Personal Data Processing Policy
Effective Date:
This Personal Data Processing Policy ("Policy") is established by FAQ MEDIA
HOLDING LTD ("Operator", "we", "us", "our") in accordance with the UK General Data
Protection Regulation (UK GDPR) and the Data Protection Act 2018. This document sets
out how we collect, use, store, transfer, and protect personal data obtained through our
website https://ai-bog.com, and what rights individuals have in relation to their personal data.
1. General Provisions
1.1. The Operator considers the protection of individual rights and freedoms in the
processing of personal data, particularly the right to privacy, to be a primary goal and
responsibility.
1.2. This Policy applies to all personal data that the Operator collects or receives from users
of our website and related services.
1.3. The Policy is publicly available on our website and may be updated periodically.
2. Key Definitions
● Personal Data: Any information that directly or indirectly identifies a natural person.
This includes names, contact information, identification numbers, location data, and
online identifiers. Even data that cannot identify a person on its own but does so
when combined with other data is considered personal data under the UK GDPR.
● Data Subject: A natural person whose personal data is collected or processed. All
rights and protections provided under the UK GDPR apply to this individual.
● Processing: Any operation performed on personal data, whether by automated or
manual means. This includes collecting, recording, structuring, storing, modifying,
retrieving, using, disclosing, deleting, or destroying the data.
● Controller: A person or legal entity (such as a company or public body) that
determines the purposes and means of processing personal data. The controller is
responsible for ensuring that data processing is lawful and compliant with data
protection laws.
● Processor: A third party that processes personal data on behalf of the controller. A
processor must act only on the controller’s instructions and is obligated to implement
appropriate security measures to protect the data.
● Consent: A freely given, specific, informed, and unambiguous indication of the data
subject’s agreement to the processing of their personal data. Consent must be based
on a clear affirmative action.
● Third Country: Any country outside the United Kingdom. Transfers of personal data
to third countries require additional safeguards to ensure that an adequate level of
data protection is maintained.
3. Operator Rights and Responsibilities
The Operator, as the controller of personal data, has both rights and duties under the UK
GDPR and the Data Protection Act 2018.
Rights of the Operator:
● To request accurate and up-to-date personal data from users to ensure proper
service delivery and compliance.
● To continue processing personal data after consent is withdrawn, where another
lawful basis applies (e.g., legal obligations or legitimate interests).
● To define the scope, procedures, and safeguards necessary for the secure and lawful
processing of personal data in line with applicable UK data protection laws.
Obligations of the Operator:
● To provide clear and accessible information about how personal data is collected,
used, and protected.
● To establish and maintain appropriate technical and organisational measures to
safeguard personal data from unauthorized access, loss, or misuse.
● To respond to data subject requests—such as access, rectification, or erasure—in a
timely and lawful manner.
● To report certain types of data breaches to the Information Commissioner's Office
(ICO) without undue delay, and to affected individuals when required.
● To document and maintain records of personal data processing activities where
applicable.
● To ensure staff and service providers handling personal data are adequately trained
and aware of their responsibilities regarding data protection.
4. Data Subject Rights
Individuals whose personal data is processed (data subjects) are entitled to a number of
rights under the UK GDPR. These rights are designed to provide transparency and give
individuals control over how their data is handled:
● Right to be Informed: Individuals have the right to be clearly informed about how
and why their personal data is being processed. This includes details on the
purposes of processing, categories of data, retention periods, and third-party
recipients.
● Right of Access: Individuals may request confirmation as to whether their personal
data is being processed and, if so, obtain access to that data and relevant
information about the processing.
● Right to Rectification: If personal data is found to be inaccurate or incomplete,
individuals have the right to request that it be corrected or supplemented without
undue delay.
● Right to Erasure (“Right to be Forgotten”): In certain circumstances, individuals
can request the deletion of their personal data, such as when the data is no longer
needed for the purposes for which it was collected or when consent is withdrawn.
● Right to Restrict Processing: Individuals may request temporary limitation of
processing, for example, when contesting the accuracy or legality of the data
processing.
● Right to Data Portability: Individuals can request a copy of their personal data in a
structured, commonly used, and machine-readable format, and have the right to
transmit that data to another controller if desired.
● Right to Object: Individuals have the right to object to the processing of their
personal data where it is based on legitimate interests or used for direct marketing
purposes.
● Right to Withdraw Consent: If processing is based on consent, individuals have the
right to withdraw that consent at any time, without affecting the lawfulness of prior
processing.
● Right to Lodge a Complaint: Individuals may file a complaint with the Information
Commissioner’s Office (ICO) if they believe their data protection rights have been
violated.
