Privacy Policy - Kip McGrath Education Centres

Kip McGrath Education Centres Ltd Privacy Policy

Purpose of policy

Commitment to Privacy: The Group, encompassing Kip McGrath Education Centres Limited and its subsidiary legal entities (the group - as listed below in 2.3), is committed to protecting the privacy of individuals. We adhere to the Australian Privacy Principles set out in the Privacy Act 1988 (Cth); the United Kingdom General Data Protection Regulation; the Children's Online Privacy Protection Act (COPPA) in the United States; state-specific privacy laws such as the California Consumer Privacy Act (CCPA), the Virginia Consumer Data Protection Act (VCDPA), and others; the Privacy Act 2020 in New Zealand; the Protection of Personal Information Act (POPIA) in South Africa; and other applicable data privacy and protection laws globally. This Privacy Policy outlines our practices for collecting, using, disclosing, and managing personal information, emphasizing our commitment to complying with both global and local data protection standards, including those specifically protecting children's privacy.

Data Controllers and Processors: For the purpose of the General Data Protection Regulation, Kip McGrath Education Centres Limited and its subsidiary legal entities are generally the data controllers. In specific contexts, such as when offering business intelligence services to our corporate affiliates, we act as data processors.

About Kip McGrath Education Centres Limited

Kip McGrath Education Centres Limited is an Australian listed company. Kip McGrath Education Centres Limited is incorporated and registered in Australia with Australian company number 003 415 889 and has its registered office at Newcastle East, NSW 2300. The Group operates tutoring service centres in Queensland, New South Wales, Victoria, Tasmania, Western Australia, the Australian Capital Territory, New Zealand, the United States and the United Kingdom.The Group operates as a franchisor in Australia, New Zealand, United Kingdom, South Africa, Kenya and the United Arab Emirates, where centres are operated by franchisees. It also provides tutoring services in the United States through the subsidiary company Tutorfly Holdings Inc.

This Privacy Policy applies to the Group and its privacy practices in Australia (including privacy practices concerning European Economic Area and United Kingdom based website visitors), the United States, New Zealand and other countries the Group has a presence in unless a separate privacy policy applies to a particular Group business. Our separate privacy policies applicable to different businesses within the Group are:

Service Centres in Australia (Kip McGrath Direct Pty Ltd)
Franchises in Australia (Kip McGrath Education Australia Pty Ltd)
Service Centres in NZ (Kip McGrath Education New Zealand Limited)
Franchises in NZ (Kip McGrath Education New Zealand Limited)
Service Centres in UK (Kip McGrath Education United Kingdom Ltd)
Franchises in UK (Kip McGrath Global Pty Limited)
Operations in the US (Tutorfly Holdings, Inc.)
Service Centres in the US (Kip McGrath Inc.)
Franchises in other international locations (Kip McGrath Global Pty Limited)

Name, Country of incorporation, percentage ownership

Company Name	Country	Ownership Percentage
Kip McGrath Education Australia Pty Ltd	Australia	100%
Kip McGrath Global Pty Limited	Australia	100%
Kip McGrath Direct Pty Ltd	Australia	100%
Kip McGrath Education United Kingdom Ltd	United Kingdom	100%
Kip McGrath Education New Zealand Limited	New Zealand	100%
Tutorfly Holdings, Inc.	United States of America	100%
Kip McGrath Inc.	United States of America	100%

Collection: The kinds of personal information we collect and hold

We collect and hold personal information about you depending on your interaction with us. This includes, but is not limited to, Identity Data, Contact Data, Marketing and Communications Data, and Usage Data. We have clarified the types of personal data we collect and the context in which we collect them to avoid any ambiguity.

