This privacy policy applies for processing of personal data when Keystone Education Group AB ("we" or "us") processes personal data in the capacity of data controller, for instance related to personal data about prospective students, visitors of our websites and contact information of contact persons at institutions and universities.
1. WHO WE ARE
We are a part of the Keystone Education Group (“Keystone”), which is trusted by more than 120 million unique prospective students every year to help them make one of the most important decisions of their lifetimes, namely, which educational program to attend. At Keystone, we help prospective students find the right education to pursue their dreams, whether they are seeking higher education, wanting to expand their knowledge through a course, or upskilling as a professional.
As part of its services, Keystone offers distinct websites tailored to each level of study, assisting prospective students in exploring and discovering thousands of degree programs and institutions worldwide. These platforms provide detailed information and allows users to compare various educational programs. Additionally, Keystone facilitates the opportunity to connect and communicate directly with the admissions offices of relevant institutions, enabling prospective students to obtain the necessary information and assistance for their educational journey. Keystone also provides similar services for other individuals or representatives of businesses or organisations seeking to connect with various providers of activities and courses.
For the purpose of this privacy policy, schools, universities, course providers, leisure activity providers, and other institutions, are jointly referred to as "education providers").
2. About the privacy policy
This privacy policy applies for processing of personal data when we processes personal data in the capacity of data controller, for instance related to personal data about prospective students, visitors of our websites and contact information of contact persons at education providers.
This privacy policy does not cover instances where we act as a data processor, processing personal data on behalf of an education provider, or when the education provider itself act as a controller for the relevant processing of personal data. This is the case when the relevant education provider communicates with prospective students, enrols them into programs, courses or activities, or otherwise manages and stores their data using our CRM platform after we have facilitated the initial connection. In these situations, the respective education provider is the independent data controller, and we advise you to read the privacy policy of the respective education provider for details on their processing of personal data.
3. WHO WE PROCESS PERSONAL DATA ABOUT
The privacy policy governs the processing of personal data for the following persons:
- Prospective students and others submitting personal information through lead forms or by registering a user account
- Prospective students and others who send inquiries directly to us via our website's contact form or via e-mail
- Education provider representatives
- Visitors to our websites
4. PURPOSE, CATEGORIES OF PERSONAL DATA, LEGAL BASIS, AND RETENTION PERIOD
All processing of personal data is carried out in accordance with the applicable data protection rules, including the General Data Protection Regulation (GDPR).
4.1 Processing of personal data relating to student information request forms
Certain education providers have customized information request forms located within their dedicated profiles on our websites. When you express interest in education providers by submitting such forms, we process the personal data provided in the forms—typically your name, email address, telephone number, country of residence, and any information entered into free text fields— to deliver it to the respective education provider.
The primary purpose of the information request form is to establish a direct connection between you and the education provider of your interest and to facilitate further communication. It is the responsibility of the education provider to configure these forms and specify the information that prospective students must provide to initiate contact or submit an inquiry.
Upon submission of an information request form through our websites, the information you provide is directly transmitted to the relevant education provider. The education provider that receives this data acts as the separate data controller for the processing of this personal data. For detailed information regarding an education provider’s data processing practices, please consult the privacy policy of the specific education provider.
The legal basis for our processing of your personal data in this context is established under Article 6 no. 1 (a) of the GDPR, which necessitates your consent for us to submit the information request form to the relevant education provider. Upon submission, the education provider then becomes the separate controller of this data. Additionally, if the education provider is located outside of the EU/EEA, the transfer of your personal data is correspondingly based on your explicit consent, pursuant to Article 49 no. 1 (a) of the GDPR. For further details on transfer of personal data outside of EU/EEA, please refer to Section 6 below.
The personal data requested by the relevant education provider in the information request form will be processed by us solely for the purpose of creating a user account, as detailed in Section 4.2. Any additional information provided in the lead form that is not necessary for creating a user account will not be stored or processed by us once the lead form has been submitted to the relevant institution or university.
