Privacy Policy
This Privacy Policy explains how Atreo collects, uses, stores, and protects personal data when you visit our website, apply for the Practical Cybersecurity Academy, request information, book a consultation, or communicate with us.
1. Who we are
The company responsible for processing your personal data is:
Atreo
26 Red Arches Park
The Coast
Dublin
D13Y394
Ireland
Website: nordcyberacademy.com
For privacy-related questions, you can contact us at:
Email: gdpr@nordcyberacademy.com
Atreo is the data controller for the personal data described in this Privacy Policy, unless stated otherwise.
2. What personal data we collect
We may collect and process the following categories of personal data:
Information you provide directly
When you complete a form, apply for the academy, request a consultation, contact us, or communicate with our team, we may collect:
- Full name
- Email address
- Phone number
- Country or location
- Company name, if applicable
- Professional background
- Education or experience level
- Career goals and motivation for joining the academy
- Information submitted through application forms, contact forms, or consultation booking forms
- Messages, questions, or other communication you send to us
Information collected automatically
When you visit our website, we may collect certain technical and usage information, such as:
- IP address
- Browser type and version
- Device information
- Pages visited
- Date and time of visit
- Website interaction data
- Referral source
- Cookie and tracking preferences
This information may be collected through cookies, analytics tools, and similar technologies. See the Cookies and Tracking Technologies section below.
Payment-related information
If you purchase or reserve a place in the academy, payment may be processed by a third-party payment provider. We do not intentionally store full payment card details on our systems unless explicitly stated by the relevant payment processor.
We may receive payment-related information such as:
- Payment confirmation
- Billing name and contact details
- Invoice details
- Transaction reference
- Payment status
3. Why we use your personal data
We process your personal data for the following purposes:
To manage academy applications
We use your information to review your application, assess suitability for the academy, contact you about your application, arrange interviews or consultations, and guide you through the next steps.
To provide information about the academy
We may use your contact details to respond to enquiries, send programme information, explain pricing, share cohort details, and answer questions about the Practical Cybersecurity Academy.
To provide the academy services
If you enrol, we use your personal data to manage your participation, provide access to learning materials, communicate about classes, issue certificates where applicable, and provide student support.
To process payments and invoices
We process necessary information to manage payments, instalment plans, invoices, refunds where applicable, and accounting records.
To communicate with you
We may contact you by email, phone, or other communication channels about your application, consultation, enrolment, payment, programme access, or support requests.
To send marketing communications
Where permitted by law, we may send information about academy updates, upcoming cohorts, educational content, offers, or related services. You can unsubscribe from marketing communications at any time.
To improve our website and services
We may use website analytics and interaction data to understand how visitors use our website, improve content, measure campaign performance, and improve the user experience.
To comply with legal obligations
We may process and retain certain personal data where required for tax, accounting, regulatory, legal, or compliance purposes.
4. Legal basis for processing
Under the GDPR, personal data must be processed using a lawful basis. The lawful bases include consent, contract, legal obligation, vital interests, public task, and legitimate interests.
We rely on the following legal bases:
| Purpose | Legal basis |
|---|---|
| Responding to enquiries | Legitimate interests or steps before entering into a contract |
| Reviewing academy applications | Legitimate interests or steps before entering into a contract |
| Booking consultations | Legitimate interests or steps before entering into a contract |
| Providing academy services | Performance of a contract |
| Processing payments and invoices | Performance of a contract and legal obligation |
| Sending essential service communications | Performance of a contract or legitimate interests |
| Sending marketing communications | Consent or legitimate interests, where permitted by law |
| Website analytics | Consent, where required, or legitimate interests depending on the technology used |
| Security, fraud prevention, and website protection | Legitimate interests |
| Tax, accounting, and legal compliance | Legal obligation |
5. Cookies and tracking technologies
Our website may use cookies and similar technologies to make the website work, improve performance, analyse traffic, and support marketing activities.
Cookies may include:
- Strictly necessary cookies required for website functionality
- Analytics cookies used to understand website performance and visitor behaviour
- Marketing cookies used to measure campaigns and show relevant advertising
- Preference cookies used to remember user choices
Where required, we will ask for your consent before placing non-essential cookies on your device. You can manage or withdraw your cookie preferences through the cookie banner or browser settings.
