Skip to content
Total Skills UK

Privacy Policy

Last updated: March 2026

1. Who We Are

Total Skills Ltd (Company Registration Number 13304241, VAT Registration Number 381693467) is the data controller responsible for the personal data collected through this website (www.totalskills.co.uk) and through our training services. We are a City & Guilds Approved Centre (Centre Number 009512) delivering construction, electrical, and renewable energy training across the United Kingdom.

Our registered office is at Office J, Arnold Business Centre, Brookfield Road, Arnold, Nottingham NG5 7ER.

Our Data Protection Officer is Lucy Kirkby. For any data protection enquiries, you can contact our DPO at [email protected] or by telephone on 0115 666 2366.

This privacy policy explains how we collect, use, store, and protect your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It applies to all personal data we process, whether you are a prospective learner, an enrolled student, a website visitor, or someone who contacts us via our communication channels.

2. What Data We Collect

We collect personal data in several categories depending on how you interact with us. Below is a detailed breakdown of the data we collect and whether it is mandatory or optional.

2.1 Identity and Contact Data (Mandatory)

When you enrol on a course, we require the following information to process your registration:

  • Name: first name and last name
  • Email address: used for enrolment confirmation, course communications, and account access
  • Date of birth: required for awarding body registration and identity verification
  • Postal address: address line 1, city, and postcode — used for certificate delivery and awarding body records
  • Phone number: with country code, used for course reminders and urgent communications
  • Gender: male, female, or other — required by certain awarding bodies for registration
  • Digital signature: collected during enrolment to confirm acceptance of terms and conditions

2.2 Additional Identity Data (Optional)

You may optionally provide the following information during enrolment:

  • Middle name
  • Address line 2
  • Employer name and job title
  • Emergency contact details (name, phone number, and relationship to you)
  • City & Guilds registration number (if you already hold one from a previous qualification)

2.3 Special Category Data

Under UK GDPR, certain types of personal data are classified as "special category data" and require additional safeguards. We collect the following special category data only where you provide explicit consent:

  • Medical conditions: we ask whether you have any medical conditions that may affect your ability to participate in training. If you indicate that you do, you may provide free-text details so we can make reasonable adjustments to your learning environment
  • Learning needs: we ask whether you have any learning difficulties or disabilities. If you indicate that you do, you may provide free-text details so we can offer appropriate support during your course

This data is collected solely for the purpose of making reasonable adjustments under the Equality Act 2010. You are not obliged to provide it, and your enrolment will not be affected if you choose not to disclose this information. Where provided, it is processed under Article 9(2)(a) of UK GDPR (explicit consent).

2.4 Technical Data

When you visit our website, we may automatically collect the following technical data:

  • IP address
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent on each page
  • Referring website or search term
  • Session data and interaction patterns

This data is collected via Google Analytics (through Google Tag Manager). By default, all analytics cookies are set to deny until you provide explicit consent through our cookie consent banner. For more details, see our Cookie Policy.

2.5 Communication Data

We collect data from your interactions with us across our communication channels:

  • Live chat: messages exchanged via our website chat at chat.totalskills.co.uk, including any personal details you share during the conversation
  • WhatsApp: messages sent and received through the WhatsApp Business API
  • Email: correspondence sent to or received from our email addresses
  • Telephone: records of phone calls, including date, time, and duration

Our live chat system uses AI-assisted responses to help answer common questions quickly. A human team member is always available and can be reached at any point during a chat conversation. AI-generated responses are clearly supplementary to human support, and you may request to speak with a person at any time.

2.6 Financial Data

We do not store your full payment card details on our servers. Payment processing is handled entirely by our PCI DSS compliant payment providers. The financial data we do retain includes:

  • Card brand (e.g. Visa, Mastercard) and the last four digits of your card number, for reference purposes only
  • Stripe customer ID and payment method identifiers
  • GoCardless mandate identifiers (for Direct Debit payments)
  • Klarna session data (for pay-later arrangements)

3. How We Use Your Data

We only use your personal data where we have a lawful basis to do so under UK GDPR. The lawful bases we rely on are contractual necessity, legitimate interest, consent, and legal obligation. Below is a detailed explanation of each purpose and its corresponding lawful basis.

