Blackbullion privacy notice

This document was last updated on 16 Jan 2025.

Blackbullion Ltd (“Blackbullion”, “we”, “us” or “our”) offers online resources and services to assist our users. Our services are offered on the Blackbullion websites (available at www.blackbullion.com and www.business.blackbullion.com) and the Blackbullion App, as well as other Blackbullion websites and products (together, the “Sites”).

The protection of personal data, as well as compliance with privacy and data protection laws and regulations, is important to our organisation. We aim to ensure the privacy rights of our consumers, business contacts, and employees when we handle information about them.

This policy only applies to personal data collected through our Sites and App operated by Blackbullion or by third parties acting for and on our behalf as data processors and further processed for the purposes specified herein. This policy also does not apply to third-party online resources to which our websites may link, where we do not control the content or the privacy practices of such resources.

Should you have any questions about this policy or our data collection, use and disclosure practices, please contact us.

Who are we?

As referred to in this policy, references to “us”, “we”, “our” and “Blackbullion” means Blackbullion Ltd. (company number 07629923) of 5 Technology Park, Colindeep Lane, London, United Kingdom, NW9 6BX.

For the purposes of the Data Protection Act 2018 and the UK General Data Protection Regulation (“GDPR”), we are a data controller except where we also act as a data processor under the instructions of a third party (such as educational institutions or scholarship providers).

Changes to this policy

We reserve the right to make changes to this Privacy Policy. If we decide to change this Privacy Policy, we will post the changes on www.blackbullion.com/privacy. It is your responsibility to refer back to this Privacy Policy to review any amendments.

This Privacy Policy was most recently updated on the date stated at the beginning.

Collection of personal data

Personal data is anything that can identify an individual, either on its own or through combining it with other factors that could eventually identify an individual.

We have adopted this Privacy Policy to reflect the standards we have in place to protect the data we collect about individuals that is necessary for:

providing the products and services that we offer; and
the normal day-to-day operations of our business

By publishing this Privacy Policy we aim to make it easy for our users, customers and the public to understand what data we collect and store, why we do so, how we receive and/or obtain that information, and the rights each individual has with respect to their data in our possession.

We collect personal data online through our Sites (e.g. thescholarshiphub.org.uk and futures.blackbullion.com) Individuals may access many parts of our Sites without providing any personal data. If you contact us, we may keep a record of that correspondence. If you choose to provide your personal data, such as your name, address, date of birth, telephone number or e-mail address, by entering into forms or data fields on our Sites and/or corresponding with us, we will collect and may use that personal data in accordance with data protection laws.

Who this policy applies to

We handle data in our own right and also for and on behalf of our customers and users.

Our Privacy Policy does not apply to information we collect about businesses or companies, however it does apply to information which we store about the individuals in those businesses or companies.

The Privacy Policy applies to all forms of information, physical and digital, whether collected or stored electronically or in hard copy.

If, at any time, an individual provides data or other information about someone other than himself or herself, the individual warrants that they have that person's consent to provide such information for the purposes specified. The Sites are not available to persons under the age of 16 years. Individuals who are under 16 years of age have to inform and obtain their parents or guardians consent to the processing of their personal information, show this policy to their parents or guardians, provide their parents or guardians’ name and contact information to us, and have their parents’ consent to us processing their child’s personal information.

The information we collect

In the course of business it is necessary for us to collect data where we have express consent, pursuant to contract or where we have demonstrated a legitimate interest. This information allows us to identify who an individual is for the purposes of providing our services, share data when we are required to do so, contact the individual in the ordinary course of business and transact with the individual. Without limitation, the type of information we may collect includes:

