Privacy Notice
Last updated 02.06.2026
This Privacy Notice explains in detail how BBC Maestro collects, uses and discloses your personal data. Please read this Privacy Notice carefully before submitting any personal data to us.
1. What is this notice and who does it apply to?
In this section, you can find general information about the Platform, its owner, and this Privacy Notice.
1.1 We are Maestro Media Limited (the "Company", "we", "us" or "our") and we are the controller, acting under the licence of the BBC. We're an English company (company number 11996244) and our registered office is at 14 New Wharf Road, London, N1 9RT.
1.2 We operate a platform which provides users with access to e-learning, informational and/or instructional audio-visual content delivered by celebrities or other well-known experts (the "Platform"). This privacy notice applies to all users of the Platform (whether they access it through our website (at bbcmaestro.com), via any app we might release from time to time, or through any other means) and the term 'Platform' as used in this notice applies to any and all such channels.
1.3 We respect our users' privacy and are committed to treating any information that we obtain about you with as much care as possible and in a manner that is compliant with all applicable data protection laws. For users in the EU, that includes the EU General Data Protection Regulation 2016/679 ("GDPR"). It will also include any applicable national law, such as (in the UK) the Data Protection Act 2018 and the UK GDPR as transposed into national law (collectively, we'll refer to these as "Data Protection Laws").
1.4 Please read this privacy notice carefully. Among other things, it explains:
1.4.1 what personal data we may collect about you in connection with: (i) our delivery of, and your use of, the Platform; and (ii) any related interaction between you and us (e.g. via email, telephone or social media);
1.4.2 how we collect, store, disclose, transfer, protect and otherwise process that personal data (and for what purposes); and
1.4.3 other important information, such as the lawful basis or bases by which we process your personal data, how long we retain your personal data, and the rights you have in relation to the personal data we hold about you.
1.5 This policy supplements (and its terms apply in addition to) any other terms of use or other terms and conditions agreed between you and the Company from time to time, including the Platform terms and conditions.
1.6 This notice is intended to be communicated to you in a concise, transparent, intelligible and easily accessible manner, but we appreciate that you may have queries or want to seek clarification as to its terms. If so, please email support@bbcmaestro.com and we will endeavour to respond as soon as possible.
1.7 The Company reserves the right to make changes to this notice from time to time, including as may be necessary or prudent to reflect any changes in: (i) the ways in which we gather and process personal data; (ii) Data Protection Laws; or (iii) best practice. We will endeavour to notify you of such changes but you are advised to check for an updated version of this notice here each time you use the Platform or otherwise interact with us through email, phone or social media.
1.8 It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes or if you become aware that any data that we hold is not accurate during your relationship with us.
2. How and when we collect personal data
2.1 We collect personal data about you when you:
2.1.1 purchase a course (or a subscription to one or more courses) on the Platform;
2.1.2 access and use the Platform (including automatically by way of cookies and similar technologies – please refer to paragraph 11 below and to our cookie policy for more information);
2.1.3 register for an account on the Platform;
2.1.4 subscribe for or participate in competitions, contests, special events, or our mailing list;
2.1.5 make any enquiries about a course, or otherwise contact us about the Platform (whether in writing, by email, by telephone, through social media or via any contact form available on the Platform);
2.1.6 request technical support or other customer care support;
2.1.7 participate in polls, surveys and questionnaires related to the Platform;
2.1.8 post content on our social media pages or on any area of the Platform which allows for user-generated content; or
2.1.9 where you have been invited to join, and subsequently join, our advisory board.
2.1.10 where you have provided us with personal data, including data about your interests, in order to access free content.
2.2 All of the personal data referred to in paragraph 2.1 will be provided by you directly or as set out in 2.3.
2.3 Where lawful, we may also obtain limited personal data from third parties or public sources (for example, the open electoral register or credit reference agencies) and we may process that information where it is an essential component of the products and services we offer you. In addition we may collect personal data relating to your employment, such as your work email address and contact details, from third parties for the purposes of business marketing including from MarketLocation.
