Our Commitment to Your Privacy
If you cannot, or will not, provide us with the personal information we reasonably require, we may be unable to provide you with the information, goods or services you have requested.
“Personal Data” is information or pieces of information that could allow you to be identified. We may collect, store and use the following information about you:
· Name and contact details (e.g. postal and email address, telephone number)
· Account information or user ID (e.g. user name, profile picture or social media account ID)
· Country of residence or citizenship
· Birth date
· Technical information, e.g. screen/user name, IP address, browser and device data, information collected through cookies, pixel tags and other technologies, server log file data, app usage data and location data, page views and website navigation
· Preferences (e.g. shopping habits, preferred educational courses)
· Credit and debit card number, payment data or bank account details
How do we collect Personal Data?
We collect Personal Data in a variety of ways:
· Directly from you: Information is collected directly from you, either by you providing the information directly to us or you acting in a manner that provides us with the information, for example:
o Offline: We collect Personal Data from you offline, for example when you contact customer service, enrol in a product or service or provide information to us in writing.
o Online: We collect your Personal Data through the EF Products, for example when you sign up for a newsletter or a brochure, enrol in a product or service. We also collect Personal Data:
· Through your use of a mobile application. When you download and use one of our mobile applications, and to the extent allowed by your privacy settings in the application, we track and collect mobile application usage data, such as the date and time the mobile application on your device accessing our servers and what information and files have been downloaded to the mobile application based on your device number as well as statistics on malfunctions and crashes that the users experience. The EF Hello mobile application is using a crash reporting tool, Instabug, to send us information about bugs and crashes that users experience. The application automatically collects certain information that does not personally identify users of it. This information includes, but is not limited to, information on the device such as device ID, device mode, time of failure and the physical location of a device at the time of a crash.
· Through your device. Provided that you have enabled that function on your device, we collect the physical location of it to provide you with personalized location-based services and content. Read more about such services under “How do we use Personal Data?”
· From our corporate affiliates, business partners, assistance providers or claim handlers. We may receive Personal Data from other parties in conjunction with your course/program, including:
o Our corporate affiliates, such as the local EF company that promotes the sales of our services and offers customer service in your country of residence and provides us with the Personal Data that is needed to come to an agreement with you.
How do we use Personal Data?
We will use your Personal Data for the following purposes:
· Your Personal Data will be processed by EF for the purposes of providing you with the products and services that you have ordered, for customer service, administrative services or as otherwise necessary to perform the contract between you and us or as further described in this policy.
· We may also use Personal Data:
o For statistical purposes, system maintenance, backup, calculating usage levels, and helping diagnose server problems with the EF Products, for business development as well as to ensure that the EF Products function properly.
o To allow you to contact and be contacted by other users through the EF Products, as permitted by the applicable product.
o To provide customer service or send service related information, via various channels such as SMS, messenger services like WhatsApp, Facebook Messenger, chat bots or email.
o To allow you to participate on message boards, chat, profile pages and blogs and use other services enabling you to post information and materials.
o Where relevant, to establish, exercise or defend legal claims;
o To detect, investigate or prevent information security incidents, fraud, misrepresentation, security incidents or crime;
o To meet applicable legal, regulatory and compliance requirements.
o If you have given your consent:
· To analyse and improve our offers by identifying usage trends, determining the effectiveness of our promotional campaigns and tailoring the EF Products experience and content based on your past activities on the EF Products. For example, depending on what EF Product you have searched for on our website, or in previous browsing, the offer presented to you on the EF Products may be limited to a specific language, course length or budget.
· To provide you with personalized location-based services and content through the use of your device’s physical location. For example, you will be redirected to the local EF website in your language if your device indicates that you are browsing from that country, or you may be suggested the nearest EF office to your location for visits or information.
· To market our products and services, including special promotions based on your interests, for example through email marketing solutions such as Salesforce Marketing Cloud’s management software which maintains mailing lists and schedules and modifies email messages based on what recipients read, click-on or forward, or through other channels such as SMS, other instant messenger services or chat bots, telephone calls with operator (so-called telemarketing) or traditional mail. All such communication will include a clear unsubscribe link or offer another opt-out function.
· For the transmission and communication to third-party companies or other EF companies for their marketing purposes, including direct marketing activities and telemarketing.
How do we share Personal Data?
· Corporate affiliates
Our corporate affiliates include, for example, a local EF company that promotes the sales of our services and offers customer service in your country of residence, or EF companies that provide internal service functions such as IT, legal or other shared services. If we have obtained your consent, we may also share your Personal Data with our EF corporate affiliates for their own marketing purposes. These are [name, address of those affiliates].
· Third party service providers
We share Personal Data with third parties in connection with the delivery of services to you and the operation of our business. For example, we may share Personal Data to providers of IT systems in order to manage customer relations, process credit cards or other payment solutions, schedule classes or store learning results; or to providers of software and services for digital marketing automation and analytics; to advertising platforms; and to other third parties to provide customer service, business analytics, and fraud prevention and compliance services to serve you with advertising tailored to your interests [and to visa processing agencies].