Personal Information. We may collect personal details such as an individual’s name, location, date of birth, nationality, image, family details, student's university identification number, course information and other information that allows us to identify who the individual is and share details as part of our services. We may collect personal details as required by a funding or scholarship application which may include but is not limited to course information, name, personal circumstances, income and expenditure. We may also collect relevant information via open banking as required by funding and scholarship providers and for functionality of the Sites.
Contact Information. We may collect information such as an individual’s email address, telephone number, third-party usernames, residential, business and postal address and other information that allows us and others partners such as scholarship providers to contact the individual.
Bank and Transaction Data. If an individual links a bank account with their Blackbullion account, we may collect data relating to that bank account (including without limitation the institution name, sort code, account number, account balance) or any transaction (including without limitation the transaction amount, date, description, merchant) as is necessary in order for us to provide our services.
Engagement Data. Information about the learning content that an individual has viewed. If a user has opted to link their Blackbullion account with their university account (and that university is a client of ours), that university will be able to view the user’s Engagement Data as well.
Assessment Data. If an individual completes any assessments or challenges as part of completing a learning module, we may collect the answers submitted by the individuals and the results of those assessments or challenges. If a user has opted to link their Blackbullion account with their university account (and that university is a client of ours), that university will be able to view the user’s Assessment Data as well.
Information an individual sends us. We may collect any other personal information that an individual sends us.
Statistical & Device Information. We may also collect statistical and device information about an individual’s activity as specified in our Cookie Policy below. We use this information to tailor and improve our services.

You can refuse to provide your personal data to us. However, if you do not provide your data, this can have an effect on your use of the Sites, or some features on our Sites may not fully function.

The purposes for processing data

We will not use any data other than for the purpose for which it was collected, other than with the individual’s permission, or where we have a legitimate interest. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted.

When you use our app, you can choose to link with a bank to see personalised budgeting insights, monitor what you’re spending in each category or track all your bills and subscriptions on a monthly basis. We will process your contact details and financial data. We do this using open banking which allows you to securely share financial information with authorised providers granting them access to view information such as your transactions and regular payment. We never share your data and. The only person who can see your information is you.

We may process your personal data to the extent permitted or required under applicable laws, for the following purposes:

to verify your identity and to provide and deliver our services and products to you (“Performance Purposes”);
to respond to inquiries from you and/or communicating with you as necessary for the provision of our services (“Contact Purposes”);
to display your banking and financial information (including your open banking data) in your account on our Sites as necessary for the provision of our services and to process your data in relation to funding opportunities (“Financial and Funding Purposes”);
to provide you with research, reports and business intelligence and insights (“Analytics Purposes”);
to provide you with promotional information on Blackbullion’s product and services and to carry out other promotional activities, and to invite you to participate in surveys and market research activities and analyse your interests to improve Blackbullion’s products and services (“Marketing Purposes”);
investigating any complaints about or made by an individual, or if we have reason to suspect that an individual is in breach of any of our terms and conditions or that an individual is or has been otherwise engaged in any unlawful activity; or
to comply with and enforce our rights and perform our obligations under applicable laws (including GDPR).

We process your personal data for Performance Purposes and Analytics Purposes in order to perform our contractual obligations to you. It is also in our legitimate interests to process your personal data for Performance Purposes as it allows us to ensure the proper administration of our Sites and to improve the user experience within our Sites.

Similarly, it is in our legitimate interests to process your personal data for Contact Purposes in order to respond to any inquiries you may have and in order for us to be able to provide the services.

When you book a demo with us, we ask for your name, email address, phone number company name, company headcount, and we ask how you heard about us. We use this information to book a demo call with you and provide you with further information about our services. We record demo calls for training and reference purposes. The legal basis we rely on for this processing is Article 6(1)(f) of the GDPR - Legitimate Interest.

When you sign up to our newsletter or to one of our competitions or prize draw, we may collect information such as an individual’s email address, telephone number, third-party usernames, residential, business and postal address and other information that allows us and others within the partnership to contact the individual. An opt-out option is provided in all our communications. The legal basis we rely on for this is Article 6(1)(f) of the GDPR - Legitimate Interest or Article 6(1)(a) of the GDPR - Consent.

