Privacy Policy

Cambridge College of British English — Online Payment Portal

Last updated: 11 November 2025

This Policy explains what personal data we collect when you use our payment Portal, why we collect it, how we use and share it, and the choices and rights available to you.

1) Scope

This Policy applies to users who pay fees or manage student accounts through our online Portal. It complements, and does not replace, the College’s wider student privacy notices and finance policies.

2) Data We Collect

1. Identity & contact: name, student number, email, phone, address, parent/guardian details (where applicable).
2. Account & enrolment: programme/course, batch/session, fee schedules, scholarship/discount info.
3. Payment details: payment method, masked card details (last 4 digits, brand), transaction IDs, amounts, currency, bank authorization codes. We do not store full card numbers, CVV, or PIN on our servers.
4. Technical data: IP address, device/browser type, operating system, time zone, language, cookie IDs, Portal activity logs.
5. Support communications: messages, uploads, and metadata when you contact us.

3) How We Use Personal Data

• Process payments, issue receipts, allocate fees to student accounts, and handle refunds.
• Verify identity, prevent fraud, ensure Portal security, and maintain audit trails.
• Provide reminders and transactional notifications (e.g., due dates, confirmations).
• Comply with legal, regulatory, accounting, and tax obligations.
• Improve the Portal’s performance, usability, and security.

4) Legal Bases for Processing

Depending on your location and applicable law, we rely on one or more of the following legal bases:

• Contract: to process your payments and administer your student account.
• Legal obligation: to satisfy financial reporting, tax, and regulatory requirements.
• Legitimate interests: to operate, secure, and improve the Portal; to prevent fraud and misuse.
• Consent: where required (e.g., certain cookies/analytics). You may withdraw consent at any time.

5) Sharing & Disclosures

• Payment processors & banks: to authorize and settle transactions.
• IT & security providers: hosting, maintenance, monitoring, and support.
• Authorities: when required by law, court order, or to protect rights and safety.
• Intra-group/partners: where necessary for enrolment administration and support, subject to appropriate safeguards.

We do not sell personal data.

6) Payments & Card Data

Online payments are processed by accredited third-party processors that use industry-standard security (e.g., PCI DSS). The College does not store full card numbers or CVV on the Portal. Tokenized references and masked details may be retained for reconciliation, fraud prevention, and refunds.

7) Cookies & Similar Technologies

• Strictly necessary: session and security cookies required for log-in and checkout.
• Preference & performance (optional): to remember settings and improve speed.
• Analytics (optional): to understand usage and improve the Portal.

You can manage cookies via your browser settings. Where required by law, we will request your consent for non-essential cookies.

8) Data Security

• Encryption in transit (HTTPS/TLS) and restricted access on a need-to-know basis.
• Audit logs, strong authentication for administrators, and regular vulnerability management.
• Vendor due diligence and contractual safeguards with service providers.

No method of transmission or storage is 100% secure; we cannot guarantee absolute security.

9) Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this Policy, including legal, accounting, tax, and audit requirements. Typical retention for finance records is 7–10 years (or as required by applicable law and policy). Anonymized or aggregated data may be retained longer.

10) Your Privacy Rights

Subject to applicable law, you may have rights to:

• access and obtain a copy of your personal data;
• request correction of inaccurate or incomplete data;
• request deletion or restriction of processing;
• object to certain processing (including where based on legitimate interests);
• withdraw consent where processing is based on consent;
• port data to another controller (where applicable).

To exercise rights, see Contact below. We may need to verify your identity before responding.

11) Children’s Data

For students under the age of majority, we may collect parent/guardian information to administer payments and communications in line with College policy and applicable law.

12) International Data Transfers

Where data is transferred outside of Sri Lanka or your location (for example, to global payment processors or cloud providers), we implement appropriate safeguards, such as contractual clauses, to protect your information, consistent with applicable law.

13) Changes to This Policy

We may update this Policy periodically. Significant changes will be posted on this page with an updated “Last updated” date.

14) Contact Us

If you believe your rights have been infringed, you may also have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.

© Cambridge College of British English. All rights reserved.