Privacy Policy
Last updated: 1 July 2026
This policy explains how CoursePay Ltd ("we", "us") handles personal data when you use our website, marketing pages and application. It is written to meet the UK GDPR and the Data Protection Act 2018.
Who is the controller?
For visitors to our marketing site, prospects, and account owners, CoursePay is the data controller. For personal data about your students, staff and customers that you upload to the platform, you are the controller and we are the processor. See our Data Processing Agreement for that relationship.
What we collect
- Account data: name, email, phone, company name, password hash.
- Billing data: last-four of card, billing address, invoice history. Card numbers are held by Stripe, not by us.
- Usage data: pages visited, features used, IP address, browser, timestamps, audit trail entries.
- Support data: messages you send us, screenshots you attach.
- Marketing data: name, email and company from the "Book a demo" form.
Why we use it (lawful basis)
- Contract: to provide and bill for the service.
- Legitimate interest: to secure the platform, prevent fraud, improve the product, and contact you about your account.
- Consent: for optional marketing emails and non-essential cookies.
- Legal obligation: to keep records for tax, accounting and anti-fraud purposes.
Who we share it with
We use a small set of vetted processors listed on our Subprocessors page (hosting, database, email delivery, payment processing, error monitoring). We do not sell personal data.
International transfers
Some subprocessors are located outside the UK/EEA. Where that is the case, transfers rely on the UK International Data Transfer Addendum or the EU Standard Contractual Clauses.
Retention
- Account and billing records: for the life of the account plus 7 years for tax.
- Audit log: 24 months rolling.
- Support tickets: 24 months after resolution.
- Marketing enquiries with no follow-up: 24 months.
- Backups: rolling 30 days of daily snapshots.
Your rights
You have the right to access, correct, delete, restrict, port and object to processing of your personal data, and to withdraw consent at any time. Email privacy@coursepay.co and we will respond within one month. If you believe we have mishandled your data you can complain to the UK Information Commissioner's Office at ico.org.uk.
Security
Data is encrypted in transit (TLS 1.2+) and at rest. Access to production is restricted, logged, and requires strong authentication. See our status page for current operational health and subprocessors for third-party dependencies.
Cookies
See our Cookie Notice.
Contact
CoursePay Ltd — privacy@coursepay.co.
