Pagoda Enterprises Ltd ("Pagoda", "we", "us", "our") is committed to protecting your personal data and respecting your privacy. This notice explains what personal data we collect, why we collect it, the lawful basis we rely on, and your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This notice applies to all personal data collected through our website pagoda.academy (the "Website"), our services, and any related communications, sales, marketing or events.
Please read this notice carefully before using our Website or services.
1. Who we are and how to contact us
The data controller responsible for your personal data is:
- Pagoda Enterprises Ltd
- Registered in England and Wales — Company Number: 13113228
- Registered address: 12 International House, Constance Street, London, E16 2DQ
- Contact: jarrod@pagoda.academy
We are not required to appoint a Data Protection Officer (DPO), but you may direct any data protection queries to the contact above. We will respond within one calendar month.
2. What personal data we collect
In Short: We collect data you give us directly and limited technical data collected automatically when you visit our Website.
Data you provide to us
When you contact us, submit an enquiry form, or engage our services, we may collect:
- Full name
- Email address
- Phone number
- University and course details
- Career interests and goals
- Any other information you voluntarily include in correspondence with us
All personal data you provide must be accurate, complete and up to date. Please notify us of any changes.
Data collected automatically
When you visit our Website, we may automatically collect limited technical data that does not directly identify you, including:
- Log and usage data — IP address, browser type and version, pages viewed, time and date of visit, referring URL, and error reports.
- Device data — device type, operating system, and browser settings.
This data is used solely to maintain the security and performance of our Website and for aggregate, anonymised analytics. We do not use it to build individual profiles.
3. Lawful basis for processing
Under the UK GDPR, we must have a lawful basis before processing your personal data. We rely on the following bases:
- Performance of a contract (Article 6(1)(b)): Where you have engaged us to provide mentoring or career consulting services, processing your data is necessary to deliver those services and manage the client relationship.
- Legitimate interests (Article 6(1)(f)): We process limited technical and enquiry data to operate and improve our Website, respond to enquiries, and communicate relevant information about our services. We have carried out a legitimate interests assessment and are satisfied that our interests do not override your rights and freedoms. You may object to processing on this basis at any time (see Section 9).
- Compliance with a legal obligation (Article 6(1)(c)): Where we are required by law to retain or disclose certain records (for example, for tax or accounting purposes).
- Consent (Article 6(1)(a)): Where we rely on consent — for example, for any optional marketing communications — we will ask for your explicit agreement beforehand. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.
4. How we use your personal data
We use the personal data we hold for the following purposes:
- To deliver our services — providing career consulting, mentoring sessions, and application support to clients. (Basis: contract performance)
- To respond to enquiries — replying to messages submitted via our contact form or by email. (Basis: legitimate interests)
- To manage our client relationship — sending session reminders, follow-up communications, and service-related updates. (Basis: contract performance / legitimate interests)
- To maintain and improve our Website — analysing technical data to ensure reliability, security and performance. (Basis: legitimate interests)
- To comply with legal obligations — retaining records as required by UK law. (Basis: legal obligation)
We will not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects.
5. Who we share your data with
In Short: We only share your data where necessary to deliver our services or where required by law. We do not sell your data.
We may share your personal data with the following categories of recipients:
- Service providers and data processors — third-party vendors who provide services on our behalf (such as website hosting, email delivery, and scheduling tools). These parties act only on our documented instructions and are bound by data processing agreements that comply with UK GDPR requirements.
- Professional advisers — accountants, lawyers, and auditors where required in connection with our legal and regulatory obligations.
- Regulatory and law enforcement authorities — where we are legally required to do so, for example in response to a court order, subpoena, or request from a UK public authority.
- Business successors — in the event of a merger, acquisition, or sale of all or part of our business, your data may be transferred to the successor entity. You will be notified of any such transfer in advance where reasonably practicable.
We do not share, sell, rent or trade your personal data with any third party for their own marketing or commercial purposes.
Where any data processor is based outside the United Kingdom, we will ensure that appropriate safeguards are in place (such as UK International Data Transfer Agreements or adequacy decisions) before making any such transfer.
