Privacy Policy

LOPEX UNICONS LTD (trading as "UNICONS") is committed to protecting the privacy and security of your personal data. This Privacy Policy describes how we collect, use, store, share, and protect personal data about you when you:

• visit our website at www.unicons.co.uk (the "Website");
• register for and use the UNICONS platform (the "Platform");
• submit an enquiry, application, or other form;
• interact with us by email, telephone, or other means.

Data Controller

The data controller responsible for your personal data is:

LOPEX UNICONS LTD 214 High Street, Second Floor Hounslow, TW3 1HB London, United Kingdom

Data Protection Contact / DPO Enquiries

We have designated a data protection contact who can be reached at:

Email: enquiry@unicons.co.uk Post: Data Protection, LOPEX UNICONS LTD, 214 High Street, Second Floor, Hounslow, TW3 1HB, London, United Kingdom

Please mark all data protection correspondence clearly with "DATA PROTECTION ENQUIRY" in the subject line or on the envelope.

ICO Registration

LOPEX UNICONS LTD is registered with the Information Commissioner's Office (ICO) under reference: [ICO Registration Number — to be inserted upon registration].

This Privacy Policy is governed by the UK General Data Protection Regulation (UK GDPR) as retained in UK law by the European Union (Withdrawal) Act 2018, and the Data Protection Act 2018 (collectively, "UK Data Protection Law").

We collect different categories of personal data depending on how you interact with us:

2.1 Website Visitors (Non-Registered)

If you visit our Website without registering, we may collect:

2.2 Registered Students

If you register as a student on the Platform, we collect:

2.3 Registered Agents and Counsellors

If you register as an agent or counsellor, we collect:

2.4 Partner Institution Representatives

2.5 Special Category Data

We will only process special category data (such as health information or disability status) where we have a valid lawful basis to do so, which will generally be your explicit consent or where processing is necessary to comply with our obligations in the field of employment, social security, or social protection law. You are never required to provide special category data to use the core features of the Platform.

We collect personal data through the following means:

3.1 Directly From You

• Registration and account creation: when you register as a student, agent, counsellor, or institution representative on the Platform;
• Enquiry and contact forms: when you complete and submit an enquiry, callback, or contact form on the Website;
• Application forms: when you submit a university application through the Platform;
• Document uploads: when you upload supporting documents such as passports, transcripts, and language certificates;
• Email and telephone communications: when you contact us by email, telephone, or post;
• Survey and feedback responses: when you participate in feedback surveys or user testing;
• Profile updates: when you update your account profile or preferences.

3.2 Automated Technologies

• Cookies and similar tracking technologies: we use cookies, web beacons, pixel tags, and similar technologies to collect technical and usage data when you visit the Website. See our Cookie Policy for full details;
• Server logs: our web servers automatically record certain technical information about your visit, including your IP address, browser type, and pages requested;
• Analytics tools: we use third-party analytics services (including Google Analytics) to collect aggregated usage statistics. These tools may set cookies on your device. See Section 7 for details of these providers.

3.3 From Third Parties

We may receive personal data about you from the following third parties:

• Partner universities and colleges: institutional representatives may provide student information in connection with applications, offers, or enrolment;
• Agents and counsellors: authorised agents or counsellors may submit data on behalf of students they are assisting;
• Payment processors: we receive confirmation of payment transactions from our payment service providers;
• Reference and verification services: we may receive identity verification information from relevant third-party verification providers;
• Publicly available sources: we may supplement your information with data from publicly available sources where relevant and proportionate.

We only process your personal data where we have a valid lawful basis under UK Data Protection Law. The following table sets out our purposes and the corresponding lawful basis:

Legitimate Interests Assessment

Where we rely on legitimate interests as our lawful basis, we have conducted a legitimate interests assessment (LIA) to ensure that our interests are not overridden by your fundamental rights and freedoms. You may request a summary of our LIA by contacting us at enquiry@unicons.co.uk.

Consequences of Not Providing Data

Where the provision of personal data is a contractual requirement or a requirement necessary to enter into a contract, failure to provide the requested data may mean that we are unable to provide you with the relevant services (for example, we cannot process a university application without your academic records).

We do not sell, rent, or trade your personal data to third parties. We may share your personal data with the following categories of recipients, solely for the purposes described in this Privacy Policy:

5.1 Partner Universities and Colleges

Where you submit an application to a partner university or college through the Platform, we will share your application data (including identity, educational, and supporting documentation) with the relevant institution for the purpose of processing your application, making an admissions decision, and managing your enrolment. Such sharing is necessary for the performance of the services you have requested.

