Privacy policy

AUREN INSTITUTE
Compliance, Done Right.
Privacy Policy
How we collect, use, and protect your personal data
Version 1.0  |  June 2026
Website and learner-facing policy
Auren Institute  |  CPD Reg. No. 22536  |  UK (East Kilbride) and Malta (Qormi)

Effective date: June 2026    Last reviewed: June 2026

1. Who we are
This Privacy Policy explains how Auren Institute ("Auren Institute", "we", "our", or "us") collects, uses, stores, and protects your personal data when you use our website (www.aureninstitute.com), our learning platform, and our services. Auren Institute is the data controller for that personal data.
Contact: info@aureninstitute.com. Malta office: 92, No. 1, St Edward Street, Qormi QRM 2136, Malta. UK office: 5, Glen Moy, East Kilbride, Glasgow G74 2BE.

2. The law we follow
We process personal data in line with the EU General Data Protection Regulation (Regulation (EU) 2016/679), the UK GDPR and the Data Protection Act 2018, and Malta's Data Protection Act (Chapter 586 of the Laws of Malta), together with any other applicable data protection law.

3. The data we collect
Depending on how you interact with us, we may collect:
- Identity and contact data: name, email address, telephone number, and postal address.
- Professional data: job title, profession, employer, and company size.
- Learning data: enrolments, course progress, assessment outcomes, and certifications.
- Financial and transactional data, where you purchase from us (processed by our payment providers).
- Technical and usage data: IP address, browser type, operating system, and activity collected through cookies and analytics. See our Cookie Policy.

4. How we use your data, and our lawful bases
We process personal data only for defined, legitimate purposes, relying on the following lawful bases:
- Performance of a contract: to deliver and administer courses, manage platform access, and issue certificates.
- Legal obligation: to meet regulatory, accreditation, tax, and statutory requirements.
- Legitimate interests: to improve our services, secure our systems, and run our business, where this does not override your rights.
- Consent: for marketing communications and non-essential cookies, which you can withdraw at any time.

5. Sharing and processors
We do not sell your personal data. We share it only where necessary, with carefully selected processors under written contracts that require GDPR-compliant safeguards. These may include our learning platform and hosting providers, payment processors, IT and cloud providers, accreditation and certification bodies, and professional advisers such as legal and audit services.

6. International transfers
Where personal data is transferred outside the European Economic Area or the United Kingdom, we put appropriate safeguards in place, including European Commission adequacy decisions, Standard Contractual Clauses with the UK Addendum where relevant, or another legally recognised transfer mechanism.

7. How long we keep it
We keep personal data only for as long as necessary for the purpose it was collected, including contractual, legal, accreditation, and audit requirements, after which it is securely deleted or anonymised. The periods below are indicative and reviewed periodically.
Data type — Indicative retention period
Learner records, course progress, and certifications — 5 years after course completion, aligned to accreditation record-keeping
Financial and transactional records — 7 years, in line with statutory requirements and our Finance & Procurement Policy
Enquiry and general communications data — Up to 1 year after your last contact with us
Marketing data (where based on consent) — Until you withdraw consent or after a defined period of inactivity
Website and analytics data — Per the lifetimes set out in our Cookie Policy

8. How we protect it
We apply technical and organisational measures appropriate to the risk, including encryption in transit and, where applicable, at rest, role-based access controls and authentication, secure cloud infrastructure, monitoring and patching, backups and recovery, and staff training on data protection.

9. Your rights
Under data protection law you have the right to access your data, to have it corrected, to have it erased (subject to legal limits), to restrict or object to processing, to data portability, and to withdraw consent where processing relies on it. We respond within one calendar month. To exercise a right, email info@aureninstitute.com.
If you are not satisfied with our response, you can complain to a supervisory authority: in Malta, the Information and Data Protection Commissioner (IDPC); in the UK, the Information Commissioner's Office (ICO).

10. Children
Our services are intended for professionals and adult learners. Where we provide learning to anyone under 18, we apply additional safeguards in line with our Safeguarding and Child Protection Policy and do not knowingly collect children's data without an appropriate lawful basis.

11. Changes to this policy
We may update this policy from time to time, or as the law requires. The current version is always published on our website, and your continued use of the site after a change indicates acceptance of the updated policy.

12. Contact us
For any question about this policy or your personal data, including to exercise your rights, contact our Data Protection Lead:
Email: info@aureninstitute.com
Malta office: 92, No. 1, St Edward Street, Qormi QRM 2136, Malta
UK office: 5, Glen Moy, East Kilbride, Glasgow, G74 2BE
Company: Auren Institute  |  Malta Reg. No. P1421  |  CPD Reg. No. 22536  |  VAT No. MT20967027

Auren Institute  |  Compliance, Done Right.