Occasionally we attend events and conference to raise awareness of our business and services. Event organisers may share event attendee names, company names, and company email addresses with us for marketing purposes. We may also take your business card or contact details from you directly during events. The legal basis we rely on for this is Article 6(1)(f) of the GDPR - Legitimate Interest.

To give you more information about our services, we may meet with you via a video call. For this we will need your name and email address to get the call set up. We use call recording and note taking software during our meetings which we sometimes use for preparation and training purposes, as well as to gain insights which inform marketing messaging. The legal basis we rely on for this is Article 6(1)(f) of the GDPR - Legitimate Interest.

When you sign up to one of our events, we will ask you to provide some information about yourself, such as your name and email, to send you an invitation and joining link, as well as your contact details, company name, job title, interests and expectations and payment details (if it is a paid event).We will rely on Article 6(1)(b) of the GDPR - Contractual Obligation and Article 6(1)(f) of the GDPR - Legitimate Interest for this processing. When you join the event, your name and live image may appear on screen. We will rely on Article 6(1)(f) of the GDPR - Legitimate Interest for this processing.

If we record our events, your name and live image may be captured in the video recording. Any contributions you make will also be captured. We may share these recording with attendees, or may publish the recordings to our website, Youtube, Vimeo, social media. You will be informed in advance if an event is going to be recorded, and how it will be shared. We will rely on Article 6(1)(f) of the GDPR - Legitimate Interest for this processing. Following an event, we may send feedback surveys and emails with information about new events that we think will interest you. We rely on Article 6(1)(a) of the GDPR - Consent for this processing.

When you set up an account, we will collect your mobile phone number so that we can send you a verification code via SMS. We will rely on Article 6(1)(f) Legitimate Interest of the GDPR for this processing. To improve the service we deliver to you, we use your IP address to carry out some technical functions including operational message logging, load balancer logging, feature flagging, and analytics. For this, we rely on Article 6(1)(f) of the GDPR - Legitimate Interest.

When you apply for a job with us, we ask you for some information about you to manage your recruitment process, such as your name, contact details and CV. We may also invite you to attend an interview via video call and complete tests as part of the recruitment process. The legal basis we rely on for this is Article 6(1)(f) of the GDPR - Legitimate Interest.

We make use of various job boards in the UK, US, and EEA to advertise roles, and collect applications. We use hiring platforms based in the EEA and US to manage job applications including, interview video call and recruitment We store names of applicants on a spreadsheet, along with interview notes and scores.

If you're offered a job with us, we'll retain your data during your employment and remove it in line with our obligations under UK law. Otherwise we will keep your data during your the interview process and remove it after 12 months.

Where we process your personal data for the Financial and Funding Purposes, we will ask for your consent before conducting any such processing. We will ask you for this consent when you link your bank account to your Blackbullion account. If you do not consent to any such use of your data, or if you withdraw your consent, you will not be able to access certain services on our Sites, such as your financial overview.

Where we process your personal data for Marketing Purposes, we will ask for your consent before conducting any such processing. You will be asked to opt in to receiving promotional information when you sign up to our services and can opt in or out to any marketing activities at any time via your Blackbullion account.

Finally, we may process your personal data to comply with and enforce our rights and perform our obligations under applicable laws.

How information is collected

Most information will be collected in association with an individual’s use of the Sites and our products and services. However, we may also receive data from other sources such as advertising, an individual’s own promotions, public records, mailing lists, contractors, staff, and recruitment agencies. In particular, information is likely to be collected as follows:

Registrations/Subscriptions/Purchases. When an individual registers, subscribes and/or purchases a product, service, list, account, connection or other process whereby they enter data details or grant access to information in order to receive or access something, including a transaction or services.
Accounts/Memberships. When an individual submits their details to open an account and/or become a member with us.
Supply/Contact. When an individual supplies us with services or contacts us in any way.
Pixel Tags. Pixel tags enable us to send email messages in a format customers can read and they tell us whether mail has been opened.