4.2 Processing of personal data relating to user accounts
You can create a user account to facilitate access to our platform and enable direct communication with education providers following your initial inquiry or request via the information request form. The user account allows you to view and track your academic interests directly within our websites.
You can choose to create a user account directly on our websites by filling out the Sign-up form. A user account is also automatically created for you when you submit an information request form to an education provider through our websites, or as embedded on the website of a relevant education provider.
The personal data we process about you as a user within the user account includes:
- Your name, username, email address, telephone number, and country of residence, and any additional information about you that you have provided
- Information about your academic interests
The legal basis for the processing of personal data is GDPR Article 6 no. 1 (f), our legitimate interest in establishing and administrating a user account to connect you with education providers that you have expressed an interest in and facilitate communication after submitting the information request form.
The personal data collected in this context will be retained until you delete your user profile. Your personal data will also be deleted if no activity has been registered on your user account for a period of two years unless you have given us written permission for continued storage.
4.3 Entering into and administration of service agreements with institutions or universities
We process personal data of contact persons at education providers, solely to the extent necessary to enter into and administer service agreements with the education providers. This processing of personal data is conducted based on Article 6 no. 1 (f) GDPR, which pertains to our legitimate interest to facilitate the initiation and ongoing management of the agreement with customers. As such, the processing of your personal data as a contact person for an education provider is justified by our need to effectively establish and maintain the contractual relationship.
The personal data we receive in connection with this processing will be deleted upon the termination of the agreement with the specific customer. However, certain information may be retained for a longer period, if necessary, in the context of bookkeeping and accounting purposes or for us to defend against potential legal claims. All personal data will be permanently deleted once the legal deadlines for filing complaints have expired.
4.4 Requests and inquiries
When you contact us via the contact forms on our websites, e-mail or phone, with inquiries related to our services, platform or otherwise, we process the personal data you provide, such as your name and contact information, along with any other personal data included in your request. The processing of this personal data is necessary to effectively respond to your inquiries and provide the information or support you are seeking.
The legal basis for this processing is established under GDPR Article 6 no. 1 (f), which is our legitimate interest in responding to your requests. We process your personal data solely to provide the necessary responses and assistance you require. Your personal data will be deleted within two years after your request has been fully responded to.
4.5 Providing feedback and submitting reviews
When you provide feedback or submit reviews on our websites, we process the personal data you provide, which typically includes your name, contact information, and any personal data you include in free text fields within the feedback or review form. Reviews submitted by you may also be published on our website, making them accessible to visitors. The purpose of the processing is to use your feedback to improve our services and make your reviews available on our websites.
The legal basis for processing your personal data relating to feedback is Article 6 no. 1 (f) GDPR, our legitimate interest to improve our services based on the feedback we receive. The personal data collected for this purpose will be deleted when your feedback/review is no longer relevant or the service that you have reviewed or provided feedback on is removed from our websites.
The legal basis for submitting your reviews on our websites is your consent, cf. Article 6 no. 1 (a) GDPR. Your personal data will be deleted if you withdraw your consent.
4.6 Administration of contests and surveys
We may conduct surveys and organize contests as part of our services or as an offer to you as a user of our platform. Should you choose to participate in a contest or survey, we will process personal data such as your name, contact information, and any other personal data you provide through free text fields. This information is collected to facilitate your participation, manage the contest or survey effectively, and communicate with you as a participant in the contest or survey.
The legal basis for processing your personal data when you participate in a contest or survey is your consent, as outlined in Article 6 no. 1 (a) GDPR. The personal data collected for these activities will be deleted within two years after the conclusion of the contest or survey has been conducted.
4.7 Marketing activities
We carry out electronic marketing activities to users of our platform and subscribers of our newsletters, to inform about services provided by us or education providers that may be relevant to you.
