This Privacy Policy (hereinafter "Policy") constitutes the complete and binding statement of the privacy practices of Golding Education Ltd, a company incorporated and registered in England and Wales under Company Registration Number 16396444 (hereinafter "EduAtlas," "the Company," "we," "us," or "our"). Golding Education Ltd is the data controller for all personal data processed through the EduAtlas platform, including but not limited to the website accessible at eduatlas.org, all associated subdomains, application programming interfaces, and related digital services (collectively, the "Platform"). The Company is registered with the Information Commissioner's Office of the United Kingdom (hereinafter "ICO") under Registration Number 00013805394.
All inquiries, requests, and correspondence relating to the processing of personal data, the exercise of data subject rights, or the contents of this Policy shall be directed to the Company's designated data protection contact at the following electronic mail address: privacy@eduatlas.org. The Company shall respond to all legitimate data subject requests within thirty (30) calendar days of receipt, subject to verification of identity where reasonably required.
The Platform is exclusively designed for, and directed at, professional educators and education professionals who are at least eighteen (18) years of age. By accessing or using the Platform in any manner, you represent and warrant that you are at least eighteen (18) years of age. The Company does not knowingly collect, process, or retain personal data from any person under the age of eighteen (18) years. Any person under the age of eighteen (18) years is expressly prohibited from using the Platform.
This Policy has been prepared in accordance with and to satisfy the requirements of the United Kingdom General Data Protection Regulation as retained and modified in United Kingdom law by the European Union (Withdrawal) Act 2018 (hereinafter "UK GDPR"), the Data Protection Act 2018 (hereinafter "DPA 2018"), the Privacy and Electronic Communications Regulations 2003 as amended (hereinafter "PECR"), applicable guidance and codes of practice issued by the Information Commissioner's Office, the Google API Services User Data Policy and associated terms governing the use of Google authentication services, the LinkedIn API Terms of Use and associated terms governing the use of Sign In with LinkedIn (OpenID Connect), the Apple Developer Program License Agreement and associated Sign in with Apple guidelines, and all other applicable laws and regulations of jurisdictions in which the Platform operates or from which users access the Platform.
This Policy applies to all personal data collected, received, generated, stored, used, disclosed, transferred, or otherwise processed by the Company in connection with the operation of the Platform, whether collected directly from data subjects, received from third-party authentication providers, derived from usage of the Platform, or generated through the Company's automated systems.
The Company processes personal data under the following lawful bases as defined by Article 6 of the UK GDPR: performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (Article 6(1)(b)); compliance with a legal obligation to which the Company is subject (Article 6(1)(c)); the legitimate interests pursued by the Company or by a third party, where such interests are not overridden by the interests or fundamental rights and freedoms of the data subject (Article 6(1)(f)); and, where applicable, the consent of the data subject (Article 6(1)(a)).
AUTHENTICATION AND ACCOUNT DATA. When a user creates an account on the Platform, the Company collects and processes the following data: electronic mail address, which serves as the primary account identifier and is used to deliver authentication communications, platform notifications, and transactional correspondence, processed on the basis of contract; full name as provided by the user or retrieved from a third-party authentication provider, processed on the basis of contract; a secure session credential stored as a browser cookie used to maintain the user's authenticated session, processed on the basis of contract; a security token used to protect against cross-site request forgery, processed on the basis of legitimate interests in platform security; a short-lived one-time authentication code or authentication link delivered by electronic mail, stored temporarily and deleted immediately upon use or expiry, processed on the basis of contract; and a pioneer number, being a sequentially assigned identifier reflecting the user's position in the order of account creation, processed on the basis of legitimate interests in community recognition.
