Sign in

Legal

Privacy Policy

Version: 2026.04.23

Effective At: 23 April 2026

Privacy Policy

Effective date: 23 April 2026 Version: 2026.04.23

1. Introduction

This Privacy Policy explains how the operator of the ANNUVELL platform (the Company, we, us, or our) collects, uses, shares, stores, and otherwise processes personal data in connection with the ANNUVELL ecosystem, including the main website, marketplace, store, school, support channels, and related services.

This policy is intended to support transparency under applicable data protection law, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and, where relevant, the Privacy and Electronic Communications Regulations 2003 (PECR).

2. Controller Status and Scope

Unless we expressly state otherwise for a particular service or transaction, we act as a data controller for the personal data described in this Privacy Policy.

In some circumstances, we may process personal data on behalf of another person or organisation acting as controller, in which case we act as a processor and apply the relevant contractual and legal safeguards.

3. Personal Data We May Collect

Depending on how you use the platform, we may collect and process the following categories of personal data:

3.1 Identity and Contact Data

  • name;
  • display name or username;
  • email address;
  • telephone number;
  • billing address;
  • delivery address;
  • business or trading details where relevant.

3.2 Account and Authentication Data

  • login identifiers;
  • encrypted or hashed authentication credentials;
  • password reset and verification records;
  • sign-in history and session information;
  • account status, roles, and preferences.

3.3 Transaction and Payment-Related Data

  • order details;
  • purchase history;
  • refund and return records;
  • seller payout or onboarding status;
  • payment references or partial payment metadata supplied by payment processors.

We do not intentionally store full payment card details on our own application servers unless explicitly stated otherwise.

3.4 Marketplace Data

  • listing information;
  • service requests and order records;
  • messages or support information connected to transactions;
  • seller business compliance data;
  • dispute and moderation records.

3.5 Learning and School Data

  • enrolment and course-access data;
  • learning progress;
  • submissions and assessment records;
  • attendance or engagement data;
  • learner communications and support history.

3.6 Technical and Usage Data

  • IP address;
  • browser and device information;
  • operating system;
  • timestamps;
  • referral source;
  • page interactions;
  • logs and diagnostics;
  • cookie or similar technology identifiers.

3.7 Communications and Support Data

  • enquiries you send to us;
  • support tickets and contact form submissions;
  • complaint records;
  • feedback and survey responses.

3.8 Compliance and Legal Data

  • records of legal-policy acceptance;
  • cookie consent records;
  • identity verification information where needed;
  • data-rights request records;
  • fraud-prevention and security investigation records.

4. Sources of Personal Data

We may collect personal data:

  • directly from you;
  • from your use of the platform;
  • from cookies and similar technologies where permitted;
  • from third-party service providers such as payment providers, identity providers, analytics providers, hosting providers, or communication tools;
  • from other users where relevant to a transaction, support case, or dispute;
  • from publicly available or legally available sources where appropriate for fraud prevention, compliance, or business verification.

5. Purposes of Processing

We may process personal data for the following purposes:

  • creating and managing user accounts;
  • providing website, marketplace, store, and school services;
  • processing purchases, returns, refunds, and order support;
  • facilitating transactions between users where applicable;
  • enabling seller onboarding, compliance, and payout workflows;
  • administering courses, assessments, and learner access;
  • authenticating users and securing accounts;
  • communicating with users about transactions, services, or support;
  • improving platform performance, usability, and reliability;
  • operating analytics and preference features where lawfully permitted;
  • monitoring misuse, fraud, abuse, or security incidents;
  • complying with legal, regulatory, tax, accounting, or enforcement obligations;
  • establishing, exercising, or defending legal claims;
  • maintaining records of consents, preferences, and legal-policy acceptance.

6. Lawful Bases for Processing

Where the UK GDPR applies, we rely on one or more lawful bases depending on the context, including:

6.1 Contract

Where processing is necessary to perform a contract with you or take steps at your request before entering into a contract.