Type of personal data	Description
Identity Data	Data which identifies you (including name, username, title, school year, date of birth and gender)
Contact Data	Contact details (including postal address, telephone number and email address)
Marketing and Communications Data	Data which we capture when you sign up to newsletters, including your communication preferences
Usage Data	Information about how you use this site and our services, including how you navigate this site and if you encounter any problems
Educational Data	Information about you or your child’s education history and academic cycle that you submit on this site when you book a free assessment or which you may provide to us when you make an enquiry
Social Media Data	When you connect with us or like or follow our social media accounts we may have access to your personal data through the social media platform, including your social media handle, photograph, date of birth, location, occupation, interests and other information and content you make available via your social media accounts
Technical Data	Electronic information which is automatically logged/stored by processing equipment, including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this site.

We may also collect, use and share aggregated data such as statistical or demographic data for any purpose.

Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific feature of this site. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

We do not collect special categories of personal data about you through the use of our websites. This includes details about your race or ethnicity, religious or philosophical beliefs, political opinions, information about your health and genetic and biometric data. Nor do we collect any information about criminal convictions and offences.

If you apply to work with us, we will for the purpose of assessing and progressing your employment application collect the details that you include in your application and during any interview process with us. This collection of data is limited to the scope of information in which we have a legitimate interest as your potential future employer, e.g. your name, contact details and information about your education and employment history. If we decide not to employ you, we will delete your personal information: (i) upon your request; or (ii) after a transition period of three months after the employment decision, unless we have a legitimate interest in keeping your personal information for a longer period.

How we collect and hold personal information

4.1 Direct interactions:

The Group collects personal data from you in a number of different ways. We may collect personal information directly from you (or someone on your behalf) or in the course of our dealings with you, for example when you:

browse or use our Websites (including via cookies and other information collection technologies);
book a free assessment;
subscribe to receiving marketing communications;
reserve a place at one of our franchise information sessions;
complete a survey;
connect with us, follow us or ‘like’ us on social media;
apply to work with us; or
contact and correspond with us, for example to ask for information or make a complaint.

Automated technologies or interactions:

Data Collection Through Technologies: When you navigate our websites, we employ automated technologies to gather Technical Data and Usage Data concerning your devices, as well as your browsing activities and patterns. This collection is facilitated through the use of cookies, server logs, and comparable technologies, aiming to enhance user experience and site functionality.
Purpose and Use of Data: The primary goal of collecting this data is to analyze trends such as visitor traffic across various sections of our site, enabling us to understand user preferences and improve our services accordingly. For detailed information on how we use such technologies, please refer to our dedicated Cookies Policy available on our website.
Recording of Online Sessions: To maintain and elevate the quality of our online tutoring sessions, we might record these interactions (both audio and video). Such recordings serve multiple purposes, including enhancing the educational experience, providing material for teacher training, and offering a reference point for addressing any concerns related to class absences or feedback from parents.
Transcription Services: Occasionally, we may utilize automatic transcription services, such as Amazon Transcribe, to convert spoken language in our tutoring sessions into text. This practice is primarily aimed at bolstering our child protection measures, ensuring a safe and supportive learning environment.
CCTV Surveillance: Selected premises of our organization are monitored using CCTV cameras as a part of our commitment to ensure safety and security. Footage captured by these cameras is used exclusively for security purposes and assisting in investigations related to any incidents or accidents on our properties.
Data Retention and Privacy: Information collected through these automated technologies is handled in strict adherence to our privacy policy, ensuring that data retention aligns with our operational requirements and compliance obligations.

4.3 Third parties:

We engage with various third-party sources to collect personal data, enhancing our services and ensuring a tailored user experience. Below are the categories and types of third parties from which we may receive personal data:

