GDPR Compliance
Last updated: November 12, 2025. This policy outlines BMR Education's commitment to data protection for our users in the European Union and the UK.
1.Scope & Commitment
BMR Education is committed to protecting the privacy and security of users in the European Union (EU) and the UK. This policy outlines our practices in compliance with the General Data Protection Regulation (Regulation (EU) 2016/679).
This notice supplements our Privacy Policy and explains how we satisfy GDPR Articles 5-49 and companion frameworks such as the EU AI Act.
2.Controller & Processor Roles
Data Controller: BMR Education primarily acts as a Data Controller for information we collect to provide Services directly to you (e.g., account info, personalization data).
Data Processor: In certain scenarios where we process data on behalf of an educational institution, we function as a Data Processor governed by a Data Processing Agreement (DPA).
3.Legal Bases for Processing
We process data under the following legal bases:
• Consent: Where you provide explicit, affirmative consent (e.g., for optional marketing).
• Contractual Necessity: To perform our contract with you (e.g., managing your account and providing course access).
• Legitimate Interests: For improving our Services, preventing fraud, and conducting analytics, balanced against your rights.
• Legal Obligation: To comply with statutory requirements (e.g., tax or security laws).
4.Your GDPR Rights
You have the following rights:
• Access & Rectification: Request access to or correction of your personal data.
• Erasure ('Right to be Forgotten'): Request deletion of your data when no longer necessary.
• Data Portability: Receive your data in a structured, machine-readable format.
• Object to Processing: Object to data use based on legitimate interests or direct marketing.
• Automated Decision-Making: Object to decisions based solely on automated processing, including profiling.
You can exercise export and deletion rights through the profile panel, or by contacting our Data Protection Officer.
5.International Data Transfers
Personal data may be processed outside the EEA or UK. We ensure appropriate safeguards are in place, such as:
• Standard Contractual Clauses (SCCs): Implementing EC-approved clauses with our partners.
• Adequacy Decisions: Transferring data to countries deemed to provide an adequate level of protection.
6.Data Protection Officer (DPO)
For inquiries regarding your rights or our processing activities, contact our DPO:
Email: [email protected]
Response Time: Within one month for formal data rights requests.
Copyright 2026 BMR Education. All rights reserved.