The page you are visiting was formerly part of the Which? University website, but is now being provided by The Uni Guide — part of The Student Room.

For more information please click here.

Cookies help us deliver our services. By using our services, you agree to our use of cookies. Learn more

1. Introduction

Welcome to The Student Room Group Limited (TSRG) privacy notice.

1.1 Scope and aim

This notice applies to data processed in connection with:
 
  • TheStudentRoom.co.uk
  • The Student Room discussion app
  • GetRevising.co.uk
  • TheUniGuide.co.uk
The above are collectively referred to as “websites” in the rest of this notice.

TSRG respects your privacy. We are committed to protecting your personal data when you use our websites. This privacy notice will inform you how we look after your personal data. It will tell you about your rights. It will also say how UK data protection law protects you.

1.2 Data controller and Data Protection Officer (DPO)

The Student Room Group Ltd is the controller for data collected through the websites and is responsible for your personal data. It will be referred to as TSRG, "we", "us" or "our" in this privacy notice).

TSRG Postal address: International House, Queens Road, Brighton, BN1 3XE
TSRG phone: 0800 999 3222
Data Protection Officer email address:
[email protected]

The best way to contact us is via our DPO email address.

1.3 Updates to this notice and your data

The privacy notice was last updated on: 01/04/2020.

TSRG may update this privacy notice at any time. We do this to ensure it is correct and a true reflection of how TSRG process your personal data.

We encourage you to regularly check this page for any changes. This helps you to stay informed about how we are using and protecting your personal data.

It is also important that the personal data we hold about you is accurate and current. We may ask you to confirm or update your data when you use our websites and services.

At other times, please also keep us informed if your personal data changes during your relationship with us. You can do this through your account with us or by getting in touch.

1.4 Third-party links

Our websites may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.

We do not control these third-party websites and are not responsible for their privacy notices. When you leave our websites, we encourage you to read the privacy notice of every website you visit.

2. Data collection and data uses

2.1 The data we collect about you

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you. We have grouped together the data into these categories:

Identity data
e.g. username, first name, last name, date of birth and gender.

Contact data
e.g. email address and telephone numbers.

Technical data
e.g. internet protocol ("IP") address, your login data, browser type and version, time zone settings, browser plug-in types and versions, operating system and the devices you use.

Geographic data
e.g. locations worked out from your IP address and location data you provide, post code, country of residence. 

Profile data 
e.g. your username and password, your education, your interests, preferences, content you create, feedback and survey responses.

Usage data
e.g. how you use our websites and services.

Marketing and communications data
e.g. marketing preferences and email interactions.

Education data
e.g. universities you're interested in, years you want to start university study, university open days you are interested in. 

2.1.1 Aggregated data

We also collect, use and share aggregated data such as statistical or demographic data.

Aggregated data may be worked out from your personal data. It is not considered personal data in law. This is because it does not directly or indirectly reveal your identity.

For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature.

We may combine or connect Aggregated Data with your personal data. This may mean it can directly or indirectly identify you.  If it does, we treat the combined data as personal data.

2.1.2 Special categories of data

Special categories of personal data include details about:
 
  • your race or ethnicity,
  • religious or philosophical beliefs,
  • sex life,
  • sexual orientation,
  • political opinions,
  • trade union membership,
  • information about your health
  • genetic and biometric data.
We do not routinely process this data about you. We also do not routinely collect any information about criminal convictions and offences.

However, in using our websites, members may choose to make content which contains special categories of data. Members may also choose to publicly share this data on our websites.

Doing this is entirely optional. It is only done with you fully involved, such as writing and submitting a post.

2.2 How we collect your data

We use different methods to collect data from and about you including:

i. Direct interactions. You may give us your Identity, Contact, Profile, Geographic and Marketing and Communications Data by filling in forms on our websites. This includes personal data you provide when you:
 
  • use our tools, products, services or websites;
  • create an account on our websites;
  • update an account on our websites;
  • request marketing to be sent to you;
  • enter a competition or promotion; or
  • take part in a survey or market research; or
  • give us some feedback; or
  • complete a form to make an enquiry to a university, download a prospectus or book on to an open day. 
ii. Automated technologies or interactions. As you use our websites, we may automatically collect Technical and Usage Data. This can include data about your equipment, browsing actions and usage patterns. We collect this personal data by using cookies, server logs and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy  for further details.

iii. Third parties. We may receive personal data about you from third parties, including:

 
  • Technical Data from analytics providers: e.g. Google and data management platforms.
  • Identity, Contact and Profile Data when you choose to register on our site via Facebook or Google
  • Geographic data worked out from your IP address: e.g. from geo-identification services.

