1. General Information
In this section, you can find general information about the Platform, its owner, and this Privacy Notice.
1.1 About the Privacy Notice. This BBC Maestro Privacy Notice (the “Privacy Notice”) governs the processing of personal data collected from natural persons (“you” and “your”) through the online platform BBC Maestro available at https://www.bbcmaestro.com (the “Platform”). The Privacy Notice does not cover any third-party websites, applications, software, products or services that integrate with the Platform or are linked to from the Platform.
1.2 About the Platform. The Platform provides you with access to e-learning, informational and/or instructional audio-visual content delivered by celebrities or other well-known experts (the “Content”).
1.3 Data controller. The Platform is owned and operated by Maestro Media Limited having a registered office at 10 Kelham Gardens, Marlborough, England, SN8 1PW (“we”, “us”, or “our”).
1.4 Your consent. Before you submit any personal data through the Platform, you are encouraged to read this Privacy Notice that is always available on the Platform to understand on what legal bases (other than your consent) we rely when handling your personal data. In some cases, if required by the applicable law, we may seek to obtain your informed consent for the processing of your personal data. For example, you consent may be necessary if: (i) we intend to collect other types of personal data that are not mentioned in this Privacy Notice; (ii) we would like to use your personal data for other purposes that are not specified in this Privacy Notice; or (iii) we would like to transfer your personal data to third parties that are not listed in this Privacy Notice.
1.5 Minors. We do not knowingly collect any personal information about children under the age of 18. Our Platform is not directed to children under the age of 18. If we become aware that a child under 18 has provided any personal data, it will be erased from our database as soon as reasonably possible, except when we need to keep that information for legal purposes or to notify a par-ent or guardian. However, portions of this data may remain in back-up archives or web logs even after we erase it from our databases. If you are a parent or a guardian of a child and you believe that the child has sent us personal data, please send us an e-mail to [email protected]
1.6 Term and termination. This Privacy Notice enters into force on the effective date indicated at the top of the Privacy Notice and remains valid until terminated or updated by us.
1.7 Amendments. The Privacy Notice may be changed from time to time to address the changes in laws, regulations, and industry standards. We encourage you to review our Privacy Notice to stay informed. For significant material changes in the Privacy Notice or, where required by the applicable law, we may seek your consent.
2. What Personal Data Do We Collect and For What Purposes Do We Use It?
When you use certain functionalities of the Platform, we ask you to provide us with your personal data. In this section, we explain what types of personal data we collect from you, for what purposes we use that data, and on what legal bases we rely when processing your personal data.
2.1 We comply with data minimization principles. Thus, we collect only a minimal amount of personal data through the Platform that is necessary for your use of the Platform. We use your personal data for limited, specified and legitimate purposes explicitly mentioned in this Privacy Notice. In short, we use it only for the purposes of enabling you to use the Platform, providing you with the requested services, maintaining and improving the Platform, conducting research about the Platform and our business activities, replying to your enquiries, and pursuing our legitimate business interests. We do not repurpose your personal data. It means that we do not use it for any purposes that are different from the purposes for which your personal data was provided.
2.1.1 Registration of User Account. When you register your user account, we collect your name, email address and country. We use such data to register and maintain your user account, enable your access to the Platform, provide you with the requested services, contact you, if necessary, and maintain our business records. The legal bases on which we rely are ‘performing a contract with you’ and ‘pursuing our legitimate business interests’ (i.e., analyse, grow, and administer the Platform).
2.1.2 Payments. When you make a payment for the Courses or purchase a gift card, we ask you to provide us with your name, credit card number, expiration date, security code, billing address, and email address. Please note that we do not process payments - it is done by our third-party payment processor. We use your payment data to process your payments and maintain our business records. The legal bases on which we rely are ‘performing a contract’ and ‘pursuing our legitimate business interests’ (i.e., administer our business).
2.1.3 Contact form and email enquiries. When you contact us by email or using the contact form available on the Platform, we collect your name, email address, and any information that you decide to include in your message. We use such data to respond to your enquiries. The legal bases on which we rely are ‘pursuing our legitimate business interests’ (i.e., to grow and promote our business) and ‘your consent’ (for optional personal data).
2.1.4 IP address. When you visit and browse the Platform, we or our third-party analytics service providers (as explained in section 3 below) collect your IP address. We use your IP address to analyze the technical aspects of your use of the Platform, prevent fraud and abuse of the Platform, and ensure the security of the Platform. The legal basis that we rely on when processing your IP address is ‘pursuing our legitimate business interests’ (i.e., to analyze and protect the Platform).