Social Media Platforms: We obtain Social Media Data from platforms like Facebook, Instagram, LinkedIn, Twitter, and Google+. This data, which may include your interactions with our social media content or ads, helps us understand your preferences and improve our engagement strategies. These platforms may be located both within and outside the EU, adhering to their respective privacy policies.
Technical Data Providers:
1. Analytics Providers: Tools such as Google Analytics and Facebook pixel tags offer insights into user behavior on our website, aiding us in refining our content and service offerings.
2. Advertising Networks: We collaborate with advertising networks to present relevant advertisements to you, utilizing data to ensure the ads align with your interests.
3. Search Information Providers: Data from providers that offer insights based on search engine usage helps us optimize our online presence and content relevance.
Publicly Available Sources: We may access publicly available information, including data available on social media platforms or public registries, to better understand market trends and to validate or enrich the information we hold.
Franchisee Data Sharing: Our franchisees play a crucial role in service delivery. We may receive information from them to facilitate the provision of requested services, ensuring a consistent and seamless user experience across our network.
Data Usage: Information received from these third parties will be utilized in accordance with this Privacy Policy, respecting your privacy preferences and adhering to applicable data protection laws.
Transparency and Control: We are committed to transparency regarding the third-party sources we engage with. You have the right to know how your data is being collected and used and to exercise control over your personal information.

How and why we use personal data

We will only collect and process your personal data where we have a legal basis to do so. This legal basis will vary depending on the manner and purpose for which we are collecting your personal information. The circumstances in which we may use your personal data are as follows:

Where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract;
Where it is necessary to comply with a legal or regulatory obligation that we are subject to;
Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or
Where we have your consent to do so, subject to your right to withdraw consent (further details provided in the section headed “Your rights” below).

We have set out in the table below a description of all the ways we plan to use your personal data, and which of the above legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you require further detail about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

What we use your personal information for	Type of data	Lawful basis for processing	Basis of legitimate interest (where applicable)
To manage our relationship with you, this will include notifying you about changes to our terms or Privacy Policy.	Identity Contact Profile Social Media Marketing and Communications	Necessary to comply with a legal obligation Necessary for our legitimate interests	To conduct our business and to keep our records updated
To administer and protect our business and systems, including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data	Identity Contact Usage Technical	Necessary to comply with a legal obligation Necessary for our legitimate interests	For running of our business, provision of administration and IT services, network security and to prevent fraud
To set up, manage access to, and maintain the security of, your online account for the Student Portal and Parent Portal	Identity Contact Profile Technical Usage	Consent – given at the time of registering an online account for the Student Portal and Parent Portal Necessary for our legitimate interests Necessary for the performance of a contract with you	To conduct our business – to be able to perform our contracts with students and conduct our business
To deliver relevant website content and advertisements to you based upon your preferences.	Identity Contact Profile Usage Marketing and Communications	Consent - given at time of enrolment	To let you know about promotions or products that may be of interest to you
To use data analytics to improve our websites and our services, marketing, customer relationships and experiences	Identity Contact Technical Usage	Necessary for our legitimate interests	To define our customer base, to keep our websites and services updated and relevant, to inform our product and marketing strategy to grow our business
To deal with and respond to queries submitted to us via this site, social media accounts, by post, email or by telephone	Identity Contact Social Media Profile Marketing and Communications	Consent – given at the time of contact Necessary for our legitimate interests	To conduct our business and improve our services and keep our records up-to-date
To assess and progress your employment application, including conducting reference checks and any psychometric or other testing used as part of the recruitment process	Identity Contact	Necessary for our legitimate interests	To assess job suitability and protect company assets and employees by hiring appropriate candidates.
To carry out our business and franchisor functions and activities, including meeting our legal and regulatory obligations.	Identity Contact	Necessary for compliance with a legal obligation or our legitimate interests	To comply with legislation and comply with requests of competent authorities or orders
To administer our share registry, including communications with our shareholders and receiving tax file number notifications from the Australian Tax Office.	Identity Contact	Necessary for our legitimate interests	To process for legitimate interests of administering our share registry

Marketing

Marketing communications from us: We may send you marketing communications if you:

are a student or a student’s parent/guardian and you have not opted out of receiving marketing communications from us;
have booked an assessment and you have consented to receive marketing communications from us; or
have otherwise consented to receive marketing communications from us.

Third party marketing:

we will only share your personal data with another company for marketing purposes if you have expressly consented to us doing so.

