Skip to main content
Home / Privacy Policy

Sponge UK Limited 
privacy policy.

Sponge External Privacy Notice

Sponge External Privacy Notice

Sponge Group of Companies (Sponge Group Limited, Units 2.1-2.3 Paintworks, Arnos Vale, Bristol, BS4 3EH, Sponge Germany GmbH, Hardenbergstr. 32, 10623 Berlin) is committed to protecting the privacy and security of the personal data of our employees, contractors and other third parties with whom we deal in the course of our business, our recruitment activities and the provision of our services. This privacy notice explains who we are, how we collect, share and use your personal information and how you can exercise your privacy rights.

We will ensure that your personal data is:

  • processed lawfully, fairly and in a transparent manner,
  • collected only for specified, explicit and legitimate purposes,
  • is adequate, relevant and limited to what is necessary in connection with the services we provide to you,
  • is accurate and, where necessary, kept up to date,
  • will not be kept in a form which enables it to identify you for longer than necessary,
  • will only be processed in such a way that its security is ensured by appropriate technical and organisational measures to protect it against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Our name and contact details.

Sponge Group Limited, Units 2.1-2.3 Paintworks, Arnos Vale, Bristol, BS4 3EH.

Any questions about data protection at Sponge Group Limited should be directed to our Data Protection Team. dataprotection@spongelearning.com.

Our ICO registration is ZB362295.

Sponge Germany GmbH, Hardenbergstr. 32, 10623 Berlin.

All questions regarding data protection at Sponge Germany GmbH should be directed to our data protection team.

datenschutz-spongecompliance@legitimis.com

VAT number: DE 173211552.

What do we do?

Sponge Group Limited is an award-winning provider of digital learning solutions, including customised learning programmes, learning management systems and ready-made content.

Processing of your personal data.

We process and manage your personal data in accordance with the business relationship we have with you. This business relationship helps us to identify the relevant category of data subject (or group of people whose data we process in the same way) and enables us to tell you the details of how we process your personal data. We interact with you and process your personal data in one or more of the following ways:

1. As a Customer.

1.1 For customer relationship management purposes.

We collect, store and use your personal data to manage our relationship with you based on our business contract with you. The legal basis here is Art. 6 para. 1 lit. (f) UK/EU GDPR, the legitimate interest in continuing existing contracts and acquiring new customers.

We collect: Business contact details, call details, contact information, email address, email content, first name, last name, mobile phone, occupation, password, postcode, title.

From: Yourself.

We share this with: Contracted Sponge teams.

Storage Location: United Kingdom.

Storage period: Length of contract.

1.2 For Learning Content.

We collect, store and use your personal data to enable you to access content on our learning platforms based on the contract we have with you. We need to process your personal data to administer the learning platforms/portal services contract we will enter into or have entered into with you. If you do not provide certain information, we may not be able to fulfil or complete the learning services access contract.

The legal basis here is Art. 6 Para. 1 lit. (f) UK/EU GDPR, the legitimate interest in fulfilling the contract with our customers.

We collect: Business contact, call data, contact information, email address, email content, first name, last name, mobile phone, occupation, password, postcode, title.

From: Your Employer, yourself.

We share this with: Contracted Sponge teams.

Storage Location: United Kingdom.

Storage period: Length of contract.

1.3 For Customer Support.

We need to process your personal data to ensure that we can provide you with the support you need when using our services and learning management platforms, and to process invoices and take payments. This is done on the basis of the contract we have with you. If you do not provide us with certain information in time, we may not be able to fulfil the contract we have with you.

We collect: Company name, country, email address, first name, last name, mobile phone, postcode.

From: Yourself.

We share this with: Contracted Sponge teams.

Storage Location: United Kingdom.

Storage period: Length of Contract.

1.4 For learning analytics.

We collect, store and use your personal data to understand how our learning management platforms and services are used. We do this on the basis of the contract we have with you and the legitimate interest on our part in improving our products acc. Art. 6 Para. 1 lit. (f) UK/EU GDPR.

If you do not provide certain information when requested, we may not be able to fulfil the contract we have with you.

We collect: Behavioural data, browser details, business contact, duration, employer details, first name, last name, mobile phone, occupation, postcode, title.

From: Contracted clients.

We share this with: Contracted clients, Sponge teams.

Storage Location: United Kingdom.

Storage period: Length of contract.

1.5 Conducting the Customer Satisfaction Survey.

We collect, store and use your personal data to obtain feedback on the services we provide. We contact you based on our legitimate interests acc. Art. 6 para. 1 lit. (f) UK/EU GDPR to ensure that we provide you with the best customer experience when accessing our services. The evaluation of your responses is also based on this. The participation is voluntary on the basis of Art. 6 para. 1 lit. (a) UK/EU GDPR.