When you visit our Sites, we automatically collect information about your computer or other electronic devices which may include your Internet Protocol (IP) address, date and time of your request and information provided by tracking technologies, such as cookies. For more details concerning cookies, please refer to our Cookie Policy below.

We will publish changes to the way that information is collected at the point of collection and within this Privacy Policy.

We may also collect anonymous data such as traffic, IP addresses and transaction statistics, which may be used and shared on an aggregated and anonymous basis.

When data is disclosed

We disclose an individual’s information as necessary to perform the services on the Sites. It may also be necessary for us to disclose an individual’s data to third parties in a manner compliant with GDPR in the course of our business, such as for processing activities like website hosting.

If a user has opted to link their Blackbullion account with their university account (and that university is a client of ours), we may share that user’s Assessment Data and Engagement Data with staff of the linked university to enhance and inform their service provision as appropriate. Any such processing of Assessment Data and Engagement Data will be conducted for the purpose of performing our services and our contractual obligations to that user. Users that do not wish for their Assessment Data and/or Engagement Data to be shared with any linked universities in this way may choose not to link their accounts, in which case we will not share that data with any universities (but any such users may not have full access to our services).

We will not disclose or share an individual’s data to unrelated third parties under any circumstances unless: (a) applicable consent has been obtained for us to share your personal data with that third party (for example, where you indicate you are interested in an establishment and would like us to share your contact details with them so they can tell you about their offerings, or where you want to share Learning Information with a third party); (b) we are processing your personal data (such as Learning Information, Assessment Data and Engagement Data) as a service provider for or on behalf of that third party, and that third party is the controller in respect of your personal data (for example, where you are signing into Blackbullion in connection with your studies or prospective studies, and we are providing a service to your university, in which case please refer to your university's privacy policy to understand your rights and how your personal data is used); or (c) we engage other third-party services providers to perform tasks on our behalf and we need to share your information with them to provide products and services to you (in which case we will not permit those third parties to use your personal data for their own independent purposes). We will only provide our service providers with personal data which is necessary for them to perform their services, and we require them not to use your information for any other purpose. We will use our best efforts to ensure that all our service providers keep your personal data secure and comply with the requirements of GDPR. These service providers may be located outside the United Kingdom and/or European Economic Area (“EEA”), in which case the provisions of the section below will apply

There are some circumstances in which we must disclose an individual’s information:

Third parties permitted by law. In certain circumstances, we may be required to disclose or share personal data in order to comply with legal or regulatory obligations (for example, we may be required to disclose personal data to the police, regulators, government agencies or to judicial or administrative authorities). We may also disclose personal data to:
- regulators or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts; or
- any third party in the context of actual or threatened legal proceedings, provided we can do so lawfully (for example, in response to a court order).
Third parties connected with business transfers. We may transfer your personal data to third parties in connection with a reorganisation, restructuring, merger or acquisition or transfer of assets, provided that the receiving party agrees to treat your personal data in a manner consistent with this Privacy Policy. If we are involved in a merger, asset sale, financing, liquidation or bankruptcy, or acquisition of all or some portion of the business to another company, you consent to us sharing information with that company before and after the transaction closes.

We will not sell your personal data to third parties.

Please note our Sites may, from time to time, contain links to and from the websites of our business contacts or affiliates. Please note that these websites have their own privacy policies and we have no control over how they may use your personal data. You should check the privacy policies of third party websites before you submit any personal data to them.

Transfer of data outside of the EEA

We will not transfer personal data relating to you to a country which is outside the EEA unless one of the following scenarios under GDPR applies:

the country or recipient is covered by UK adequacy regulations under GDPR Article 45;
appropriate safeguards have been put in place which meets the requirements of GDPR Article 46; or
one of the derogations for specific situations under GDPR Article 49 is applicable to the transfer. This includes, in summary:
- where the transfer is necessary to perform, or to form, a contract to which we are a party (i) with you, or (ii) with a third party where the contract is in your interests;
- the transfer is necessary for the establishment, exercise or defence of legal claims;
- you have provided your explicit consent to the transfer; or
- the transfer is of a limited nature, and is necessary for the purpose of our compelling legitimate interests.