Opting out: You can ask us and our franchisees to stop sending you marketing communications at any time, by:

clicking the unsubscribe link in the footer of any marketing email from us;
contacting us in accordance with section 18.

Children's Personal Data in the UK

We recognize the importance of protecting children's privacy, especially in the online environment. Our practices are designed to comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 regarding the collection, use, and disclosure of personal information related to children.
Age of Digital Consent: In the UK, children under the age of 13 require parental or guardian consent to process their personal data. Our services are not intentionally directed at children below this age, and we do not knowingly collect personal data from them without proper consent.
Obtaining Parental Consent: When we need to collect personal data from children under 13, we take steps to verify the age of the individual and will seek consent from a parent or guardian before any data processing occurs. The process for providing this consent is straightforward and secure, ensuring that the rights of the child are fully protected.
Data Processing: Any personal data collected from children is used solely for the purpose it was collected for, such as providing educational services or responding to inquiries. We ensure that the data is processed in a manner that is respectful of children's privacy rights.
Children's Rights: Children have the same rights as adults regarding their personal data. They can access their data, request corrections, object to processing, and request the deletion of their data. Parents or guardians can exercise these rights on behalf of their children.
Communication: Information aimed at children will be presented in a clear, concise, and age-appropriate manner. We are committed to ensuring that children understand how their data is used and how they can control it.
Use of Online Services by Children: If any of our online services are likely to be accessed by children, we adhere to the standards set forth by the Age Appropriate Design Code, focusing on providing a high level of privacy protection.
Safeguards: We implement specific safeguards to protect children's personal data, reflecting the enhanced duty of care required when processing their information.

We are dedicated to safeguarding the personal data of all our users, especially children, and are committed to complying with all applicable laws and regulations concerning children's data protection in the UK.

Children's Personal Data in the United States

In compliance with the Children's Online Privacy Protection Act (COPPA), our organization is committed to protecting the privacy of children in the United States. This section outlines our practices concerning the collection, use, and disclosure of personal information from children under the age of 13.

COPPA Compliance: We adhere to the requirements of COPPA, which necessitates parental consent for collecting, using, or disclosing personal information from children under 13 years of age. Our website and services are not directed to children under this age, and we do not knowingly collect personal information from them without obtaining verifiable parental consent.
Verifiable Parental Consent: When we identify that the user is under 13 and personal information is about to be collected, we take steps to inform parents, seeking their verifiable consent before any data collection or processing begins. We provide parents with a clear and comprehensive description of the data being collected, how it will be used, and who will have access to it.
Parental Rights: Parents have the right to review the personal information collected from their child, request deletion, and refuse to allow further collection or use of the information. We provide parents with easy-to-follow instructions on how they can exercise these rights.
Use of Information: Any personal information collected from children under 13 is used solely for the purpose for which it was collected, such as providing our educational services or responding to inquiries. It is not used for marketing or any other purposes without explicit parental consent.
Data Sharing: We do not disclose any personal information collected from children to third parties unless it is necessary to provide our services, as permitted by law, or with explicit parental consent.
Data Security: We implement stringent security measures to protect the personal information of children, ensuring it is treated with the highest level of confidentiality and security.
Training and Awareness: Our staff is trained on the requirements of COPPA and the importance of children's privacy, ensuring that all interactions with children's data are conducted in compliance with this policy.

By adhering to these principles, we ensure our compliance with COPPA and demonstrate our commitment to protecting the privacy of children in the United States.

Change of purpose

We will only use your personal data for the purposes for which we originally collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we wish to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

We may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

If you fail to provide personal data

If we are not able to collect personal data about you we may not be able to provide you with products, services and assistance to the extent that they require us to collect, use or disclose your personal data. For example, we will be unable to progress your employment application if you cannot provide us with details of your employment history.

Information collection technologies (including cookies)

Our websites use cookies and other technologies such as internet tags and navigational data collection, which passively collect information (which means it is collected without you actively providing it). The technologies we use collect information such as your IP address, your device’s unique identifier number, date, time and duration of your visit and the web address of the website that you visited before you arrived at our Website.

We use Google Analytics to help analyse use of our websites. This analytical tool uses “Cookies” which are small text files placed on your computer to collect standard internet log information and visitor behaviour information.

Our websites use cookies for a number of purposes, for instance to enable us to identify which pages are being used, analyse data about web page traffic, build a demographic profile and improve our sites in order to tailor it to customer needs. Overall, cookies help us to provide you with a better site, by enabling us to monitor which pages you find useful and which you do not.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies (and the above websites tell you how to do this). If you disable or refuse cookies, please note that some parts of our sites may become inaccessible or not function properly. For more information about the cookies we use and the reasons why we use them, please see our Cookies Policy on our website.

Disclosure

We may have to share your personal data with third parties, including third party service providers and other group companies.

We require third parties to respect the security of your data, keep it confidential, and to treat it in accordance with the law.

We will share your personal information with third parties where required by law, where it is necessary to perform a contract with you (if you are a student, an employee or a franchisee) or where we have another legitimate interest in doing so.

We may share your personal data with the third parties set out below:

Franchisees who operate the Kip McGrath Education Centres, hire personnel and provide tuition services to students subject to a written franchise agreement. We will share this data in order to perform a contract with you, to comply with a legal obligation and/or in our legitimate interests of maintaining a viable franchise network.
Tutorfly Holdings who operate the Kip McGrath Education Centres and deliver tuition services direct to schools and government organisations in the United States. They will operate in accordance with their privacy policy: Tutorfly Privacy Policy
Third party service providers, including hosting providers, IT support providers, analytics and search engine providers, social media platform providers. These third party service providers are only permitted to process personal data for specified purposes and, where they are processing data on our behalf, in accordance with our instructions.
Where you apply for employment with us, we may disclose your personal information to your referees and also to third party suppliers who help with our recruitment processes, such as recruitment agencies and organisations that conduct competency or psychometric tests.We may also disclose your personal information to law enforcement agencies to verify whether you have a criminal record, if relevant to the role.
Other group companies as part of our regular reporting activities on company performance, in the context of a business reorganisation or group restructuring exercise, for system maintenance support and hosting of data.
Third parties to whom we may choose to sell, transfer or merge parts of our business or assets. Alternatively, we may seek to acquire other businesses or merge with them.
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce any agreements, or to protect the rights, property or safety of the KIP MCGRATHC group, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction, with regulators and other authorities where we are required to do so by law.
Professional advisers, including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
In connection with the administration of our share registry, including third parties who assist with our investor relations analysis and reporting requirements.

We require all our data processors to respect the security of your personal data and to treat it in accordance with the law. We do not allow our data processors to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions as set out in our data sharing agreements.

In some instances where we share data with third parties, those third parties will also be controllers of your data. We shall not be responsible or liable for the way in which other data controllers hold or process your personal data. Please contact those third parties for further information regarding how they will use your data. We shall only share your personal data with third parties in accordance with this Privacy Policy.

Our websites may contain links to the websites of our partner networks, advertisers and affiliates, which are outside of our control and are not covered by this Privacy Policy. If you access other sites using the links provided, the operators of these sites may collect information from you which will be used by them in accordance with their own privacy policies. We would encourage you to read the privacy policies on the other websites you visit.

Some of the third parties to whom we disclose your personal data may be located outside Australia. See section 12.

If we need to use or disclose your personal information for any other purpose, we will obtain your consent first, unless we are required or authorised by law (including the Data Protection Laws) to do so. This exception will often cover our dealings with law enforcement authorities.

Where the processing activities rely upon your consent, you have the right to withdraw that consent at any time. You may do so by contacting us in accordance with section 18.

Data Security

We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed (including appropriate firewalls, encryption technology such as HTTPS, and passwords). Unfortunately, however, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our websites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

In addition, the personal information you provide to us is only available to authorised personnel of the KIP MCGRATHC group who need access to the information to fulfil their duties. They will only process your personal information on our instructions and they shall be subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

Once we no longer require your personal information, we will take reasonable steps to destroy it or anonymize it in a secure manner.

Data storage

We are committed to ensuring the security and integrity of your personal information. Our data storage solutions exclusively utilize Amazon Web Services (AWS) and Microsoft Azure, industry-leading cloud service providers known for their robust security measures and global compliance standards.

Cloud Storage: All personal data collected by us is stored securely on AWS and Azure cloud servers. These platforms provide advanced security features that ensure your data is protected against unauthorized access, disclosure, alteration, and destruction.
Data Location: While AWS and Azure operate data centers globally, we predominantly use servers located in the regions that best align with our operational requirements and compliance with data protection laws. This approach helps in minimizing latency, ensuring data resilience, and complying with jurisdictional legal requirements.
Data Encryption: We implement encryption in transit and at rest to protect your personal data. AWS and Azure offer built-in encryption features that secure your data as it is stored and when it is transmitted across networks.
Data Access: Access to data stored on AWS and Azure is strictly controlled and monitored. Only authorized personnel within our organization have access to this data, and such access is based on the principle of least privilege, ensuring that individuals only have access to the information necessary for their role.
Compliance and Certifications: AWS and Azure comply with a comprehensive set of international and industry-specific compliance standards, such as GDPR, HIPAA, and ISO 27001, among others. We leverage these compliance frameworks to ensure that our data storage practices meet or exceed industry standards and regulatory requirements.
Data Retention: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, as detailed in our policy, or as required by law. Following this period, personal data is securely deleted or anonymized.
Data Resilience: AWS and Azure provide robust data backup and disaster recovery solutions, ensuring that personal data is protected against loss, corruption, and other potential risks. Our use of these platforms ensures that we can quickly restore data in the event of an incident.

By utilizing AWS and Azure, we ensure that your personal data is stored on secure, compliant, and reliable platforms, reflecting our commitment to protecting your privacy and data security.

Overseas disclosures

In our commitment to transparency and protecting your personal data, we acknowledge that, due to our exclusive use of Amazon Web Services (AWS) and Microsoft Azure, your data may be stored and processed globally. Additionally, we disclose how third parties may access data where necessary for business operations.

Global Data Storage: Your personal information may be stored and processed on servers provided by AWS and Azure, which are located in various countries around the world. The choice of data center locations is influenced by operational needs, data center capabilities, and compliance with applicable data protection laws.

Third-Party Access: In the course of doing business, certain third-party service providers may have limited access to your data. These parties include but are not limited to:
- IT support and maintenance providers
- Data analytics and business intelligence services
- Customer service platforms and support tools
- Payment processing services
- Marketing and communication service providers
All third parties with access to personal data are rigorously vetted and bound by contractual obligations to ensure data confidentiality and compliance with relevant data protection laws.
Legal Compliance and Data Transfer Mechanisms: We ensure all international data transfers comply with applicable legal requirements, using mechanisms like Standard Contractual Clauses or adherence to recognized frameworks like the EU-US Privacy Shield, where applicable.
User Rights and Transparency: We remain committed to ensuring your rights are protected, regardless of where your data is processed. Our policy includes provisions for you to exercise rights over your personal data, including access, rectification, erasure, and objection to processing.
Review and Oversight: Our data transfer and storage practices are regularly reviewed to ensure they align with legal standards and best practices in data security and privacy.

By utilizing the global infrastructure of AWS and Azure and engaging with third-party service providers where necessary, we aim to offer secure and efficient services while upholding our commitment to data protection and user privacy.

Accessing and correcting the information we keep about you and other rights

Right to Access and Correct Your Personal Data: As a data subject, you are entitled to request access to your personal data that is held by our organization. Should you seek to review, verify, correct, or update any of your personal information, you are encouraged to contact us using the details provided in Section 18 of this policy. We are committed to facilitating your rights in accordance with applicable data protection laws.
No Charge for Requests: We do not impose a fee for initial requests to access or correct your personal data. However, should your request be particularly complex or if you submit repetitive requests, we reserve the right to charge a reasonable fee based on administrative costs or to refuse your request in line with the exceptions provided under relevant Data Protection Laws.
Additional Rights for EEA and UK Residents: If you reside within the European Economic Area or the United Kingdom, you are afforded additional rights under data protection legislation. This includes the right to request the deletion of your personal data, the restriction of processing your data, or to receive a copy of the personal information you have provided to us in a structured, commonly used, and machine-readable format. Furthermore, you may object to the processing of your personal data under certain conditions, especially in cases where our processing activities are not mandated by contractual or legal obligations or do not serve a significant interest.
Exercising Your Rights: To exercise any of the rights delineated above, please reach out to us as specified in Section 18. Upon receiving your request, we will take appropriate steps to verify your identity before proceeding with any action. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
Timely Response: We endeavor to respond to all legitimate requests within one month. Occasionally, it may take us longer if your request is particularly complex or if you have made multiple requests. In such cases, we will notify you and keep you updated on the progress.

Notifiable data breaches scheme

Commitment to Data Security: We prioritize the security of your personal information and employ robust measures to protect it from unauthorized access, loss, or disclosure. Despite our best efforts, should there be any breach of our security safeguards, we are prepared to take immediate action in accordance with our comprehensive incident response plan.
Breach Notification Protocol: In the unfortunate event of a data breach that is likely to result in a risk of serious harm to you, we commit to following a strict breach notification protocol. This includes conducting a thorough investigation to understand the nature and extent of the breach, taking necessary steps to mitigate any potential harm, and determining the likelihood of serious harm to affected individuals.
Timely Communication: If we ascertain that the breach poses a serious risk to your rights and freedoms, we will notify you without undue delay. Our notification will provide a clear description of the nature of the breach, the categories of data involved, the likely consequences of the breach, and the measures we have taken or will take to address the breach, including any measures to mitigate its possible adverse effects.
Reporting to Authorities: Consistent with Data Protection Laws, we will also report the breach to the relevant data protection authority within the timeframe stipulated by the applicable regulation. Our report will include all necessary details of the breach, its effects, and the actions we have undertaken in response.
Continuous Improvement: Following a breach, we will conduct a post-incident review to identify and implement improvements to our data security and breach response processes. Our goal is to prevent future breaches and to continually enhance our data protection practices.
Support and Assistance: We understand the concern and distress data breaches can cause. We will provide you with appropriate support and guidance on how to protect yourself from potential adverse effects following a breach, including how to exercise your rights under the applicable Data Protection Laws.

How to lodge a complaint

Commitment to High Standards: We are dedicated to maintaining the highest standards in the collection and use of personal information. Your privacy is of paramount importance to us, and we take any concerns or complaints regarding your privacy seriously.
Raising Concerns: If you believe that our handling of your personal information is unfair, misleading, or inappropriate, or if you have suggestions for improving our privacy practices, we strongly encourage you to inform us. We view your feedback as an opportunity to enhance our policies and practices.
Lodging a Complaint: Should you have any questions, concerns, or complaints about our treatment of personal information, or if you suspect a breach of this Privacy Policy or applicable Data Protection Laws, please reach out to us as outlined in Section 18. Provide detailed information about your concern or complaint to facilitate a thorough investigation.
Complaint Handling Process: We assure you that your complaints will be evaluated by the appropriate personnel with the objective of resolving any issues promptly and efficiently. We may require your cooperation to provide additional information as part of our investigation.
Escalation: If you are dissatisfied with the handling or outcome of your complaint, you have the right to escalate the matter to the relevant data protection authority. Below are the contact details for the data protection authorities in Australia, the European Economic Area, the United Kingdom, and the United States:

Region	Address	Contact
Australia	Office of the Australian Information Commissioner (OAIC) GPO Box 5288, Sydney NSW 2001	Tel: 1300 363 992 Email: foi@oaic.gov.au
United Kingdom	United Kingdom Information Commissioner's Office Wycliffe House, Water Lane Wilmslow SK9 5AF	Tel: 0303 123 1113 Email: casework@ico.org.uk
United States	COPPA mailbox	Email: CoppaHotLine@ftc.gov

Continuous Improvement: We are committed to continuously improving our privacy practices based on the feedback and concerns raised by our users and stakeholders.

Accuracy and Updating of your data

Commitment to Data Accuracy: Kip McGrath group is dedicated to maintaining the accuracy and relevance of the personal information we hold. We implement rigorous measures to ensure that the data we collect, and process is up-to-date and correct.
Your Participation: We value and rely on your active participation to keep your personal information accurate. We encourage you to inform us promptly of any changes to your contact details or other personal information. This proactive communication is vital for the effectiveness of our services and the protection of your rights.
Right to Rectification: You possess the inherent right to request the correction or updating of any personal information we hold about you that may be incorrect, outdated, or incomplete. Should you need to update your data or believe that any information we possess is inaccurate, please reach out to us using the contact details provided in Section 18.
Verification and Correction Process: Upon receiving your request to correct or update your information, we will engage in a verification process to ensure the authenticity and accuracy of the provided data. We commit to taking reasonable steps to correct any inaccuracies or to complete any incomplete information in a timely manner.
Regular Updates and Reminders: For our student users, we will initiate periodic reminders on a termly basis, prompting you to review and confirm the accuracy of the information we hold. This practice is aimed at fostering a collaborative approach to data accuracy, ensuring that the personal data we process reflects your current and accurate information.
Responsiveness: We acknowledge the importance of your input in maintaining the accuracy of our data records. Our team is prepared to respond promptly to your inquiries and requests related to data accuracy, underscoring our commitment to uphold the integrity of your personal information.

Revisions to this Privacy Policy

Policy Version and Date: This Privacy Policy is effective as of February 2024. We reserve the right to amend this policy at our discretion to reflect changes in legal requirements, our data processing practices, or advances in privacy protection.
Ongoing Review and Updates: We commit to conducting regular reviews of our Privacy Policy to ensure it remains comprehensive, relevant, and compliant with applicable data protection laws. The latest version of this policy will always be accessible on our website.
Notification of Changes: While minor changes may be made periodically, we recognize the importance of keeping you informed about any significant amendments that could affect your privacy rights. Should we implement substantial modifications to this Privacy Policy, we pledge to provide you with clear and timely notification. This may be achieved through direct communication to your provided email address or by displaying a conspicuous notice on our website.
Engaging with the Updated Policy: We encourage you to review any updated versions of this Privacy Policy to stay informed about how we are protecting your personal information. Your continued use of our website or services after such modifications signifies your acknowledgment and acceptance of the revised policy.
Feedback and Inquiries: We welcome your feedback and questions regarding any aspect of this Privacy Policy. Should you have any inquiries or require clarification about the changes and how they may affect you, please do not hesitate to contact us as detailed in Section 18.

Contact us

Region	Address	Contact
Australia and New Zealand	Kip McGrath Education Centres Global Head Office 7 Bond Street Newcastle East, NSW 2300	Phone: +61 2 4929 6711 Email: contactus@kipmcgrath.com.au
United Kingdom	Kip McGrath Education Centres UK Head Office Railway House Bruton Way Gloucester GL1 1DG	Telephone: 01452 382282 Email: contactus@kipmcgrath.com.au
United States of America	Tutorfly Holdings Inc. Attn: Privacy Officer 4925 Marcus Ave Apt 3204 Addison TX 75001	Email: info@Tutorfly.org