GDPR Privacy Policy (Europe & UK)
Effective Date: January 1, 2026
This Privacy Policy explains how drwalekesh.com (“we”, “us”, “our”) collects, uses, discloses, and protects personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR).
This policy applies to users located in the European Economic Area (EEA) and any individual whose personal data is processed under GDPR.
1. Data Controller
drwalekesh.com is the Data Controller responsible for determining how and why personal data is processed.
2. Personal Data We Collect
We may collect and process the following categories of personal data:
a. Identity and Contact Data
Full name
Email address
Phone number
Country of residence
b. Account and Learning Data (LMS)
User account credentials
Course enrollments
Learning progress and assessments
Certificates and completion records
c. Technical and Usage Data
IP address
Device and browser information
Log files
Pages visited and interaction data
Cookies and similar technologies
d. Payment Data
Transaction references
Payment status
Note: Full payment card or banking details are processed by third-party payment providers and are not stored on our servers.
3. Lawful Basis for Processing (Article 6 GDPR)
We process personal data on one or more of the following lawful bases:
Consent
Contractual necessity
Legal obligation
Legitimate interests, provided your rights and freedoms are not overridden
4. How We Use Your Personal Data
We use personal data to:
Create and manage user accounts
Deliver CFA-focused training and learning services
Track learning progress and issue certificates
Process payments and subscriptions
Communicate service-related updates
Improve platform functionality and security
Comply with legal and regulatory requirements
5. Cookies and Tracking Technologies
We use cookies and similar technologies to:
Enable core LMS functionality
Maintain secure user sessions
Track learning progress
Analyze platform usage
You may manage or withdraw cookie consent through your browser settings or our cookie banner, where applicable.
6. Data Sharing and Processors
We may share personal data with:
Trusted service providers (hosting, analytics, email, payment processing)
Professional advisers where legally required
Regulatory or law enforcement authorities where required by law
All processors operate under Data Processing Agreements (DPAs) and comply with GDPR.
7. International Data Transfers
Where personal data is transferred outside the EEA, appropriate safeguards are implemented, including:
Adequacy decisions
Standard Contractual Clauses (SCCs)
Other lawful transfer mechanisms
8. Data Retention
Personal data is retained only for as long as necessary to fulfill the purposes outlined in this policy or to meet legal, contractual, or regulatory obligations.
When no longer required, data is securely deleted or anonymized.
9. Your Rights Under GDPR
You have the right to:
Access your personal data
Rectify inaccurate data
Request erasure (“Right to be Forgotten”)
Restrict processing
Request data portability
Object to processing
Withdraw consent at any time
Lodge a complaint with a supervisory authority in your EU country
10. Data Protection Officer (DPO)
We have appointed a Data Protection Officer (DPO) to oversee GDPR compliance.
DPO Email: dataprotection@meaheadzonline.com
All GDPR-related inquiries, requests, or complaints should be directed to the DPO.
11. Data Security
We implement appropriate technical and organizational measures to protect personal data, including:
Secure hosting environments
Access controls and authentication
Data minimization practices
Staff confidentiality obligations
12. Children’s Data
This platform is intended for adults and professionals. We do not knowingly process personal data of children under the age of 16.
13. Automated Decision-Making
drwalekesh.com does not engage in automated decision-making or profiling that produces legal or similarly significant effects on users.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect legal, technical, or operational changes.
Updates will be posted on this page with a revised effective date.
15. Contact Information
For questions regarding this Privacy Policy or our GDPR practices, please contact the Data Protection Officer.
drwalekesh.com is committed to protecting your personal data and upholding your rights under the General Data Protection Regulation (GDPR).
