ITF Taekwondo Theory Quiz

    Privacy Policy

    Effective Date: 01.07.2025

    Last Updated: 06.08.2025

    1. Introduction

    ITF TKD Theory ("we," "our," or "us") operates the website itftkdtheory.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your personal data when you visit our website and use our educational services.

    We are committed to protecting your privacy and complying with the UK General Data Protection Regulation (UK GDPR) and the EU General Data Protection Regulation (GDPR).

    Data Controller: ITF TKD Theory
    Registered Address: 29 Waterloo Place, CV32 5LA Leamington Spa
    Contact: docuex@outlook.com

    By using our Service, you acknowledge that you have read and understood this Privacy Policy. Your use of our Service constitutes your consent to the data processing described herein, where consent is the lawful basis for processing.

    2. Lawful Bases for Processing Personal Data

    Under GDPR and UK GDPR, we process your personal data based on the following lawful bases:

    • Consent (Article 6(1)(a)): For marketing communications and optional features
    • Contract (Article 6(1)(b)): To provide our educational services and maintain your account
    • Legitimate Interests (Article 6(1)(f)): For website analytics, security, and service improvement
    • Legal Obligation (Article 6(1)(c)): To comply with applicable laws and regulations

    3. Personal Data We Collect

    3.1 Data You Provide Directly

    Account Registration (Lawful basis: Contract):

    • Name (first and last)
    • Email address
    • Username and password
    • Belt rank/level (optional)
    • ITF school or organisation affiliation (optional)
    • Country/location within UK/EU

    Profile Information (Lawful basis: Contract/Consent):

    • Profile picture (optional)
    • Learning preferences
    • Study goals and objectives
    • Progress tracking preferences

    Communications (Lawful basis: Legitimate interests):

    • Messages sent through contact forms
    • Support requests and correspondence
    • Feedback and survey responses

    3.2 Data Collected Automatically

    Usage Data (Lawful basis: Legitimate interests):

    • Quiz scores and completion rates
    • Study session duration and frequency
    • Pages visited and time spent on each page
    • Learning progress and achievements
    • Feature usage patterns

    Technical Data (Lawful basis: Legitimate interests):

    • IP address (anonymised after 26 months)
    • Browser type and version
    • Device type and operating system
    • Screen resolution and device identifiers
    • Referring website URLs
    • Date and time of visits

    Cookies and Similar Technologies:

    We use cookies as described in our Cookie Policy. Essential cookies are based on legitimate interests, while non-essential cookies require your consent.

    3.3 Special Categories of Personal Data

    We do not intentionally collect special categories of personal data (sensitive personal data) as defined under GDPR Article 9. If you provide such information voluntarily, we will handle it with appropriate safeguards.

    4. How We Use Your Personal Data

    4.1 Providing Our Services (Contract)

    • Deliver quizzes, track progress, and personalise learning experiences
    • Maintain user accounts and authenticate access
    • Process payments (if applicable)
    • Provide customer support

    4.2 Service Improvement (Legitimate Interests)

    • Analyse usage patterns to enhance functionality and content
    • Conduct research to improve educational effectiveness
    • Develop new features and services
    • Ensure website security and prevent fraud

    4.3 Communications (Consent/Legitimate Interests)

    • Send service-related notifications (legitimate interests)
    • Respond to your enquiries and support requests (legitimate interests)
    • Send marketing communications about relevant educational content (consent)
    • Notify you of important updates to our services (legitimate interests)

    4.4 Legal Compliance (Legal Obligation)

    • Comply with applicable laws and regulations
    • Respond to lawful requests from authorities
    • Protect our legal rights and interests

    5. Data Sharing and Transfers

    5.1 We Do Not Sell Personal Data

    We do not sell, trade, or otherwise transfer your personal data to third parties for commercial purposes.

    5.2 Data Processors

    We may share your data with trusted third-party processors who assist us in operating our website and services:

    Essential Service Providers:

    • Hosting providers: For website infrastructure (UK/EU based where possible)
    • Email service providers: For transactional and marketing emails
    • Analytics providers: Google Analytics (with IP anonymisation enabled)
    • Security providers: For fraud prevention and security monitoring

    All processors are bound by Data Processing Agreements (DPAs) and must comply with GDPR requirements.

    5.3 International Transfers

    Where we transfer personal data outside the UK/EU, we ensure adequate protection through:

    • Adequacy decisions: Countries recognised as providing adequate protection
    • Standard Contractual Clauses: EU/UK approved contract clauses
    • Certification schemes: Such as EU-US Data Privacy Framework participants

    5.4 Legal Disclosure

    We may disclose your personal data when legally required:

    • In response to court orders, warrants, or legal processes
    • To comply with regulatory requirements
    • To protect vital interests or public safety
    • To establish, exercise, or defend legal claims

    6. Data Retention

    6.1 Retention Periods

    We retain personal data only as long as necessary for the purposes outlined in this policy:

    • Active Accounts: While your account remains active and for up to 3 years after last activity
    • Marketing Data: Until you withdraw consent or object to processing
    • Legal Requirements: As required by applicable law (typically 6-7 years for financial records)
    • Security Logs: Up to 12 months for security monitoring

    6.2 Account Deletion

    When you request account deletion:

    • Personal data is anonymised or deleted within 30 days
    • Some data may be retained in encrypted backups for up to 90 days
    • Data required for legal compliance may be retained longer

    7. Your Rights Under GDPR

    As a data subject in the UK/EU, you have the following rights:

    7.1 Right of Access (Article 15)

    You can request copies of your personal data and information about how we process it.