3.1 Contractual Necessity

We process your data where it is necessary to fulfil our contract with you:

  • Processing your course enrolment and delivering the training services you have booked
  • Processing payments, managing instalment plans, and issuing invoices and receipts
  • Registering you with awarding bodies including City & Guilds (via EDI file containing your name, date of birth, gender, email address, course code, and our centre number 009512), EAL, and LCL Awards for examinations and certification
  • Processing JIB ECS Card applications where you have requested this as part of your training package
  • Submitting ELCAS (Enhanced Learning Credits Administration Service) funding claims for eligible military personnel and veterans
  • Sending you payment reminders at seven days and three days before a payment is due
  • Communicating with you about your course details, schedule changes, venue information, and assessment results

3.2 Legitimate Interest

We process your data where we have a legitimate business interest, provided that your rights and interests do not override ours:

  • Sending course reminders at seven days and one day before your course start date
  • Responding to enquiries you submit via our contact form, email, live chat, WhatsApp, or telephone
  • Improving our website, training materials, and services based on usage patterns and feedback
  • Preventing fraud and protecting the security of our systems and services
  • Measuring advertising effectiveness by sharing securely hashed (non-reversible) identifiers with Google when you complete a purchase on our enrolment platform. This allows us to understand which advertisements led to enrolments. Google cannot use this data to identify you or contact you, and it is used solely for conversion measurement in accordance with Google's data processing terms

3.3 Consent

We process your data based on your explicit consent in the following cases:

  • Sending you marketing communications about upcoming courses, special offers, and promotions. You can opt in during enrolment and unsubscribe at any time using the link provided in every marketing email
  • Collecting and processing special category data (medical conditions and learning needs) for the purpose of making reasonable adjustments
  • Setting analytics cookies on your device to help us understand how visitors use our website (consent managed via our cookie banner)

3.4 Legal Obligation

We process your data where it is necessary to comply with a legal obligation:

  • Maintaining financial records for HMRC tax compliance purposes
  • Retaining enrolment and assessment records as required by our awarding bodies
  • Responding to lawful requests from regulatory authorities or law enforcement

4. Who We Share Your Data With

We share your personal data only where necessary to deliver our services, process payments, or comply with legal requirements. We never sell your personal data to third parties. Each third party can only use your data to the extent required to perform their specific service for us.

4.1 Awarding Bodies

  • City & Guilds: we submit your name, date of birth, gender, email address, and course code via EDI file for examination registration and certification. Our centre number is 009512
  • EAL: we share your registration details for EAL-accredited qualifications
  • LCL Awards: we share your registration details for LCL Awards qualifications

4.2 Payment Processors

  • Stripe: processes card payments, Klarna pay-later transactions, pay-by-bank transfers, and Revolut Pay. Stripe is PCI DSS Level 1 certified
  • GoCardless: processes Direct Debit payments for instalment plans
  • Stripe BACS: processes BACS Direct Debit payments

4.3 Service Providers

  • Amazon Web Services (SES): sends transactional emails on our behalf, such as enrolment confirmations, payment receipts, and course reminders. We do not use AWS for marketing emails
  • LearnWorlds: our learning management system provider, used for delivering self-paced online course content
  • Xero: our cloud accounting platform, used for invoicing and financial record-keeping via secure API integration
  • Meta (WhatsApp Business API): processes WhatsApp messages between you and our team. Meta's own privacy policy also applies to messages sent via WhatsApp

4.4 Funding and Industry Bodies

  • ELCAS: if you are claiming Enhanced Learning Credits as a serving or former member of HM Armed Forces, we share the necessary details to process your funding claim
  • JIB: if you are applying for an ECS (Electrotechnical Certification Scheme) Card or Gold Card, we share your details with the Joint Industry Board to process your application

5. International Data Transfers

Some of our third-party service providers (such as Stripe and Amazon Web Services) may process your data outside the United Kingdom. Where this occurs, we ensure that appropriate safeguards are in place, such as standard contractual clauses approved by the UK Information Commissioner's Office, or the service provider being located in a country that has been granted an adequacy decision by the UK Government. Your data is protected to the same standard regardless of where it is processed.