· Business partners
We may share your Personal Data with business partners. This may happen, for example, when we promote a program or offer a service or product in conjunction with a third-party business partner or when we use local sales agents to promote our services in your country of residence. In most cases, the program or offer will include the name of the third-party business partner, either alone or with ours, or you will be redirected to the website of that business with notice.
· Other third parties
If you log in to an EF product/service by using a single sign-on through a third party app or platform, you will share certain information with that social media platform, such as the fact that you have visited or interacted with us.
· Corporate transactions
In the event that our business is directly or indirectly sold or combined with another business, your Personal Data may be disclosed to our advisers, a prospective purchaser and any prospective purchaser’s advisers and may be transferred to the new owners of the business.
· Legal rights and obligations
We also share Personal Data as we believe to be necessary: (a) under applicable law; (b) to comply with legal process; (c) to respond to requests from public and government authorities including public and government authorities outside your country of residence; (d) to enforce our terms and conditions or a contract; (e) to protect our operations or those of any of our affiliates; (f) to protect our rights, privacy, safety or property, and/or that of our affiliates, you or others; and (g) to allow us to pursue available remedies or limit the damages that we may sustain.
International Data Transfers
EF has business activities in several different countries, and your Personal Data may be shared with affiliates of EF or other recipients as described above that have a need to receive such data for the purpose of performing the services you have requested, or according to this policy. Such recipients may be located outside your own country, including countries outside the EEA/Switzerland that do not ensure the same level of protection as the country where you are domiciled. Unless the European Commission has decided that a country ensures an adequate level of protection for personal data, EF will use contracts based on the European Commission’s standard data protection clauses for international transfers of personal data to ensure compliance with applicable law. You have a right to ask us for a copy of the standard data protection clauses (by contacting us as set out in the Contact Us section below).
On what do we base our right to collect and use Personal Data?
We have documented the lawful bases for our processing activities in Annex 1.
On some occasions, we process your Personal Data on the basis of your consent (for example, when you agree that we may set cookies other than those that are strictly necessary). To the extent we use sensitive Personal Data, we base this on your explicit consent. Sensitive data can for example be information about health, ethnicity or religious beliefs - read more under “Sensitive data”. Where we process data based on consent, your consent is revocable at any time.
The processing of some of your Personal Data is necessary in order to provide services to you pursuant to the agreement that you enter into with us. Without this information, we would not be able to provide certain services to you.
On other occasions, we process your data when we are required by law (for example, if we are required by court order or any applicable law to process data).
We also process your Personal Data when it is in our, or a third party’s, legitimate interests to do so, provided that your data protection rights do not override these interests. This may be to market products or services similar to the one(s) you have already purchased from that same legal entity. Where we are not relying on consent, legal requirements or contractual necessity, we process your Personal Data based on legitimate interests as described in this Policy.
We use appropriate organizational, technical and administrative measures to keep the Personal Data under our control accurate and up-to-date, as well as to protect the Personal Data against unauthorised or unlawful processing and the accidental loss, destruction or damage of the Personal Data.
If at any time you wish to stop receiving marketing communications from us you can use the unsubscribe feature in the marketing communication you received or let us know by contacting us at email@example.com. In your request, please indicate that you wish to stop receiving marketing communications from us.
Please note that changes may not be effective immediately. We will endeavour to comply with your request(s) as soon as reasonably practicable.
THIRD PARTY SITES
HOW LONG DO WE STORE PERSONAL DATA?
We will only keep your Personal Data for 2-5 years after the expiry of your account, in order to be able to provide you the possibility to re-activate your account, should you decide to purchase additional courses from us; or otherwise for as long as it is necessary for the purposes for which it has been collected or in accordance with time limits stipulated by law and market practice, unless further retention is necessary for compliance with a legal obligation or for the establishment, exercise or defence of legal claims or unless a specific time period has been communicated.
We will keep limited parts of your Personal Data which are necessary for marketing purposes until you withdraw your consent, but in no event for longer than 5 years after your last completed service or delivery of product.
IF YOU ARE UNDER THE AGE OF 16
To use EF Products, you must be at least 16 years old. We are not responsible for checking your age but sometimes we still do verification checks. If we learn that you are under the age of 16 and that we have collected information about you without consent from your parent or guardian, we will delete the information as soon as possible and you will not be able to use EF Products.
We do not generally seek to collect any sensitive Personal Data. Sensitive Personal Data is data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, health or medical condition, criminal background or trade union membership. In certain situations, this might however be necessary (for example in order to provide you with the services and products you have ordered). We will make sure that we receive your explicit consent to such processing and treat this information securely.
SPECIAL NOTICE TO CALIFORNIA RESIDENTS – Please click here
Under California Civil Code Section 1798.83, California residents have the right to request and receive from us, once per year and free of charge, information about the personal information we have disclosed (if any) to third parties for their marketing purposes during the previous calendar year, and a description of the categories of personal information shared. To make such a request, please send an email to firstname.lastname@example.org including the phrase “California Privacy Request” in the subject line, and provide us with your name, postal address and email address.