In order to carry out such marketing activities we process the following personal data:
- Name
- Email address
The legal basis for the processing is your consent, cf. GDPR Article 6 no. 1 (a). In some cases, marketing material is distributed on the basis of GDPR Article 6 no. 1 (f) and the existing relationship with you.
To deliver relevant information to our users, we may target the content solely based on the academic interests associated with your user account. Your academic interests are determined either through the preferences you directly add to your account or from the interests you demonstrate by submitting information request forms for specific academic fields or geographical areas. We do not use any additional information for this purpose.
The legal basis for the processing of personal data that is conducted in order to target the content to your interests is GDPR article 6 no. 1 (a), your consent.
You have the right to withdraw your consent for marketing activities at any time, either by changing the settings in your user account, contacting us directly or by utilizing the unsubscribe option provided in the emails you receive from us. Upon withdrawal of your consent, your personal data will be deleted unless it is required for other purposes, such as maintaining your user account.
4.8 Use of Cookies
We use cookies to ensure the proper functioning of our websites' various services. Cookies are small text files stored on your device's browser when you visit our sites. Some cookies, known as "necessary cookies," are essential for the operation of our websites. These cookies enable fundamental functionalities such as accessing your secure areas.
Where these necessary cookies involve the collection or storage of personal data—such as your IP address, operating system details, browser ID, and your interactions with our site —we process this information based on our legitimate interest in maintaining our website's functionality and security, as stipulated under Article 6 no. 1 (f) of the GDPR.
In addition to necessary cookies, we may use cookies for other purposes, such as for statistical analysis/measurement, marketing, and integration of social media. The legal basis for using such cookies is your separate consent that you have given through the cookie banner on our websites, pursuant to Article 6. no. 1 (a) of the GDPR.
Further details about the cookies used by us and how to manage them can be found within our cookie banner. Apart from necessary cookies, which are essential for website functionality, you have the flexibility to tailor your cookie preferences. Options include accepting all cookies, rejecting all cookies, or customizing settings for each cookie category and purpose by selecting "Settings." You can modify or withdraw your consent at any time by adjusting these preferences in the cookie banner.
You can always delete cookies by going into your browser settings and deleting content. If you need any assistance in this regard, you are welcome to contact us by using the contact details set out at the end of this privacy policy.
5. RECIPIENTS OF YOUR PERSONAL DATA
In addition to providing education providers with submitted information about prospective students, we may disclose personal data to others to the extent necessary for the administration of our operations and to carry out our business.
we may, among other things, share your personal data with our suppliers of IT systems and technical assistance. These parties process your personal data by virtue of their role as data processors, and their processing is subject to a data processing agreement. The suppliers are required to act according to documented instructions from us and may not use personal data for their own purposes.
In order to administrate our services, we also share data with entities within the Keystone Education Group. This processing is subject to inter-company data processing agreements, which ensure coherent processing and sufficient technical and organizational measures.
In addition, we may in some cases disclose your personal data to other companies who will themselves be responsible for how they process your personal data. For example, we may disclose your personal data to partners who handle payment services and public authorities if this is required by law or by a legally enforceable judgment or order.
If we sell or buy any business or assets, we may transfer your personal data to a prospective seller or buyer of such business or assets. If we or a significant part of our assets are sold to another company, your personal data may also be shared in connection with the sale.
We always implement appropriate technical and organizational security measures in accordance with applicable data protection legislation to ensure that your personal data is handled in a secure manner when transferring or sharing personal data with a third party.
6. TRANSFERS OF YOUR DATA TO COUNTRIES OUTSIDE THE EU/EEA
Generally, we process your personal data within the EU/EEA. If the personal data is processed outside the EU/EEA, there is either an adequacy decision from the European Commission in place, which ensures that the third country in question guarantees an adequate level of protection, or we ensure that appropriate safeguards are in place to ensure that your rights under the GDPR are safeguarded. Examples of such appropriate safeguards are that the data transfer is subject to the European Commission's Standard Contractual Clauses (SCC's) or that the relevant third party follows approved standards of conduct.
