Privacy Policy

Version 1.0 · Effective: 2026 · UK GDPR · Data Protection Act 2018

This Privacy Policy ("Policy") explains how Horizon Intelligence Systems ("we," "us," "the Provider") collects, uses, stores, and protects your personal data when you purchase, register for, or access any of our training programmes. It applies to all three programme tiers: Foundation, Professional, and Expert.

We are committed to protecting your privacy and processing your personal data transparently and lawfully. This Policy complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Please read this Policy carefully before purchasing or accessing any programme. By creating an account or purchasing a licence, you acknowledge that you have read and understood this Policy.

SECTION 1

Who we are and how to contact us

Horizon Intelligence Systems is the data controller for all personal data collected in connection with our training programmes. As data controller, we determine the purposes and means of processing your personal data and are responsible for ensuring it is handled lawfully.

Organisation

Horizon Intelligence Systems

Data controller

Horizon Intelligence Systems

Company number

17058068 — Registered in England and Wales

General enquiries

info@horizonintelligence.co.uk

Privacy / data

info@horizonintelligence.cm.uk

For all data protection enquiries — including subject access requests, erasure requests, complaints, and consent withdrawals — please contact us at the privacy email address above. We will respond within thirty (30) days.

SECTION 2

What personal data we collect

We collect the following categories of personal data. We only collect what is necessary for the purposes set out in this Policy.

2.1 Registration and account data

Full name
Email address
Password (stored in encrypted form — we do not have access to your plaintext password)
Professional role and job title
Organisation or employer name
Professional sector (e.g. education, policing, social services, healthcare)
Country and region

2.2 Programme progress and assessment data

Lesson completion status and timestamps
Time spent on each lesson and section
Quiz and assessment scores
Interactive exercise results
Certificate of Completion issuance date and score

2.3 Payment data

We do not store your full payment card details. Payment processing is handled by our third-party payment processor. We receive only a transaction confirmation, the amount paid, and your billing email address. Your card details are processed and stored by the payment processor under their own privacy and security arrangements.

2.4 Technical and usage data

IP address (used for security and fraud prevention)
Browser type and version
Device type and operating system
Session logs — pages visited, time of access, and duration
Cookie identifiers (see Section 9)
Error logs and technical diagnostics

2.5 Communications data

Content of emails, support requests, or enquiries you send to us
Your responses to any optional feedback requests or surveys

2.6 Data you choose not to provide

Where fields are marked optional at registration, you may choose not to provide them. Mandatory fields are those required to create your account and provide access to the programme. Withholding mandatory data means we cannot provide the service.

Note on sensitive data: We do not intentionally collect special category personal data (such as health, ethnicity, religion, or political opinion). If you include such data in communications with us, we will process it only to the extent necessary to respond to your enquiry.

SECTION 3

How and why we use your data

The table below sets out each purpose for which we process personal data, the legal basis under UK GDPR, and the categories of data involved.

Purpose

Legal basis

Data categories

Provide programme access and track progress

Performance of contract (Art. 6(1)(b))

Account data, progress data, technical data

Issue Certificate of Completion

Performance of contract (Art. 6(1)(b))

Account data, assessment data

Process payment and manage your account

Performance of contract (Art. 6(1)(b))

Account data, payment confirmation

Send account and access notifications

Performance of contract (Art. 6(1)(b))

Account data

Send content update notifications to active subscribers

Legitimate interests (Art. 6(1)(f))

Account data

Send licence renewal reminders

Legitimate interests (Art. 6(1)(f))

Account data

Respond to support and data rights enquiries

Legal obligation / Legitimate interests

Account data, communications data

Improve programme content using anonymised analytics

Legitimate interests (Art. 6(1)(f))

Anonymised progress and usage data

Fraud prevention and platform security

Legitimate interests (Art. 6(1)(f))

Technical data, account data

Comply with legal and regulatory obligations

Legal obligation (Art. 6(1)(c))

As required by applicable law

Send optional marketing communications (with consent)

Consent (Art. 6(1)(a))

Email address, sector, role

3.1 Legitimate interests

Where we rely on legitimate interests as our legal basis, we have balanced our interests against your rights and freedoms. In each case, we have concluded that our interests are proportionate, that you would reasonably expect us to process data in this way, and that processing does not outweigh your privacy interests. You have the right to object to processing based on legitimate interests — see Section 7.

3.2 Marketing communications

We will only send marketing communications — such as information about new programme content, related products, or professional development resources — where you have given explicit consent at registration or subsequently. You can withdraw consent at any time by clicking the unsubscribe link in any marketing email or by contacting us at the privacy email address in Section 1.

Withdrawing marketing consent does not affect our ability to send you transactional communications about your account, access, and programme completion.

SECTION 4

How long we keep your data

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by law. The table below sets out our standard retention periods.