Data Protection Policy
Wale-Kesh Learning
Document Owner: Compliance and Operations Team
Version: 1.0
Effective Date: 15 May 2026
Review Date: 15 May 2027
1. Purpose
This Data Protection Policy explains how the organization collects, processes, stores, shares, and protects personal data in connection with its educational services, including:
• Self-paced online video courses
• Live online classes
• In-person classroom training
• Online payment processing
• Student support services
• Marketing and communications
• Learning management systems (LMS)
The organization is committed to complying with:
• The UK General Data Protection Regulation (UK GDPR)
• The Data Protection Act 2018
• Applicable electronic communications and privacy laws
• Payment Card Industry Data Security Standards (PCI DSS), where applicable
This policy applies to all employees, contractors, tutors, consultants, and third-party service providers handling personal data on behalf of the organization.
2. Scope
This policy applies to all personal data processed by the organization relating to:
• Students
• Prospective students
• Parents or sponsors
• Employees and contractors
• Tutors and instructors
• Website visitors
• Corporate clients
• Event attendees
It covers both digital and paper-based records.
3. Definitions
Personal Data
Any information relating to an identified or identifiable individual, including:
• Name
• Email address
• Phone number
• Billing information
• Identification documents
• Learning progress
• Attendance records
• IP address
• Device information
Special Category Data
Sensitive personal data such as:
• Health information
• Racial or ethnic origin
• Religious beliefs
• Biometric data
The organization generally does not intentionally collect special category data unless legally required or voluntarily provided for accessibility or support purposes.
Processing
Any operation performed on personal data, including:
• Collection
• Storage
• Use
• Sharing
• Recording
• Deletion
4. Data Protection Principles
The organization follows the UK GDPR principles by ensuring that personal data is:
1. Processed lawfully, fairly, and transparently
2. Collected for specified and legitimate purposes
3. Adequate, relevant, and limited to what is necessary
4. Accurate and kept up to date
5. Retained only as long as necessary
6. Processed securely and confidentially
7. Accountable through documented compliance measures
5. Lawful Bases for Processing
The organization relies on one or more of the following lawful bases:
Activity | Lawful Basis
Student enrolment | Contract
Course delivery | Contract
Payment processing | Contract and legal obligation
Attendance tracking | Legitimate interests
Student communications | Contract
Marketing emails | Consent or legitimate interests
Regulatory compliance | Legal obligation
Fraud prevention | Legitimate interests
Recording live classes | Legitimate interests
6. Types of Data Collected
Student Data
• Full name
• Email address
• Telephone number
• Date of birth (if required)
• Address
• Course enrolment details
• Attendance records
• Examination performance
• Learning analytics
• Identification documents where required
Payment Data
Online payments are processed through secure third-party payment providers. The organization does not store full card details on internal systems.
Payment-related information may include:
• Billing name
• Billing address
• Transaction reference
• Payment status
Technical Data
• IP addresses
• Browser type
• Device information
• Cookies and tracking data
• Login activity
• Platform usage data
Employee and Tutor Data
• Payroll information
• Contracts
• Qualifications
• Background checks
• Contact information
7. How Personal Data Is Collected
Personal data may be collected through:
• Website registration forms
• Course sign-up forms
• Online payment gateways
• Learning management systems
• Email communications
• Live class participation
• In-person attendance sheets
• Customer support requests
• Marketing subscriptions
• Recruitment processes
8. Use of Personal Data
The organization uses personal data to:
• Deliver educational services
• Provide access to online learning platforms
• Conduct live classes
• Manage in-person classes
• Process payments
• Issue invoices and receipts
• Provide student support
• Monitor academic progress
• Improve course quality
• Prevent fraud and abuse
• Meet legal and regulatory obligations
• Send service-related communications
• Conduct marketing activities where permitted
9. Online Learning Platforms and Recordings
Self-Paced Video Courses
The organization may track:
• Video completion status
• Quiz results
• Login activity
• Course engagement metrics
Live Online Classes
Live classes may be recorded for:
• Revision purposes
• Quality assurance
• Internal training
• Student access
Students will be informed when sessions are recorded.
Participants should avoid sharing unnecessary personal or confidential information during recorded sessions.
10. In-Person Classes
For classroom-based training, the organization may collect:
• Attendance records
• Visitor logs
• CCTV footage where applicable
• Emergency contact information
CCTV systems are used only for security and safety purposes.