For education providers located outside the EU/EEA, we will naturally have to transfer your data outside of the EU/EEA in order to provide your request to the relevant education provider. This transfer is necessary for us to submit your information to the education provider of your choice.
As part of this, we obtain your consent, cf. Article 49 no. 1 (a) GDPR. If you do not consent to the relevant education provider receiving the relevant information, we are not able to submit your request. Please note that the country receiving your personal data may not provide the same level of data protection as found within the EU/EEA. It is important to read the privacy policy of the specific education provider for detailed information on the associated risks.
If you would like more information about the security measures we have implemented, please contact us by using the contact details set out at the end of this privacy policy.
7. SECURITY OF THE PROCESSING
All our processing of personal data is secured by relevant and appropriate technical and organizational measures to protect your data and ensure your rights. We regularly review our security policies and processes to ensure that our systems are secure and protected.
We handle personal data so that it is accurate, accessible and processed in accordance with the degree of sensitivity of the data. We also use a range of security technologies and information security procedures to protect personal data from unauthorized access, use or disclosure.
We have entered into data processing agreements with all our suppliers that process personal data.
We restrict access to personal data strictly to the staff or third parties who have a necessary need to process the data on our behalf. These parties are subject to a duty of confidentiality.
8. YOUR RIGHTS WHEN WE PROCESS PERSONAL DATA ABOUT YOU
Below is an overview of your rights under the GDPR:
Right to information and access:
We strive to be open and transparent about how we process your personal data. If you wish to know more about how we process your personal data or wish to receive the personal data we process about you, you can request access to the information we have stored about you. If we receive an access request, we may ask you to provide more information about who you are to ensure that we provide the data to the right person.
The right to rectification:
If you become aware that we hold outdated or inaccurate information about you, you can ask us to correct the error at any time by contacting us.
The right to erasure and restriction:
You have the right to request that your personal data is erased or that its use is restricted, for example, if you believe that your personal data is being processed in violation of applicable law. We will as far as possibly comply with a request to erase personal data, but we cannot do this if we are required by law to store certain data e.g. for accounting purposes or to comply with a legal claim.
The right to data portability:
In some cases, you may have the right to obtain the personal data you have provided to us in a structured, commonly used and machine-readable format. If technically possible, you may also request that the data be transferred to a third party.
The right to object:
You have the right to object to our processing of your personal data if, for example, it is processed on the basis of our legitimate interests.
The right to withdraw consent:
If you have given consent to our processing of your personal data, you always have the right to withdraw this consent at any time by contacting us. However, this does not affect the lawfulness of the processing based on your consent until you have withdrawn it.
To exercise your rights, as described above, you can contact us by using the contact details set out at the end of this privacy policy.
Your inquiry will be answered as quickly as possible, and within one month at the latest. If it takes longer than one month, you will always be notified, together with the reason for such delay.
9. COMPLAINTS
If you feel that our processing of personal data does not comply with what we have described here or that we are otherwise in breach of the data protection regulations, you can complain to the Swedish Data Protection Authority:
Integritetsskyddsmyndigheten
Box 8114, 104 20
Stockholm
Sweden
E-mail: imy@imy.se
You can find more information about complaints to the Swedish Data Protection Authority on their website.
10. CHANGES
If there are changes made in how we process your personal data, we will update or change our Privacy Policy. In the event of major changes, we will inform account users of this.
11. Contact
Our contact information is:
Keystone Education Group AB
Karlavägen 100 A, Plan 5,
115 26 Stockholm
Sweden
Organisationsnummer: 556652-1653
If you have any questions about how we process your personal data, or if you wish to exercise your rights under the GDPR, please contact us at contact@keystoneacademic.com. Detailed information on these rights can be found in Section 8.