Privacy Policy

1. Who We Are (Data Controller)

GST Global Study Trainer (‘GST’, ‘we’, ‘us’, or ‘our’) is the data controller responsible for your personal data. We are a university admissions and student finance consultancy based in Manchester, England, operating through our website at gstglobal.co.uk.

As data controller, we determine the purposes and means by which your personal data is processed. We are responsible for ensuring that all processing activity complies with UK GDPR, the Data Protection Act 2018, and all applicable UK data protection legislation.

2. What Personal Data We Collect

We collect personal data in three main ways: information you provide to us directly, information we collect automatically when you use our website, and information we receive from third parties in limited circumstances. We only collect the data that is necessary for the purpose described.

2.1 Information You Provide Directly

When you use our website, register for a student account, submit an enquiry, book a consultation, subscribe to our newsletter, or use our English assessment tool, you may provide us with:

• Full name
• Email address
• Telephone number (including WhatsApp)
• Postal address or area of residence (city, town, or postcode)
• Date of birth or age range
• Nationality and immigration status (relevant for student finance eligibility assessments)
• Educational background and qualifications held or in progress
• Course preferences and target universities
• Employment history (where relevant to your application or eligibility)
• Financial circumstances (where relevant to student finance eligibility assessments)
• Any additional information you volunteer in correspondence, consultation notes, or form submissions

2.2 Information We Collect Automatically

When you visit gstglobal.co.uk, our website automatically collects certain technical and usage data through cookies and similar tracking technologies. This includes:

• IP address and approximate geographic location (country or city level)
• Browser type and version
• Device type (desktop, mobile, tablet) and operating system
• Pages visited and time spent on each page
• Referring website or search query that brought you to our site
• Date and time of visits
• Links clicked within our website

For full details of how we use cookies and how to manage your preferences, see Section 9 (Cookies) of this policy.

2.3 Special Category Data

We do not routinely collect special category personal data (as defined in Article 9 of UK GDPR). However, in the course of providing admissions or student finance guidance, you may voluntarily share information relating to disability, health conditions, or learning difficulties (for example, when assessing eligibility for the Disabled Students’ Allowance). Where such information is shared:

• We process it only with your explicit consent
• We retain it only for as long as is necessary to provide the guidance you have requested
• We do not share it with third parties without your express permission, except where legally required

3. Why We Collect Your Data and Our Lawful Basis for Processing

UK GDPR requires us to identify a lawful basis for every category of personal data processing we undertake. The table below sets out each processing activity, our purpose, and the lawful basis under UK GDPR Article 6 that justifies it.

Where we rely on legitimate interests (Article 6(1)(f)) as our lawful basis, we have assessed that our interests are balanced against and do not override your rights and freedoms. You may object to processing based on legitimate interests at any time by contacting us at info@gstglobal.co.uk.

4. Who We Share Your Personal Data With

We do not sell, rent, or otherwise disclose your personal data to third parties for their own commercial purposes. We share your data only in the following limited and controlled circumstances:

4.1 Service Providers and Data Processors

We share personal data with carefully selected third-party service providers who process data on our behalf, strictly under our instruction, and subject to contractual obligations that meet UK GDPR requirements. These include:

• Website hosting provider — to store and serve our website and user accounts (currently hosted on secure UK/EEA-based servers)
• Email and communication platform — to send confirmation emails, newsletter communications, and appointment reminders
• Customer relationship management (CRM) system — to manage student records and consultation notes
• Payment processor — where applicable for any paid services (we do not store payment card details; these are handled directly by our payment provider under PCI-DSS compliance)
• Analytics provider — to analyse aggregated, anonymised website usage data (e.g. Google Analytics with IP anonymisation enabled)
• Social media platforms — Facebook, Instagram, and LinkedIn, where you interact with our pages or use social login features

4.2 Universities and Educational Institutions

With your explicit consent, we may share relevant elements of your personal data (such as your name, contact details, educational background, and course preferences) with partner universities or colleges in England as part of our admissions support service. We will always inform you before sharing your data with any specific institution and obtain your agreement.

4.3 Student Finance England / Student Loans Company

Where we assist you in completing a Student Finance England application, data you provide to us may be used to populate your application. However, this application is submitted through the Student Finance England portal in your name and under your control. We do not transmit your personal data directly to Student Finance England or the Student Loans Company without your knowledge and involvement.

4.4 Legal Disclosure

We may disclose personal data to law enforcement agencies, regulatory authorities, or courts where we are legally required to do so, or where disclosure is necessary to protect the safety of individuals, prevent fraud, or enforce our legal rights. We will notify you of any such disclosure where we are lawfully permitted to do so.

4.5 International Transfers

We aim to process and store all personal data within the UK or the European Economic Area (EEA). Where any transfer of personal data outside the UK or EEA is necessary (for example, where a third-party service provider operates international infrastructure), we ensure that adequate safeguards are in place in accordance with UK GDPR transfer rules, including the use of UK International Data Transfer Agreements (IDTAs) or adequacy decisions.

5. How Long We Keep Your Personal Data (Retention Periods)

We retain personal data only for as long as is necessary for the purpose for which it was collected, and in line with applicable legal or regulatory requirements. The following retention periods apply:

At the end of the applicable retention period, we securely delete or irreversibly anonymise your personal data. If you request deletion before the end of the retention period, we will comply unless we have a legal obligation to retain the data (for example, financial records required by HMRC).