A separate Cookie Policy may be used to provide more detailed information about the cookies and tools used on the website.
6. Who we share personal data with
We may share personal data with trusted third parties where necessary for the purposes described in this Privacy Policy.
These may include:
- Website hosting providers
- CRM and marketing automation platforms
- Email service providers
- Analytics providers
- Advertising platforms
- Payment processors
- Accounting and invoicing providers
- Learning platform providers
- Communication and scheduling tools
- IT support and security providers
- Legal, tax, accounting, or professional advisers
- Regulatory authorities, where legally required
We only share personal data where there is a valid purpose and appropriate safeguards are in place.
7. International transfers
Some service providers may process personal data outside the European Economic Area.
Where personal data is transferred outside the EEA, we will use appropriate safeguards as required by GDPR. These may include adequacy decisions, Standard Contractual Clauses, or other legally recognised transfer mechanisms.
8. How long we keep your personal data
We keep personal data only for as long as necessary for the purposes described in this Privacy Policy, including to meet legal, accounting, tax, reporting, and contractual obligations.
Typical retention periods may include:
| Data type | Retention period |
|---|---|
| Enquiry and contact form data | [Insert period, e.g. 12–24 months] |
| Academy application data | [Insert period, e.g. 24 months] |
| Student enrolment records | [Insert period, e.g. duration of programme plus 6 years] |
| Payment, invoice, and accounting records | [Insert period required under Irish tax/accounting law] |
| Marketing contact data | Until you unsubscribe or object, unless another lawful basis applies |
| Website analytics data | [Insert period based on analytics provider settings] |
When personal data is no longer needed, we will delete it or anonymise it where appropriate.
9. How we protect your personal data
We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration, disclosure, or destruction.
These measures may include:
- Access controls
- Secure systems and hosting
- Password protection
- Staff confidentiality obligations
- Data minimisation
- Secure communication tools
- Regular review of data processing practices
- Vendor and processor controls where applicable
No website, system, or online transmission can be guaranteed to be completely secure. However, we take reasonable steps to protect personal data.
10. Your GDPR rights
Under the GDPR, individuals have several rights in relation to their personal data, including the right to be informed, access personal data, request correction, request erasure, restrict processing, data portability, object to processing, and rights related to automated decision-making where applicable.
You may have the right to:
- Request access to the personal data we hold about you
- Request correction of inaccurate or incomplete personal data
- Request deletion of your personal data in certain circumstances
- Request restriction of processing in certain circumstances
- Object to processing based on legitimate interests
- Object to direct marketing at any time
- Request data portability in certain circumstances
- Withdraw consent where processing is based on consent
- Lodge a complaint with a supervisory authority
Withdrawing consent does not affect the lawfulness of processing carried out before consent was withdrawn.
11. Marketing communications
You can opt out of marketing emails at any time by clicking the unsubscribe link in our emails or by contacting us directly.
Even if you unsubscribe from marketing communications, we may still send essential service-related messages, such as information about your application, enrolment, payment, academy access, or contractual relationship with us.
12. Automated decision-making
We do not use personal data for automated decision-making that produces legal or similarly significant effects on you.
If this changes, we will update this Privacy Policy and provide information required by applicable data protection law.
13. Children’s data
The Practical Cybersecurity Academy is not intended for children. We do not knowingly collect personal data from children.
If you believe that a child has provided us with personal data, please contact us so we can take appropriate action.
14. Links to other websites
Our website may contain links to third-party websites, tools, platforms, or services. We are not responsible for the privacy practices or content of third-party websites.
You should review the privacy policies of any third-party websites or services you use.
15. Complaints
If you have concerns about how we process your personal data, please contact us first so we can try to resolve the issue.
As Atreo is based in Ireland, you may also have the right to lodge a complaint with the Irish Data Protection Commission. The European Commission explains that GDPR rights are supervised by independent data protection authorities.
Irish Data Protection Commission
Website: dataprotection.ie
16. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make changes, we will update the “Last updated” date at the top of this page.
Material changes may be communicated through the website or by other appropriate means.