Privacy Policy

A legal disclaimer

Effective date: 22 September 2025
Last updated: 22 September 2025

Important: This document is provided for general information only and does not constitute legal advice. Please tailor as needed and consult a qualified lawyer.

 

1) Who we are

Controller: BIM XL Limited (trading as BIMXcellence)

  • Registered in: United Kingdom — Company No.: 11361425

  • Registered office: Challow House 15 – 3rd floor RG147GS Newbury United Kingdom

  • Website: bimxcellence.com

  • Contact (privacy): cve90462@myport.ac.uk

  • Data Protection Officer: Not appointed

  • ICO registration number (UK): applying

  • CPD provider reference: #788272

 

This Privacy Policy explains how we collect, use, disclose and protect your personal data when you use our websites, learning platform(s), courses and related services (the Services). We comply with the UK GDPR and the Data Protection Act 2018 and, where relevant, the EU GDPR and applicable e-privacy rules (e.g., PECR in the UK).

2) What this policy covers

This Policy applies when you:

  • visit our website(s) and landing pages;

  • register an account, enrol on a course, complete lessons or assessments;

  • communicate with us (email, chat, phone, support);

  • receive marketing from us;

  • take part in webinars, live sessions, or community forums; and

  • make purchases or access free trials.

 

It does not cover third-party websites or services you access via our Services. Please check their privacy notices.

 

3) Personal data we collect

  • Identity & Contact Data: name, job title, organisation, email, phone, country, billing/shipping addresses.

  • Account Data: username, password (hashed), profile details, preferences.

  • Course & Learning Data: courses enrolled/completed, progress, quiz scores, certificates issued, feedback/surveys, support tickets.

  • Transaction Data: order history, purchase amounts, currency, VAT number, invoices/receipts. (We do not store payment card numbers.)

  • Communications Data: emails, messages, marketing preferences, opt-in/opt-out records.

  • Technical & Usage Data: IP address, device identifiers, browser/OS, time zone, language, pages viewed, clickstream, session/error logs, approximate location (IP-based), cookies.

  • Media & Community Data: profile photos, forum posts, chat messages, webinar recordings (where applicable), uploaded content.

  • Special category data: we do not intentionally collect special categories (e.g., health data). If a specific course requires such data, we will explain the purpose and lawful basis and obtain explicit consent where required.

 

Sources: We collect data directly from you, automatically when you use the Services, and from trusted partners (e.g., platform provider Wix, payment provider PayPal, webinar/video tools Zoom and YouTube), your employer if sponsoring your enrolment with your consent, and public sources (e.g., LinkedIn if you choose to connect).

 

4) Why we use your data and legal bases

| Purpose | Examples | Legal basis |
| --- | --- | --- |
| Provide the Services | account creation, authentication, course delivery, assessments, certificates | Contract (Art. 6(1)(b)) |
| Payments & billing | order processing, fraud prevention, invoicing, VAT compliance | Contract; Legitimate interests; Legal obligation |
| Customer support | respond to enquiries, troubleshoot issues, service notices | Contract; Legitimate interests |
| Service improvement | analytics, bug fixing, UX research, feature development | Legitimate interests |
| Communications | service emails (enrolment, reminders, policy updates) | Legitimate interests / Legal obligation |
| Marketing | newsletters, offers, events, surveys | Consent where required by PECR/e-privacy; otherwise Legitimate interests |
| Compliance | record-keeping, audits, regulatory requests, enforcing terms | Legal obligation; Legitimate interests |
| Security | monitoring, access controls, incident detection/response | Legitimate interests; Legal obligation |

You can withdraw consent at any time where we rely on consent (this does not affect prior processing).

5) Cookies & similar technologies

We use cookies and similar technologies to operate the site, keep you signed in, remember preferences, and measure performance. Where required, we obtain your consent via a cookie banner. You can update your preferences at any time via [Cookie Settings]. For more detail, see our Cookie Notice. (Cookie tool: TBC.)

