Privacy Policy

Last updated: 13 May 2026

1. Who We Are

Powdrr PMU Training Academy ("Powdrr", "we", "us", "our") is a UK-based permanent makeup training provider. We are the data controller responsible for your personal data. Our registered address is available upon request. For any data protection enquiries, contact us at [email protected].

2. Information We Collect

We collect personal data when you interact with our website, complete our training quiz, submit an application, enrol on a course, or contact us. This includes:

2.1 Information You Provide

  • Full name, email address, phone number, and postal address
  • Quiz responses (location, career situation, training interests, experience level, priorities)
  • Application data (motivation, timeline, budget, commitment level)
  • Marketing experience and previous training history
  • Website and brand preferences (if applicable)
  • Payment and billing information (processed securely by Stripe)
  • Training records, assessment results, and portfolio submissions

2.2 Information Collected Automatically

  • Device and browser information (type, version, operating system)
  • IP address and approximate geographic location
  • Pages visited, time spent, and navigation patterns
  • Referral source and campaign attribution data (UTM parameters, click IDs)
  • Cookies and similar tracking technologies (see Section 8)

3. How We Use Your Information

We process your personal data for the following purposes:

  • Service delivery: To process your application, manage your enrolment, deliver training, and issue qualifications
  • Communication: To respond to enquiries, send course updates, and provide support
  • Marketing: To send relevant training information, educational content, and promotional offers (only with your explicit consent)
  • Personalisation: To recommend suitable training packages based on your quiz responses and goals
  • Analytics: To understand how our website is used and improve our services
  • Legal compliance: To meet our regulatory obligations, including Ofqual and VTCT requirements
  • Advertising: To measure the effectiveness of our advertising campaigns and optimise future campaigns

4. Legal Basis for Processing

Under the UK GDPR, we rely on the following legal bases:

  • Consent: For marketing communications and non-essential cookies. You can withdraw consent at any time.
  • Contract: To process your enrolment and deliver training services you have purchased.
  • Legitimate interests: To improve our services, prevent fraud, and ensure network security.
  • Legal obligation: To comply with regulatory requirements (e.g., Ofqual record-keeping).

5. Data Sharing

We share your personal data only with the following categories of recipients:

  • Payment processors: Stripe processes all payments. We never store your full card details.
  • Awarding bodies: VTCT/iTEC for qualification registration and certification.
  • CRM systems: GoHighLevel for managing communications and the sales pipeline.
  • Analytics providers: Google Analytics and Meta (Facebook) for website analytics and advertising measurement.
  • Email service providers: For sending transactional and marketing communications.
  • Insurance providers: Where required for professional indemnity verification.

We do not sell your personal data to third parties. We do not share your data with any party not listed above without your explicit consent, except where required by law.

6. Data Retention

  • Quiz and application data: Retained for 3 years from collection, or until you request deletion.
  • Enrolled student records: Retained for 7 years after course completion (regulatory requirement for Ofqual-regulated qualifications).
  • Marketing consent records: Retained for as long as consent is active, plus 1 year after withdrawal for audit purposes.
  • Payment records: Retained for 6 years (HMRC requirement).
  • Website analytics data: Retained for 26 months (Google Analytics default).

7. Your Rights

Under the UK GDPR, you have the following rights:

  • Right of access: Request a copy of the personal data we hold about you.
  • Right to rectification: Request correction of inaccurate or incomplete data.
  • Right to erasure: Request deletion of your data where there is no compelling reason for continued processing.
  • Right to restrict processing: Request that we limit how we use your data.
  • Right to data portability: Request your data in a structured, machine-readable format.
  • Right to object: Object to processing based on legitimate interests or for direct marketing.
  • Right to withdraw consent: Withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, email [email protected]. We will respond within 30 days.

8. Cookies and Tracking

Our website uses cookies and similar technologies:

  • Essential cookies: Required for the website to function (session management, security). Cannot be disabled.
  • Analytics cookies: Google Analytics to understand website usage patterns. Set only with your consent.
  • Advertising cookies: Meta (Facebook) Pixel and Google Tag Manager for campaign measurement and retargeting. Set only with your consent.
  • UTM and click tracking: We capture URL parameters (utm_source, utm_medium, utm_campaign, utm_content, utm_term, gclid, fbclid) to understand which advertising channels are most effective.

9. Data Security

We implement appropriate technical and organisational measures to protect your personal data, including encrypted data transmission (TLS/SSL), secure authentication, access controls, and regular security reviews. However, no method of transmission over the internet is 100% secure.

10. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay.

11. International Transfers

Some of our service providers (e.g., Stripe, Google) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions, in compliance with UK data protection law.

12. Children's Privacy

Our services are not directed at individuals under the age of 18. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a minor, please contact us immediately.

13. Limitation of Liability

While we take all reasonable steps to protect your personal data, Powdrr shall not be held liable for any unauthorised access, loss, or disclosure of personal data that occurs despite our implementation of appropriate security measures, except where such loss is caused by our negligence or wilful misconduct. Our total liability in connection with any data protection claim shall not exceed the fees paid by you to Powdrr in the 12 months preceding the claim.

14. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our website. The "Last updated" date at the top of this page indicates when the policy was last revised.

15. Complaints

If you are unhappy with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

16. Contact Us

For any questions about this Privacy Policy or your personal data, contact us at: