Privacy Policy
1. Introduction
Olya Group Ltd ("we", "our", "us", or the "Company") is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, store, share, and protect your personal information when you visit our website www.olyagroup.co.uk (the "Website") or use our services.
We are a data controller under the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018. This means we decide how and why your personal data is processed.
This Privacy Policy explains our data processing practices and your rights related to your personal data. Please read this Privacy Policy carefully to understand our practices regarding your personal data.
2. Personal Information We Collect
We may collect and process the following categories of personal information:
Information you provide to us:
- Contact information: Name, email address, postal address, telephone number
- Account information: Username, password, account preferences
- Academic information: Educational qualifications, transcripts, certificates, personal statements, references
- Identification documents: Passport, national ID, birth certificate, visa documents
- Application information: University preferences, course choices, career goals
- Communication information: Messages, feedback, queries, or other information you provide when contacting us
- Transaction information: Payment details, purchase history, order information
- Parental/guardian information: Contact details and consent records (for applicants under 18)
Information we collect automatically:
- Technical information: IP address, browser type and version, operating system, device information
- Usage information: Pages visited, features used, time spent on the Website, date and time of visits, referral source
- Location information: Approximate location derived from your IP address
- Cookies and similar technologies: Information collected through cookies and similar technologies as described in our Cookie Policy (Section 4A)
3. How We Collect Your Personal Information
We collect your personal information through:
- Direct interactions when you contact us, create an account, subscribe to our newsletter, submit an application, or purchase our services
- Automated technologies or interactions via cookies and similar technologies when you visit our Website
- Third parties or publicly available sources (such as analytics providers, advertising networks, search information providers, payment processors, educational institutions, and references)
- Partner universities and colleges (application status updates, enrolment confirmations)
4. How We Use Your Personal Information
We process your personal information for the purposes listed below, using the lawful bases under UK GDPR:
| Purpose | Type of Data | Lawful Basis |
|---|---|---|
| To provide student advisory and placement services | Contact information, academic records, identification documents | Performance of a contract with you |
| To process applications to partner universities and colleges | Academic qualifications, personal statements, references, passport/ID | Performance of a contract with you |
| To communicate with you about your application status | Contact information, communication records | Performance of a contract with you |
| To coordinate with partner educational institutions | Application documents, academic records | Performance of a contract with you |
| To comply with UK visa and immigration requirements (where applicable) | Immigration documents, identification, proof of enrolment | Legal obligation |
| To process and deliver your orders and manage payments | Transaction information, payment details | Performance of a contract with you |
| To manage our relationship with you, including notifying you about changes to our terms or services | Contact information, account information | Performance of a contract with you; Legitimate interests (keeping records updated and analysing service usage) |
| To administer and protect our business and Website (including troubleshooting, data analysis, testing, maintenance, support, reporting) | Technical information, usage information | Legitimate interests (running our business, provision of services, network security, fraud prevention) |
| To deliver relevant content and advertisements to you and measure the effectiveness of advertising | Usage information, location information, marketing preferences | Legitimate interests (studying how customers use our services, to develop and grow our business); Consent (for certain cookies and tracking) |
| To use data analytics to improve our Website, services, marketing, customer relationships, and experiences | Technical information, usage information | Legitimate interests (defining types of customers, keeping Website updated and relevant, developing business, informing marketing strategy) |
| To send you marketing communications about our services, events, and partner opportunities | Contact information, marketing preferences | Consent (for electronic marketing); Legitimate interests (for non-electronic marketing to existing customers about similar services) |
| To respond to enquiries and provide customer support | Contact information, communication information | Legitimate interests (providing good customer service) |
| To process parental consent for applicants under 18 | Parental contact information, consent records | Legal obligation; Protection of the child's vital interests |
| To comply with legal and regulatory obligations | Various data as required by law | Legal obligation |
| To establish, exercise, or defend legal claims | Relevant personal information to the legal matter | Legitimate interests (protecting our legal rights) |
Your Rights Regarding Our Lawful Bases:
- Where we rely on consent, you may withdraw your consent at any time by contacting us or using opt-out links in our communications
- Where we rely on legitimate interests, you have the right to object to our processing (see Section 9)
- Where we process data for contractual performance, we cannot provide our services without processing this data
4A. Cookie Policy
What are cookies?
Cookies are small text files placed on your device when you visit our Website. They help us provide you with a better experience by remembering your preferences and understanding how you use our site.
Types of cookies we use:
Strictly Necessary Cookies (Always Active)
These cookies are essential for the Website to function properly. They enable core functionality such as security, network management, and accessibility. You cannot opt-out of these cookies.
Examples:
- Session management cookies
- Security cookies
- Load balancing cookies
Performance/Analytics Cookies (Requires Your Consent)
These cookies help us understand how visitors interact with our Website by collecting and reporting information anonymously.
We use:
- Google Analytics - to analyse website traffic and user behaviour (IP addresses are anonymised)
- Website performance monitoring tools
Functionality Cookies (Requires Your Consent)
These cookies enable enhanced functionality and personalisation, such as remembering your preferences.
Examples:
- Language preferences
- Region selection
- User interface customisation
Targeting/Marketing Cookies (Requires Your Consent)
These cookies are used to deliver advertisements relevant to you and your interests. They may be set through our site by our advertising partners.
We may use:
- Facebook Pixel - for retargeting and conversion tracking
- LinkedIn Insight Tag - for professional audience targeting
- Google Ads remarketing
Managing Your Cookie Preferences:
When you first visit our Website, you will see a cookie banner where you can accept or reject non-essential cookies. You can change your preferences at any time by:
- Using our Cookie Preference Centre: [Link in website footer]
- Browser Settings: Most browsers allow you to refuse cookies through their settings. Please note that disabling cookies may affect Website functionality.
- Chrome: Settings > Privacy and Security > Cookies
- Firefox: Settings > Privacy & Security
- Safari: Preferences > Privacy
- Edge: Settings > Cookies and Site Permissions
- Opt-out Tools:
- Google Analytics: tools.google.com/dlpage/gaoptout
- Facebook: Your Facebook Ad Preferences
- Network Advertising Initiative: optout.networkadvertising.org
Third-Party Cookies:
Some cookies are placed by third-party services that appear on our pages. We do not control these cookies. Please review their privacy policies:
- Google: policies.google.com/privacy
- Facebook: facebook.com/privacy
- LinkedIn: linkedin.com/legal/privacy-policy
Cookie Duration:
- Session cookies: Deleted when you close your browser
- Persistent cookies: Remain on your device for a set period (typically 1-24 months)
For more information about cookies, visit www.allaboutcookies.org.
5. Disclosure of Your Personal Information
We may share your personal information with the following categories of recipients:
Partner Educational Institutions
- UK and international universities and colleges where you submit applications
- Academic institutions in Paris, Dubai, Malta, United States, and other global destinations
- Shared information includes: application documents, academic records, personal statements, references, identification documents
- Purpose: To process your application and facilitate enrolment
- Safeguard: Data sharing agreements requiring compliance with data protection laws
Service Providers Who Process Data on Our Behalf
- IT and cloud hosting providers (website hosting, email hosting, data storage)
- Customer relationship management (CRM) system providers
- Email communication platforms
- Payment processors (for application or service fees)
- Document management and verification services
- Analytics providers (e.g., Google Analytics)
These service providers are bound by data processing agreements and can only use your data on our instructions.
Immigration and Visa Services
- Immigration consultants and advisors (where applicable)
- UK Visas and Immigration (UKVI) when required for student visa applications
- Purpose: To support your visa application and compliance with immigration requirements
Professional Advisers
- Lawyers, accountants, auditors, and insurance providers
- Purpose: To obtain professional advice and services
Regulatory and Government Authorities
- HM Revenue & Customs (HMRC)
- Information Commissioner's Office (ICO)
- Office for Students (OfS)
- Other regulatory bodies as legally required
- Purpose: To comply with legal and regulatory obligations
Business Transfers
- Potential buyers or investors in the event of a sale, merger, or acquisition of our business
- Purpose: Due diligence and business continuity
- Safeguard: Confidentiality agreements and data protection obligations
With Your Consent
- Other third parties where you have given us explicit consent to share your information
We do not:
- Sell your personal information to third parties for marketing purposes
- Share your data with third parties for their independent use without your consent or a lawful basis
Security Requirements:
All third parties with whom we share data are required to:
- Respect the security of your personal information
- Treat it in accordance with UK data protection laws
- Process data only on our documented instructions
- Maintain appropriate technical and organisational security measures
- Enter into data processing agreements where required
6. International Transfers
Some of our partner universities and service providers are located outside the United Kingdom, which means your personal information may be transferred to, and processed in, countries outside the UK and European Economic Area (EEA).
Where We Transfer Your Data:
Your personal information may be transferred to the following countries/regions:
1. Countries with UK Adequacy Decisions:
- European Economic Area (EEA) countries (adequate protection recognised)
- Other countries deemed adequate by UK Government
2. Countries Requiring Additional Safeguards:
- United States - Partner universities, cloud service providers (Google, Microsoft)
- United Arab Emirates - Partner universities in Dubai
- Malta - Partner universities
- France - Partner universities in Paris
- Other countries where you choose to apply for education programmes
Safeguards We Use:
When transferring personal information to countries without an adequacy decision, we implement the following safeguards:
For Service Providers:
- Standard Contractual Clauses (SCCs) approved by the UK Government
- Data Processing Agreements incorporating UK GDPR protections
- Due diligence assessments of the recipient's security measures
- Additional security measures as appropriate (e.g., encryption)
For Partner Educational Institutions:
- Data Sharing Agreements requiring GDPR-equivalent protections
- Contractual clauses ensuring lawful processing
- Assessment of the institution's data protection practices
- Transfer only of information necessary for the application process
For Countries With Adequacy Decisions:
Where we transfer data to countries the UK Government has recognised as providing adequate protection (such as EEA countries), we rely on that adequacy decision as the safeguard.
Your Rights:
You have the right to request further information about our international transfers and to obtain a copy of the safeguards we have put in place. Please contact us using the details in Section 11.
We regularly review our international transfer practices to ensure continued compliance with UK data protection laws.
6A. Data Protection Responsibility
Data Controller:
Olya Group Ltd is the data controller responsible for your personal information.
Company Details:
- Company Name: Olya Group Ltd
- Registered Address: 500 Larkshall Road, Office 10, London, E4 9HH, United Kingdom
- Company Registration Number: 11300410
- ICO Registration Number: ZB542402
Data Protection Contact:
For all data protection enquiries, please contact:
- Name: Magdalena Ionescu
- Title: CEO
- Email:info@olyagroup.co.uk
- Telephone: +447551697235
- Postal Address: 500 Larkshall Road, Office 10, London, E4 9HH, United Kingdom
Data Protection Officer (DPO):
Based on the nature and scale of our data processing activities, we are not required to appoint a formal Data Protection Officer under UK GDPR. However, Magdanela Ionescu has been designated as responsible for overseeing data protection compliance and is your primary contact for all data protection matters.
Our Commitment:
We take data protection seriously and are committed to:
- Processing your data lawfully, fairly, and transparently
- Responding to your data protection requests within one month
- Maintaining appropriate security measures
- Regularly reviewing and updating our practices
- Training our staff on data protection obligations
- Investigating and addressing any data breaches promptly
Response Times:
- Subject Access Requests: Within one month of receipt
- Other rights requests (erasure, rectification, etc.): Within one month
- General enquiries: Within 5 working days
7. Data Security
We have implemented appropriate security measures to prevent your personal information from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed.
These measures include:
- Encryption of data in transit and at rest
- Secure access controls and authentication
- Regular security assessments and updates
- Staff training on data protection and security
- Secure disposal procedures for data no longer required
- Business continuity and disaster recovery plans
We limit access to your personal information to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal information on our instructions and are subject to a duty of confidentiality.
We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
8. Data Retention
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
Specific Retention Periods:
| Data Category | Retention Period | Reason |
|---|---|---|
| Active application files | Duration of application process + 2 years | To support your application, handle queries, and provide references |
| Successful placement records | 6 years after course completion | Regulatory compliance, alumni relations, reference provision, maintaining placement history |
| Unsuccessful application records | 2 years from application closure | Future application opportunities, service improvement, queries resolution |
| Marketing consents and preferences | Until consent withdrawn + 3 months | To honour your preferences and process any pending communications |
| Newsletter subscribers | Until unsubscribed + 30 days | To process unsubscribe request and prevent re-addition |
| Financial and transaction records | 7 years from end of financial year | UK tax law and accounting requirements |
| Contract and agreement records | 6 years after contract end | Legal obligations, potential claims under Limitation Act |
| Correspondence and enquiries | 3 years from last contact | Customer service, query resolution, service improvement |
| Website analytics data | 26 months (Google Analytics default) | Understanding user behaviour, improving services |
| CCTV footage (if applicable) | 30 days | Security purposes, unless required for investigation |
| Safeguarding records (if applicable) | Until the individual reaches 25 years, or 6 years after record creation (whichever is later) | Child protection and safeguarding obligations |
Criteria for Determining Retention Periods:
When not specified above, we consider:
- The amount, nature, and sensitivity of the personal information
- The potential risk of harm from unauthorised use or disclosure
- The purposes for which we process your personal information and whether we can achieve those purposes through other means
- Applicable legal, regulatory, tax, accounting, or other requirements
- Industry best practices and guidance from the ICO
Secure Disposal:
When personal information is no longer required, we will:
- Securely delete electronic records using industry-standard methods
- Securely destroy physical records (shredding or secure disposal services)
- Anonymise data where it needs to be retained for statistical purposes
- Instruct third-party processors to delete or return data
Early Deletion Requests:
You may request earlier deletion of your personal information by contacting us. We will consider your request, but we may need to retain certain information where:
- We have a legal or regulatory obligation to keep it
- We need it to establish, exercise, or defend legal claims
- We have another lawful basis for retaining it
Regular Reviews: We review our retention practices annually to ensure compliance with current legal requirements and best practices.
9. Your Legal Rights
Under UK data protection laws, you have the following rights:
Right to be informed
You have the right to be informed about how we use your personal information (which this Privacy Policy aims to provide).
Right of access
You have the right to access the personal information we hold about you. This is commonly known as a "subject access request". This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
Right to rectification
You have the right to request correction of any inaccurate or incomplete personal information we hold about you.
Right to erasure
You have the right to request deletion of your personal information in certain circumstances, such as:
- The personal information is no longer necessary for the purposes for which it was collected
- You withdraw your consent (where processing was based on consent)
- You object to the processing and there are no overriding legitimate grounds
- The personal information has been unlawfully processed
- The personal information must be erased to comply with a legal obligation
Right to restrict processing
You have the right to request restriction of processing of your personal information in certain circumstances, such as:
- You contest the accuracy of the personal information
- The processing is unlawful but you do not want it erased
- We no longer need the personal information but you need it for legal claims
- You have objected to processing and are awaiting verification of our legitimate grounds
Right to data portability
You have the right to receive your personal information in a structured, commonly used, and machine-readable format and to transmit it to another data controller in certain circumstances.
Right to object
You have the right to object to processing of your personal information in certain circumstances:
- Processing based on legitimate interests or for a public task
- Direct marketing (including profiling)
- Processing for research or statistical purposes
Rights relating to automated decision-making and profiling
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you.
Exercising Your Rights:
You will not have to pay a fee to access your personal information or to exercise any of your other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information (or to exercise any of your other rights). This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.
To exercise any of these rights, please contact us using the details provided in Section 11.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last Updated" date at the top of this Privacy Policy.
We will notify you by email or through a prominent notice on our Website of any significant changes to this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
11. Contact Us
If you have any questions about this Privacy Policy or our privacy practices, please contact us:
Email: or info@olyagroup.co.uk
Postal Address:
Olya Group Ltd
500 Larkshall Road, Office 10
London, E4 9HH
United Kingdom
Telephone: +447551697235
We aim to respond to all enquiries within 5 working days.
12. Complaints
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues.
Information Commissioner's Office:
- Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Helpline: 0303 123 1113
- Website: www.ico.org.uk
- Email: casework@ico.org.uk
We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.
13. Children and Young People
Age Restrictions and Safeguards:
Our services are primarily aimed at students seeking further and higher education opportunities. We recognise that many of our users may be under 18 years of age, and we take additional measures to protect young people's personal information.
Services for Different Age Groups:
Under 13 Years:
Our services are not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us immediately so we can delete it.
Ages 13-15:
For individuals aged 13-15, we require verifiable parental or guardian consent before:
- Processing personal information for our services
- Creating an account or profile
- Processing application documents
- Sending any communications
Parents or guardians must:
- Provide consent on behalf of the young person
- Be involved in the application process
- Receive copies of important communications
Ages 16-17:
Individuals aged 16-17 may provide their own consent for:
- Using our student advisory services
- Submitting university applications
- Receiving guidance and support
However, we strongly encourage:
- Involvement of parents/guardians in the application process
- Parental awareness of application decisions
- Joint decision-making for significant choices
Information We Process for Under-18s:
We only collect and process information necessary for providing our student advisory and placement services:
- Contact details (student and parent/guardian where applicable)
- Academic records and qualifications
- Personal statements and references
- Identification documents (as required by universities and visa authorities)
- Communication records
- Application preferences and choices
Special Protections for Under-18s:
We implement enhanced safeguards including:
- Limited Marketing: We do not send marketing communications to under-18s without explicit parental consent
- Enhanced Security: Additional security measures for data relating to minors
- Staff Training: All staff receive training on:
- Safeguarding and child protection
- Age-appropriate communication
- Recognising and reporting concerns
- Privacy by Design: Our processes are designed with young people's privacy in mind
- No Profiling: We do not use automated decision-making or profiling for under-18s
Parental Rights:
Parents or legal guardians of individuals under 18 have the right to:
- Access their child's personal information
- Request correction of inaccurate information
- Request deletion of their child's information (subject to legal obligations)
- Object to certain types of processing
- Withdraw consent at any time
- Receive information about how their child's data is used
To exercise these rights, please contact us with:
- Proof of parental responsibility
- Identification for verification purposes
- Clear details of your request
Safeguarding and Child Protection:
We are committed to the safety and wellbeing of all young people who use our services.
If we become aware of:
- Safeguarding concerns
- Risks to a young person's welfare
- Inappropriate behaviour or communication
We will:
- Follow appropriate reporting procedures
- Contact relevant authorities if necessary
- Inform parents/guardians (unless doing so would put the young person at risk)
- Maintain detailed records
Our staff are trained to recognise signs of:
- Abuse or neglect
- Exploitation
- Mental health concerns
- Radicalisation or extremism
Age Verification:
We may request proof of:
- Age (e.g., passport, birth certificate)
- Parental authority (e.g., birth certificate, court order)
- Identity of parent/guardian
This is to ensure we apply appropriate protections and obtain proper consent.
Transitioning to Adult Services:
When a young person reaches 18:
- They assume full control over their personal information
- Parental access rights cease (unless separately authorised)
- The young person must provide their own consent for ongoing processing
- We will communicate this transition clearly
Questions About Young People's Data:
If you have any questions or concerns about how we handle young people's personal information, please contact our Data Protection Contact at the email address in Section 11.
Resources:
- NSPCC: www.nspcc.org.uk
- Childline: 0800 1111 / www.childline.org.uk
- UK Safer Internet Centre: www.saferinternet.org.uk