If you are a California resident under the age of 18, and a registered user of any site where this policy is posted, California Business and Professions Code Section 22581 permits you to request and obtain removal of content or information you have publicly posted. To make such a request, please send an email with a detailed description of the specific content or information to the email address listed below including the phrase “California Privacy Request” in the subject line. Please be aware that such a request does not ensure complete or comprehensive removal of the content or information you have posted and that there may be circumstances in which the law does not require or allow removal even if requested.
• Access to Specific Information and Data Portability Rights. California residents have the right to request that we disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verified consumer request, we will disclose to you: (i) the categories of personal information we collected about you; (ii) the categories of sources for the personal information we collected about you; (iii) our business or commercial purpose for collecting that personal information; (iv) the categories of third parties with whom we share that personal information; (v) the specific pieces of personal information we collected about you (also called a data portability request); (vi) if we sold or disclosed your personal information for a business purpose, two separate lists disclosing any sales (identifying the personal information categories that each category of recipient purchased) and disclosures for a business purpose (identifying the personal information categories that each category of recipient obtained).
• Deletion Request Rights. You have the right to request that we delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verified consumer request, we will delete (and direct any service providers to delete) your personal information from our records unless an exception applies, which may include but is not limited to information needed: (i) to complete the transaction for which we collected the personal information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you; (ii) detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities; (iii) enable solely internal uses that are reasonable aligned with consumer expectations based on your relationship with us; (iv) comply with a legal obligation; and (v) make other internal and lawful uses of that information that are compatible with the context in which you provided it.
• Exercising Access, Data Portability, and Deletion Rights. To exercise the access, data portability, and deletion rights above, please submit a verifiable consumer request to us by emailing us at email@example.com
Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verified consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.
You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must: (i) provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative; and (ii) describe your request with sufficient detail that allows us properly to understand, evaluate, and respond to it. We cannot response to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make a request.
Response Timing and Format. We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without issue. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. Non-Discrimination. We will not discriminate against you for exercising any of your rights under the CCPA.
We respect your rights to access and control your information and will respond to requests in according with applicable privacy and data protection legislation. We may ask you to verify your identity and to provide other details to help us to respond to your request.
Depending on the lawful basis for processing upon which we rely, you have a right to:
1 . request access to your Personal Data;
2. request that we correct or complete Personal Data that is inaccurate or incomplete;
3. request that we erase your Personal Data, which we will do where required by applicable privacy and data protection legislation;
4. restrict our processing of your Personal Data, in certain circumstances;
5. request that we provide you with copies of your Personal Data in a machine-readable format or transfer it across different services;
6. object to certain types of processing, including where we process your Personal Data on the basis of our legitimate interests and for direct marketing purposes;
7. and where we have asked for your consent to process your data, to withdraw this consent.
These rights are limited in some situations under applicable privacy and data protection legislation – for example, where we can demonstrate that we are under a legal obligation or have other legitimate grounds to process your data.
If you wish to exercise these rights, please contact us using the contact details below. We hope that we can satisfy any queries you may have about the way we process your data. However, if you have unresolved concerns you also have the right to complain to data protection authorities.
If you would like to have a copy of the information EF holds about you; a copy of the standard data protection clauses or would like to exercise any of your rights, please contact us at the address EF Language Learning Solutions Ltd., Haldenstrasse 4, 6006 Lucerne, Switzerland or firstname.lastname@example.org.
If you have complaints about our handling of your Personal Data, you have a right to contact the supervisory authority in the country where you live.
Completing your booking, providing you with the products and services that you have ordered (including travel insurance coverage), for customer service, administrative services.
· Processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract.
For statistical purposes, system maintenance, backup, calculating usage levels, and helping diagnose server problems with the EF Products, for business development as well as to ensure that the EF Products function properly.
· Legitimate interest in administering and improving the EF Products for the benefit of users.
To allow you to contact and be contacted by other users through the EF Products
· Processing is necessary for the performance of a contract
To provide customer service or send service related information, via various channels such as SMS, messenger services like WhatsApp, Facebook Messenger, chat bots or email.
· Processing is necessary for the performance of a contract
To establish, exercise or defend legal claims
· Legal obligation
· Legitimate interest in bringing and defending legal claims to protect the business.
To detect, investigate or prevent information security incidents and/or report fraud, misrepresentation or crime
· Legal obligation
· Legitimate interest in detecting, investigating or preventing information security incidents, misrepresentation and crime to protect (a) users of the EF Products, and (b) our directors, employees and consultants.
To meet applicable legal, regulatory and compliance requirements.
· Legal obligation
· Legitimate interest in ensuring compliance with applicable laws and regulations.
To analyse and improve our offers by identifying usage trends, determining the effectiveness of our promotional campaigns and tailoring the EF Products experience and content based on your past activities on the EF Products.
To provide you with personalized location-based services and content through the use of your device’s physical location.
To market our products and services, including special promotions based on your interests
· Legitimate interest, for direct marketing of products or services similar to the one(s) you have already purchased from that same legal entity within a limited period of time
For the transmission and communication to third-party companies for the purpose of offering payment solutions, travel arrangement or IT service
· Performance of contract
· Legitimate interest in running a commercial enterprise which employs the services of appropriate third party service providers