Fair processing notice: AAT Store

Last updated: 11 March 2024

This fair processing notice applies to users making purchases on the AAT Store and other users of AAT products where these have been purchased by your employing organisation.

The data we collect about you

  • Personal details including your name and contact details (email address, billing address and phone number).
  • Payment information including your bank and card details.
  • Basic records: purchase history and date of initial purchase.

What we do with your data and on what grounds

We can only process your personal data if we have a basis to do so which is permitted by law. This may be that you have given your consent, or it may be one of the other lawful bases for data processing. These comprise situations where it is necessary:

  • for our performance of a contract with you. We process your personal data where it's necessary in order to fulfil a contract with you or to take steps, at your request, before entering into such a contract
  • for our legitimate interests. We process your personal data as and when necessary to do so in order to conduct and manage our business to provide you with the best service and experience. We make sure we consider and balance any potential impact on you and your rights before we process your personal data for our legitimate interests. We don't use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law)
  • to meet our legal obligations. We process your personal data where it's necessary for compliance with legal or regulatory obligations.

Purpose/activity, followed by the lawful basis for processing including basis of legitimate interest:

Purpose/activity: Customer support in relation to your purchase including:

  • addressing enquiries and resolving issues
  • enabling access to third-party services made available.

Lawful basis:

  • Performance of a contract with you
  • Supporting activities performed under your consent

Purpose/activity: Managing payment, including processing invoices and payments, including card payments.

Lawful basis:

  • Performance of a contract with you
  • Legitimate interests (recovering sums owed to us)

Purpose/activity: To make important communications relevant to your account.

Lawful basis:

  • Legitimate interests (for running our business)
  • Performance of a contract with you

Purpose/activity: To meet our legal obligations, including:

  • data management, including to assess and maintain the quality of data stored, and deal with returned mail and bounced emails, whilst performing analysis on the completeness and correctness of data
  • to meet our regulatory reporting obligations.

Lawful basis:

  • To meet our legal obligations
  • Supporting activities performed under your consent and the substantial public interest (in respect of sensitive personal data)

Purpose/activity: Product development and quality control, including to:

  • recruit end users to test the website and other services
  • maintain internal quality levels by conducting call, email and CRM audits
  • identify trends and gather insight relating to AAT products and services
  • monitor engagement with third-party services
  • pre-test exams to develop suitable assessments
  • ensure that an appropriate level of quality and consistency is provided by training providers, and maintained throughout assessments and marking, and that qualifications are fair and accessible to a diverse range of students.

Lawful basis:

  • Legitimate interests (to improve our business offerings)
  • Supporting activities performed in the substantial public interest (in respect of sensitive personal data)
  • Necessary to meet our legal obligations

Purpose/activity: IT system administration, to administer internal systems including maintaining access rights, troubleshooting issues and maintaining databases and backups.

Lawful basis:

  • Performance of a contract with you
  • Legitimate interests (for running our business)

Purpose/activity: To process data received from third-party organisations to provide access to training content purchased by that organisation.

Lawful basis:

  • Legitimate interest (for running our business)

Who we share your personal data with

  • Our third-party service providers of payment, user testing, IT, career management consultancy, benefits and rewards and mailing services
  • Supervisory/regulatory bodies, law enforcement and independent investigators relating to disciplinary investigations, complaints and regulatory reporting requirements (including the Financial Conduct Authority, Department for Education, and Office of Qualifications and Examinations Regulation)

Where we get your data from

Other than directly from you, we may also receive personal data from the following third-party sources:

  • markers and our computer-based assessment marking software
  • publicly available sources, such as returned post
  • our payment providers, such as BACS
  • your employer if they have procured finance products from us.

How long we keep your data

We will retain most of your data for seven years following the end of your access to the e-learning product. The exceptions to this are below.

  • Your basic account records, such as name, address history and purchase history, will be retained for seven years from the end of your contract to support other required reporting and queries.
  • Credit card details will be managed in compliance with the Payment Card Industry Data Security Standard (PCI DSS).