6) Payments

We use PayPal for online payments. PayPal acts as an independent controller for most payment processing—please review its privacy notice. For bank transfers, we receive payer name, bank reference and amount for reconciliation; we do not receive or store your full bank account details. We do not store payment card numbers on our systems.

7) Disclosures and sharing

We share personal data with:

  • Service providers / processors who help deliver the Services (hosting, LMS, email/SMS, analytics, payments, video/webinar tools, support).

  • Your employer/sponsor with your consent or where they funded your enrolment, to share attendance, progress and completion status as agreed in our contract.

  • Professional advisers (lawyers, auditors, insurers) and authorities where required by law.

  • Business transfers: if we sell, merge or reorganise our business, data may be shared under appropriate safeguards.

 

We do not sell your personal data.

8) International transfers

Our Services may involve transfers of personal data outside the UK/EEA. Data may be hosted in the UK and US (e.g., Wix infrastructure and sub-processors). When we transfer data internationally, we use appropriate safeguards such as UK IDTA, EU Standard Contractual Clauses (SCCs), or adequacy decisions, and implement additional measures where necessary.

9) Data retention

We keep personal data only for as long as necessary for the purposes set out above and to meet legal, accounting or reporting requirements. Typical retention periods:

  • Account & Course Data: active account + 6 years after last activity (unless you request deletion sooner and we have no legal reason to keep it).

  • Certificates / CPD Records: up to 6 years (or longer where professional regulations require).

  • Transaction Records: 6–7 years for tax/audit.

  • Support Tickets & Comms: 2 years after closure.

  • Marketing Preferences: until you opt out; evidence of consent may be retained for 6 years.

  • Web/Security logs: 12–24 months.

 

We will anonymise or securely delete data once retention periods expire.

10) Security

We implement technical and organisational measures appropriate to the risk, including encryption in transit, access controls, least-privilege permissions, MFA for admin accounts, regular backups, staff training, and vendor due diligence. No system is 100% secure; we monitor for incidents and will notify you and regulators of qualifying breaches in line with law.

11) Your rights (UK/EU)

You have the right to: access, rectify, erase, restrict, object (including to direct marketing), data portability, and withdraw consent (where we rely on consent).
To exercise your rights, contact cve90462@myport.ac.uk. We may verify your identity. You also have the right to complain to the UK ICO or your local EU Data Protection Authority.

12) Marketing

We may send training news and offers if you have opted in or where permitted by law (soft opt-in). You can opt out at any time via the unsubscribe link in our emails or by contacting us. We will not send you marketing if you have opted out.

13) Children

Our Services are intended for adults (18+) only. We do not knowingly collect personal data from individuals under 18. If you believe someone under 18 has provided us with personal data, please contact us so we can take appropriate steps.

14) Automated decision-making

We do not make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects. If this changes (e.g., automated proctoring with consequences), we will inform you and explain your rights.

15) Third-party links and integrations

Our Services may include links to or integrations with third-party sites (e.g., webinar tools, community forums, SSO). We are not responsible for their privacy practices. Please review their policies.

16) Changes to this Policy

We may update this Policy to reflect changes to our practices or legal requirements. We will post the updated version with a new “Last updated” date and, where appropriate, notify you by email or in-product message.

17) Contact us

Questions, requests or complaints about this Policy or how we handle your data:

  • Email: cve90462@myport.ac.uk

  • Postal: Privacy Team, BIM XL Limited, Challow House 15 – 3rd floor RG147GS Newbury United Kingdom

  • DPO (if appointed): Not appointed

 

We aim to respond within one month.

Annex A — Our processors

  • Learning platform: Wix — hosting, course delivery

  • Payment processing: PayPal — online payments; Direct bank transfer via your bank (reconciliation only)

  • Email & marketing: TBC — transactional and marketing emails

  • Analytics: TBC — website/product analytics

  • Video & webinars: Zoom; YouTube — streaming and recordings

  • Support & CRM: TBC — customer support

  • Cloud hosting: Wix and its sub-processors (regions may include UK/US)

 

We will update this list as vendors change and will link to their privacy notices where possible.