GOOGLE AUTHENTICATION DATA. Where a user elects to authenticate via Google Sign-In, the Company receives from Google LLC the following data: the user's Google account email address, the user's display name as registered with Google, and a reference to the user's Google profile photograph. The Company uses this data solely for the purposes of creating and authenticating the user's account on the Platform, and displaying the user's name and profile image within the Platform. The Company does not use Google authentication data for advertising, profiling beyond what is necessary for Platform operation, or any purpose inconsistent with the Google API Services User Data Policy. Users may revoke the Company's access to their Google account data at any time through their Google Account settings at myaccount.google.com. Revocation of Google access does not delete the user's EduAtlas account; the user's account will remain accessible via alternative authentication methods or may be deleted upon request. The Company's use of data received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
LINKEDIN AUTHENTICATION DATA. Where a user elects to authenticate via Sign In with LinkedIn using OpenID Connect, the Company receives from LinkedIn Ireland Unlimited Company the user's email address, display name, and a reference to the user's LinkedIn profile photograph. This data is used solely to create and authenticate the user's account and to display the user's name and profile image within the Platform. The Company does not request or receive the user's connections, posts, or any other LinkedIn data, and does not use authentication data for advertising. Users may revoke the Company's access at any time from LinkedIn's permitted-services settings; revocation does not delete the user's EduAtlas account.
APPLE AUTHENTICATION DATA. Where a user elects to authenticate via Sign in with Apple, the Company receives from Apple Inc. the following data: the user's name as registered with Apple (transmitted by Apple on the first authentication only); and either the user's real Apple ID email address or, where the user has elected to use Apple's Private Email Relay service, an Apple-assigned relay email address. The Company stores and uses the Apple-provided email address as the account identifier. Where Apple provides a relay email address, the Company may request that the user provide their real work or institutional email address for the purposes of connecting with professional colleagues; in such cases the Company stores both addresses for their respective purposes. The Company does not use Sign in with Apple data for advertising or any purpose inconsistent with Apple's guidelines. Users may revoke the Company's access to their Apple ID at any time through their Apple ID account settings at appleid.apple.com. Biometric data used during Face ID or Touch ID authentication is processed entirely by Apple's operating system on the user's device and is never transmitted to, received by, or processed by the Company in any form.
PASSKEY CREDENTIAL DATA. Where a user registers a passkey for authentication on the Platform, the Company stores the public key component of the passkey's cryptographic key pair, a credential identifier, a usage counter for security purposes, and timestamps of creation and last use. The private key is generated on, and never leaves, the user's device. Biometric data used to unlock a passkey, including fingerprint data and facial geometry, is processed exclusively by the user's device and by Apple Inc. or Google LLC as applicable; such data is never transmitted to or processed by the Company.
PROFESSIONAL PROFILE DATA. The Platform collects and processes the following professional profile information provided voluntarily by users: employment history including the names of schools and educational institutions, job titles, dates of employment, subjects taught, and curriculum experience (including but not limited to International Baccalaureate, Cambridge Assessment International Education, Advanced Placement, British curricula, European Baccalaureate, and national curricula); educational history including institutions attended, qualifications, and dates of study; a professional biography and headline; professional contributions including authored articles, conference presentations, created materials, and awards; and a publicly accessible profile photograph. Avatar photographs undergo technical validation and metadata removal prior to storage; embedded metadata, including any geographic location data, is stripped before the photograph is stored, for the protection of user privacy and safety.
SALARY DATA. Users may voluntarily disclose salary information to contribute to the Platform's anonymised regional compensation tool. This disclosure is entirely optional. Salary data is never displayed in a manner that identifies an individual user and is only incorporated into aggregate statistics once a minimum threshold of contributions has been met for a given region and role category. Salary data is processed on the basis of the user's explicit consent, which may be withdrawn at any time.
COMMUNITY VERIFICATION DATA. The Platform operates a peer verification system through which users may professionally vouch for one another. The Company processes records of verification actions, including the identifiers of the verifying and verified users and the timestamp of verification. A user's verification status is displayed publicly on their profile. This data is processed on the basis of legitimate interests in establishing the authenticity of professional profiles.
INVITATION DATA. The Company processes data relating to the Platform's invitation system, including the identifier of the inviting user, the email address of the invited person, any associated school context, and the timestamp and status of the invitation. This data is processed on the basis of contract and legitimate interests in growing the professional network.
PROFESSIONAL NOTES. The Platform enables users with a verified professional relationship to leave structured notes on one another's profiles, including a declared relationship type, institutional context, dates of the relationship, a brief free-text observation, and optional professional skill tags. Professional notes are displayed publicly on the subject's profile and are processed on the basis of the legitimate interests of both parties in professional credibility. Users may request removal of any note appearing on their profile by contacting privacy@eduatlas.org.