3. What personal data we collect
3.1 The type of personal data we process may include (if and as applicable):
3.1.1 identity and contact information, such as your name, user name, email address, postal address, location of account registration, date of birth, telephone number and other information provided by you when you register for an account on the Platform, purchase a course, or subscribe for other services, contests, special events or our mailing list ("Identity and Contact Data");
3.1.2 technical data, including the information obtained through the use of cookies when you use the site (such as time zone, IP address, click behaviour, scroll behaviour, navigation patterns, interaction telemetry, session replay/heatmap and connection speed) (please refer to paragraph 11 below for more information) ("Technical Data");
3.1.3 information which you provide in any correspondence with us, including details of any enquiries or requests for technical support you might send us ("Correspondence Data");
3.1.4 in relation to any order, purchase or subscription made by you, details of the course(s) ordered, purchased or subscribed for by you (including the type of course, purchase price and any relevant information added by our admin), your payment information, your preferences and other transaction information provided or obtained in connection with any such order, purchase or subscription ("Product and Service Data");
3.1.5 your responses to any polls, surveys and questionnaires we may run from time to time ("Response Data");
3.1.6 marketing and communications data, which includes your preferences in receiving marketing from us and our third party partners and your communication preferences ("Marketing and Communications Data");
3.1.7 any personal data contained in content you post (as reviews on the Platform, on our social media pages or through any other posting of user-generated content) ("UGC Data"); and
3.1.8 information ascertained by your interaction with us through the Platform, including your interests and purchase history ("Transaction Data").
3.1.9 information related to your work and professional details.
Information about why and according to what lawful basis we process this data is set out in the table at paragraph 4.6 below.
3.2 We do not process:
3.2.1 any special categories of personal data (including details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health and genetic and biometric data);
3.2.2 any information about criminal convictions and offences; or
3.2.3 any information about children under the age of 13, and you should not provide us with any such information.
4. The purposes for which we process your personal data
4.1 We use your personal data for a number of purposes but only where the law allows us to.
4.2 We may process your personal data in any circumstances where such processing is necessary:
4.2.1 in order to perform any agreement between us (including pursuant to our Platform terms and conditions and your purchase of any course or subscription);
4.2.2 to comply with any applicable law or regulation; or
4.2.3 for the purposes of the legitimate interests pursued by us or third parties. These legitimate interests include the purposes identified in the table below at 4.6 but also include other commercial interests and our internal administrative purposes.
4.3 Consent
4.3.1 Generally, we don't rely on consent as a lawful basis for processing your personal data. Occasionally, though, to avoid sending you unwanted emails, we will get your consent before sending certain marketing communications to you. You are not required to opt-in to marketing communications in order to access the Platform.
4.3.2 You may withdraw your consent at any time by contacting support@bbcmaestro.com. You can also unsubscribe from different types of emails by following the unsubscribe link displayed at the bottom of each email. The withdrawal of your consent doesn't affect the lawfulness of processing based on consent before withdrawal or the lawfulness of processing based on other lawful grounds set out below.
4.4 We may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data and the nature of the services you use on our Platform.
4.5 We may process your personal data ourselves or in conjunction with our third-party service providers in accordance with paragraph 6.