2.3 How we use your data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
 
  • Where we need to enter into a contract with you or have already entered into a contract with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.

2.3.1 Consent

Generally, we do not rely on consent as a legal basis for processing your personal data. However, when we do, you will be asked to clearly give your consent, should you wish to.

For example, we may ask for consent for sending seasonal third-party direct marketing communications to you via email or text message.

We will also ask for your consent if you complete a form to make an enquiry to a university, download a prospectus or book on to an open day to allow us to share your personal data with a specific university. 

When we rely on consent, you have the right to withdraw that consent at any time by contacting us.

2.3.2 Purposes for which we will use your personal data

Below we have described all the ways we plan to use your personal data. This includes details of which legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out below.
 
Purpose/Activity:
To register you as a new member
Type of data:
Identity, Contact, Technical, Usage, Marketing and Communications
Lawful basis for processing including basis of legitimate interest:
Performance of a contract with you

Purpose/Activity:
To manage our relationship with you which will include:
- Notifying you about changes to our terms or privacy policy
- Password changes and notifications
Type of data:
Identity, Contact, Technical, Profile, Usage, Marketing and Communications
Lawful basis for processing including basis of legitimate interest:
Performance of a contract with you
Necessary to comply with a legal obligation
Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

Purpose/Activity:
To enable you to partake in a prize draw, competition or complete a survey
Type of data:
Identity, Contact, Profile, Usage, Marketing and Communications
Lawful basis for processing including basis of legitimate interest:
Performance of a contract with you Necessary for our legitimate interests (to study how customers use our products/services, to develop them and grow our business)

Purpose/Activity:
To administer and protect our business and our websites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
Type of data:
Identity, Contact, Technical
Lawful basis for processing including basis of legitimate interest:
Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
Necessary to comply with a legal obligation

Purpose/Activity:
To deliver relevant website content and advertisements and emails to you and measure or understand the effectiveness of the products advertising we serve to you
Type of data:
Identity, Contact, Technical, Profile, Usage, Marketing and Communications
Lawful basis for processing including basis of legitimate interest:
Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy)

Purpose/Activity:
To use data analytics to improve our websites, products/ services, marketing, customer relationships and experiences
Type of data:
Identity, Technical, Profile, Usage
Lawful basis for processing including basis of legitimate interest:
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our websites updated and relevant, to develop our business and to inform our marketing strategy)

Purpose/Activity:
Personalisation of our site and email experience with our websites
Type of data:
Identity, Contact, Technical, Profile, Usage, Marketing and Communications
Lawful basis for processing including basis of legitimate interest:
Necessary for our legitimate interests (to develop our products/services and grow our business)

Purpose/Activity:
To deliver seasonal specific email and SMS products to you
Type of data:
Identity, Contact, Marketing and Communications
Lawful basis for processing including basis of legitimate interest:
We will always gain consent for non-regular/seasonal products that we may from time to time wish to deliver to you

Purpose/Activity:
Third Party use of data, including sharing with universities
Type of data:
Identity, Profile, Technical, Usage, Education, Geographic
Lawful basis for processing including basis of legitimate interest:
We will always gain consent for use of your data by third parties

The following sections go into more detail on specific data uses.

2.2.3 Promotional offers from us

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have provided us with your details when you registered; and you have not opted out of receiving that marketing.

2.2.4 Third-party marketing, university enquiries, prospectus downloads and open day bookings

We will get your express opt-in consent before we share your personal data with any company or organisation outside the TSR group of companies for marketing purposes and/or to deal with your requests.

2.2.5 Opting out

You can ask us or third parties to stop sending you marketing messages at any time. You can do this by:
 
  • logging into your accounts on our websites and editing your preferences
  • following the opt-out links on any marketing message sent to you
  • contacting us at any time
  • opting out of marketing messages, will not apply to personal data provided to us for the purposes of managing your account with us, such as password reset emails.