2.2 Sensitive data. We do not collect or have access to any special categories of personal data (“sensitive data”) from you, unless you decide, at your own discretion, to provide such data to us. Sensitive data is information that relates to your health, genetics, biometrics, religious and political beliefs, racial origins, membership of a professional or trade association, sex life, or sexual orientation.
2.3 Refusal to provide personal data. If you refuse to provide us with your personal data when we ask to, we may not be able to perform the requested operation and you may not be able to use the full functionality of the Platform, get access to the Courses, or get our response. Please con-tact us immediately if you think that any personal data that we collect is excessive or not necessary for the intended purpose.
2.4 Sources of personal data. We obtain your personal data from the following categories of sources:
2.4.1 Directly from you. For example, if you submit certain personal data directly to us when registering on the Platform, completing the necessary forms, or contacting us.
2.4.2 Directly or indirectly through your activity on the Platform. When you use the Platform, we automatically collect technical information about your use of the Platform.
2.4.3 From third parties. We may receive information about your from third parties to whom you have previously provided your personal data, if those third parties have a lawful basis for dis-closing your personal data to us.
3 What Technical (Non-Personal) Data Do We Collect?
When you use the Platform, we receive some technical data about your device for analytics purposes. In this section, we inform you what non-personal data we collect from you and for what purposes we use that data.
3.1 Log files and analytics data. In order to analyze your use of the Platform, we and our analytics service providers Google Analytics (Google LLC), DataBox Inc. automatically collect certain technical non-personal data about your use of the Platform. Such data does not allow us to identify you as an individual person in any manner. The non-personal data includes the following information:
Your activity on the Platform;
Your device type;
The operating system of your device;
Your browser type;
URL addresses clicked to and from the Platform; and
Your other online behavior.
3.2 Your feedback. If you contact us, we may keep records of any questions, complaints, recommendations, or compliments made by you and any subsequent responses. Where reasonably possible, we remove all personal data that is not necessary for keeping such records.
3.3 Purposes of technical (non-personal) data. We use your technical (non-personal) data for the following purposes:
3.3.1 To analyze what kind of users visit the Platform;
3.3.2 To examine the relevance, popularity, and engagement rate of the Content;
3.3.3 To investigate and help prevent security issues and abuse;
3.3.4 To develop and provide additional features to the Platform; and
3.3.5 To personalize the Platform for your specific technical needs (e.g., to adjust the design and resolution for your device).
4. How Do We Communicate With You?
From time to time, you may receive messages from us. In this section, we explain when you may receive commercial and service-related notices from us and what you can do to decline our promotional messages.
4.1 Newsletters. If we have your email address, we may send you a newsletter to keep you updated about the latest developments related to the Platform and our special offers. You will receive our newsletters in the following instances:
If we receive your express (“opt-in”) consent to receive marketing messages;
If you voluntarily subscribe for our newsletter;
We decide to send you information closely related to the Content that you have purchased.
4.2 Opting-out. You can opt-out from receiving our commercial communication at any time free of charge by clicking on the “unsubscribe” link included in our newsletters, adjusting the settings of your user account, or by contacting us directly.
4.3 Service-related notices. If necessary, we will send you important informational notices, such as confirmation receipts, payment information, technical or administrative emails, and other administrative updates. Please note that such notices are sent on an “if-needed” basis and they do not fall within the scope of commercial communication that may require your prior consent. You cannot opt-out from service-related notices.
5. How Long Do We Keep Your Personal Data
We keep your personal data for the shortest possible period and only if it is necessary. In this section, we specify the retention periods for your personal and non-personal data.
5.1 Retention of personal data. Your personal data is stored in our systems only for as long as such personal data is required for the purposes described in this Privacy Notice or until you re-quest us to delete your personal data, whichever comes first. After your personal data is no longer necessary for its primary purposes and we do not have another legal basis for storing it, we securely delete your personal data from our systems.
5.2 Retention of technical (non-personal) data. We retain non-personal data pertaining to you for as long as necessary for the purposes described in this Privacy Notice. For example, we can store it for the period of time needed for us to pursue our legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes and enforce our agreements.
5.3 Retention as required by law. In certain cases, we are required by law to store your personal data for certain period of time (e.g., for business records or accountancy purposes). Thus, we keep your personal data for the time period stipulated by the applicable law and securely delete it as soon as the required storage period expires.
