Personal Data Processing Policy
Effective Date:
This Personal Data Processing Policy («Policy») is established by FAQ MEDIA HOLDING LTD («Operator», «we», «us», «our») in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This document sets out how we collect, use, store, transfer, and protect personal data obtained through our website https://aidacs.io, and what rights individuals have in relation to their personal data.
1. General Provisions
1.1. The Operator considers the protection of individual rights and freedoms in the processing of personal data, particularly the right to privacy, to be a primary goal and responsibility.
1.2. This Policy applies to all personal data that the Operator collects or receives from users of our website and related services.
1.3. The Policy is publicly available on our website and may be updated periodically.
2. Key Definitions
- Personal Data: Any information that directly or indirectly identifies a natural person. This includes names, contact information, identification numbers, location data, and online identifiers. Even data that cannot identify a person on its own but does so when combined with other data is considered personal data under the UK GDPR.
- Data Subject: A natural person whose personal data is collected or processed. All rights and protections provided under the UK GDPR apply to this individual.
- Processing: Any operation performed on personal data, whether by automated or manual means. This includes collecting, recording, structuring, storing, modifying, retrieving, using, disclosing, deleting, or destroying the data.
- Controller: A person or legal entity (such as a company or public body) that determines the purposes and means of processing personal data. The controller is responsible for ensuring that data processing is lawful and compliant with data protection laws.
- Processor: A third party that processes personal data on behalf of the controller. A processor must act only on the controller’s instructions and is obligated to implement appropriate security measures to protect the data.
- Consent: A freely given, specific, informed, and unambiguous indication of the data subject’s agreement to the processing of their personal data. Consent must be based on a clear affirmative action.
- Third Country: Any country outside the United Kingdom. Transfers of personal data to third countries require additional safeguards to ensure that an adequate level of data protection is maintained.
3. Operator Rights and Responsibilities
The Operator, as the controller of personal data, has both rights and duties under the UK GDPR and the Data Protection Act 2018.
Rights of the Operator:
- To request accurate and up-to-date personal data from users to ensure proper service delivery and compliance.
- To continue processing personal data after consent is withdrawn, where another lawful basis applies (e.g., legal obligations or legitimate interests).
- To define the scope, procedures, and safeguards necessary for the secure and lawful processing of personal data in line with applicable UK data protection laws.
Obligations of the Operator:
To provide clear and accessible information about how personal data is collected, used, and protected.
To establish and maintain appropriate technical and organisational measures to safeguard personal data from unauthorized access, loss, or misuse.
To respond to data subject requests—such as access, rectification, or erasure—in a timely and lawful manner.
To report certain types of data breaches to the Information Commissioner's Office (ICO) without undue delay, and to affected individuals when required.
To document and maintain records of personal data processing activities where applicable.
To ensure staff and service providers handling personal data are adequately trained and aware of their responsibilities regarding data protection.
4. Data Subject Rights
Individuals whose personal data is processed (data subjects) are entitled to a number of rights under the UK GDPR. These rights are designed to provide transparency and give individuals control over how their data is handled:
Right to be Informed: Individuals have the right to be clearly informed about how and why their personal data is being processed. This includes details on the purposes of processing, categories of data, retention periods, and third-party recipients.
Right of Access: Individuals may request confirmation as to whether their personal data is being processed and, if so, obtain access to that data and relevant information about the processing.
Right to Rectification: If personal data is found to be inaccurate or incomplete, individuals have the right to request that it be corrected or supplemented without undue delay.
Right to Erasure (“Right to be Forgotten”): In certain circumstances, individuals can request the deletion of their personal data, such as when the data is no longer needed for the purposes for which it was collected or when consent is withdrawn.
Right to Restrict Processing: Individuals may request temporary limitation of processing, for example, when contesting the accuracy or legality of the data processing.
Right to Data Portability: Individuals can request a copy of their personal data in a structured, commonly used, and machine-readable format, and have the right to transmit that data to another controller if desired.
Right to Object: Individuals have the right to object to the processing of their personal data where it is based on legitimate interests or used for direct marketing purposes.
Right to Withdraw Consent: If processing is based on consent, individuals have the right to withdraw that consent at any time, without affecting the lawfulness of prior processing.
Right to Lodge a Complaint: Individuals may file a complaint with the Information Commissioner’s Office (ICO) if they believe their data protection rights have been violated.