We collect: Company name, email address, first name, last name, views.

From: Yourself.

We share this with: Suppliers, Sponge teams.

Storage location: United Kingdom and United States of America.

Storage period: Three years.

1.6 To provide system development.

We collect, store and use your personal data to improve our internal production systems and enterprise resource planning systems and to enhance our platforms.

We do this based on our legitimate interests acc. Art. 6 para. 1 lit. (f) UK/EU GDPR in improving the efficiency and usability of the services we provide to you.

We collect: Contact information, first name, last name.

From: Yourself.

We share this with: Suppliers, Sponge teams.

Storage location: India.

Storage period: Three years.

2. As a Learner.

2.1 To resolve login/technology issues.

We collect, store and use your personal data to support access to our learning management platform and services based on our contract with your learning provider. This is necessary to support your access to our learning management platforms and to ensure the security of these systems.

We collect: Contact information, email address, email content, first name, last name, mobile phone, occupation, password, postcode, title.

From: Yourself.

We share this with: Sponge Teams.

Storage Location: United Kingdom.

Storage period: Contract period plus 6 years.

2.2 Facial Recognition for Access to Training.

Where enabled, we collect, store and use your personal data, in particular your photo, to provide you with access to our learning management platform. We do this based on the contract we have with your learning provider, who is the data controller. The legal basis here is Art. 6 Para. 1 lit. (f) UK/EU GDPR is the legitimate interest in fulfilling the contract with our customers.

If you do not provide us with certain information, we may not be able to fulfil the contract we have with your learning provider.

We collect: Photographs of yourself, learners.

We share this with: Sponge teams, yourself, learning providers.

Storage Location: United Kingdom and Ireland.

Storage period: Length of contract.

3. As a Potential Customer.

3.1 For email marketing.

We need to process your personal data to send you newsletters, promote our services and invite you to business events that we believe will be of benefit to you.

We do this based on our legitimate interests acc. Art. 6 Para. 1 lit. (f) UK/EU GDPR, which are to facilitate engagement with potential new client organisations, to increase external awareness of the Sponge brand, to understand external business issues and to develop appropriate solutions.

We collect: Company name, country, email address, first name, last name, mobile phone, postcode.

From: Potential company, research, website visitors, conference/webinar attendee lists.

We share this with: Sponge teams.

Storage Location: United Kingdom.

Storage period: Three Years.

3.2 For data cleansing for marketing purposes.

We need to process your personal data to ensure that we have accurate, up to date and appropriate information about you to support our marketing. We do this based on our legitimate interest acc. Art. 6 Para. 1 lit. (f) UK/EU GDPR in building and maintaining a business relationship with our customers.

We collect: Company name, country, email address, first name, last name, mobile phone, postcode.

From: Potential company, research, website visitors, conference attendees.

We share this with: Suppliers.

Storage Location: United Kingdom.

Storage period: Three years.

4. As a Website Visitor.

4.1 To manage your cookie preferences.

We collect, store and use your personal data to make our website more intuitive and user-friendly and to protect the security and effective functioning of our websites based on your consent. This is necessary to monitor how our website is used so that we can (a) improve the layout and information on our website and provide a better service to our website users and (b) monitor how our website is used to detect and prevent fraud, other crimes and misuse of our website. The basis for this is Art. 6 para. 1 lit. (f) UK/EU GDPR is the secure operation of our website.

We collect: Cookies, country, email address, IP address, name, occupation.

From: Yourself.

We share this with: Suppliers.

Storage Location: United Kingdom.

Storage period: The duration of your browsing session.

5. As a Potential Employee.

5.1 To select candidates for employment.

We collect, store and use your personal data to assess your skills, qualifications and suitability for the job or role during this process based on our legitimate interest.

It is in our legitimate interest to carry out background checks, communicate with you about the recruitment process and keep records in relation to our recruitment process.

If you do not provide us with the information we need to consider your application, we will not be able to process your application. The basis for this is Art. 6 para. 1 lit. (b) UK/EU GDPR, the processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

We collect: CV, education, email address, employment, first name, interview notes, surname, location.

From: Yourself and recruitment agencies.

We share this with: Recruitment agencies.

Storage Location: United Kingdom and United States of America.

Storage period: Six months.

Your Data.

May be shared with other third parties such as Tax authorities or other regulatory or law enforcement agencies in certain circumstances, but only in accordance with the law and where strictly necessary.

Automated decision making and profiling.

You will not be subject to decisions that have a significant impact on you and are based solely on automated decision making, including profiling, unless you have given us your consent to do so or it is necessary for the formation or performance of a contract.

Your rights.

Access. You have the right to ask us for copies of your personal data. This right always applies. There are some exceptions, which means you may not always receive all the personal data we process.