4.6 Information about the purposes for which we use your personal data, the types of personal data we process to achieve these purposes, and the lawful basis by which we process it, is listed below:
4.6.1 Data we process in accordance with (a) Performance of a contract with you:
To register you as a new customer: Identity and contact data, technical data, and marketing and communications data
To process and deliver orders, purchases and subscriptions, including to (a) manage payments, fees and charges, (b) collect and recover money owed to us, and (c) issue refunds where required: Identity and contact data, technical data, and transaction data
To allow users to access the Platform and access their purchased content: Identity and contact data, technical data, product and service data, and transaction data
To manage our relationship with you, which will include (a) notifying you about operational changes to our Platform, and any changes to our T&Cs and/or privacy notice; and (b) responding to enquiries, messages and requests for technical support: Identity and contact data, technical data, and correspondence data
4.6.2 Data we process in accordance with (b) Our legitimate interests (to acquire new customers, to study how customers use our products/services, for running our business):
To administer and protect our business and our platform, website or app (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data): Identity and contact data, technical data, correspondence data, product and service data, response data, marketing and communications data, UGC data, and transaction data
To improve our Platform, products/services, marketing, customer relationships and experiences, including by combining survey data you provide with data on our platform: Identity and contact data, technical data, correspondence data, product and service data, response data, marketing and communications data, UGC data, and transaction data
To contact you about our products and services including our business to business offering where you have not opted out
4.6.3 Data we process in accordance with (c) Consent:
To enable you to partake in a prize draw or competition, to leave a review or to complete a survey: Identity and contact data, technical data, response data, marketing and communications data, UGC data, and transaction data
To deliver relevant and personalised platform content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you: Marketing and communications data, response data, product and service data, identity and contact data, UGC data, and transaction data
To make suggestions and recommendations to you about goods or services that may be of interest to you: Transaction data and marketing and communications data
4.6.4 Data we process in accordance with (d) To comply with our legal obligations:
To keep accountancy records: Identity and contact data, product and service data, and transaction data
4.7 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
4.8 If we need to use your personal data for an unrelated purpose, we will notify you (which may be by way of update to this notice) and we will explain the legal basis which allows us to do so.
4.9 Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5. What if you refuse to provide us with any personal data?
5.1 Where we need to collect personal data by law, or under the terms of an agreement we have with you, and you fail to provide that data when requested (or fail to consent to the processing of that data, if necessary), we may not be able to perform the contract or arrangement we have or are trying to enter into with you (for example, to provide you with products or services). In this case, we may have to cancel a product or service you have with us but we will endeavour to notify you if this is the case at the time.
5.2 Whilst we may be able to provide you with certain products and services notwithstanding your refusal to submit personal data, this may limit your ability to participate in some activities, or use certain features, services or functionality.
6. Sharing information with affiliates and third parties
6.1 We may share your personal data with third parties where necessary for the purposes described in this privacy policy, where required by law, where we have a legitimate business need to do so, or where you have otherwise consented to or been informed of such sharing.
6.2 We may share personal data with companies within our corporate group, affiliated organisations, clients, strategic partners, and other organisations with whom we work (together, “Affiliates”) where necessary to:
● operate, administer, maintain, and improve our website, platforms, products, services, and content;
● provide training, courses, support, or other services;
● manage commercial relationships and contractual arrangements;
● monitor participation, engagement, and service usage;
● support trust and safety, moderation, fraud prevention, compliance, security, and risk management activities; and
● comply with legal and regulatory obligations.
Where you access our services through an employer, insurer, educational institution, client, partner organisation, or other Affiliate, we may share limited personal data with that organisation where necessary to administer the relationship, facilitate access to services, provide support, monitor usage, or improve service delivery.
6.3 We may also share personal data with licensors, broadcasters, distributors, content providers, production partners, media partners, research collaborators, or other third parties where necessary to support the development, licensing, operation, delivery, promotion, administration, security, or improvement of our services, platforms, and content.
Where personal data is shared for marketing purposes, we will do so only where permitted by applicable law and, where required, with your consent.
