Is BridgeU GDPR compliant?
Yes, we comply with the principles and requirements of the UK Data Protection Act (DPA), the EU General Data Protection Regulation (EU GDPR) and the UK General Data Protection Regulation (UK GDPR). BridgeU takes its responsibilities to protect the security, confidentiality, integrity and privacy of your data very seriously, and continuously reviews and improves its technical and organisational approach to protecting data and privacy.
How does the UK leaving the EU impact the GDPR?
The EU GDPR has been incorporated into UK law now that the Brexit transition period has ended. (The transition period started when the UK left the EU on 31 January 2020 and lasted 11 months. During that time, the UK was still subject to EU laws like the GDPR.) The key principles, rights and obligations remain the same between the EU and UK GDPR.
We have appointed an EU representative, as required by the EU GDPR, and added their contact details to our privacy notice.
Where can I find BridgeU’s statements on data protection?
You can find our privacy notice, which describes how we process personal data we collect from you or that you provide to us, here. The privacy notice for students is written in clear, plain and age-appropriate language. You can also find our policy on cookies, which are small text files that a website may put onto your device in order to help provide service to you, here. We will inform you when we make any changes to these policies.
Where is my data stored? Where are BridgeU servers located?
Our data is stored in the cloud. That means that the data lives on computers that are based in secure facilities in a number of countries around the world. We work with schools all around the world and using the cloud means that our website operates well wherever it is accessed from.
We only store personal data in, or transfer personal data for processing to, countries that are in the European Economic Area (EEA), or are international countries recognised by the EU as providing adequate protection of personal data, or to the US under the terms of the EU GDPR Standard Contractual Clauses (SCC), or, in certain cases and only for schools based in China, to China.
In particular, we make use of cloud hosting services for the purposes of storing and processing personal data. We currently store data in the EU and the US (Amazon Web Services US-East-1 region, and Google Cloud Platform regions US-West1, US-Central1, and EU-West1).
How is my data protected? How secure are the servers you use?
Your data is protected by industry-standard processes at every layer.
Our servers are maintained by our cloud platform providers, ensuring that the infrastructure that the platform runs on – both the hardware and operating system – is kept up to date by a dedicated team. We use automated alerts to ensure that the software our servers run is kept up to date too, and prioritise security updates.
In addition to that, we take extra precautions to restrict access to data and ensure its integrity. Our databases use encryption-at-rest, meaning that even in the unlikely event of unauthorised access to the cloud servers, data is inaccessible.
Finally, any connections to BridgeU servers are secured by HTTPS and other encryption technologies, using the latest recommendations for encryption strength. This protects your data from any network-based attacks.
What level of encryption do you use across your site?
Data at rest is encrypted using the industry-tested and accepted AES-256 standard. We use 'advanced' ciphers, as recommended by the Open Web Application Security Project (OWASP), for encryption in transit.
How frequent are your site backups?
We maintain continuous physical backups, stored on separate off-site storage, that allow us to roll back the database to any time in the previous 4 days, as well as daily and weekly full-site logical backups. Daily backups are retained for a week, and weekly backups for a month.
The purpose of these backups is business continuity and disaster recovery; they are not designed for recovering from accidental user error. However, in emergency situations we can attempt recovery from our backups on a best-effort basis.
How does BridgeU use student, staff and parent personal data?
The purposes for storing and processing personal data are set out in our privacy notices here.
We are the data controller which means that we are responsible for deciding how we hold and use personal information about you.
We process personal data in order to provide service, to analyse use of our website to better understand how people use our service, to make the website better, to administer the service, and to notify users about changes to the service.
We may send service, maintenance and other transactional emails to users of the website. Transactional emails are sent in response to a user using or administering the service, and include things such as password reset emails, maintenance announcements, and changes to the service, features or supported browsers.
We may send non-transactional emails to users, such as newsletters, but only when either the user has explicitly opted to receive these emails, or where we believe, or have been informed, that the user has a legitimate interest in receiving targeted email communications. In either case, we make it easy for users to opt out of receiving non-transactional emails.
What data does BridgeU collect?
As an example, it includes:
- Your contact and personal information such as name, date of birth, and email address
- If you are a student, we hold information you or your school provides about your education, grades and scores, and higher education preferences and career interests
- If you are a student, we may also hold information you or your school provides during a quiz, test, or personality or career assessment
- We also store information about the kind of device you use to access BridgeU and details of your website visits for administrative and analytical purposes
Can I opt out of sharing my data with BridgeU?