Rectification. You have the right to ask us to rectify personal data that you believe is inaccurate or incomplete. This right always applies.

Erasure. You have the right to request that we erase your personal data if it is no longer necessary for the purpose for which it was collected, or if you withdraw your prior consent to its processing and we have no other legal basis for processing it, or if it is processed unlawfully, or if it must be erased to comply with a legal obligation, or if it is used for direct marketing purposes for which we have no legitimate grounds.

Restriction. You have the right to ask us to restrict the processing of your personal data if it is inaccurate (so that we can verify its accuracy) or if it is processed unlawfully (and you want us to stop the processing rather than erase it), or if you have objected to the processing while we verify that we have legitimate grounds for processing, or if the data is no longer needed for the purpose for which it was collected and you want us to retain it for the establishment, exercise or defence of legal claims.

Portability. This only applies to personal data that you have provided to us. You have the right to ask us to transfer or share the data you have provided to us from one organisation to another. This only applies if we are processing personal data on the basis of your consent or as part of a contract or in discussions with you about entering into a contract and the processing is automated.

Object. You have the right to object to the processing of your personal data where we claim legitimate interests as the legal basis for the processing or where the data is used for direct marketing.

Withdrawal of consent. You may withdraw consent you have previously given us to process your personal data for one or more specific purposes. This will not affect the lawfulness of the processing that took place before you withdrew your consent. This may mean that we can no longer offer you certain products or services and we will inform you if this is the case.

You have the right to complain to a supervisory authority, in the UK this is the Information Commissioner's Office.

Breaches.

We have procedures in place to deal with suspected data breaches and will notify you and any relevant supervisory authorities of a suspected breach where we are required to do so by law.

Dealing with your requests.

We will deal with your requests as soon as possible, but it may take up to one month (possibly extended to 3 months if the law allows). There is usually no charge for processing, but we may charge a reasonable fee if your request is manifestly unfounded, repetitive or excessive, or we may refuse to comply with your request in these circumstances.

We may need to request certain information from you to confirm your identity and ensure your right to access your personal data (or exercise your other rights). This is a security measure to ensure that your personal data is not disclosed to anyone who does not have the right to receive it. We may also contact you to ask for more information about your request to speed up our response.

Notice This notice does not form part of any service contract.

Changes to this privacy notice.

We may update this notice from time to time. Any changes we make to our policy in the future will be posted on our website and, where appropriate, notified to you by email. Please visit our website regularly to check for any updates or changes to our policy.

Supplementary information.

Direct marketing.

Our direct marketing activities comply with the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), which means that you may receive direct marketing communications from us if you have requested them or if you have purchased one of our services and have not opted out of receiving them, or if the communications are necessary for the performance of a contract between us.

Security.

We have reasonable security measures in place to prevent your personal information from being accidentally lost, used, altered, disclosed or destroyed, or accessed without authorisation. Although the security of data transmission or storage cannot be guaranteed, we employ a range of commercially reasonable physical, technical and procedural measures to protect personal information. These measures include confidentiality agreements with third parties, secure development practices, security audits of service providers, products and services that may be used, and ISO27001 organisational security policies.

We also have procedures in place to deal with suspected personal data breaches and will notify you and the relevant supervisory authorities of a breach where we are required to do so by law.

Cookies.

Cookies are small files that we store on the device (computer, mobile phone, tablet or other mobile device) that you use to access our website or portal.

We use the term "cookies" to refer not only to cookies but also to other technologies such as pixels, web beacons and page tags. Our website uses "first-party cookies" (set by our own website) and "third-party cookies" (set by other websites).

Informing you about the use of cookies and managing them is required under the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).

What cookies do we use?

We use the following types of cookies:

Required. These are essential for the proper functioning of our website. This category only includes cookies that provide basic website functionality and security features. No personal data is stored in these cookies.

Not necessary. These cookies are not essential for the website to function properly. They are used to collect personal data from users about analytics, ads and other embedded content, and help us analyse and understand how you use our website. We always ask for your consent before using these types of cookies.

Blocking cookies. You can also disable cookies by changing your browser settings to refuse all or some cookies. The settings and steps for managing cookies vary from browser to browser, so we recommend that you consult your browser's documentation.

If you set your browser to block all cookies (including "necessary" cookies), you may not be able to access all or parts of our website.

Request more information about the cookies we use.

For a detailed list of the cookies we use, including information about the type of cookie, the validity period and links to third party websites, please contact dataprotection@spongelearning.com or click on this link https://www.spongelearning.com.

Version

Approved by

Date

1.0

Julia Pugh & GDPR 360

24/01/2023

1.1

Julia Pugh & Legitimis

13/07/2023