11. Cookies and Website Tracking
The organization’s website may use cookies and analytics technologies to:
• Improve website functionality
• Analyze website traffic
• Remember user preferences
• Enhance user experience
• Support marketing campaigns
Users can manage cookie preferences through browser settings or website cookie banners.
12. Data Sharing
The organization may share personal data with:
• Payment processors
• Cloud hosting providers
• Learning management system providers
• Email communication platforms
• IT support providers
• Professional advisers
• Regulatory authorities where legally required
Third-party providers are required to:
• Maintain appropriate security controls
• Process data only under instructions
• Comply with UK GDPR obligations
The organization does not sell personal data.
13. International Data Transfers
Where personal data is transferred outside the United Kingdom, the organization ensures appropriate safeguards are in place, including:
• UK adequacy regulations
• International Data Transfer Agreements (IDTAs)
• Standard contractual clauses
• Approved certification mechanisms
14. Data Security Measures
The organization implements appropriate technical and organizational security measures, including:
• Secure cloud-based systems
• Password protection and multi-factor authentication
• Encryption of sensitive data
• Access controls based on business need
• Secure payment gateways
• Anti-virus and endpoint protection
• Staff training on data protection
• Secure disposal of records
• Regular system updates and monitoring
Employees must:
• Keep passwords confidential
• Avoid sharing login credentials
• Report suspicious activity immediately
• Use approved systems only
• Lock devices when unattended
15. Data Retention
Personal data is retained only for as long as necessary.
Typical retention periods include:
Data Type | Retention Period
Student records | 6 years after course completion
Financial records | 6 years
Marketing consent records | Until withdrawal of consent
Website analytics | 12–24 months
CCTV footage | Up to 30 days unless required for investigation
Recruitment records | 12 months
Data may be retained longer where required by law or for legitimate legal purposes.
16. Individual Rights
Under UK GDPR, individuals may have the right to:
• Access their personal data
• Correct inaccurate data
• Request deletion of data
• Restrict processing
• Object to processing
• Withdraw consent
• Request data portability
• Lodge a complaint with the Information Commissioner’s Office (ICO)
Requests should be submitted in writing to the organization’s Data Protection Contact.
The organization will normally respond within one calendar month.
17. Marketing Communications
Marketing emails and promotional communications will only be sent where:
• Consent has been obtained, or
• Another lawful basis applies under applicable law
Recipients may unsubscribe at any time using the unsubscribe link or by contacting the organization.
18. Data Breach Management
A personal data breach may include:
• Unauthorized access
• Loss of data
• Disclosure of confidential information
• Malware attacks
• Accidental deletion
All suspected breaches must be reported immediately to management.
The organization will:
1. Investigate the incident
2. Contain and mitigate risks
3. Assess legal reporting obligations
4. Notify affected individuals where required
5. Report qualifying breaches to the ICO within statutory time limits
6. Maintain breach records
19. Staff Responsibilities
All employees and contractors must:
• Follow this policy
• Complete data protection training
• Handle personal data securely
• Report incidents promptly
• Use company systems responsibly
• Avoid unauthorized disclosure of information
Failure to comply with this policy may result in disciplinary action.
20. Children and Young Learners
The organization primarily provides professional education services intended for adults.
Where services involve individuals under 18 years of age, additional safeguards and consent requirements may apply.
21. Data Protection Contact
Questions regarding this policy or personal data requests should be directed to:
Data Protection Contact
Compliance Team
Wale-Kesh Learning
Email: info@drwalekesh.com
22. Complaints
Individuals have the right to lodge a complaint with the UK Information Commissioner’s Office:
Information Commissioner’s Office (ICO)
Website: https://ico.org.uk
Telephone: 0303 123 1113
23. Policy Review
This policy will be reviewed at least annually or whenever there are:
• Material business changes
• Legal or regulatory updates
• Significant technology changes
• Security incidents affecting data processing
24. Related Documents
• Privacy Notice
• Information Security Policy
• Cookie Policy
• Data Retention Policy
• Incident Response Procedure
• Acceptable Use Policy
• Employee Confidentiality Agreement