5. Principles of Personal Data Processing
All personal data processing activities carried out by the Operator are based on the following core principles established by the UK GDPR:
Lawfulness, Fairness, and Transparency: Personal data is processed in a lawful manner, based on a valid legal basis (e.g., consent, contract, legal obligation). Processing is fair, meaning it aligns with individuals’ reasonable expectations, and is transparent, meaning individuals are clearly informed about how their data is used.
Purpose Limitation: Data is collected only for specified, explicit, and legitimate purposes. It is not further processed in a way that is incompatible with those original purposes.
Data Minimisation: Only personal data that is adequate, relevant, and limited to what is necessary for the intended processing purpose is collected and used.
Accuracy: Reasonable steps are taken to ensure that personal data is accurate and, where necessary, kept up to date. Inaccurate or outdated data is corrected or erased without delay.
Storage Limitation: Personal data is kept in a form that permits identification of data subjects only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required by law or regulation.
Integrity and Confidentiality (Security): Personal data is protected through appropriate technical and organisational measures against unauthorised or unlawful processing, accidental loss, destruction, or damage.
6. Purposes of Data Processing
The Operator processes personal data only for specific, explicit, and legitimate purposes, in accordance with the UK GDPR. These purposes include but are not limited to the following:
Managing website functionality and user accounts: To ensure the proper operation, security, and personalization of our website, and to enable users to create, access, and manage their accounts.
Providing educational services and certifications: To deliver access to AI-related training programs, monitor learning progress, issue certificates, and track participation in courses.
Customer support and communication: To respond to inquiries, provide assistance, and maintain records of communication in order to improve the quality and effectiveness of support.
Processing payments and issuing invoices: To manage financial transactions related to our services, including billing, refunds, and payment confirmations, while complying with financial and accounting regulations.
Sending service-related messages and marketing communications: To provide users with updates about services, changes to policies, or new offerings. Marketing communications (e.g. newsletters, promotions) are sent only when the user has provided valid consent, which can be withdrawn at any time.
Service improvement and user experience enhancement: To analyse usage trends, gather feedback, and make data-driven improvements to the platform, its content, features, and interface.
Compliance with legal and regulatory obligations: To meet statutory requirements under applicable laws, including tax reporting, data protection compliance, and responding to lawful requests from authorities.
7. Use of Cookies
Our website uses cookies and similar technologies (such as pixels and local storage) to ensure technical functionality, analyze user activity, enhance the user interface, and deliver personalized content. Cookies are small text files that are stored on a user’s device when they visit a website and are recognized on future visits.
Categories of cookies we use:
Strictly necessary cookies: These cookies are essential for the functioning of the website. They enable core functions such as navigation, session management, security, and access to secure areas. These do not require user consent as they are necessary for providing the requested service.
Analytical and performance cookies: These cookies help us understand how visitors interact with the website, such as which pages are visited and how much time is spent on each. We use this data to improve the website's structure and content. All data is collected in an aggregated and anonymized format.
Functionality cookies: These cookies allow the website to remember user choices (e.g., language, region, interface preferences) to provide a more personalized and user-friendly experience.
Marketing cookies (used only with consent): These cookies are used to display relevant advertisements to users, both on our website and across other platforms. They also help measure the effectiveness of advertising campaigns and track post-ad interactions.
Consent and cookie settings
In accordance with UK GDPR and the Privacy and Electronic Communications Regulations (PECR), users are presented with a cookie banner on their first visit, allowing them to consent to non-essential cookies (e.g., marketing or analytics). Users may withdraw or change their consent at any time through their browser settings or cookie management tools available on the site.
We do not use cookies to collect sensitive personal information, and no personally identifiable data is shared with third parties without a lawful basis.
Contact
If you have any questions about our use of cookies or how we handle your personal data, please contact us at:
Email: info@aidacs.io
8. Legal Bases for Processing
Under the UK General Data Protection Regulation (UK GDPR), every instance of personal data processing must have a lawful basis. The Operator processes personal data relying on the following legal grounds:
Consent: We obtain freely given, specific, informed, and unambiguous consent from individuals for certain types of data processing, such as receiving marketing emails, the use of non-essential cookies, or enabling optional analytical tools. Consent can be withdrawn at any time without affecting the lawfulness of processing already carried out.
Contractual Necessity: Personal data is processed when it is necessary to enter into or perform a contract with the data subject. This includes delivering access to training programs, issuing certificates, processing payments, and providing customer support.
Legal Obligation: In some cases, we are legally required to process personal data to comply with applicable laws and regulations. This includes tax reporting, maintaining accounting records, and fulfilling obligations under data protection laws.