Cookie policy

Our website uses cookies to distinguish you from other users of our Sites. This helps us to provide you with a good experience when you browse our Sites and also allows us to improve our Sites.

A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your device if you agree. Cookies contain information that is transferred to your device’s hard drive. We use the following cookies on our Sites:

Strictly necessary cookies. These are cookies that are required for the operation of our website. These essential cookies are always enabled because our Sites won’t work properly without them. They include, for example, cookies that enable you to log into secure areas of our Sites. You can switch off these cookies in your browser settings but you may then not be able to access all or parts of our Sites. And some of these cookies are:

Cookie Name	Provider	Purpose	Expiry
_cookie_consent	internal	Used to store the user's cookie consent preferences	1 year 1 month 1 day
laravel_session	internal	Used to identify the user's browsing session	1 month 2 days
XSRF-TOKEN	internal	Used to secure both the user and our website against cross-site request forgery attacks	1 month 2 days

Non-essential cookies. These are additional to the performance of our website and help us improve the service we provide to you and some of these are:

Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our Sites when they are using it. This helps us to improve the way our Sites work, for example, by ensuring that users are finding what they are looking for easily.
Functionality cookies. These are used to recognise you when you return to our Sites. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
Targeting cookies. These cookies record your visit to our Sites, the pages you have visited and the links you have followed. We will use this information to make our Sites and the advertising displayed on them more relevant to your interests.

Cookie Name	Provider	Purpose	Expiry
_ga	Google Analytics	Main cookie used by Google Analytics, enables a service to distinguish one visitor from another	2 years 2 months 2 days
_ga_WK426JZ4FE	Google Analytics	Registers a unique ID that is used to generate statistical data on how the visitor uses the website	2 years 2 months 2 days
_gid	Google Analytics	Registers a unique ID that is used to generate statistical data on how the visitor uses the website	1 day
_gat	Google Analytics	Used by Google Analytics to throttle the request rate	1 minute
_hjSession_1726937	Hotjar	Collects statistics on the visitor's visits to the website, such as the number of visits, average time spent on the website and what pages have been read	2 hours
_hjSessionUser_1726937	Hotjar	Collects statistics on the visitor's visits to the website, such as the number of visits, average time spent on the website and what pages have been read	2 hours
_fbp	Facebook/Meta	Used by Facebook to deliver a series of advertisement products such as real time bidding from third party advertisers	2 hours
_tt_enable_cookie	TikTok	Used by the social networking service TikTok for tracking the use of embedded services	2 hours
_ttp	TikTok	This cookie is used for analytics to improve TikTok remarketing and exclusions audiences	2 hours

Please note that we may share information collected by the cookies with the following third parties. These named third parties may include, for example, advertising networks and providers of external services like web traffic analysis services. These third party cookies are likely to be analytical cookies or performance cookies or targeting cookies:

AWS, which we use to host the Blackbullion platform.
Mixpanel, which provides us with product analytics to improve the service.
Other service providers such as Hotjar, HubSpot, Google Analytics and Facebook.

When you use our Sites you will be asked to consent to our use of cookies and to the sharing of any information collected by the cookies with any third parties. You can choose which analytical, functionality and targeting cookies we can set by selecting the applicable options on our Sites, or by switching off cookies in your browser settings. You can also choose to "Reject All" cookies in the cookie banner. However, if you use your browser settings to disable or block cookies or withdraw your consent to our use of cookies (or to the sharing of information collected by the cookies with any third parties), you may not be able to access all or parts of our Sites and parts of our Sites may not function properly.

