info@notapaths.com
Book ConsultationContact Us
NOTAPATHS Logo

Privacy Policy

Effective date: 24 July 2024

Last updated: 24 July 2024

Who we are

Operating business name: Notapaths

Legal entity / Data controller (UK & EEA): JONOTA TRAVEL AGENCY LIMITED (trading as "Notapaths")

Company number: 10212977 (England & Wales)

Registered office: 8a Hessel Street, Ground Floor, London, United Kingdom, E1 2LP

Incorporated on: 3 June 2016

Website: notapaths.com

Privacy contact: info@notapaths.com

We have not appointed a statutory Data Protection Officer. For all privacy matters, contact our privacy team at info@notapaths.com.

Offices & contact

London - Head Office

8a Hessel Street, Ground Floor, London, United Kingdom, E1 2LP

+44 07418 622985 · info@notapaths.com

Hours: Mon–Fri, 09:00–18:00 GMT/BST

EU representative (Article 27 GDPR): If appointed, details will be added here and in our website footer.

1) Scope

This policy explains how we collect, use, disclose, store, and protect personal data when you:

  • • visit our websites or social pages;
  • • submit a form or book a consultation;
  • • engage us for study and work abroad services;
  • • receive updates or marketing communications; or
  • • apply for a role with us.

This policy does not cover third-party websites or services we link to.

2) The data we collect

A) Identity & contact

name, aliases, date/place of birth, nationality, passport/ID numbers, photos, signatures, addresses, phone numbers, email addresses.

B) Academic & professional

CV/résumé, education, employment history, job offers/contracts, salary/tax data, licences, study offers/enrolment, sponsorship/invitations.

C) Family & relationships

marital/partnership status, spouse/partner/children details, birth/marriage records, custody/consent documents.

D) Travel & mobility

prior visas/permits, refusals, travel history, entry/exit stamps, biometrics notices, case numbers, decision letters.

E) Finance & documents

bank statements, proof of funds, sponsorship declarations, company and ownership records, source-of-funds/wealth.

F) Sensitive data (special category/criminal)

health info for medicals, disability accommodations, police certificates, and data revealing racial/ethnic origin or religion where present on official records. We collect this only where necessary and lawful.

G) Technical & usage

device identifiers, IP address, country inferred from IP, pages visited, referring URLs, timestamps, cookies/pixels for analytics and session management.

H) Communications

emails, messages, call notes, WhatsApp/chat transcripts (if you choose to use them), and feedback.

3) Where we get your data

  • • Directly from you or someone you authorise;
  • • Your employer/prospective employer, school, or sponsor;
  • • Government bodies and visa centres where you ask us to interact;
  • • Public sources and verification providers (where appropriate);
  • • Service providers (e-signature, scheduling, payments, translation, identity verification).

4) How we use your data & lawful bases

We process personal data only where a lawful basis applies.

A) Providing services / contract

eligibility assessments, strategy, document preparation, bookings, submissions (where permitted), status tracking, and guidance.

Basis: performance of a contract or steps prior to a contract.

B) Compliance with law

record-keeping, tax/accounting, sanctions and identity checks, lawful requests.

Basis: legal obligation.

C) Legitimate interests

client relationship management, improving services, preventing fraud/abuse, security of our systems, audits, business continuity.

Basis: legitimate interests not overridden by your rights.

D) Consent

optional marketing, testimonials, and certain uses where required.

Basis: your consent (you can withdraw at any time).

E) Vital interests

urgent circumstances affecting health or safety.

Basis: vital interests.

Special category & criminal-history data (only where needed for study/work abroad services):

  • • Legal claims & advice (establishment, exercise, defence of claims);
  • • Substantial public interest where permitted by law;
  • • Explicit consent where required (withdrawal may affect our ability to act).

5) Automated decisions & profiling

We do not make decisions with legal or similarly significant effects based solely on automated processing. Government authorities may use automated tools in their own systems; we do not control those systems.

6) Sharing your data

We share data only for the purposes described and with appropriate safeguards:

  • • Licensed local counsel where regulated representation is required;
  • • Translation/legalisation providers and document couriers;
  • • Medical panels and police certificate bodies at your instruction;
  • • Government authorities and visa centres to submit/manage applications;
  • • Technology vendors acting as processors (secure cloud storage, CRM, email, scheduling, e-signature, ticketing, accounting);
  • • Payment processors for billing;
  • • Professional advisers/auditors;
  • • Successors in a merger, acquisition, or reorganisation (with safeguards).

We do not sell personal data and we do not share it for cross-context behavioural advertising.

Controller vs processor. When engaged directly by you, we are a controller. If we deliver services to you on behalf of your employer/sponsor under their instructions, we may act as a processor and will process your data according to that contract.

7) International transfers

To deliver services, we may transfer data internationally, including:

  • • between the UK and the United States;
  • • between the UK/EEA and other countries relevant to your matter.

For transfers from the UK/EEA to countries without an adequacy decision, we use appropriate safeguards such as:

  • • Standard Contractual Clauses (EU SCCs) and/or the UK Addendum;
  • • vendor participation in the EU-US/UK-US Data Privacy Framework (where applicable);
  • • additional technical and organisational measures (encryption, access controls).

Request copies of applicable safeguards at info@notapaths.com.

8) Data retention

We retain data only as long as necessary for the purposes in this policy and to meet legal/regulatory requirements. Typical periods:

Client matter files

6 years after case closure (longer if required for legal claims)

Accounting & tax

7 years from the end of the financial year

KYC & sanctions checks

5 years from the end of the client relationship (or as required by law)

Marketing contacts

until you opt out, then minimal suppression data for up to 2 years

Recruitment applications

12 months if not hired (or as required by local law)

Messaging transcripts

up to 2 years from case closure (longer if required for compliance)

If you request deletion, we'll comply subject to legal limits and explain any records we must retain.

9) Security

We apply layered safeguards proportionate to risk, including:

  • • role-based/least-privilege access
  • • encryption in transit and at rest (where supported)
  • • MFA for key systems
  • • backups and continuity planning
  • • vendor due diligence and confidentiality obligations
  • • audit logging
  • • employee training

No system is perfectly secure. If we become aware of an incident affecting your data, we will act promptly and, where required by law, notify you and relevant authorities without undue delay.

10) Your rights

Depending on your location, you may have rights to:

• access your data

• rectify inaccurate/incomplete data

• erase data in certain cases

• restrict processing in certain cases

• data portability (machine-readable copy of data you provided)

• object to processing based on legitimate interests or to direct marketing

• withdraw consent where processing relies on consent

• complain to a supervisory authority

How to exercise your rights: email info@notapaths.com. We may need to verify your identity and clarify the request. We aim to respond within one month, or inform you if more time is needed due to complexity.

Supervisory authorities

  • UK: Information Commissioner's Office (ico.org.uk)
  • EEA: your local Data Protection Authority (see edpb.europa.eu)
  • US: your state attorney general or relevant federal agency

Quick summary for clients

We collect only what's needed to deliver study and work abroad services and meet legal duties.

We never sell your personal data.

We share data only with authorities, licensed counsel, and trusted providers-under safeguards.

You control marketing choices and can exercise privacy rights at any time.

We keep data only as long as needed and protect it with layered security.

Contact

Email (privacy)

info@notapaths.com

UK postal

JONOTA TRAVEL AGENCY LIMITED (t/a Notapaths), 8a Hessel Street, Ground Floor, London, United Kingdom, E1 2LP

Head Office

8a Hessel Street, Ground Floor, London, United Kingdom, E1 2LP
+44 07418 622985
info@notapaths.com