6. Cookies and tracking technologies
In Short: We use cookies and similar technologies to operate the Website. You can control cookies through your browser settings.
Our Website may use cookies and similar technologies (such as web beacons and pixels) to support essential functions and improve your browsing experience. Cookies that are strictly necessary for the Website to function do not require your consent. Any non-essential cookies (for example, analytics or preference cookies) will only be set with your prior consent.
You may manage or disable cookies at any time through your browser settings. Disabling certain cookies may affect the functionality of our Website. For more information on managing cookies, visit www.allaboutcookies.org.
7. How long we keep your data
In Short: We retain your data only for as long as is necessary for the purposes for which it was collected, or as required by law.
Our general retention periods are:
- Client records (including name, contact details, and service history) — retained for up to 6 years from the end of the client relationship, in line with the UK Limitation Act 1980 (the standard limitation period for contract claims).
- Enquiry and contact form submissions — retained for up to 2 years from the date of submission, unless they lead to a client engagement.
- Financial and accounting records — retained for 6 years as required by HMRC and UK tax legislation.
- Website technical/log data — retained for a maximum of 12 months, after which it is deleted or anonymised.
Where we no longer have a legitimate purpose to retain your data, we will securely delete or anonymise it. Where deletion is temporarily not possible (for example, data held in backup archives), we will isolate it from further processing until deletion can take place.
8. How we keep your data secure
In Short: We use appropriate technical and organisational measures to protect your personal data against accidental loss, unauthorised access, disclosure, alteration or destruction.
We have implemented appropriate technical and organisational security measures, including encrypted transmission (HTTPS/TLS), access controls limited to authorised personnel, and regular reviews of our data handling practices. However, no method of electronic transmission or storage is completely secure. You are responsible for ensuring that any personal data you transmit to us is sent through a secure environment.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware and, where required, we will also notify you directly.
9. Your rights under UK GDPR
In Short: As a UK data subject you have a comprehensive set of rights over your personal data. You can exercise any of these rights by contacting us at jarrod@pagoda.academy.
Under the UK GDPR and the Data Protection Act 2018, you have the following rights:
- Right of access (Subject Access Request) — you may request a copy of the personal data we hold about you, along with information about how it is used. We will respond within one calendar month at no charge.
- Right to rectification — you may ask us to correct any inaccurate or incomplete personal data we hold about you.
- Right to erasure ("right to be forgotten") — you may ask us to delete your personal data where it is no longer necessary for the purpose it was collected, where you withdraw consent (and no other lawful basis applies), or where we have no legitimate grounds to retain it.
- Right to restrict processing — you may ask us to suspend processing of your personal data in certain circumstances, for example while the accuracy of the data is contested.
- Right to data portability — where processing is based on consent or contract and carried out by automated means, you may request that we provide your personal data in a structured, commonly used, machine-readable format.
- Right to object — you may object to processing based on our legitimate interests or for direct marketing at any time. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests.
- Rights related to automated decision-making — you have the right not to be subject to a decision based solely on automated processing (including profiling) that has a legal or similarly significant effect on you. We do not currently carry out such processing.
- Right to withdraw consent — where processing is based on your consent, you may withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, please contact us at jarrod@pagoda.academy. We will respond within one calendar month. In complex cases we may extend this by a further two months, in which case we will notify you. We will not charge a fee unless a request is manifestly unfounded or excessive.
10. Complaints
If you have a concern about the way we handle your personal data, please contact us in the first instance at jarrod@pagoda.academy and we will do our best to resolve the matter.
If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection:
- Website: ico.org.uk/make-a-complaint
- Helpline: 0303 123 1113
- Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF
You also have the right to seek a judicial remedy in the courts of England and Wales.
11. Changes to this notice
We may update this privacy notice from time to time to reflect changes in our practices or in applicable law. The "Last updated" date at the top of this page will be revised whenever material changes are made. Where changes are significant, we will take reasonable steps to bring them to your attention — for example by posting a prominent notice on our Website.
We encourage you to review this notice periodically. Continued use of our Website or services after any update constitutes acceptance of the revised notice.