5.2 Agents and Counsellors

Where you are a student using the services of a registered UNICONS agent or counsellor, your application data and progress will be visible to that agent or counsellor through the Platform. By using a managed application service, you consent to this access.

5.3 IT Service Providers and Cloud Hosting

We use third-party IT service providers and cloud hosting services to operate and maintain the Platform. These providers act as our data processors and are subject to contractual obligations (Data Processing Agreements) that restrict their use of your data and require them to implement appropriate security measures. These providers include hosting, email, and CRM service providers operating in accordance with UK-adequate data protection standards.

5.4 Payment Processors

We use regulated third-party payment service providers to process fee payments. Payment card data is transmitted directly to the payment processor using industry-standard encryption (PCI DSS compliant) and is not stored on our servers.

5.5 Analytics Providers

We use third-party analytics services, including Google Analytics, to collect aggregated and anonymised data about Website usage. These providers may use cookies and similar technologies. You can opt out of Google Analytics tracking by visiting tools.google.com/dlpage/gaoptout or by managing your cookie preferences.

5.6 Legal and Regulatory Authorities

We may disclose your personal data to courts, law enforcement agencies, regulators (including the ICO), or other governmental authorities where we are required to do so by law, court order, or regulatory direction, or where we reasonably believe disclosure is necessary to prevent fraud, protect our rights, or protect the safety of others.

5.7 Professional Advisers

We may share personal data with our legal advisers, accountants, and insurers where necessary for the provision of professional services, subject to appropriate confidentiality obligations.

5.8 Business Transfers

In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our business or assets, your personal data may be transferred to the relevant third party as part of that transaction, subject to equivalent data protection obligations.

LOPEX UNICONS LTD is based in the United Kingdom and primarily processes your personal data within the UK. However, some of our third-party service providers and partner universities are located outside the UK, including in countries in the European Economic Area (EEA) and beyond.

6.1 Transfers to the EEA

The UK Government has recognised the EEA as providing an adequate level of protection for personal data under UK law. Transfers to EEA-based recipients are therefore permissible without additional safeguards.

6.2 Transfers to Other Countries

Where we transfer personal data to countries outside the UK and EEA that are not subject to an adequacy decision, we ensure that appropriate safeguards are in place, which may include:

• International Data Transfer Agreements (IDTAs): the UK standard contractual clauses approved by the ICO;
• Binding Corporate Rules (BCRs): where the recipient is part of a corporate group with approved BCRs;
• Adequacy regulations: where the destination country benefits from a UK adequacy decision.

6.3 Partner Universities

Where applications are submitted to partner universities located outside the UK or EEA, the transfer of your application data is necessary for the performance of the contract between you and UNICONS and for the purposes of the university application you have requested. By submitting an application to a non-UK or non-EEA institution through the Platform, you acknowledge that your data will be transferred to that institution.

You may request further information about the specific safeguards applicable to any particular international transfer by contacting us at enquiry@unicons.co.uk.

We retain your personal data only for as long as is necessary for the purposes for which it was collected, subject to any longer retention periods required by law or regulation. The following retention schedule applies:

Where data is no longer required, we securely delete or anonymise it in accordance with our internal data retention and disposal policy. Anonymised data (which can no longer identify you) may be retained indefinitely for statistical and research purposes.

Under UK Data Protection Law, you have the following rights in relation to your personal data. We will respond to all valid requests within one calendar month of receipt, although we may extend this period by a further two months for complex or numerous requests (in which case we will notify you of the extension within the first month).

8.1 Right of Access (Subject Access Request)

You have the right to request a copy of the personal data we hold about you, together with information about how we process it, the categories of data concerned, the recipients to whom it has been or will be disclosed, and the anticipated retention period.

8.2 Right to Rectification

You have the right to require us to correct any inaccurate personal data we hold about you, and to complete any incomplete personal data, without undue delay.

8.3 Right to Erasure ("Right to be Forgotten")

You have the right to request that we delete your personal data where: - The data is no longer necessary for the purposes for which it was collected; - You withdraw consent (where processing is based on consent) and there is no other lawful basis; - You object to processing and there are no overriding legitimate grounds; - The data has been unlawfully processed; - Erasure is required to comply with a legal obligation.

This right is not absolute and does not apply where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defence of legal claims, or for certain other purposes specified in UK GDPR.

8.4 Right to Restriction of Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate grounds.

8.5 Right to Data Portability

Where processing is based on your consent or on the performance of a contract, and is carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.

8.6 Right to Object

You have the right to object at any time to the processing of your personal data where we rely on legitimate interests as our lawful basis. You also have an absolute right to object to the use of your personal data for direct marketing purposes, and we will cease such processing immediately upon receipt of your objection.