6.4 We may engage trusted third-party service providers who process personal data on our behalf where necessary to support the operation of our business and services. These providers may include organisations providing:
6.4.1 video production, editing, creative, and media services;
6.4.2 marketing, communications, advertising, and campaign management services;
6.4.3 email delivery, messaging, and marketing automation services;
6.4.4 customer relationship management and customer engagement services;
6.4.5 analytics, reporting, product analytics, and business intelligence services;
6.4.6 payment processing, billing, and e-commerce services;
6.4.7 cloud hosting, infrastructure, storage, and content delivery services;
6.4.8 software development, code hosting, version control, and collaboration tools;
6.4.9 social media, social advertising, and audience engagement platforms;
6.4.10 accounting, finance, bookkeeping, and financial administration services;
6.4.11 customer support, helpdesk, and ticket management services;
6.4.12 online advertising, attribution, and campaign measurement services;
6.4.13 promotion, competition, event, and campaign administration services;
6.4.14 website analytics, behavioural analytics, and user interaction insight services;
6.4.15 online forms, surveys, questionnaires, and feedback collection services;
6.4.16 data integration, synchronisation, migration, and automated data transfer services;
6.4.17 data warehousing, storage, intelligence, reporting, and visualisation services;
6.4.18 mobile application marketplace and application distribution services;
6.4.19 website optimisation, experimentation, conversion optimisation, and landing page services;
6.4.20 business-to-business marketing, lead generation, and partnership services; and
6.4.21 similar or replacement service providers and partners engaged from time to time in connection with the operation of our business and services.
6.5 We take reasonable steps to ensure that any third party processing personal data on our behalf implements appropriate technical and organisational measures to protect personal data and complies with applicable data protection laws.
6.6 Where personal data is transferred to or accessed by third parties located outside the United Kingdom or European Economic Area, we will ensure that appropriate safeguards are implemented in accordance with applicable data protection laws and as described in the section titled “International transfers”.
6.7 Unless otherwise stated, we remain the controller responsible for your personal data where third parties act on our behalf as processors or service providers.
6.8 We may also disclose personal data:
● where required to comply with a legal obligation, regulatory request, court order, or lawful request from public authorities;
● in connection with the establishment, exercise, or defence of legal claims;
● to investigate fraud, abuse, security incidents, harmful activity, or breaches of our terms, policies, or agreements;
● where we believe disclosure is necessary to protect the rights, property, safety, security, or integrity of our business, services, users, clients, employees, or others; or
● where otherwise permitted or required by applicable law.
6.9 In the event of a merger, acquisition, restructuring, financing, sale of assets, insolvency event, or other corporate transaction involving all or part of our business, personal data may be shared with advisers, prospective purchasers, investors, counterparties, and successor organisations, and may be transferred as part of that transaction.
7. International transfers of personal data
7.1 From time to time it may be necessary for us to transfer your information internationally. In particular your information may be transferred to and/or stored on the servers of our Affiliates or other third parties identified in paragraph 6 which are based outside of the EEA.
7.2 However, we will not transfer your personal data outside of the EEA unless:
7.2.1 such transfer is to a country or jurisdiction which the UK Government and EU Commission have approved as having an adequate level of protection;
7.2.2 appropriate safeguards are in place as set out in Article 46 GDPR or equivalent provisions of other Data Protection Laws, such as:
7.2.2.1 Standard Contractual Clauses (SCCs) + UK Addendum; or
7.2.2.2 International Data Transfer Agreement (IDTA); or
7.2.2.3 Binding Corporate Rules (BCRs); or
7.2.3 the transfer is otherwise allowed by applicable Data Protection Laws (such as in the form of a derogation under Article 49 GDPR).
8. A. Your rights as a data subject
8.1 Subject to any conditions and requirements set out in the relevant Data Protection Laws, you may have some or all of the following rights in relation to the personal data we hold about you:
8.1.1 the right to request a copy of your personal data held by us;
8.1.2 the right to correct any inaccurate or incomplete personal data held by us. You can amend any personal data which cannot be modified on the Platform by emailing us at support@bbcmaestro.com;
8.1.3 the right to request that we erase personal data we hold about you. You can deactivate your account on the Platform or by emailing us at support@bbcmaestro.com;
8.1.4 the right to request that we restrict the processing of your data;
8.1.5 the right to have your personal data transferred to another organisation;
8.1.6 the right to object to certain types of processing of your personal data by us;
8.1.7 the right to object against automated decision making; and
8.1.8 the right to complain to a supervisory authority (please see paragraph 12 of this notice).