5. Principles of Personal Data Processing
All personal data processing activities carried out by the Operator are based on the following
core principles established by the UK GDPR:
● Lawfulness, Fairness, and Transparency:
Personal data is processed in a lawful manner, based on a valid legal basis (e.g.,
consent, contract, legal obligation). Processing is fair, meaning it aligns with
individuals’ reasonable expectations, and is transparent, meaning individuals are
clearly informed about how their data is used.
● Purpose Limitation:
Data is collected only for specified, explicit, and legitimate purposes. It is not further
processed in a way that is incompatible with those original purposes.
● Data Minimisation:
Only personal data that is adequate, relevant, and limited to what is necessary for the
intended processing purpose is collected and used.
● Accuracy:
Reasonable steps are taken to ensure that personal data is accurate and, where
necessary, kept up to date. Inaccurate or outdated data is corrected or erased
without delay.
● Storage Limitation:
Personal data is kept in a form that permits identification of data subjects only for as
long as necessary for the purposes for which it was collected, unless a longer
retention period is required by law or regulation.
● Integrity and Confidentiality (Security):
Personal data is protected through appropriate technical and organisational
measures against unauthorised or unlawful processing, accidental loss, destruction,
or damage.
6. Purposes of Data Processing
The Operator processes personal data only for specific, explicit, and legitimate purposes, in
accordance with the UK GDPR. These purposes include but are not limited to the following:
● Managing website functionality and user accounts:
To ensure the proper operation, security, and personalization of our website, and to
enable users to create, access, and manage their accounts.
● Providing educational services and certifications:
To deliver access to AI-related training programs, monitor learning progress, issue
certificates, and track participation in courses.
● Customer support and communication:
To respond to inquiries, provide assistance, and maintain records of communication
in order to improve the quality and effectiveness of support.
● Processing payments and issuing invoices:
To manage financial transactions related to our services, including billing, refunds,
and payment confirmations, while complying with financial and accounting
regulations.
● Sending service-related messages and marketing communications:
To provide users with updates about services, changes to policies, or new offerings.
Marketing communications (e.g. newsletters, promotions) are sent only when the
user has provided valid consent, which can be withdrawn at any time.
● Service improvement and user experience enhancement:
To analyse usage trends, gather feedback, and make data-driven improvements to
the platform, its content, features, and interface.
● Compliance with legal and regulatory obligations:
To meet statutory requirements under applicable laws, including tax reporting, data
protection compliance, and responding to lawful requests from authorities.
7. Use of Cookies
Our website uses cookies and similar technologies (such as pixels and local storage) to
ensure technical functionality, analyze user activity, enhance the user interface, and deliver
personalized content. Cookies are small text files that are stored on a user’s device when
they visit a website and are recognized on future visits.
Categories of cookies we use:
● Strictly necessary cookies:
These cookies are essential for the functioning of the website. They enable core
functions such as navigation, session management, security, and access to secure
areas. These do not require user consent as they are necessary for providing the
requested service.
● Analytical and performance cookies:
These cookies help us understand how visitors interact with the website, such as
which pages are visited and how much time is spent on each. We use this data to
improve the website's structure and content. All data is collected in an aggregated
and anonymized format.
● Functionality cookies:
These cookies allow the website to remember user choices (e.g., language, region,
interface preferences) to provide a more personalized and user-friendly experience.
● Marketing cookies (used only with consent):
These cookies are used to display relevant advertisements to users, both on our
website and across other platforms. They also help measure the effectiveness of
advertising campaigns and track post-ad interactions.
Consent and cookie settings
In accordance with UK GDPR and the Privacy and Electronic Communications Regulations
(PECR), users are presented with a cookie banner on their first visit, allowing them to
consent to non-essential cookies (e.g., marketing or analytics). Users may withdraw or
change their consent at any time through their browser settings or cookie management tools
available on the site.
We do not use cookies to collect sensitive personal information, and no personally
identifiable data is shared with third parties without a lawful basis.
Contact
If you have any questions about our use of cookies or how we handle your personal data,
please contact us at:
Email: privacy@ai-bog.com
8. Legal Bases for Processing
Under the UK General Data Protection Regulation (UK GDPR), every instance of personal
data processing must have a lawful basis. The Operator processes personal data relying on
the following legal grounds:
● Consent:
We obtain freely given, specific, informed, and unambiguous consent from individuals
for certain types of data processing, such as receiving marketing emails, the use of
non-essential cookies, or enabling optional analytical tools. Consent can be
withdrawn at any time without affecting the lawfulness of processing already carried
out.
● Contractual Necessity:
Personal data is processed when it is necessary to enter into or perform a contract
with the data subject. This includes delivering access to training programs, issuing
certificates, processing payments, and providing customer support.
● Legal Obligation:
In some cases, we are legally required to process personal data to comply with
applicable laws and regulations. This includes tax reporting, maintaining accounting
records, and fulfilling obligations under data protection laws.