6.2 Legitimate Interests

Where processing is necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights and interests. This may include platform administration, service improvement, fraud prevention, account security, record-keeping, moderation, and business operations.

6.3 Legal Obligation

Where processing is necessary for compliance with applicable laws, regulations, court orders, or lawful requests.

6.4 Consent

Where we rely on consent, such as for certain categories of non-essential cookies or communications where required by law. Where consent is the lawful basis, you may withdraw it at any time, although this does not affect the lawfulness of processing carried out before withdrawal.

6.5 Vital Interests or Other Available Bases

Where relevant and permitted by law, we may also rely on other lawful bases recognised under applicable data protection law.

7. Cookies and Similar Technologies

We use cookies and similar technologies for essential site operation and, where permitted, for analytics, preferences, and other non-essential purposes. Our Cookie Policy explains this in more detail. Where required by law, non-essential technologies are not activated unless valid consent is obtained.

8. Sharing Personal Data

We may share personal data with the following categories of recipient where necessary and lawful:

  • payment processors and payment service providers;
  • cloud hosting and infrastructure providers;
  • analytics, monitoring, and diagnostics providers;
  • communication and email providers;
  • identity, authentication, and account-security providers;
  • logistics, fulfilment, or delivery partners;
  • marketplace counterparties where necessary for the relevant transaction;
  • educational service providers or integrations used to deliver school functionality;
  • professional advisers, auditors, insurers, or legal representatives;
  • regulators, law enforcement agencies, courts, or public authorities where required or justified by law.

We do not sell personal data in the ordinary commercial sense.

9. International Transfers

Where personal data is transferred outside the UK, we will take appropriate steps to ensure the data remains protected in accordance with applicable law. This may include transfers to countries recognised as providing adequate protection, the use of appropriate contractual safeguards, or reliance on another lawful transfer mechanism.

10. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, including to:

  • provide services and maintain accounts;
  • comply with legal, tax, accounting, and regulatory obligations;
  • resolve disputes and enforce agreements;
  • maintain security, fraud-prevention, and audit records;
  • preserve appropriate business records.

Retention periods may vary depending on the nature of the data and the reason we hold it.

11. Security

We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, damage, misuse, or unauthorised disclosure. However, no method of transmission or storage can be guaranteed to be completely secure.

12. Data Subject Rights

Subject to applicable law, you may have the right to:

  • obtain confirmation that we process your personal data;
  • request access to your personal data;
  • request correction of inaccurate or incomplete personal data;
  • request erasure of personal data in certain circumstances;
  • request restriction of processing in certain circumstances;
  • object to processing in certain circumstances;
  • request portability of certain personal data where the right applies;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with the Information Commissioner’s Office (ICO).

We may ask for information necessary to verify identity before responding to a request.

13. Data Rights Requests

You may submit data-rights requests through the channels we make available. We aim to respond without undue delay and in accordance with the timeframes permitted by law. In many cases this will be within one month, although an extension may be permitted where legally justified.

14. Children’s Data

Where the School or other services are used by or in relation to children, we will take appropriate account of the nature of the service, the context of collection, and applicable legal obligations. Parents, guardians, schools, or other responsible adults may also have a role in account administration or lawful authorisation depending on the service model.

15. Automated Decision-Making

We may use automated tools for fraud prevention, security, moderation support, recommendation logic, platform operations, or workflow efficiency. We do not intend to use solely automated decision-making with legal or similarly significant effect unless this is lawful and appropriate safeguards are in place.

16. Third-Party Services and Links

The platform may contain links to third-party sites, services, or integrations. We are not responsible for the privacy practices of third-party services that we do not control. You should review their privacy information separately.

17. Changes to this Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in law, regulation, guidance, operational practice, or platform functionality. The current version will be published through the platform together with its effective date and version.

18. Contact and Complaints

If you have questions about this Privacy Policy, our processing of personal data, or your rights, you may contact us through the published ANNUVELL contact channels.

If you are not satisfied with our response, you may have the right to complain to the Information Commissioner’s Office in the United Kingdom.