8.2 NOTE that these rights are not absolute in all situations and may be subject to conditions and provisos set out in the Data Protection Laws. We cannot therefore guarantee that we'll be able to honour any request from you in connection with the rights set out above. (For example, even if you request that we delete your personal data, we may be required by law to retain some personal data for accounting and record keeping purposes.)
8.3 For further information, or to see if you can exercise any particular right, please contact us at support@bbcmaestro.com.
8. B. Additional Rights for Certain Jurisdictions
Depending on where you are located, you may be entitled to additional rights under applicable privacy and data protection laws. These rights are subject to applicable legal limitations and exceptions.
New Zealand
If you are located in New Zealand, we will handle your personal information in accordance with the New Zealand Privacy Act 2020. You have the right to request access to and correction of personal information that we hold about you. Where we disclose personal information overseas, we will take reasonable steps to ensure that the recipient protects your information in a manner comparable to the protections available under New Zealand law. If you believe your privacy rights have been infringed, you may lodge a complaint with the Office of the Privacy Commissioner.
South Africa
If you are located in South Africa, we process personal information in accordance with the Protection of Personal Information Act, 2013 ("POPIA"). You have the right to access, correct, delete, object to the processing of, or restrict the processing of your personal information where provided by law. You also have the right to lodge a complaint with the Information Regulator (South Africa). Requests for access to records may additionally be made in accordance with the Promotion of Access to Information Act, 2000 ("PAIA"), where applicable.
Switzerland
If you are located in Switzerland, we process personal data in accordance with the Swiss Federal Act on Data Protection ("FADP"). References in this Privacy Notice to rights under the GDPR should be interpreted, where applicable, as including substantially equivalent rights available under Swiss data protection law. You may also lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC).
United Arab Emirates
If you are located in the United Arab Emirates, we process personal data in accordance with applicable UAE data protection laws, including where applicable the UAE Federal Personal Data Protection Law (Federal Decree-Law No. 45 of 2021). You may have rights to access, correct, erase, restrict or object to certain processing of your personal data, withdraw consent where processing is based on consent, and request the transfer of your personal data where provided by law.
United States
If you are located in a U.S. state with an applicable privacy law, including California, Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland or other applicable states, you may have rights to:
● Know and access personal information we collect, use, disclose or sell/share about you;
● Correct inaccurate personal information;
● Delete personal information;
● Obtain a portable copy of certain personal information;
● Opt out of targeted advertising, the sale of personal information, or profiling in furtherance of decisions producing legal or similarly significant effects, where applicable; and
● Appeal a decision relating to a privacy rights request where required by law.
We do not sell personal information for monetary consideration. Any use of cookies or similar technologies for advertising purposes will be subject to applicable legal requirements and choices available through our cookie management tools.
Singapore
If you are located in Singapore, we process personal data in accordance with the Personal Data Protection Act 2012 ("PDPA"). You may request access to, correction of, and information regarding the use and disclosure of your personal data. Where processing is based on consent, you may withdraw consent at any time, subject to legal or contractual restrictions and reasonable notice. We may transfer personal data outside Singapore where permitted by law and where appropriate protection is provided.
India
If you are located in India, we process personal data in accordance with applicable Indian data protection laws, including the Digital Personal Data Protection Act, 2023 ("DPDP Act"), where applicable. Subject to applicable law, you may have rights to obtain information regarding the processing of your personal data, seek correction, updating or erasure of personal data, nominate another individual to exercise your rights in certain circumstances, withdraw consent where processing is based on consent, and lodge a grievance regarding our processing activities.