Data category

Retention period

Account and registration data

Duration of active licence + 3 years after expiry

Programme progress and assessment data

Duration of active licence + 3 years after expiry

Certificate of Completion records

Duration of active licence + 3 years after expiry (or longer if you request extended retention for professional development purposes)

Payment transaction records

Up to 7 years (legal and tax obligation)

Communications and support records

3 years from the date of the last communication

Technical and session logs

12 months (rolling)

Marketing consent records

Until consent is withdrawn, then 1 year (evidence of withdrawal)

After the relevant retention period, data is securely deleted or irreversibly anonymised. Anonymised data may be retained indefinitely for analytics and programme development purposes, as it can no longer be used to identify you.

Extended retention: If you require your completion records to be retained for longer than our standard period — for example, for regulatory compliance or professional portfolio purposes — please contact us. We will consider reasonable requests for extended retention on a case-by-case basis.

SECTION 5

Who we share your data with

5.1 We do not sell your data

We do not sell, rent, broker, or otherwise transfer your personal data to third parties for their own commercial purposes. Your data is not used for advertising, profiling, or targeted marketing by any third party.

5.2 Service providers (data processors)

We use a limited number of trusted third-party service providers who process personal data on our behalf and under our instructions. These providers act as data processors and are contractually bound to process data only as directed by us, to implement appropriate security measures, and to comply with UK GDPR. Our current categories of data processor include:

Hosting and infrastructure provider — stores programme content and account data on servers located in the UK or EEA
Payment processor — processes payment transactions; does not receive your full programme account data
Email delivery service — sends transactional and marketing emails on our behalf
Analytics platform — provides anonymised platform usage analytics; no personal data is shared in identifiable form
Customer support platform — if used, processes communications data for support ticket management

We review all data processor relationships regularly and maintain data processing agreements with each provider. A list of current data processors is available on request.

5.3 Legal disclosure

We may disclose your personal data to law enforcement agencies, regulatory bodies, or courts where we are required to do so by law, or where disclosure is necessary to protect the rights, property, or safety of ourselves, our users, or the public. We will notify you of such disclosure where we are legally permitted to do so.

5.4 Business transfers

In the event of a merger, acquisition, or sale of all or part of our business, your personal data may be transferred to the acquiring entity. We will notify you by email and update this Policy before your data is transferred and becomes subject to a different privacy policy. You will have the right to request deletion of your data at that point if you do not wish it to be transferred.

5.5 Professional verification

Where a third party — such as an employer, regulatory body, or professional association — requests verification of a named Certificate of Completion, we will confirm or deny the validity of the certificate. We will not provide any further personal data about you to a third party without your written consent, except as required by law.

SECTION 6

International transfers

We aim to keep your personal data within the UK and the European Economic Area (EEA). Where any data processor operates outside the UK or EEA, we ensure that appropriate safeguards are in place before any transfer takes place, in accordance with UK GDPR Chapter V requirements.

Appropriate safeguards for international transfers include: UK adequacy regulations in respect of the receiving country; standard contractual clauses approved by the UK Information Commissioner's Office (ICO); binding corporate rules; or other lawful transfer mechanisms.

If you would like further information about the safeguards applicable to any international transfer of your data, please contact us at the privacy email address in Section 1.

SECTION 7

Your rights under UK GDPR

Under UK GDPR, you have the following rights in relation to your personal data. These rights are not absolute and may be subject to exceptions in specific circumstances.

Right of access (Subject Access Request)

You have the right to request a copy of the personal data we hold about you, along with information about how and why we process it. Requests are free of charge and will be responded to within thirty (30) days. Where requests are complex or numerous, we may extend this period by a further two months with notice.

Right to rectification

You have the right to request correction of inaccurate personal data we hold about you. You can update most of your account information directly through your account settings. For data you cannot update yourself, contact us and we will make the correction within thirty (30) days.

Right to erasure ("right to be forgotten")

You may request that we delete your personal data. We will comply unless retention is required for a legitimate purpose, including: compliance with a legal obligation; establishment, exercise, or defence of legal claims; or completion of a service you have contracted for. Where erasure is not possible in full, we will erase or anonymise as much data as we lawfully can and explain what we have retained and why.

Right to restriction of processing

You may request that we restrict our processing of your data in certain circumstances — for example, while the accuracy of data is contested, or where you have objected to processing and we are considering your objection. During a restriction, we will continue to store your data but will not process it further without your consent.

Right to data portability

Where processing is based on your consent or performance of a contract, and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller. On request, we will provide your account and progress data in CSV or JSON format.

Right to object

You have the right to object to processing based on our legitimate interests. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or unless processing is necessary for the establishment, exercise, or defence of legal claims.

You have an absolute right to object to processing of your data for direct marketing purposes at any time, including profiling related to direct marketing. We will cease such processing immediately on receipt of your objection.