Opting “in” or “out” for Marketing Purposes

As stated above, we will only process your personal data for Marketing Purposes with your consent. You may withdraw your consent or opt out of any marketing at any time via your Blackbullion account. You will be aware of this when:

Opt In. Where relevant, you will have the right to choose to have information collected and/or receive marketing information from us by clicking on the ‘opt in’ button; or
Opt Out. Where relevant, you will have the right to choose to exclude yourself from some or all collection of information and/or receiving marketing information from us.

You can ask us to stop sending you marketing messages at any time by logging into the Sites and checking or unchecking relevant boxes to adjust your marketing preferences, by following the opt-out links on any marketing message sent to you or by contacting us at any time.

If you believe that you have received information from us that you did not opt in to receive, you should contact us using the details below.

The safety & security of data

We have implemented appropriate technical and organisational security measures to protect personal data in our possession from unauthorised access, disclosure, alteration or destruction. Such measures include administrative, technical and physical safeguards, for example, limiting access to personal data only to employees and authorised service providers who need to know such information for the purposes described in this Privacy Policy.

We will take all reasonable precautions to protect an individual’s data from unauthorised access. This includes appropriately securing any electronic networks.

Each individual that provides information to us via the internet or by post does so at their own risk. We cannot accept responsibility for misuse or loss of, or unauthorised access to, data where the security of information is not within our control.

We are not responsible for the privacy or security practices of any third party (including third parties that we are permitted to disclose an individual’s data to in accordance with this Privacy Policy or any applicable laws). The collection and use of an individual’s information by such third parties may be subject to separate privacy and security policies. If an individual suspects any misuse, loss of, or unauthorised access to their data, they should let us know immediately.

To the extent permitted by law, we are not liable for any loss, damage or claim arising out of another person’s use of the data where we were authorised to provide that person with the data.

UK & EU - Your rights

If you are a resident in the UK, you have the following rights in accordance with applicable laws and regulations:

Access. You have the right to obtain from us confirmation as to whether or not personal data concerning you is being processed, and, where that is the case, to request access to the personal data. You have the right to obtain one copy of the personal data we hold about you at no cost, but for any further copies, we reserve the right to charge a reasonable fee based on administration costs.
Rectification. You have the right to have incomplete or inaccurate personal data that we process about you rectified.
Erasure. You have the right to request that we delete personal data that we process about you, except we are not obliged to do so if we need to retain such data in order to comply with a legal obligation or to establish, exercise or defend legal claims.
Restriction. You have the right to restrict our processing of your personal data where you believe such data to be inaccurate; our processing is unlawful; or that we no longer need to process such data for a particular purpose unless we are not able to delete the data due to a legal or other obligation or because you do not wish for us to delete it.
Portability. You have the right to obtain personal data we hold about you, in a structured, electronic format, and to transmit such data to another data controller, where this is (1) personal data which you have provided to us, and (2) if we are processing that personal data on the basis of your consent or to perform a contract with you.
Objection. Where the legal justification for our processing of your personal data is our legitimate interest, you have the right to object to such processing on grounds relating to your particular situation. We will abide by your request unless we have compelling legitimate grounds for the processing which override your interests and rights, or if we need to continue to process the data for the establishment, exercise or defence of a legal claim.
Withdrawing Consent. If you have consented to our processing of your personal data, you have the right to withdraw your consent at any time, free of charge. This includes where you wish to opt-out from marketing messages.

Where you wish to exercise any of these rights, please contact us using the details below. For your own privacy and security, we may require evidence of your identity or to be provided with additional information before we are able to act on your request when the information we have is insufficient to accommodate your request. We will attempt to provide any requested information or make requested changes in accordance with applicable laws.

If you cannot update your own information, we will correct any errors in the data we hold about you within 7 days of receiving written notice from you about those errors. Information will be provided within one month of receipt of the request.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

It is an individual’s responsibility to provide us with accurate and truthful data. We cannot be liable for any information that is provided to us that is incorrect. The foregoing (and your right to object as discussed below) apply unless (and to the extent) we hold personal data about you on behalf of a third party and only process it on their instructions, for example where we provide learning and assessment services to a third party such as your university, and you access those services through our Sites, in which case, we will forward your request to that third party which is the controller in respect of the processing of your personal data, and you should liaise with them to discuss your request.