Brazil
If you are located in Brazil, we process personal data in accordance with Lei Geral de Proteção de Dados ("LGPD"). Subject to applicable law, you may have the right to:
● Obtain confirmation of the existence of processing;
● Access your personal data;
● Correct incomplete, inaccurate or outdated data;
● Request anonymisation, blocking or deletion of unnecessary or excessive data;
● Request portability of your personal data;
● Obtain information about public and private entities with which we have shared your data;
● Withdraw consent where processing is based on consent; and
● Request review of decisions made solely on the basis of automated processing where applicable.
You may also submit complaints to the Brazilian National Data Protection Authority (ANPD).
Hong Kong
If you are located in Hong Kong, we process personal data in accordance with the Personal Data (Privacy) Ordinance ("PDPO"). You may request access to and correction of personal data we hold about you. We will handle such requests in accordance with applicable legal requirements and may charge any fee permitted by law for responding to access requests.
Canada
If you are located in Canada, we process personal information in accordance with applicable Canadian privacy laws, including the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation. You have the right to access and request correction of personal information we hold about you, subject to legal limitations. You may also withdraw consent to certain processing activities, subject to legal or contractual restrictions and reasonable notice. Personal information may be processed or stored outside Canada and may be subject to lawful access by foreign governments, courts or regulatory authorities.
9. Storage and retention of your personal data
9.1 As a minimum, we need to store your data for as long as is necessary to enable us to provide you with the content and services that you have requested from us (or to support your other uses of our Platform, such as maintaining your account(s)). So we'll usually store your personal data for as long as you have an account with us, and will usually delete it when you delete your account.
9.2 However, we will retain certain of your personal data for longer if we think it is reasonably necessary to do so in the circumstances, taking into consideration factors such as:
9.2.1 our need to perform any agreements between you and us (including order fulfilment);
9.2.2 our need to answer any queries or resolve any problems you may have;
9.2.3 your continued consent to receive marketing and other emails and communications from us;
9.2.4 our continued provision of any content or services to you; and
9.2.5 our need to comply with legal requirements (e.g. relating to record keeping).
9.3 If you tell us that you would like to delete your account, we will take steps to delete all the personal data we hold about you once it is no longer necessary for us to hold it (e.g. to fulfil any outstanding orders, resolve disputes, or as is permitted by applicable law or regulation).
9.4 For as long as we do store your data, the Company follows generally accepted industry standards and maintains reasonable safeguards to attempt to ensure the security, integrity, and privacy of the information you have provided. The Company has security measures in place designed to protect against the loss, misuse, and alteration of the information under our control. Personal data collected by the Company in connection with this notice is stored in secure operating environments that are not available to the public through our hosting and storage providers outlined above at paragraph 6.4. The Company maintains information behind a firewall-protected server and uses SSL encryption for purchases made through our online store.
9.5 You are responsible for maintaining the strength and confidentiality of any login credentials.
9.6 We will notify you as soon as reasonably practicable if we have reason to believe that there has been a personal data breach by us which could adversely affect your rights and freedoms.
10. Links to third parties
10.1 Our Platform may link or redirect to other websites, apps, social media accounts or other content which is not in our control. Such links or redirections are not endorsements of such websites or representation of our affiliation with them in any way and such third party websites are outside the scope of this notice.
10.2 If you access such third party websites, please ensure that you are satisfied with their respective privacy policies before you provide them with any personal data. We cannot be held responsible for the activities, privacy policies or levels of privacy compliance of any website operated by any third party.
11. Questions and complaints
11.1 For all questions or complaints about this notice, we would appreciate the chance to deal with your concerns before you approach the relevant data protection authority. Please contact us in the first instance using the details provided in paragraph 1.6.
11.2 Data Rep is our EU data representative and can be contacted for any personal data requests in the EU at: datarequest@datarep.com. UK queries should be directed to dpo@maestro-media.com. For information about our Data Protection Representative for the purposes of GDPR in the EU/EEA, see here: www.bbcmaestro.com/privacycontacts
11.3 You also have the right to lodge a complaint with the competent data protection or privacy regulator in your country, state, province or territory of residence where such right is provided by applicable law.