2.2.6 Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our websites may become inaccessible or not function properly. For more information about the cookies we use, please see our cookie policy.

2.2.7 Other uses of your personal data

Your personal data will not be used for any other purpose without your explicit consent, unless permitted or required by law.

2.3 Change of purpose

We will only use your personal data for the purposes for which we collected it, unless:
 
  • we reasonably consider that we need to use it for another reason; and
  • that reason is compatible with the original purpose.
  • If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
You can contact us if you wish to get an explanation about how the processing for the new purpose is compatible with the original purpose, please contact us. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

2.4 If you fail to provide personal data

Where we need to collect personal data
 
  • by law, or
  • under the terms of a contract we have with you
  • and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with goods or services).
    In this case, we may have to cancel a product or service you have with us, but we will notify you if this is the case at the time.

3. International transfers

Your personal data will not normally be transferred outside of the European Economic Area (EEA). However, in some cases we may be required to do so. If this happens, we will always ensure appropriate safeguards are in place. Section 4 includes details of any international transfers.
 

4. Sharing your data

We will not share any of your personal data without your consent, except in the following circumstances:

  a) Third-party data processors
We may use third-party data processors to carry out specific activities. We will ensure contracts are in place with all third-party processors. The contacts will contain all the clauses required by data protection law. Our current categories of data processors are:

  Email service providers
 
  • e.g. Salesforce Marketing Cloud, MailGun
  • They send the emails from us to you – both marketing emails and those helping you manage your account and notifications; or help us manage and verify email addresses.
  • Locations: EEA or US based (transferred based on EU-US Privacy Shield, binding corporate rules or standard contractual clauses)
Survey and quiz tools
 
  • e.g. SurveyMonkey, GetFeedBack,
  • We use these to enable you to partake in surveys and quizzes and help us gather feedback
  • Location: EEA or US based (transferred based on EU-US Privacy Shield, binding corporate rules or standard contractual clauses)
Data and analysis service providers
 
  • e.g. Google Analytics, Permutive
  • We use these to collect data on site visitors and pageviews to understand our audience and improve our websites and the services we offer you
  • Location: EEA or US based (transferred based on EU-US Privacy Shield, binding corporate rules or standard contractual clauses)
Website maintenance tools and I.T. and development services
 
  • We use these to administer, protect, develop and improve our websites; and to manage our I.T. systems.
  • Location: EEA or US based (transferred based on EU-US Privacy Shield)
Hosting service providers 
 
  • e.g. Rackspace, Amazon Web services (AWS)
  • They host our websites and data
  • Location: EEA or US based (transferred based on EU-US Privacy Shield)
Ad serving providers
 
  • e.g. Google Ad Manager, Google Video and Display 360, Facebook
  • We use these services to deliver relevant advertising to you on our sites and elsewhere and understand the effectiveness of the adverts
  • Location: EEA or US based (transferred based on EU-US Privacy Shield)
Personalisation tool
 
  • e.g. Optimise
  • We use this service to personalise your experience on our sites and in emails to ensure it is as relevant as possible for you
  • Location: EEA or US based (transferred based on EU-US Privacy Shield)
Geo-identification service
 
  • e.g. MaxMind
  • We use this to find out your approximate location, based on your IP address, so we can deliver more relevant ads, content and emails to you.
  • Location: US based (transferred based on EU-US Privacy Shield)
Customer relationship managment systems
 
  • e.g. Salesforce CRM
  • We use these to manage your enquiries to universities, and to log your form completions for open days and prospectuses
  • Location: UK and US based (transferred based on EU-US Privacy Shield) 
Professional advisors
 
  • e.g. lawyers, bankers, auditors and insurers who provide consultancy, legal, insurance and accounting services
  • Location: United Kingdom based
     
b) Sub-contractors
TSRG may use a sub-contractor to carry out specific tasks. If this includes the processing of personal data, the sub-contractor is treated the same as other staff at TSRG. This ensure the same legal requirements are in place to protect your personal data. They are always based in the EEA.

c) Regulators or other authorities
Sometimes, official regulators or authorities may legally require information about our data processing. This will rarely require us to share personal data. If we need to share personal data, we would only ever share the minimum data the law requires us to share.
  Your personal data will not be shared with any other third parties except those above.

