, fairly, and transparently.

Data Controller

merry-ash acts as the data controller for personal information collected through our website and services. This means we determine the purposes and means of processing your personal data.

Contact:
merry-ash Learning Centre
47 Hartley Street
Birmingham B5 4TU
United Kingdom
Email: [email protected]

Lawful Basis for Processing

We process personal data only when we have a valid legal basis. Our processing activities rely on:

Contract Performance

Processing necessary to deliver the courses you have enrolled in, including:

  • Creating and managing your student account
  • Providing access to course materials
  • Scheduling live sessions
  • Issuing certificates
  • Processing payments

Consent

Where we rely on your consent, you have the right to withdraw it at any time. Consent-based processing includes:

  • Recording live sessions for review purposes
  • Sending marketing communications
  • Collecting testimonials and feedback for publication

Legitimate Interests

We may process data based on legitimate interests when these do not override your rights:

  • Improving and developing our services
  • Preventing fraud and ensuring security
  • Responding to enquiries and support requests

Legal Obligation

Processing required to comply with legal requirements, such as financial record-keeping and responding to lawful requests from authorities.

Your Rights Under UK GDPR

You have the following rights regarding your personal data:

Right of Access

You can request a copy of the personal data we hold about you. We will respond within one month, providing information free of charge in most cases.

Right to Rectification

If any information we hold is inaccurate or incomplete, you have the right to have it corrected.

Right to Erasure

In certain circumstances, you can request deletion of your personal data. This right is not absolute and may be limited by legal obligations or legitimate interests.

Right to Restrict Processing

You can request that we limit how we use your data while a complaint is being investigated or if you contest the accuracy of your data.

Right to Data Portability

You can request your data in a structured, commonly used format and have it transmitted to another organisation where technically feasible.

Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes at any time.

Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that significantly affect you, with certain exceptions.

Exercising Your Rights

To exercise any of these rights, contact us at [email protected]. We may need to verify your identity before processing your request. We will respond within one month, though this may be extended for complex requests.

Data Security Measures

We implement appropriate technical and organisational measures to protect personal data, including:

  • Encryption of data in transit and at rest
  • Access controls limiting data access to authorised personnel
  • Regular security assessments and penetration testing
  • Staff training on data protection responsibilities
  • Secure data backup and recovery procedures
  • Incident response plans for potential breaches

Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Information Commissioner's Office within 72 hours. If the breach is likely to result in high risk to you, we will also inform you directly without undue delay.

International Transfers

Some of our service providers operate outside the UK. When transferring data internationally, we ensure appropriate safeguards are in place, such as:

  • Standard Contractual Clauses approved by the UK ICO
  • Transfers to countries with adequacy decisions
  • Other lawful transfer mechanisms

Data Protection Impact Assessments

Where processing is likely to result in high risk to individuals, we conduct Data Protection Impact Assessments to identify and mitigate risks before proceeding.

Record Keeping

We maintain records of our processing activities as required by Article 30 of UK GDPR, including purposes, categories of data, recipients, retention periods, and security measures.

Complaints

If you are unhappy with how we handle your personal data, please contact us first so we can address your concerns. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office:

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Website: ico.org.uk

Updates

This page may be updated to reflect changes in our practices or legal requirements. Please review it periodically for any updates.

We use cookies to enhance your experience on our website. By continuing to browse, you agree to our use of cookies. Learn more