6 How Do We Share and Disclose Your Data?
We share some of your personal data with our external service providers. In this section, you can find information about third parties that have access to your personal data and the instances when we make data transfers.
6.1 Disclosure to data processors. From time to time, your personal data is disclosed to our service providers with whom we cooperate (our data processors). For example, we share your personal and non-personal data with entities that provide certain technical support services to us, such as hosting and email distribution services. We do not sell your personal data to third parties. The disclosure is limited to the situations when your personal data is required for the following purposes:
Ensuring the proper operation of the Platform;
Ensuring the delivery of the Content that you have purchased;
Providing you with the requested information;
Pursuing our legitimate business interests;
Enforcing our rights, preventing fraud, and security purposes;
Carrying out our contractual obligations; or
If you provide your prior consent to such a disclosure.
6.2 List of our data processors. We use a limited number of data processors. We choose them only if they agree to ensure an adequate level of protection of your personal data that is consistent with this Privacy Notice and the applicable data protection laws.
6.3 Disclosure of technical (non-personal) data. Your technical (non-personal) data may be dis-closed to third parties for any purpose. For example, we may share it with prospects or partners for business or research purposes, for improving the Platform, planning the Content, responding to lawful requests from public authorities or developing new products and services.
6.4 Legal requests. If we are contacted by a public authority, we may need to disclose information about you to the extent necessary for pursuing a public interest objective, such as national security or law enforcement.
6.5 Successors. In case the Platform is sold partly or fully, we will provide your personal data to a purchaser or successor entity and request the successor to handle your personal data in line with this Privacy Notice. We will notify you of any changes of the data controller.
6.6 Selling personal data. We do not directly sell your personal data to third parties. However, some of your personal data, including online identifiers (e.g., cookie-generated data and IP ad-dresses) may be used for advertising, marketing, and monetisation purposes (e.g., programmatic advertising, retargeting, third-party marketing, profiling, or cross-device tracking). To make sure that you have full transparency and control over your personal data, we provide you with a possibility to manage your personal data used for such purposes as described in this notice below.
7. Do We Transfer Your Personal Data Internationally?
Your personal data may be transferred outside the country where you reside. In this section, we explain when we transfer personal data abroad and what safeguards we implement to ensure that your personal is properly protected.
Some of our data processors listed in section 6 of this Privacy Notice are located outside the country in which you reside. For example, if you reside in the European Economic Area (EEA), we may need to transfer your personal data to jurisdictions outside the EEA. In case it is necessary to make such a transfer, we will make sure that the jurisdiction in which the recipient third party is located guarantees an adequate level of protection for your personal data or we conclude a data processing agreement with the respective third party that ensures such protection. We will not transfer your personal data internationally if no appropriate level of protection can be granted.
8. How Do We Protect Your Personal Data?
We strive to ensure that your personal data is kept safe and secure. In this section, we inform you about our measures that help us to protect your personal data.
8.1 Our security measures. We implement organizational and technical information security measures to protect your personal data from loss, misuse, unauthorized access, and disclosure. The security measures taken by us include:
Limited access to your personal data by our staff; and
Anonymization of personal data (when possible).
8.2 Security breaches. Although we put our best efforts to protect your personal data, given the nature of communications and information processing technology and the Internet, we cannot be liable for any unlawful destruction, loss, use, copying, modification, leakage, and falsification of your personal data that was caused by circumstances that are beyond our reasonable control. In case a serious breach occurs, we will take reasonable measures to mitigate the breach, as required by the applicable law. Our liability for any security breach will be limited to the highest ex-tent permitted by the applicable law.
9. What Rights Do You Have With Regard to Your Personal Data?
You have certain rights to control how we process your personal data. Below, we list the rights that you can exercise with regard to your personal data and explain how you can exercise those rights.
9.1 The list of your rights. You can exercise your rights listed below, unless, in very limited cases, the applicable law provides otherwise:
Right of access: you can get a copy of your personal data that we store in our systems and a list of purposes for which your personal data is processed;
Right to rectification: you can rectify inaccurate personal data that we hold about you;
Right to erasure (‘right to be forgotten’): you can ask us to erase your personal data from our systems;
Right to restriction: you can ask us to restrict the processing of your personal data;
Right to data portability: you can ask us to provide you with a copy of your personal data in a structured, commonly used and machine-readable format and move that personal data to another processor;
Right to object: you can ask us to stop processing your personal data;
Right to withdraw consent: you have the right to withdraw your consent, if you have provided one; or
Right to complaint: you can submit your complaint regarding our processing of your personal data.
