Echo3 Privacy Policy
Last updated: 31st March 2026
This Policy sets out the obligations of Echo3 Education Ltd, company address 2/7 Loaning Mills, Edinburgh, EH7 6LL (“the Company”) regarding data protection and the rights of customers, learners, and business contacts (“data subjects”) in respect of their personal data under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.
The UK GDPR defines “personal data” as any information relating to an identified or identifiable natural person (a “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Policy Summary
Registration – Echo3 Education Limited are registered with the Information Commissioner’s Office (ICO).
Data We Hold – We store the minimum data for the minimum time. Only learners emails, learner names, courses taken and their pass dates. Customers who pay require a password that is securely stored. We store no payment information or user addresses.
Data Expiry – Names & Emails are deleted when course certificates expire.
Training Records Data – Administrators can see their staffs training records until the certificates expire (usually 3 years from completion).
Expired Training Records Retained (Optional) – Administrators have the option to retain expired training records by emailing the request to support@echo-3.co.uk.
Email Usage – Under ‘Account’ learners and customers choose what emails they receive. For example ‘Learner Certificates on Pass’ or ‘Learner Course Expiry Notifications’. We do not send marketing emails.
Echo3 Privacy Policy in Detail
“Personal data” means any information relating to an identified or identifiable natural person (a “data subject”).
This Policy sets the Company’s obligations regarding the collection, processing, transfer, storage, and disposal of personal data.
The Company is committed to lawful, fair, and transparent handling of personal data.
The Data Protection Principles
All personal data must be:
- Processed securely
- Processed lawfully, fairly, and transparently
- Collected for specified purposes
- Adequate and limited
- Accurate and up to date
- Retained only as long as necessary
The Rights of Data Subjects
- The right to be informed
- The right of access
- The right to rectification
- The right to erasure
- The right to restrict processing
- The right to data portability
- The right to object
- Rights relating to automated decision-making
Lawful, Fair, and Transparent Processing
Processing is lawful if based on consent, contract, legal obligation, vital interests, public task, or legitimate interests.
Data Retention
Personal data will not be kept longer than necessary and will be securely deleted when no longer required.
Accountability and Record-Keeping
Data Protection Officer: Alex King
Email: info@echo-3.co.uk
Tel: 0131 661 8253
The Company maintains records of data processing activities.
Data Subject Access
Data subjects may request access to their personal data (SAR).
Requests should be sent to:
Echo3 Education Ltd
2/7 Loaning Mills, Edinburgh, EH7 6LL
Email: info@echo-3.co.uk
Responses are provided within one month.
Personal Data Collected, Held, and Processed
The following categories of personal data are collected, held, and processed by the Company:
| Category | Examples | Purpose | Legal Basis |
|---|---|---|---|
| Identity data | Name | Course enrolment, certification | Contract |
| Contact data | Email, phone | Course delivery, support | Contract / Consent |
| Transaction data | Purchase records | Order processing | Contract / Legal |
| Technical data | IP, browser | Analytics, security | Consent / Legitimate interest |
| Usage data | Pages visited | Website improvement | Consent |
| Marketing data | Ad interactions | Advertising optimisation | Consent |
| Learner records | Progress, certificates | Training delivery | Contract |
Cookies and Online Tracking
Our website uses cookies and similar tracking technologies to operate, analyse usage, and deliver advertising.
We use:
Google Analytics – collects anonymous usage data.
Opt-out: https://tools.google.com/dlpage/gaoptout
Meta Pixel – tracks advertising performance and behaviour across Facebook/Instagram.
Legal basis: Consent under UK GDPR and PECR.
You can withdraw consent at any time.
Data Security
The Company uses encryption, secure storage, and access controls to protect personal data.
Transferring Personal Data to a Country Outside the UK
The Company may transfer personal data outside the UK where:
- The UK has approved the country as adequate
- Appropriate safeguards exist (IDTA or UK-approved clauses)
- Consent is given
- It is necessary for contract or legal purposes
Data Breach Notification
Breaches are reported within 72 hours to the ICO where required.
Implementation of Policy
This Policy was last reviewed and updated on 31st March 2026.
It applies to all personal data processed from that date onward.