Privacy Policy

1. PURPOSE OF THIS POLICY

•  what personal data we collect
•  how and why we use it
•  how we share and protect it
•  how we transform data into anonymised insights
•  your rights under UK data protection law

•  users of our websites and digital platforms
•  students, graduates, and professionals engaging with GGI
•  participants in events, programmes, and services
•  institutional partners and stakeholders

2. DATA MINIMISATION PRINCIPLE

We only collect personal data that is necessary and proportionate for the relevant purpose.

•  To create an account: name, email, and login credentials
•  To participate in programmes: relevant academic or professional data
•  To personalise services: preferences and engagement data

Optional data will always be clearly indicated.

3. THE DATA WE COLLECT

Identity Data
Name, title, date of birth, nationality

Contact Data
Email address, telephone number, address

‍Education & Career Data
Academic history, qualifications, employment history, career interests

‍Transaction Data
Payments, billing information, purchases of services or reports

‍Technical Data
IP address, device type, browser, login data

‍Usage Data
Interaction with our platform, services, and content

‍Marketing & Communications Data
Preferences in receiving communications and engagement behaviour

•  health or accessibility data (e.g. event accommodations)
•  diversity data (e.g. nationality, ethnicity for research and reporting)

•  with explicit consent, or
•  where required for legal, safeguarding, or equality monitoring purposes

4. HOW WE USE YOUR DATA

•  provide access to our platform, programmes, and services
•  manage accounts and transactions
•  facilitate participation in events and initiatives

•  recommend courses, opportunities, or services
•  match users with institutions, employers, or programmes
•  tailor content and communications

•  analyse trends in education, careers, and employability
•  develop reports, benchmarks, and insights
•  support institutional and policy decision-making

•  monitor usage and improve user experience

•  meet legal obligations
•  prevent fraud and misuse

5. OUR LEGAL BASIS FOR PROCESSING

Purpose Legal Basis
Providing services and programmes   Contract
Managing relationships with users and partners   Legitimate interests
Personalisation and matching   Legitimate interests
Marketing communications   Consent
Processing special category data   Explicit consent (or legal obligation where applicable)
Compliance with legal requirements   Legal obligation
Security and fraud prevention   Legitimate interests

Where we rely on legitimate interests, we conduct a balancing assessment to ensure our interests do not override your rights and freedoms.

Examples include improving services, analysing user behaviour to enhance outcomes, and maintaining platform security.

6. PERSONALISATION, PROFILING AND INTELLIGENCE

•  user preferences
•  education and career pathways
•  engagement patterns

•  personalise recommendations
•  improve services
•  generate insights

We may use profiling techniques to segment users and enhance relevance.

We do not carry out automated decision-making that produces legal or similarly significant effects without human involvement.

7. FROM PERSONAL DATA TO INTELLIGENCE

A core part of GGI’s work is transforming data into aggregated, anonymised insights.

•  graduate employability trends
•  salary outcomes and career trajectories
•  education pathway analysis
•  behavioural and decision-making patterns

•  it no longer identifies individuals
•  it is no longer considered personal data
•  it may be retained and used indefinitely

8. MARKETING COMMUNICATIONS

•  where you have given consent, or
•  where permitted under applicable law

•  clicking the unsubscribe link
•  contacting us directly

We maintain suppression lists to ensure individuals who opt out are not contacted again.

We do not sell personal data. We may share data with partners only where necessary to deliver services or where you have provided consent.

We do not sell personal data. We may share data with partners only where necessary to deliver services or where you have provided consent.

9. COOKIES AND TRACKING

•  operate and secure our platform
•  analyse performance and usage
•  personalise content and communicationsarea

•  strictly necessary cookies
• analytics cookies
•  marketing cookies (where applicable)

You will be asked to provide explicit consent for non-essential cookies via a cookie banner.

You can manage your preferences at any time.

10. SHARING YOUR DATA

•  hosting providers
•  payment processors
•  CRM and analytics platforms

•  universities
•  employers
•  programme collaborators

•  to deliver services
•  or with your consent

Depending on the context, third parties may act as independent data controllers or as data processors acting on our instructions.

Where required, we enter into appropriate data processing agreements.

ConteLegal and Regulatory Authoritiesnt area

Where required by law.

•  process data securely
•  comply with data protection obligations

11. DATA FROM THIRD PARTIES

•  institutional partners
•  event collaborators
•  service providers

•  expressed interest in relevant services, or
•  consented to your data being shared

•  appropriate notices have been provided
•  data is processed lawfully and transparently

12. INTERNATIONAL DATA TRANSFERS

As a global organisation, we may transfer personal data outside the UK.

•  UK International Data Transfer Agreements (IDTAs), or
•  Standard Contractual Clauses (SCCs)

Where required, we carry out transfer risk assessments to ensure that personal data remains adequately protected.

13. DATA SECURITY

•  access controls and role-based permissions
•  encryption where appropriate
•  secure storage systems

Access to personal data is limited to those with a legitimate business need.

14. DATA RETENTION

Data Category   Retention Period
Enquiries and prospective users   Up to 48 months from last interaction
Registered users / participants   Duration of relationship + up to 6 years
Financial data   Minimum 6 years (legal requirement)
Marketing data   Until consent withdrawn or inactivity (24–36 months)
Technical and usage data   Up to 48 months
Special category data   Only as long as necessary for the specific purpose

International education journeys often span multiple years. Retaining enquiry and engagement data for up to 48 months enables continuity, better support, and longitudinal insight while remaining proportionate.

•  securely deleted, or
•  anonymised for long-term use

15. DATA BREACHES

•  notify the ICO, and
•  notify affected individuals

where required by law.

16. YOUR RIGHTS

•  Access your personal data
•  Correct inaccurate data
•  Request deletion
•  Restrict processing
•  Object to processing
•  Data portability
•  Withdraw consent at any time

Where deletion is requested, we will remove personal data unless we are required to retain it for legal reasons.

We may retain anonymised data that can no longer identify you.

17. CHILDREN’S DATA

Our services are generally not intended for individuals under 18.

•  appropriate consent is obtained
•  additional safeguards are applied

18. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time.

Where changes are significant, we will notify users appropriately.

19. CONTACT