DIRECT MESSAGE DATA. The Platform provides a private direct messaging system. Message content is encrypted at rest using industry-standard encryption before storage, such that the Company is not able to read message content in the ordinary course of its operations. The Company processes unencrypted message metadata comprising the identifiers of sender and recipient, the conversation identifier, message type, timestamp, and read status, on the basis of contract. Users should be aware that while message content is encrypted, the fact of communication between two users and the timing thereof are visible to the Company as metadata.
VOICE NOTE DATA. Voice notes transmitted through the messaging system are stored in encrypted cloud storage, subject to a maximum duration of forty-five (45) seconds and a maximum file size of two (2) megabytes. Voice notes are processed on the basis of contract.
NOTIFICATION DATA. The Company processes records of platform notifications, including the notification type, the identifiers of the relevant users, and the timestamp and read status, on the basis of contract.
FEED PERSONALISATION DATA. The Platform uses an algorithmic system to personalise the content displayed in each user's feed, drawing on profile data including subjects taught, curriculum experience, career trajectory, international experience, geographic regions of employment, and school affiliations. The Company also processes implicit engagement signals such as job listing interactions to improve personalisation. This processing constitutes profiling within the meaning of the UK GDPR and is described further in Section 4. Users may contact privacy@eduatlas.org to obtain information about the factors applied to their personalisation.
USAGE AND SECURITY DATA. The Company processes IP addresses, timestamps, and request identifiers for security monitoring, abuse prevention, and rate limiting, on the basis of legitimate interests. IP address data is retained for a maximum of ninety (90) days.
SCHOOL AND INSTITUTION PAGE DATA. The Platform maintains pages for educational institutions derived from publicly available datasets. Where a user's employment history references an institution, a relationship is established between the user's profile and that institution's page and displayed publicly, on the basis of legitimate interests in providing an accurate professional directory.
The Company's feed personalisation system processes profile and engagement data to rank and select professional content for display, as described in Section 3. This constitutes profiling under Article 4(4) of the UK GDPR. This profiling does not produce legal effects or other similarly significant effects upon users and is used solely to curate content relevance. The Company does not use automated processing to make hiring, creditworthiness, or other consequential decisions. Users may object to profiling at any time by contacting privacy@eduatlas.org, and the Company will present content on a non-personalised basis upon such request.
The Company discloses personal data to the following third-party processors, each of which processes personal data solely on the Company's documented instructions and subject to binding contractual data protection commitments:
CLOUDFLARE, INC. (United States of America). Cloudflare, Inc. provides the Company with cloud computing, storage, content delivery, email delivery, security monitoring, and network services. Substantially all personal data processed through the Platform transits through or is stored on infrastructure operated by Cloudflare. Cloudflare is certified under the UK Extension to the EU-US Data Privacy Framework (hereinafter "UK-US Data Bridge"), which the Secretary of State for Science, Innovation and Technology has determined provides an adequate level of protection for personal data transferred from the United Kingdom to the United States.
GOOGLE LLC (United States of America). Google LLC provides authentication services through which users may sign in to the Platform using their Google account, as described in Section 3. Google LLC is certified under the UK-US Data Bridge. The Company's use of Google services is subject to the Google API Services User Data Policy.
LINKEDIN IRELAND UNLIMITED COMPANY (Ireland) and LINKEDIN CORPORATION (United States of America). LinkedIn provides authentication services through which users may sign in to the Platform using their LinkedIn account, as described in Section 3. Transfers to the United States are made under standard contractual clauses or equivalent appropriate safeguards consistent with UK GDPR.
APPLE INC. (United States of America). Apple Inc. provides Sign in with Apple authentication services through which users may sign in to the Platform using their Apple ID, as described in Section 3. The Company transfers data to Apple under appropriate safeguards consistent with UK GDPR requirements.
The Company does not sell, rent, or otherwise commercialise personal data. The Company does not disclose personal data to third parties for advertising or marketing purposes and does not permit third parties to use Platform data for targeted advertising.