9.2 How to exercise your rights? If you would like to exercise any of your rights listed in section 9.1, please contact us by email at [email protected] and explain your request in detail. In order to verify the legitimacy of your request, we may ask you to provide us with an identifying piece of information that allows us to identify you in our system. We will answer your request within a reasonable time frame but no later than 2 weeks.
9.3 Complaints. If you would like to launch a complaint about the way in which we process your personal data, we kindly ask you to contact us first and express your concerns. If we receive your complaint, we will investigate it and provide you with our response as soon as possible. If you are not satisfied with the outcome of your complaint, you have the right to lodge a complaint with your local data protection authority.
9.4 Non-discrimination. We do not discriminate you if you decide to exercise your rights. It means that we will not (i) deny any goods and services, (ii) charge you different prices, (iii) deny any discounts or benefits, (iv) impose penalties, or (v) provide you with a lower quality services.
10. Targeted Advertising
We may show you targeted advertising on the Platform. In this section, we explain the specifics of targeted advertising and provide you with options on how to opt-out.
10.1 You may be served targeted interest-based advertisements on the Platform and other web-sites on the Internet. Such advertisements are generated on the basis of your use of the Platform, other websites on the Internet, and the data generated by cookies installed in your browser.
10.2 You can control how targeted advertising is shown to you or opt-out from targeted advertising. Please note that, depending on the country where you reside, advertisements are served and third-party marketing activities are conducted on an opt-in or opt-out basis. For example:
10.2.1 If you are a consumer based in the State of California (US), your personal data will be collect-ed and used for marketing purposes until you opt-out. It means that, if you wish to opt-out from the collection and use of your personal data for advertising and marketing purposes and/or sale of your personal data to third parties, you have to use any of the available CCPA opt-out tools. The description of such tools for websites and applications and further instructions can be consulted at https://www.privacyrights.info. You can request us to stop selling your personal data (only if we do so) by clicking on the “Do Not Sell My Personal Data” link that will be made available on the Platform. The link will direct you to a webpage that will al-low you to submit your request. We will follow the “Do-not-sell” and “Do-not-track” signals from your browser plug-in, privacy settings, or any other mechanisms enabled by you.
10.2.2 Despite your location, you can consult the universal guides powered by the Digital Advertising Alliance available at https://youradchoices.com and Network Advertising Initiative (NAI) avail-able at https://www.networkadvertising.org. They provide you with more information and instructions on how to manage your personal data used for interest-based marketing and advertising purposes.
11. CCPA Disclosure
IMPORTANT INFORMATION FOR RESIDENTS OF CALIFORNIA: In this section, we explain how we comply with the CCPA with regard to the personal data of California residents.
11.2 What is personal information under the CCPA? Under the CCPA, the term ‘personal in-formation’ refers to information that identifies, relates to, or could reasonably be linked directly or indirectly with a particular consumer or household based in California. The term does not cover certain types of personal information (e.g., information subject to the Gramm-Leach-Bliley Act).
11.3 Types of personal information that we collect. In the past 12 months, we have collected and disclosed to third parties for our legitimate business purposes, the following categories of personal information relating to California residents (please refer to section 2.1 for more in-formation):
- A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol ad-dress, email address, account name, Social Securi-ty number, driver’s license number, passport num-ber, or other similar identifiers.
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
- A name, signature, Social Security number, physical characteristics or description, address, tele-phone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.
|C. Protected classification characteristics under California or federal law.
- Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
D. Commercial information.
- Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
|E. Biometric information.
- Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
|F. Internet or other similar network activity.
- Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement.
|G. Geolocation data.
- Physical location or movements.
|H. Sensory data.
- Audio, electronic, visual, thermal, olfactory, or similar information.
|I. Professional or employment-related information.
- Current or past job history or performance evaluations.
|J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
- Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
|K. Inferences drawn from other personal information.
- Profile reflecting a person’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
11.4 The categories of sources from whom we collect your personal information. We obtain your personal data from the following categories of sources:
Directly from you. For example, if you submit certain personal data directly to us when registering on the Platform, completing the necessary forms, or contacting us.
Directly or indirectly through your activity on the Platform. When you use the Platform, we automatically collect technical information about your use of the Platform.