    7.2 Right to Rectification (Article 16)

    You can request correction of inaccurate or incomplete personal data.

    7.3 Right to Erasure (Article 17)

    You can request deletion of your personal data in certain circumstances.

    7.4 Right to Restrict Processing (Article 18)

    You can request that we limit how we use your personal data in specific situations.

    7.5 Right to Data Portability (Article 20)

    You can request your data in a structured, machine-readable format.

    7.6 Right to Object (Article 21)

    You can object to processing based on legitimate interests or for direct marketing.

    7.7 Rights Related to Automated Decision Making (Article 22)

    You have rights regarding automated decision-making and profiling (if applicable).

    7.8 Right to Withdraw Consent

    Where processing is based on consent, you can withdraw it at any time.

    7.9 Exercising Your Rights

    To exercise these rights, contact us at: docuex@outlook.com
    We will respond within one month (extendable to three months for complex requests).

    8. Data Security

    8.1 Technical Measures

    We implement appropriate technical safeguards:

    • Encryption: TLS 1.2+ for data transmission, AES-256 for data at rest
    • Access controls: Role-based access and multi-factor authentication
    • Monitoring: Continuous security monitoring and incident response
    • Regular testing: Security assessments and penetration testing

    8.2 Organisational Measures

    • Staff training on data protection and privacy
    • Data processing agreements with all processors
    • Regular privacy impact assessments
    • Incident response and breach notification procedures

    8.3 Data Breach Notification

    In case of a personal data breach, we will:

    • Notify the relevant supervisory authority within 72 hours (where required)
    • Inform affected individuals without undue delay (if high risk to rights)
    • Document and investigate all breaches

    9. Cookies and Tracking Technologies

    9.1 Cookie Categories

    • Strictly Necessary Cookies: Essential for website functionality (no consent required)
    • Performance Cookies: Help us understand how visitors use our website
    • Functional Cookies: Remember your preferences and personalise experience
    • Marketing Cookies: Track visitors across websites for advertising purposes

    9.2 Cookie Consent

    We obtain consent for non-essential cookies through our cookie banner. You can:

    • Accept or reject non-essential cookies
    • Change your preferences in cookie settings
    • Withdraw consent at any time

    9.3 Third-Party Cookies

    We use Google Analytics with:

    • IP anonymisation enabled
    • Data retention set to 26 months
    • Advertising features disabled
    • Demographics and interest reports disabled

    10. Children's Privacy

    10.1 Age Requirements

    Our services are intended for users aged 13 and over. We do not knowingly collect personal data from children under 13.

    10.2 Parental Rights

    Parents/guardians of children aged 13-16 can:

    • Exercise rights on behalf of their child
    • Request information about data processing
    • Object to processing or request data deletion

    11. International Users

    11.1 UK Users

    This policy complies with UK GDPR and the Data Protection Act 2018. The UK supervisory authority is the Information Commissioner's Office (ICO).

    11.2 EU Users

    This policy complies with EU GDPR. You can contact your national supervisory authority with complaints or concerns.

    11.3 Non-UK/EU Users

    If you're located outside the UK/EU, your data may be transferred to and processed in the UK/EU. We ensure appropriate safeguards are in place.

    12. Supervisory Authority

    12.1 UK - Information Commissioner's Office (ICO)

    Website: https://ico.org.uk
    Phone: 0303 123 1113
    Address: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

    12.2 EU Supervisory Authorities

    Contact details for EU supervisory authorities: https://edpb.europa.eu/about-edpb/board/members_en

    12.3 Right to Lodge Complaints

    You have the right to lodge complaints with supervisory authorities about our data processing activities.

    13. Updates to This Privacy Policy

    13.1 Policy Changes

    We may update this policy to reflect:

    • Changes in data protection laws
    • New features or services
    • Feedback from supervisory authorities
    • Best practice developments

    13.2 Notification

    We will notify you of material changes by:

    • Email notification to registered users
    • Prominent website notice
    • Updated "Last Modified" date

    13.3 Continued Use

    Continued use after changes indicates acceptance, except where additional consent is required.

    14. Contact Information

    14.1 Data Controller Contact

    Email: docuex@outlook.com
    Address: 29 Waterloo Place, CV32 5LA Leamington Spa
    Website: itftkdtheory.com

    14.2 Data Protection Officer (if applicable)

    If we are required to appoint a DPO, contact details: [DPO Email Address]

    14.3 Response Times

    We respond to data subject requests within:

    • Simple requests: 1 month
    • Complex requests: Up to 3 months (with explanation)
    • Urgent matters: Within 72 hours where legally required