Substantially all personal data processed through the Platform is transferred to and processed in the United States of America by the Company's service providers. Transfers to Cloudflare, Inc. and Google LLC are made under the UK-US Data Bridge, under which those organisations are certified. Transfers to Apple Inc. are made under standard contractual clauses or equivalent appropriate safeguards consistent with UK GDPR. Users accessing the Platform from outside the United Kingdom should be aware that their data may be transferred to and processed in the United Kingdom and the United States under the safeguards described above.
The Company retains personal data only for as long as is necessary for the purposes for which it was collected and in accordance with applicable law. Account data, profile data, employment and education history, verification records, invitation records, and notification data are retained for the duration of the user's account and deleted within thirty (30) days of account deletion. Message content and voice notes are retained for the duration of the relevant conversation or until deleted by the user, and removed within thirty (30) days of account deletion. Message metadata is retained for ninety (90) days following deletion of the relevant message or account. Salary data is retained until consent is withdrawn. Feed personalisation data is periodically refreshed. Authentication credentials and one-time codes are short-lived and deleted upon use or expiry. Security and access logs are retained for a maximum of ninety (90) days. Where a legal obligation requires retention beyond these periods, such data is retained for the legally mandated period notwithstanding a deletion request.
Under UK GDPR and the DPA 2018, users have the right of access to personal data held about them; the right to rectification of inaccurate data; the right to erasure in specified circumstances; the right to restriction of processing in specified circumstances; the right to data portability; the right to object to processing based on legitimate interests including profiling; and the right to withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, users should contact privacy@eduatlas.org with sufficient information to identify their account. The Company may request verification of identity before fulfilling a request and will respond within thirty (30) days, with a possible extension of a further sixty (60) days for complex requests, with prior notice of any extension.
Users dissatisfied with the Company's response may lodge a complaint with the Information Commissioner's Office at ico.org.uk, by telephone at 0303 123 1113, or by post at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
The Platform uses strictly necessary cookies to operate securely. These include a session authentication cookie used to maintain the user's logged-in state, and a security cookie used to protect against cross-site request forgery attacks. Both are set solely for the purpose of operating the Platform and are not used for advertising, tracking, or analytics. The Platform does not use advertising cookies, tracking pixels, or third-party analytics that identify users across other websites. Third-party cookies are not served or permitted. Strictly necessary cookies cannot be disabled without ceasing to use the Platform.
The Company implements appropriate technical and organisational measures to protect personal data, including encryption of data in transit and of sensitive data at rest, removal of metadata from uploaded files prior to storage, technical file validation on all uploads, protections against cross-site request forgery on all state-changing operations, content security policies to mitigate cross-site scripting, rate limiting on sensitive endpoints, and restricted access to production systems. Passkey authentication is phishing-resistant by cryptographic design. In the event of a personal data breach likely to result in risk to data subjects' rights and freedoms, the Company will notify the ICO within seventy-two (72) hours of becoming aware and will notify affected users as required.
The Platform is exclusively for educators and professionals aged eighteen (18) or over. The Company does not knowingly collect data from anyone under eighteen (18). If such data is inadvertently collected, the Company will delete it promptly upon becoming aware. Anyone with reason to believe a minor's data has been collected should contact privacy@eduatlas.org immediately.
Users may publish content on the Platform that contains personal data relating to third parties, including colleagues and employers. Users are solely responsible for ensuring a lawful basis exists for any third-party personal data they publish. The Company is not responsible for the accuracy or lawfulness of user-generated content.
The Company may amend this Policy to reflect changes in law or practice. Material changes will be notified to users by electronic mail before taking effect. The current Policy is always available at eduatlas.org/privacy. Continued use of the Platform after notification of changes constitutes acceptance of the amended Policy.
Golding Education Ltd
Data Protection Contact
Electronic mail: privacy@eduatlas.org
Company Registration No. 16396444 (England and Wales)
ICO Registration No. 00013805394
Complaints may also be directed to the Information Commissioner's Office at ico.org.uk.
EduAtlas | Golding Education Ltd | Company No. 16396444 | ICO Reg. 00013805394 | © 2026 Golding Education Ltd. All rights reserved.