Rights related to automated decision-making

We do not make decisions about you solely by automated means that produce legal or similarly significant effects. Our programme assessments are scored automatically, but the scoring methodology is transparent and the results do not produce legal effects — they produce a training certificate. You may request human review of any assessment result that you believe is erroneous.

How to exercise your rights

To exercise any of the above rights, contact us at the privacy email address in Section 1. Please include your full name, email address, and a clear description of the right you wish to exercise. We may ask for proof of identity before processing a request, to protect your data from unauthorised access.

ICO complaints: If you believe we have not handled your personal data in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by telephone on 0303 123 1113. We would, however, welcome the opportunity to address your concerns directly before you contact the ICO.

SECTION 8

How we protect your data

8.1 Technical measures

All data transmitted between your browser and our platform is encrypted using TLS (Transport Layer Security)
Account passwords are stored using industry-standard hashing — we cannot retrieve your plaintext password
Access to personal data within our systems is restricted to authorised personnel on a need-to-know basis
Platform infrastructure is hosted with providers that hold recognised security certifications
Regular security assessments and penetration testing are conducted on our platform

8.2 Organisational measures

Staff with access to personal data receive data protection training
Data access is logged and audited
Data processing agreements are in place with all third-party service providers
An incident response procedure is in place for data breaches

8.3 Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within seventy-two (72) hours of becoming aware of the breach, as required by UK GDPR. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly without undue delay, describing the nature of the breach, its likely consequences, and the measures we are taking to address it.

SECTION 9

Cookies and tracking technologies

9.1 What we use cookies for

Our platform uses cookies and similar technologies for the following purposes:

Authentication — keeping you logged in to your account during a session
Progress tracking — recording which lessons you have completed and your position within lessons
Assessment state — preserving your answers during an assessment session
Security — detecting and preventing fraudulent or abusive account access
Performance — identifying pages or features with technical issues

9.2 Types of cookies

Cookie type

Purpose

Can be disabled?

Strictly necessary

Authentication, session management, security

No — disabling prevents access to the platform

Functional

Progress saving, lesson state, quiz results

No — disabling prevents progress from being saved

Analytics

Anonymised usage data for platform improvement

Yes — opt out via cookie preferences

Marketing

Not used on our platform

N/A

We do not use third-party advertising cookies or tracking pixels. We do not share cookie data with advertising networks.

9.3 Managing cookies

You can manage cookie preferences through your browser settings. Please note that disabling strictly necessary or functional cookies will prevent you from accessing or using the programme normally. Most browsers allow you to view, delete, and block cookies — refer to your browser's help documentation for instructions.

SECTION 10

Children's data

Our programmes are designed for and marketed to adult professionals. We do not knowingly collect personal data from anyone under the age of 18. If you believe that we have inadvertently collected data from a person under 18, please contact us immediately and we will delete the data without delay.

If you are a professional working in a setting that includes young people, please ensure that your programme access is used in an appropriate professional context and that programme content — which covers sensitive safeguarding material — is not accessible to young people.

SECTION 11

Third-party links and platforms

Our programme content or communications may contain links to third-party websites, resources, or platforms. This Privacy Policy applies only to data we collect and process — it does not apply to third-party websites, even where we have linked to them. We are not responsible for the privacy practices of third parties. We encourage you to read the privacy policy of any third-party website you visit.

Where programme content is delivered through an embedded format on a third-party platform operated by your organisation, that organisation may have its own data processing activities. Your organisation is separately responsible as a data controller for any personal data it processes in connection with your use of its platform.

SECTION 12

Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or our programmes. When we make material changes, we will notify active Subscribers by email at least fourteen (14) days before the changes take effect, and we will update the version number and effective date at the top of the Policy.

Minor changes — such as correcting typographical errors or updating contact details — may be made without advance notice. The current version of this Policy is always available on our platform and website.

Your continued use of the programme after the effective date of a revised Policy constitutes your acknowledgement of the changes. If you do not accept the revised Policy, you may contact us to close your account and request deletion of your data.

SECTION 13

Contact and complaints

For all privacy-related enquiries, data rights requests, and complaints, please contact us using the details below. We aim to respond to all privacy enquiries within ten (10) business days and to data rights requests within thirty (30) days.

Organisation

Horizon Intelligence Systems

Privacy contact

info@horizonintelligence.co.uk

General contact

info@horizonintelligence.co.uk

Company number

17058068— Registered in England and Wales

ICO (complaints)

ico.org.uk · 0303 123 1113

If you are unhappy with our response to a privacy enquiry or data rights request, you have the right to escalate your complaint to the Information Commissioner's Office (ICO), which is the UK supervisory authority for data protection.

Horizon Intelligence Systems · Privacy Policy · Version 1.0 · UK GDPR · England and Wales