6. How Long We Keep Your Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The specific retention periods are as follows:

  • Enrolment and assessment records: 5 years from the date of your last qualification, as required by City & Guilds and other awarding bodies
  • Financial and payment records: 7 years, as required by HMRC for tax compliance purposes
  • Email logs: 30 days
  • Chat conversations: 12 months from the date of the conversation, for quality assurance and training purposes
  • Contact form enquiries: 12 months from the date of submission
  • Marketing consent records: retained until you withdraw your consent
  • Website analytics data: 26 months (the Google Analytics default retention period)
  • Webhook and audit logs: 12 months

When the retention period expires, we securely delete or anonymise your data so that it can no longer be associated with you. Where data must be retained for legal or regulatory purposes beyond the standard retention period, access is restricted to authorised personnel only.

7. Data Security

We take the security of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against unauthorised access, alteration, disclosure, or destruction. These measures include:

  • Encryption in transit: all data transmitted between your browser and our servers is encrypted using HTTPS with HSTS (HTTP Strict Transport Security) preload enabled
  • Content Security Policy: we enforce Content Security Policy (CSP) headers to protect against cross-site scripting and other injection attacks
  • PCI DSS compliant payment processing: all payment card data is processed by Stripe and GoCardless, both of which are PCI DSS Level 1 certified. We never store, process, or transmit full card numbers on our own servers
  • Encrypted certificate storage: digital certificates and sensitive credentials are stored using encryption at rest
  • Role-based access control: access to personal data is restricted to staff members who need it to perform their duties. Each staff member has individual login credentials with appropriate permission levels
  • Audit logging: all changes to enrolment data are recorded in an audit log that captures the timestamp, IP address, and the user who made the change. This allows us to trace and investigate any unauthorised modifications
  • Data lock after certification: once a certificate has been issued for your qualification, your enrolment data is locked to prevent accidental modification. Any subsequent changes require administrator approval and are fully logged

While we take all reasonable precautions, no method of electronic transmission or storage is completely secure. If you have reason to believe that your interaction with us is no longer secure, please contact us immediately at [email protected].

8. Live Chat & WhatsApp Messaging

We offer live chat support through our website and messaging via WhatsApp Business. This section explains how your data is handled when you use these services.

8.1 Data Collected via Chat and Messaging

  • Your name, if you choose to provide it
  • Your email address, if you choose to provide it
  • Your phone number (automatically associated with WhatsApp messages)
  • The content of all messages exchanged during the conversation
  • Conversation history and session metadata (timestamps, session duration)

8.2 AI-Assisted Responses

Our live chat system uses artificial intelligence to help answer common questions quickly and accurately. AI-generated responses are based on our course information, pricing, and frequently asked questions. A human team member is always available during business hours and can be reached at any point during a conversation. If the AI is unable to answer your question satisfactorily, your enquiry will be automatically escalated to a member of our team.

8.3 WhatsApp

Messages sent via WhatsApp are processed through Meta's WhatsApp Business API. Meta acts as a data processor for message delivery. Meta's own privacy policy also applies to your use of WhatsApp. We recommend reviewing their policy if you choose to contact us via this channel.

8.4 Retention and Deletion

Chat conversations and WhatsApp message histories are retained for 12 months for quality assurance and service improvement purposes. You can request deletion of your chat history at any time by contacting us at [email protected].

9. Cookies

Our website uses cookies and similar tracking technologies. By default, all non-essential cookies (including analytics cookies) are set to deny until you provide explicit consent through our cookie consent banner.

For a full explanation of the cookies we use, their purposes, and how to manage your cookie preferences, please see our Cookie Policy.

10. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, you have the following rights regarding your personal data. These rights are not absolute and may be subject to certain conditions and exemptions.

  • Right of access:you have the right to request a copy of the personal data we hold about you. This is commonly known as a "subject access request". We will provide this information free of charge within one month of receiving your request
  • Right to rectification: you have the right to request that we correct any personal data that is inaccurate or incomplete. If you are an enrolled learner, you can also submit correction requests through our learner portal
  • Right to erasure: you have the right to request that we delete your personal data. Please note that we may not be able to comply with this request where we are required to retain your data for legal or regulatory purposes (for example, awarding body requirements or HMRC tax records)
  • Right to restrict processing: you have the right to request that we limit how we use your data in certain circumstances, for example while we investigate a complaint you have raised about accuracy
  • Right to data portability: you have the right to request your personal data in a structured, commonly used, and machine-readable format (such as CSV or JSON), and to have it transferred to another data controller where technically feasible
  • Right to object: you have the right to object to the processing of your personal data where we are relying on legitimate interest as the lawful basis. You also have the absolute right to object to direct marketing at any time
  • Right to withdraw consent: where we process your data based on your consent (such as marketing emails or special category data), you have the right to withdraw that consent at any time. Withdrawing consent does not affect the lawfulness of any processing carried out before you withdrew it

10.1 How to Exercise Your Rights

To exercise any of your rights, you can contact our Data Protection Officer, Lucy Kirkby, at [email protected] or by telephone on 0115 666 2366. We will acknowledge your request within five working days and provide a substantive response within one month. If your request is particularly complex, we may extend this period by a further two months, but we will inform you of any extension within the initial one-month period.

10.2 Learner Portal Access

If you are an enrolled learner, you can view much of the personal data we hold about you through your learner portal. The portal also provides a change request workflow: you can submit a request to update your details, which will be reviewed and approved by an administrator. This provides a convenient self-service option in addition to contacting us directly.

10.3 Unsubscribing from Marketing

You can unsubscribe from marketing communications at any time by clicking the "unsubscribe" link included at the bottom of every marketing email we send. You can also contact us directly to be removed from our marketing list. Please note that unsubscribing from marketing will not affect essential communications related to your enrolment, such as course reminders and payment notifications.

11. Children's Privacy

Our training courses are designed for adults aged 18 and over. We do not knowingly collect personal data from children under the age of 18. Some of our courses accept learners aged 16 and 17 with parental or guardian consent, and in such cases the parent or guardian must provide their own consent for the collection and processing of the learner's personal data. If you believe we have inadvertently collected data from a child under 16 without appropriate consent, please contact us immediately so we can take steps to delete it.

12. Automated Decision-Making

We do not use your personal data for automated decision-making or profiling that produces legal or similarly significant effects. While our live chat uses AI-assisted responses, these are limited to answering informational queries and do not involve decisions about your enrolment, assessment, certification, or any other matter that would have a significant impact on you.

13. Complaints

If you are unhappy with how we have handled your personal data, we encourage you to contact us first so we can try to resolve your concern.

  • Internal complaint: contact our Data Protection Officer at [email protected]. We aim to respond to all complaints within five working days
  • External complaint: you have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent supervisory authority for data protection. You can contact the ICO at ico.org.uk or by calling 0303 123 1113

14. Changes to This Policy

We may update this privacy policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes to this policy, we will notify you by email (if we hold your email address) and update the "Last updated" date at the top of this page. We encourage you to review this policy periodically to stay informed about how we protect your data.

15. Contact Us

If you have any questions about this privacy policy, wish to exercise your data protection rights, or need to speak with our Data Protection Officer, please contact us using any of the methods below.

Data Protection Officer: Lucy Kirkby
Email: [email protected]
Phone: 0115 666 2366
Address: Total Skills Ltd, Office J, Arnold Business Centre, Brookfield Road, Arnold, Nottingham NG5 7ER
Company Registration: 13304241
VAT Number: 381693467

See also: Terms & Conditions | Cookie Policy