Legitimate Interests: We may process personal data where it is necessary for our legitimate business interests, provided such interests are not overridden by the data subject’s rights and freedoms. Examples include improving website performance, ensuring system security, conducting internal analytics, and preventing fraudulent activity.
9. Data Collection, Storage, and Transfer
The Operator collects, stores, and transfers personal data in a lawful, secure, and transparent manner, ensuring compliance with applicable data protection laws.
Data Collection: Personal data is collected directly from users through various means, including registration and contact forms on the website, email correspondence, user interactions with platform features, and through the use of cookies and third-party analytics tools. We ensure that users are informed about the data being collected and its intended use.
Data Storage: All personal data is stored on secure servers located within the UK or in jurisdictions that provide an adequate level of data protection. We implement appropriate technical and organisational measures such as encryption, firewalls, access controls, and data backup procedures to protect the confidentiality and integrity of personal data. Access to data is restricted to authorised personnel only.
Third-party Data Sharing: When it is necessary to engage third-party service providers (such as hosting services, email platforms, learning management systems, or payment processors), personal data may be shared with them under strict contractual conditions. These providers act as data processors and are bound by data processing agreements that require them to adhere to security standards and process the data only on our instructions.
International Data Transfers: If personal data is transferred outside the United Kingdom, such transfers are conducted in accordance with UK GDPR requirements. We ensure that the recipient provides appropriate safeguards, such as being located in a country with an adequacy decision or by entering into Standard Contractual Clauses (SCCs) approved by the UK regulator. We take all reasonable steps to ensure that data subjects' rights remain protected.
10. Confidentiality and Security
The Operator is committed to protecting the confidentiality, integrity, and availability of personal data, in accordance with the principles of UK GDPR and industry best practices.
- Access Control: Access to personal data is granted strictly on a need-to-know basis. Only authorised personnel—those whose job roles require it—are permitted to access personal data. Access rights are regularly reviewed and updated based on role changes or departures.
- Technical Security Measures: We implement a range of technical safeguards to protect personal data, including but not limited to: data encryption (both in transit and at rest), secure authentication protocols (e.g., passwords, two-factor authentication), firewalls, intrusion detection systems, and secure backup solutions.
- Organisational Measures: Staff members with access to personal data are trained in data protection principles and required to comply with internal policies on confidentiality and secure handling. Confidentiality agreements are signed where necessary.
- Monitoring and Risk Assessment: We regularly conduct internal audits, security reviews, and risk assessments to identify potential vulnerabilities and improve existing protections. Where risks are identified, we apply proportionate mitigation strategies and monitor their effectiveness.
- Incident Response: In the event of a data breach or security incident, we follow a documented incident response procedure, which includes investigation, containment, and notification to the Information Commissioner’s Office (ICO) and affected individuals, where legally required.
11. Retention and Deletion
The Operator retains personal data only for as long as necessary to fulfil the purposes for which it was collected. Once those purposes are fulfilled, and there is no ongoing legal or business need to keep the data, it will be securely deleted or anonymised so that it can no longer be associated with an identifiable individual.
In cases where specific legal or regulatory obligations apply—such as for financial records, invoices, or tax documentation—personal data may be retained for up to six years or longer, depending on the applicable legislation.
Data subjects may request the deletion of their personal data at any time. Such requests will be honoured unless there are overriding lawful grounds for continued processing, such as legal compliance, contractual obligations, or the establishment, exercise, or defence of legal claims.
12. Transborder Data Transfers
When personal data is transferred outside the United Kingdom to a third country or international organisation, the Operator ensures that such transfers comply with the UK GDPR’s international transfer requirements.
Transfers are permitted only when:
The destination country benefits from an adequacy decision issued by the UK government, confirming that it provides an appropriate level of data protection.
Or the Operator and the recipient have entered into legally binding instruments or adopted Standard Contractual Clauses (SCCs) approved by the UK’s data protection authority to ensure appropriate safeguards are in place.
No cross-border transfers of personal data will occur without a valid legal basis and sufficient protection for the rights and freedoms of the data subjects.
13. Final Provisions
This Personal Data Processing Policy is publicly available and accessible at: https://aidacs.io/personal_policy. It reflects the Operator’s current data protection practices and may be updated from time to time to reflect changes in legislation, guidance from the Information Commissioner’s Office (ICO), or the Operator’s internal procedures.
Any significant updates will be communicated appropriately, and the latest version will always be available on our website.
For all questions, concerns, or requests regarding personal data processing, users may contact:
- Email: info@aidacs.io
- Regulator: Information Commissioner’s Office (ICO)
- Website: https://aidacs.io