In general, if a student, staff member, or parent objects to their data being processed by BridgeU, we will not be able to provide the service to that individual.
Our privacy notice, introduced in April 2021, explained that sometimes, when we partner with universities, we will share some personal information about you where you have told us you are interested in the university, by adding them to your shortlist or application list. (This only applies to students.) We will not share your email address, or other contact details, with universities. We provided students with the opportunity to opt out of their personal information being shared with universities where they had already told us, prior to April 2021, that they were interested in them.
Is any of my data shared with third parties?
We use a variety of carefully selected third parties to fulfil essential activities (e.g. processing data, storing data, and analysing data). We only use third parties that also comply with the GDPR. We only transfer personal data to a third party that stores data in the EEA, or in a country determined by the EU to provide adequate protection of personal data, or to the US, or, in certain cases and only for schools based in China, to China.
Some of the main third party services that we may use are:
To provide platform functionality
- ManageBac (if a school has an existing account there)
- iSAMS (if a school has an existing account there)
- Parchment (if document sending is enabled and used)
As providers of cloud hosting services
For customer success and operations
To allow us to monitor and improve our service
Do you comply with the EU-U.S. or Swiss-U.S. Privacy Shield?
BridgeU does not have operating subsidiaries in the US and so does not need to register for programs such as these. In July 2020, the European Court of Justice (CJEU), the highest court for EU law, ruled that the EU-U.S. Privacy Shield was invalid. This is referred to as the Schrems II ruling. We have audited all of the potential transfers of data to the US and determined that none of them rely on the EU-U.S. Privacy Shield, and that they are protected and governed by other terms, such as Standard Contractual Clauses, provided by the GDPR.
Do you have a Data Protection Officer (DPO)?
Yes, our DPO can be contacted at firstname.lastname@example.org.
When and how is information shared with universities?
Information shared when using our guidance platform
We will share the personal details of a student when they apply to a university and their school is required to submit application documents electronically through BridgeU in support of the application. A student must explicitly choose to apply to a university when using BridgeU, either on the BridgeU platform itself, or when they apply via the Common App and choose to link their Common App and BridgeU accounts.
Information shared in this way includes:
- Information provided by the school staff specifically for the purpose of supporting the application, including transcripts or other uploaded documents.
- Information specifically relating to the student’s application, for example their Common Application ID.
- Demographic information about the student, as entered by the student/school staff, for example the student’s name and date of birth.
- Basic information about the member of staff submitting the supporting document, for example their name, email address and school contact details.
We may share limited information about students with universities when the student has explicitly told us they are interested in a particular university. We will not share the email address of a student and we do not sell any personal data (or any other data you provide to us) in any circumstances. Students must explicitly add a university to their shortlist or application list in order to tell us they are interested in it.
Information shared when using BridgeU Connect
We make certain aggregated and anonymised information available to universities to allow them to search for and discover schools that they would like to visit in BridgeU Connect.
This information includes:
- publicly available information (the name of the school; and the city, region and country the school is located in)
- aggregate information about the preferences of students (e.g. a school may be listed if a number of students have selected a subject preference that a university is particularly interested in)
At no point are the preferences, or any personal information, of an individual student shared, and we do not share the exact number of students that had a particular preference, only a numeric range.
Counsellors can choose to share their personal data, such as name and email address, with universities when they use BridgeU Connect to receive inquiries and requests from universities. We will not share the personal details of counsellors, or other staff members, in any other circumstances.
Information shared with group companies acting on behalf of universities
We may share partner universities with other companies in our group and, where a group company is acting on behalf of the university, we may also send personal information to those companies for the purpose of administrative support services.
When and how is information shared with schools?
University admissions and recruitment staff can choose to share their personal data, such as name and email address, with schools when they use BridgeU Connect to send inquiries and requests to schools. We will not share the personal details of University staff in any other circumstances.
How is further & higher education information provided to schools and students?
BridgeU collects and publishes information about universities and courses to help students, supported by their school counsellors, research and decide on their higher education options. BridgeU may provide or highlight information, both within the platform and using email, to students where we think it is relevant and useful for them. This information may be provided to us by universities, Government agencies, or other organisations, or it may be information we have created or collected ourselves.
The information we provide may include links to third party websites, at universities or other organisations, that a user may make use of. If a user does so, they leave the BridgeU platform, and their use of any 3rd party website is subject to the terms and conditions published by the 3rd party. BridgeU has no control over the 3rd party website and is not responsible for its content.