8.7 Rights in Relation to Automated Decision-Making and Profiling

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects on you. Where we use any form of automated decision-making, you have the right to request human review of that decision.

8.8 Right to Withdraw Consent

Where we process your personal data on the basis of your consent, you have the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

To exercise any of the rights described in Section 8, please contact us as follows:

Email: enquiry@unicons.co.uk (please include "DATA SUBJECT REQUEST" in the subject line)

Post: Data Protection Enquiries, LOPEX UNICONS LTD, 214 High Street, Second Floor, Hounslow, TW3 1HB, London, United Kingdom

What to Include in Your Request

To enable us to locate your data and verify your identity (which we are required to do before fulfilling any request), please include:

• Your full name and email address registered with us;
• A description of the specific right you wish to exercise;
• Any relevant details to help us locate your data (for example, your account username or application reference number);
• Where required: a copy of a valid form of identification (such as a passport or driving licence) — we will process this securely and delete it once your identity has been verified.

Cost

We will not charge a fee for fulfilling a subject access request or for exercising any other right under UK GDPR, unless the request is manifestly unfounded or excessive, in which case we may charge a reasonable administrative fee or refuse to comply (and will notify you accordingly).

Response Timeframe

We aim to respond to all requests within one calendar month. For complex or multiple requests, we may extend this period by a further two months and will inform you of the extension within the first month.

10.1 Internal Complaints

If you are unhappy with how we have handled your personal data or with our response to any data subject request, we encourage you to contact us in the first instance at enquiry@unicons.co.uk so that we have the opportunity to address your concerns.

10.2 Right to Complain to the ICO

You have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's supervisory authority for data protection matters, if you believe that we have not complied with UK Data Protection Law:

Information Commissioner's Office Wycliffe House, Water Lane Wilmslow, Cheshire, SK9 5AF Website: ico.org.uk Telephone: 0303 123 1113

We would, however, appreciate the opportunity to address your concerns before you approach the ICO, and encourage you to contact us in the first instance.

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, accidental loss, alteration, disclosure, or destruction. These measures include:

• Encryption: data in transit is encrypted using TLS 1.2 or higher; sensitive data at rest is encrypted using industry-standard encryption algorithms;
• Access controls: access to personal data is restricted to employees and contractors who need it to perform their job functions, subject to role-based access controls;
• Authentication: multi-factor authentication is required for administrative access to systems holding personal data;
• Security testing: we conduct regular vulnerability assessments and penetration testing of our Platform;
• Staff training: all staff receive data protection and information security training as part of their induction and on an ongoing basis;
• Incident response: we maintain a documented data breach response procedure and will notify you and the ICO of any notifiable breach in accordance with our obligations under UK GDPR (within 72 hours of becoming aware of a breach, where required).

No method of transmission over the internet or electronic storage is completely secure. While we take all reasonable steps to protect your personal data, we cannot guarantee absolute security and accept no liability for breaches that are outside our reasonable control.

In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay.

We use cookies and similar tracking technologies on the Website. Cookies are small text files placed on your device that help us to provide you with a better experience.

A full explanation of the types of cookies we use, their purposes, durations, and how to manage your cookie preferences is set out in our Cookie Policy.

By continuing to use the Website without adjusting your cookie settings, you consent to our use of non-essential cookies as described in the Cookie Policy.

The UNICONS Platform is primarily intended for individuals aged 18 and over. We do not knowingly collect personal data from children under the age of 13 without verifiable parental consent. If you are aged 13 to 17, you must have the consent of a parent or legal guardian before using the Platform or submitting any personal data.

If we become aware that we have inadvertently collected personal data from a child under 13 without appropriate consent, we will take steps to delete that data promptly. If you believe that a child under 13 has provided us with personal data without consent, please contact us at enquiry@unicons.co.uk.

We may update this Privacy Policy from time to time to reflect changes in our data processing practices, applicable law, or regulatory guidance. When we make material changes to this policy, we will notify you by:

• Posting the updated policy on the Website with a revised "Last Updated" date;
• Sending a notification email to registered users where the changes are significant;
• Displaying a prominent notice on the Website or Platform for a reasonable period following the update.

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.

Your continued use of the Website or Platform following the posting of an updated Privacy Policy constitutes your acknowledgement of the changes. Where we are required by law to obtain your consent to any change in how we process your personal data, we will seek that consent before implementing the change.

Effective Date: 1 September 2025 Last Reviewed: 1 September 2025

This policy was prepared in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.