US - Your rights

The right to know. You have the right to ask a business to disclose what personal data they have collected, used, shared or sold about you and why it was collected, used, shared or sold. You have the right to this information for the 12 month period preceding your request. The data should be provided in a portable format.
The right to opt-out of sale. You have the right to ask a business to stop selling your personal information (”opt-out”). With some exceptions, a business cannot sell your personal information if they receive an opt-out request unless you provide authorisation allowing them to again.

Nevada Residents: We do not sell your personal information, but nevertheless we offer an opt out to sales of your data in an overabundance of caution to ensure compliance with Nevada law. Verified requests under Nevada law (NRS 603A) to not make any sale of any covered information we have collected or will collect regarding you may be sent to {email address} Please included in your email "Request for Nevada Opt-Out" in the subject line and in the body of your message.
The right to delete. You have the right to request that businesses delete personal information they collected about you and to tell their service providers to do the same. There are some exceptions that allow businesses to keep your personal information.
The right to non-discrimination. Businesses cannot deny goods or services, charge you a different price, or provide a different level or quality of goods or services just because you exercised your rights under the CCPA.
The right to rectification. You have the right to ask us to rectify the personal information you think is inaccurate or to complete information you think is incomplete. When you ask us to rectify your information, if we’ve shared your personal information with others, we’ll let them know about the rectification where possible.
The right to limit use of sensitive information. You have the right to ask us to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested. If we’ve shared your personal information with others, we’ll let them know about the restriction where possible.
Shine a Light (California Residents). If you are a California resident and have an established business relationship with us, you can request a notice disclosing the categories of personal information we have shared with third parties for the third parties’ direct marketing purposes during the preceding calendar year. To request a notice, please submit your request to: data@blackbullion.com. Please include in your email "Request for California Shine the Light Opt-Out" in the subject line and in the body of your message. Please allow 30 days for a response.

You don't have to pay anything in order to exercise your rights. Please contact us by sending an email to data@blackbullion.com or use our toll free number {phone number} if you wish to make a request under your rights; we have a 45 days to get back to you with a response.

Complaints and disputes

You have the right to object to any processing of personal data that is not based on legitimate interests or the performance of a task in the public interest/exercise of official authority (including profiling), and direct marketing, unless we hold legitimate grounds for processing or the processing is for the establishment, exercise or defence of legal claims.

You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your data infringes upon GDPR.

If an individual has a complaint about our handling of their data, they should address their complaint in writing to us using the contact us details below.

If we have a dispute regarding an individual’s data, we both must first attempt to resolve the issue directly between us.

If we become aware of any unauthorised access to an individual’s data which is likely to result in a high risk for the rights and freedoms of the data subject we will inform them at the earliest practical opportunity once we have established what was accessed and how it was accessed.

If you are based in the UK, you also have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office, if you believe that we have not complied with applicable personal data protection laws. Please see further information on their website: www.ico.org.uk.

Your personal data retention period

Unless we are required or permitted by law to hold on to your data for a specific retention period we will hold your personal data only for as long as is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements, in particular:

contact data is retained for as long as you are an active user of our Sites and for two years after you delete your account;
marketing data is retained unless and until you withdraw your consent; and
funding applications data is retained for the period required by the applicable university for that application.

We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Where possible, we aim to anonymise the information or remove unnecessary identifiers from records that we may need to keep for periods beyond the original retention period. Where we no longer need your personal data, we will dispose of it in a secure manner.

Contacting us

All correspondence with regards to privacy should be addressed to:

data@blackbullion.com
The Data Protection Officer
Blackbullion Ltd
5 Technology Park, Colindeep Lane, London, United Kingdom, NW9 6BX