5. Data security

We have put in place appropriate technical and organisational security measures. This is to prevent misuse of your data, including:
 
  • your data being lost or changed
  • your data being seen by someone who should not have access
  • your data being used in ways not listed here
Only people at TSRG and third parties who have a need to use your data will have access. They will only process your personal data on the instruction of TSRG. They will also be subject to a duty of confidence.

We have put in place procedures to deal with any suspected personal data breach. This includes processes to notify you and any applicable regulator of a breach where we are legally required to do so.

6. Data retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for. This includes for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal data, we consider
 
  • the amount, nature, and sensitivity of the personal data,
  • the potential risk of harm from unauthorised use or disclosure of your personal data,
  • the purposes for which we process your personal data
  • whether we can achieve those purposes through other means, and
  • the applicable legal requirements
In some circumstances we may aggregate or anonymise your personal data for research or statistical purposes. This means the data can no longer be associated with you. In these situations, the data stops being classed as personal data and we may use this information indefinitely without further notice to you.

There are two exceptions to these rules:
1) You request the deletion of all your personal data (see Your legal rights below for further information)
2) There is another legal basis for keeping any of the data for longer, for example, the establishment or defence of a legal claim

7. Children’s Information

In the UK a child is defined as being under the age of 13 for data protection laws. Our websites are not aimed at people below the age of 13. Most products and services are aimed at people aged 14 and above.

We therefore do not knowingly process the personal data of any children.

This privacy notice has also been reviewed to ensure people aged 14 or above can understand it.

8. Your legal rights

Under certain circumstances, you have rights under UK law in relation to your personal data.

No fee usually required: you will not usually have to pay a fee to exercise these rights. However, if a request is clearly unfounded, repetitive or excessive, we may decide to charge a reasonable fee before proceeding.

Time limit to respond: we will usually respond within 30 days unless the request is particularly complex. In this case, we will notify you to keep you updated.

What we may need from you: when using these rights, we may also request more information from you. This will be to confirm your identity and to ensure the security of personal data.
 
i. Informed
You have the right to be informed about what personal data is processed, what it is used for, why we are processing it, who is processing it and your legal rights. This privacy notice is our way of informing you of this.

ii. Consent
Where we rely on your explicit consent as the legal basis for processing your data. You have the right to withdraw that consent at any time and object to us processing your data.

iii. Access
You have a right to request a copy of the personal data we hold about you at any time. This is also known as a data subject access request.

iv. Correction
You have the right to request we correct any incomplete or inaccurate data we hold about you. We may need to confirm any changes to data you request are correct.

v. Erasure
You have the right to request we delete any personal data we hold about you. Sometimes this might not be possible, e.g. if we are required by law to keep certain records, in which case we will tell at the time of your request.

vi. Objection to processing
In some situations, e.g. where we are relying on legitimate interests to process personal data or where we are using your data for direct marketing, you have the right to object to the processing. In some cases, we may demonstrate that we have compelling legitimate grounds to continue to process your data which override your rights and freedoms.

vii. Restriction of processing
You have the right to request we stop processing your data if:
 
  • You want us to establish the data’s accuracy
  • Where our use of the data is unlawful, but you don’t want us to delete it
  • Where you need us to hold the data, even if we no longer require it, as you need to establish, exercise or defend a legal claim
  • You have objected to our use of your data, but we need to verify overriding legitimate grounds.
viii. Data portability
You have the right to receive a copy of the personal data you have provided us, should you wish to transfer it to another data controller. The data we provide should be in a structured machine-readable format.

ix. Withdraw consent
At any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Please contact our Data Protection Officer if you wish to exercise any of these rights.
Email: [email protected]

You have the right to make a complaint at any time to the Information Commissioner's Office ("ICO"). The ICO is the UK supervisory authority for data protection issues (www.ico.org.uk).

However, we would like the chance to deal with your concerns before you contact the ICO. Therefore, please do contact us in the first instance.