6. Your Data Protection Rights

Under UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. We take all rights requests seriously and respond within one calendar month of receipt, free of charge.

To exercise any of these rights, please contact us at info@gstglobal.co.uk with the subject line ‘Data Rights Request’. Please include your full name and the email address associated with your account or enquiry so we can identify your records. We may need to verify your identity before processing your request.

If you are not satisfied with our response to a rights request, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at any time — see Section 10 for ICO contact details.

7. How We Protect Your Personal Data

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it against accidental loss, unlawful access, disclosure, alteration, or destruction. Our security measures include:

• SSL/TLS encryption — all data transmitted between your browser and gstglobal.co.uk is encrypted using HTTPS/TLS protocols
• Secure password storage — user account passwords are stored using industry-standard hashing and salting techniques; we never store passwords in plain text
• Access controls — access to personal data within our organisation is restricted to staff members who need it to perform their role, on a least-privilege basis
• Staff awareness — all staff members with access to personal data are aware of their obligations under UK GDPR and our internal data protection policies
• Secure hosting — our website is hosted on infrastructure with robust physical and network security controls
• Regular security reviews — we periodically review our security practices and update them in line with evolving threats and best practice guidance from the National Cyber Security Centre (NCSC)
• Data minimisation — we collect only the personal data that is necessary for the specific purpose, and retain it only for as long as required

Despite these measures, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to responding promptly and effectively to any suspected data security incident.

Data Breach Procedure

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we will notify the ICO within 72 hours of becoming aware of the breach, as required by UK GDPR Article 33. Where the breach is likely to result in a high risk to affected individuals, we will also notify those individuals directly and without undue delay, as required by UK GDPR Article 34.

8. Third-Party Websites and External Links

Our website may contain links to third-party websites and services, including university and college websites, Student Finance England (studentfinance.direct.gov.uk), UCAS (ucas.com), GOV.UK, and social media platforms. This Privacy Policy applies solely to gstglobal.co.uk and the services we directly provide.

We are not responsible for the privacy practices of third-party websites and encourage you to read the privacy policies of any website you visit via a link from our site. Clicking a link to a third-party website does not imply that we endorse that website or its privacy practices.

9. Cookies and Tracking Technologies

Cookies are small text files placed on your device when you visit a website. They allow the website to recognise your browser and remember certain information. We use cookies to make our website function correctly, to understand how it is used, and (with your consent) for marketing analytics.

9.1 Types of Cookies We Use

9.2 Managing Your Cookie Preferences

When you first visit gstglobal.co.uk, you will be shown a cookie consent banner that allows you to accept, reject, or customise non-essential cookies. You can change your cookie preferences at any time by clicking the ‘Cookie Settings’ link in our website footer, or by clearing cookies in your browser settings.

Please note that disabling certain cookies may affect the functionality of our website. Strictly necessary cookies cannot be disabled as they are required for the site to operate.

9.3 Specific Cookies in Use

10. Direct Marketing and Your Communication Preferences

We may wish to send you information about our services, new courses, university funding updates, and educational resources that we think may be of interest to you. We will only do so where:

• You have given us explicit consent to receive marketing communications by ticking the relevant opt-in box when submitting an enquiry or registering your account, or
• You are an existing client and we are sending information about services similar to those you have already used (soft opt-in, under UK PECR), and you have not objected to receiving such communications

You can opt out of marketing communications at any time by:

• Clicking the ‘Unsubscribe’ link in any marketing email we send you
• Emailing info@gstglobal.co.uk with the subject line ‘Unsubscribe’
• Contacting us by telephone on +44 7586 442 899

Opting out of marketing communications will not affect your receipt of service-related communications (such as appointment confirmations, application updates, or policy notices), which are necessary for the performance of our service.

11. Children’s Privacy

Our services are primarily directed at adult learners aged 18 and over. We do not knowingly collect personal data from children under the age of 13. If you are under 18 and wish to use our services, you should do so with the knowledge and consent of a parent or guardian.

If we become aware that we have collected personal data from a child under the age of 13 without appropriate parental consent, we will delete that data promptly. If you believe we have inadvertently collected data from a child under 13, please contact us immediately at info@gstglobal.co.uk.

12. Changes to This Privacy Policy

We review and update this Privacy Policy periodically to reflect changes in our services, our data processing activities, and applicable data protection legislation. The current version will always be available at gstglobal.co.uk/privacy-policy with the ‘Last updated’ date shown at the top.

Where we make significant changes to this policy that materially affect how we process your personal data, we will notify you by email (if we hold your email address) and/or by displaying a prominent notice on our website prior to the change taking effect. We encourage you to review this policy periodically.

Your continued use of our website or services after a policy update constitutes your acknowledgement of the revised policy. If you do not agree with any changes, you should stop using our services and may request deletion of your personal data by contacting us.

13. How to Contact Us and How to Complain

13.1 Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or how we handle your personal data, please contact us using the details below:

We aim to respond to all privacy-related correspondence within five business days. For formal Subject Access Requests and rights requests, we will respond within one calendar month as required by UK GDPR.