Version 1.0 | Effective Date: 1 January 2025 | Last Reviewed: April 2026
1. Our Commitment
Koryis Ltd is committed to full compliance with the UK General Data Protection Regulation (UK GDPR), the EU GDPR 2016/679, and the Data Protection Act 2018. We operate as a data controller in respect of all personal data processed through the IC platform.
2. Lawful Basis for Processing
Performance of a contract (Art. 6(1)(b)): Processing account and learning data to deliver the IC tutoring service.
Legitimate interests (Art. 6(1)(f)): Security monitoring, fraud prevention, and service analytics.
Legal obligation (Art. 6(1)(c)): Retaining records required by UK law.
Consent (Art. 6(1)(a)): Optional communications such as newsletters. You may withdraw consent at any time.
3. Data Subject Rights
Right of Access (Art. 15): Request a copy of all personal data we hold.
Right to Rectification (Art. 16): Request correction of inaccurate data.
Right to Erasure (Art. 17): Request deletion where we no longer have a lawful basis.
Right to Restriction (Art. 18): Request limited processing in certain circumstances.
Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format.
Right to Object (Art. 21): Object to processing based on legitimate interests.
Rights Related to Automated Decisions (Art. 22): Our mastery scoring is for educational guidance only and does not make legally binding decisions.
4. How to Exercise Your Rights
Submit a written request to Admin@koryis.com. We will respond within one calendar month. We do not charge a fee for reasonable requests. We may ask you to verify your identity before processing.
5. Data Protection by Design and Default
We collect only the minimum personal data needed, grant access on a need-to-know basis, and apply technical safeguards including encryption, access logging, and regular security review.
6. Data Processing Agreements
All third-party sub-processors are engaged under Data Processing Agreements requiring them to process data solely on our instructions, maintain appropriate security measures, and comply with GDPR obligations.
7. International Data Transfers
Where data is transferred outside the UK or EEA, we rely on the UK Government's adequacy decisions, Standard Contractual Clauses, or Binding Corporate Rules. Details are available on request.
8. Data Breach Notification
In the event of a personal data breach posing a risk to individuals' rights and freedoms, we will notify the UK ICO within 72 hours and affected individuals without undue delay.
9. Supervisory Authority
Our lead supervisory authority is the Information Commissioner's Office (ICO), United Kingdom. You may lodge a complaint at ico.org.uk.