Privacy Policy

1. Who we are

This learning platform is operated by Dementia Educators Limited ("we", "us", "our").

We provide online training courses for individuals and organisations, including training for people working across health and social care.

If you have any questions about this Privacy Policy or how we use your personal data, you can contact us using the details above.

2. What personal data we collect

We collect only the personal data necessary to deliver and manage our training services.

Learner information

When you create an account or complete a course, we collect:

• Your name (used for certificates)
• Your email address (used for login and course-related communication)
• Your learning records, including:
  • Course enrolment
  • Lesson completion timestamps
  • Video viewing progress
  • Assessment attempts and results
  • Time spent on lessons
  • Certificates awarded (including date passed and expiry date)

Organisation information

Where training is purchased or assigned by an organisation, we also collect:

• The organisation name linked to your learner account, so you can see which organisation you are enrolled with and who may access your learning record

Authentication data

When you log in, we process:

• Email addresses for account identification
• One-time passcodes (OTPs) sent to your email
• Session tokens to keep you logged in
• Login timestamps for security purposes

We do not collect special category data such as health information, ethnicity, or religious beliefs.

3. How we use your personal data

We use personal data to:

• Create and manage learner accounts
• Authenticate users and maintain secure sessions
• Provide access to courses and learning materials
• Track learning progress and assessment outcomes
• Issue certificates of completion
• Enable certificate verification
• Communicate with learners about their training, account access, and course updates
• Maintain training, certification, and compliance records
• Administer organisational training accounts where applicable
• Process payments through our payment provider
• Prevent fraud and ensure platform security

We do not send marketing emails through this platform. All emails are transactional and related to your account, courses, or orders.

4. Lawful basis for processing

Under UK GDPR, we process personal data using the following lawful bases:

Contract

Most processing is necessary to perform our contract with learners, including delivering training, tracking completion, issuing certificates, and managing your account.

Legitimate interests

We also process data where it is in our legitimate interests, including:

• Maintaining accurate training records for audit and compliance
• Enabling organisations to view learner progress for workforce training and compliance
• Preventing certificate fraud through verification
• Ensuring platform security and preventing unauthorized access

These interests do not override the rights and freedoms of learners.

5. Learning records and organisational access

Where training is provided through an organisation:

• The organisation that enrolled you may have access to your learning records, including:
  • Course completion status
  • Lesson progress and timestamps
  • Assessment results and scores
  • Certificates awarded
  • Time spent on courses
• This access is provided solely for training, compliance, and quality assurance purposes
• Learners are made aware of the organisation they are enrolled with

6. Certificates and verification

When a course is successfully completed, a certificate is issued in the learner's name.

To support authenticity and prevent misuse, we provide a certificate verification service:

• Each certificate includes a unique certificate number
• Entering this number into the verification service displays limited information only:
  • Learner name
  • Course name
  • Date passed
  • Certificate expiry date (if applicable)
• This information is shown only when the correct certificate number is provided

The purpose of verification is to allow employers, regulators, and third parties to confirm that a certificate is genuine.

7. Who we share data with

We may share personal data with:

• The organisation that enrolled you, where applicable
• Trusted service providers who support our platform:
  • Microsoft Azure (UK South region) - hosting and infrastructure
  • Microsoft 365 - transactional email delivery
  • Stripe - payment processing (Stripe handles all card data, we do not store payment card details)

All service providers are required to handle personal data securely and in accordance with UK data protection law.

We do not sell personal data.

8. International data transfers

Your data is primarily stored and processed within the United Kingdom using Microsoft Azure's UK South region.

Some of our service providers (such as Stripe for payment processing) may process data outside the UK/EEA. Where this occurs, we ensure appropriate safeguards are in place in accordance with UK GDPR requirements.

9. How long we keep your data

We retain personal data only for as long as necessary:

• Active learner accounts are retained while in use
• Training records and progress data are retained for 3 years after your last activity
• Certificate records are retained for 3 years after your last activity
• After deletion of personal data, we may retain anonymous certificate verification records for fraud prevention purposes

When personal data is no longer required, it is securely deleted or anonymised.

10. Automated decision-making

We do not use automated decision-making or profiling in relation to your personal data.

11. Security

We take appropriate technical and organisational measures to protect your personal data, including:

• Hosting on secure Microsoft Azure infrastructure in the UK
• Encrypted data transmission (HTTPS/TLS)
• Secure authentication using one-time passcodes
• Access controls to limit who can view personal data
• Regular security monitoring and updates
• Payment data is processed by Stripe using industry-standard security - we do not store payment card details

12. Data breaches

In the event of a data breach that affects your personal data, we will notify you and the Information Commissioner's Office in accordance with UK GDPR requirements (within 72 hours of becoming aware of the breach).

13. Your data protection rights

Under UK GDPR, you have the right to:

• Access your personal data
• Rectify inaccurate or incomplete data
• Erasure of your data (subject to our legitimate interests in retaining anonymised certificate verification records)
• Restrict certain types of processing
• Object to processing based on legitimate interests
• Data portability - receive your data in a portable format
• Withdraw consent where processing is based on consent
• Complain to the Information Commissioner's Office (ICO)

To exercise any of these rights, please contact us at dan@demed.co.uk

14. Cookies

We use essential cookies to ensure the platform functions correctly, including:

• Authentication cookies to keep you logged in
• Session cookies to maintain your learning progress during your visit

These cookies are essential for the service to work and do not require consent under UK law.

We do not use analytics, advertising, or marketing cookies.

15. Changes to this policy

We may update this Privacy Policy from time to time. Any changes will be published on this page and take effect when posted. The "Last updated" date at the top of this page shows when it was last revised.

16. Contact and complaints

If you have questions or concerns about this Privacy Policy or how your data is handled, please contact:

You also have the right to complain to the UK Information Commissioner's Office at www.ico.org.uk