From third parties. We may receive information about your from third parties to whom you have previously provided your personal data, if those third parties have a lawful basis for disclosing your personal data to us.
11.5 The categories of third parties to whom we disclose your personal information. If necessary for our legitimate business purposes, we disclose the relevant personal information to the following third parties (please refer to section 6 for more information):
11.5.1 Sassy Films, operated by Sassy Films Limited, our video production and editing partner
11.5.2 Ethix Digital operated by Ethix Digital Ltd.
11.5.3 MailChimp, operated by The Rocket Science Group LLC, our email marketing service;
11.5.4 Klaviyo, operated by Klaviyo, Inc., which we use in addition to MailChimp to administer our email marketing;
11.5.5 Segment, operated by Segment.io, Inc., a data management platform that we use to inform and tar-get our marketing;
11.5.6 Stripe, operated by Stripe, Inc., our e-commerce partner;
11.5.7 Heroku, operated by Salesforce.com, Inc., our hosting service provider;
11.5.8 GitHub, operated GitHub, Inc., our software hosting provider;
11.5.9 Cloud Front, operated by Amazon Web Services EMEA SARL, our content delivery network provider;
11.5.10 Facebook and Instagram, operated by Facebook, Inc., our social media partners;
11.5.11 Xero, operated by Xero Limited, our accountancy software provider;
11.5.12 Zendesk, operated by Zendesk Inc., our customer service software provider;
11.5.13 Google Analytics and Google Ads, operated by Google LLC, our provider of online marketing tools
11.5.14 VWO, operated by Wingify Ltd, our A/B testing solution provider
11.5.15 Databox, operated by Databox Inc., our provider of analytics dashboards; and
11.5.16 any similar or replacement third parties from time to time.
11.5.17 Our independent contractors and consultants.
11.6 Use of personal information. In the past 12 months, we have used your personal information for the following purposes (please refer to section 2.1 for more information):
Registering, verifying and maintaining your user account;
Providing you with the requested services (e.g., enabling your access to the Courses);
Performing our contractual obligations;
Maintaining and improving the Platform;
Conducting research about the Platform and our business activities;
Replying to your enquiries;
Maintaining our business records;
Developing new services;
Ensuing security of the Platform;
Showing you relevant advertising; and
Complying with the applicable laws.
11.7 Sale of personal information. In the past 12 months, we have not sold your personal information. The term ‘sold’ refers to the disclosure of your personal information to a third-party for monetary or other valuable consideration.
11.8 Your rights regarding your personal information. As a California resident, you have certain rights granted by the CCPA with regard to your personal information. Such rights are:
I. To receive information about, within the last 12 months:
The categories of personal information that we collected from you;
The categories of sources from which we collected your personal information;
The purposes for which we collected your personal information;
The categories of third parties to which your personal information was disclosed and the personal information that was disclosed; and
The specific pieces of personal information that we collected about you;
II. To request us to delete your personal information that we hold about you, unless there is an exception under the CCPA; and
III. Remain free from unlawful discrimination for exercising your rights.
11.9 Making requests under the CCPA. If you have not found sufficient information in this Privacy Notice, you can submit your requests for exercising your rights to us by email at [email protected] with “CCPA request” in the subject line. We will reply to you as soon as possible but no later than 10 days or you can send us a written request to [insert address in US]. Please note that we may need to verify your identity by requesting you to submit certain identify-ing details.
11.10 Authorized agent. You can exercise your rights through an authorized agent. To do so, you will need to (i) provide us with a copy of your written permission for the authorized agent to act on your behalf; and (ii) verify your identity with us. Alternatively, you can (i) provide your authorized agent with a power of attorney under the California Probate Code sections 4000 to 4465 and (ii) submit a copy of the power of attorney to us.
11.11 Declining your requests. In some instances, we may not honor your request. Such instances include: (i) the failure to verify your identity; (ii) if you do not have authority to exercise the rights on behalf of another person; (iii) if there is an exception under the CCPA; or (iv) where the person-al information that we hold about you is not subject to the CCPA.
11.12 Filing a formal complaint. If you are not satisfied with our response to your request, you have the right to file a formal complaint with the Attorney General’s Office (see https://oag.ca.gov/contact/consumer-complaint-against-business-or-company for more information).
12. How to Contact Us?
If you have any questions about this Privacy Notice or our data protection practices, please contact us by:
Email: [email protected]
Contact form: https://www.bbcmaestro.com/contact