● Legitimate Interests:
We may process personal data where it is necessary for our legitimate business
interests, provided such interests are not overridden by the data subject’s rights and
freedoms. Examples include improving website performance, ensuring system
security, conducting internal analytics, and preventing fraudulent activity.
9. Data Collection, Storage, and Transfer
The Operator collects, stores, and transfers personal data in a lawful, secure, and
transparent manner, ensuring compliance with applicable data protection laws.
● Data Collection:
Personal data is collected directly from users through various means, including
registration and contact forms on the website, email correspondence, user
interactions with platform features, and through the use of cookies and third-party
analytics tools. We ensure that users are informed about the data being collected
and its intended use.
● Data Storage:
All personal data is stored on secure servers located within the UK or in jurisdictions
that provide an adequate level of data protection. We implement appropriate
technical and organisational measures such as encryption, firewalls, access controls,
and data backup procedures to protect the confidentiality and integrity of personal
data. Access to data is restricted to authorised personnel only.
● Third-party Data Sharing:
When it is necessary to engage third-party service providers (such as hosting
services, email platforms, learning management systems, or payment processors),
personal data may be shared with them under strict contractual conditions. These
providers act as data processors and are bound by data processing agreements that
require them to adhere to security standards and process the data only on our
instructions.
● International Data Transfers:
If personal data is transferred outside the United Kingdom, such transfers are
conducted in accordance with UK GDPR requirements. We ensure that the recipient
provides appropriate safeguards, such as being located in a country with an
adequacy decision or by entering into Standard Contractual Clauses (SCCs)
approved by the UK regulator. We take all reasonable steps to ensure that data
subjects' rights remain protected.
10. Confidentiality and Security
The Operator is committed to protecting the confidentiality, integrity, and availability of
personal data, in accordance with the principles of UK GDPR and industry best practices.
● Access Control:
Access to personal data is granted strictly on a need-to-know basis. Only authorised
personnel—those whose job roles require it—are permitted to access personal data.
Access rights are regularly reviewed and updated based on role changes or
departures.
● Technical Security Measures:
We implement a range of technical safeguards to protect personal data, including but
not limited to: data encryption (both in transit and at rest), secure authentication
protocols (e.g., passwords, two-factor authentication), firewalls, intrusion detection
systems, and secure backup solutions.
● Organisational Measures:
Staff members with access to personal data are trained in data protection principles
and required to comply with internal policies on confidentiality and secure handling.
Confidentiality agreements are signed where necessary.
● Monitoring and Risk Assessment:
We regularly conduct internal audits, security reviews, and risk assessments to
identify potential vulnerabilities and improve existing protections. Where risks are
identified, we apply proportionate mitigation strategies and monitor their
effectiveness.
● Incident Response:
In the event of a data breach or security incident, we follow a documented incident
response procedure, which includes investigation, containment, and notification to
the Information Commissioner’s Office (ICO) and affected individuals, where legally
required.
11. Retention and Deletion
The Operator retains personal data only for as long as necessary to fulfil the
purposes for which it was collected. Once those purposes are fulfilled, and there is no
ongoing legal or business need to keep the data, it will be securely deleted or anonymised
so that it can no longer be associated with an identifiable individual.
In cases where specific legal or regulatory obligations apply—such as for financial records,
invoices, or tax documentation—personal data may be retained for up to six years or longer,
depending on the applicable legislation.
Data subjects may request the deletion of their personal data at any time. Such requests will
be honoured unless there are overriding lawful grounds for continued processing, such as
legal compliance, contractual obligations, or the establishment, exercise, or defence of legal
claims.
12. Transborder Data Transfers
When personal data is transferred outside the United Kingdom to a third country or
international organisation, the Operator ensures that such transfers comply with the UK
GDPR’s international transfer requirements.
Transfers are permitted only when:
● The destination country benefits from an adequacy decision issued by the UK
government, confirming that it provides an appropriate level of data protection.
● Or the Operator and the recipient have entered into legally binding instruments or
adopted Standard Contractual Clauses (SCCs) approved by the UK’s data protection
authority to ensure appropriate safeguards are in place.
No cross-border transfers of personal data will occur without a valid legal basis and sufficient
protection for the rights and freedoms of the data subjects.
13. Final Provisions
This Personal Data Processing Policy is publicly available and accessible at:
https://ai-bog.com/privacy. It reflects the Operator’s current data protection practices and
may be updated from time to time to reflect changes in legislation, guidance from the
Information Commissioner’s Office (ICO), or the Operator’s internal procedures.
Any significant updates will be communicated appropriately, and the latest version will
always be available on our website.
For all questions, concerns, or requests regarding personal data processing, users may
contact:
● Email: privacy@ai-bog.com
● Regulator: Information Commissioner’s Office (ICO)
Website: www.ico.org.uk