CEL Privacy Policy

Privacy Policy

College of English Language ("CEL", "we", "us", or "our") is committed to protecting your privacy and to handling your personal data lawfully, transparently and securely. This Privacy Policy explains who we are, what personal data we collect, why and how we use it, who we share it with, how long we keep it, and the rights you have over your data. It applies to prospective, current and former students, parents and guardians, education agents, host families, website visitors, and anyone who contacts us. It is written to comply with the EU General Data Protection Regulation (GDPR), the UK GDPR, and applicable United States privacy laws.

In short: we collect the information we need to handle your application and deliver your course, and to meet legal requirements such as student visas. We never sell your personal data. You can access, correct or delete your information, object to certain uses, and reach us at any time through our contact page.

1. Who We Are (Data Controller)

The data controller responsible for your personal data is:

College of English Language
945 Hornblend Street, 2nd Floor
San Diego, CA 92109
USA

Our representative for data protection matters is Christopher Thebing, Managing Partner. CEL also operates a campus in Vancouver, Canada; where your data is processed in connection with that campus, the relevant CEL entity acts as the controller.

You can reach us about any privacy matter, or to exercise your rights, through our contact page. If you are in the European Economic Area (EEA) or the United Kingdom, the same contact details apply for your rights under the GDPR / UK GDPR.

2. What Personal Data We Collect

Personal data is any information that can identify you, directly or indirectly. We collect most of it during your enquiry, application and enrolment for a language course — either directly from you or through one of our authorised education agents. We may collect and use the following categories:

  • Identity and contact data: name, nationality, gender, title, date of birth, mother tongue, passport details, home address, phone number, email address, and emergency contact information.
  • Financial data: bank statements, payment card details, and billing information.
  • Health and dietary data: medical information and dietary requirements relevant to your studies, accommodation and welfare.
  • Academic data: your level of English and prior academic results.
  • Performance data: grades and test results earned during your course.
  • Attendance data: your attendance in class.
  • Technical and usage data: information collected automatically when you use our website, such as IP address, device and browser type, pages viewed, and how you interact with our pages (for example clicks and scrolling). See our Cookie Policy for details.

Health and dietary information are "special category" data under the GDPR and receive additional protection. We process them only where necessary and, where required, on the basis of your explicit consent.

3. How We Collect Your Data

We collect personal data:

  • Directly from you — when you make an enquiry, complete an application or enrolment form, book accommodation or transfers, contact us, or use our website.
  • From our authorised education agents — who may submit your application and supporting documents on your behalf.
  • Automatically — through cookies and similar technologies on our website (see our Cookie Policy).

4. Why We Use Your Data and Our Legal Basis

We only use your personal data where the law allows us to. Under the GDPR we rely on one or more of the following legal bases, depending on the purpose:

  • To perform our contract with you (Article 6(1)(b)) — processing your application, placing you in an appropriate class based on your level of English, arranging accommodation and transfers, processing payments, and managing your course.
  • To comply with our legal obligations (Article 6(1)(c)) — issuing an I-20 and meeting SEVIS / US immigration requirements, documenting student attendance as required by visa regulations, and meeting tax, accounting and accreditation obligations.
  • For our legitimate interests (Article 6(1)(f)) — monitoring and improving the quality of our teaching and services, safeguarding student welfare and safety, securing our premises and systems, and (where permitted) telling you about similar courses that may interest you. We weigh these interests against your rights and only rely on this basis where your privacy is not overridden.
  • With your consent (Article 6(1)(a), and Article 9(2)(a) for health/dietary data) — for certain marketing communications, SMS messages, non-essential cookies, and the processing of special category data. You can withdraw consent at any time.

Some data is required by law or under our contract with you. If you do not provide it, we may be unable to process your application or deliver our services — for example, we cannot issue an I-20 without the financial evidence and passport copy required by SEVIS, or place you with a host family without knowing your dietary or health needs.

5. Who We Share Your Data With

We share only the personal data that is necessary, and only with:

  • Service providers and partners who help us deliver our services — for example accommodation and host family providers, airport transfer companies, payment processors, and IT and hosting providers. For instance, if you book an arrival transfer, we share your name, arrival details and accommodation address with the transfer provider, and nothing about your return unless you have also booked a return transfer.
  • Education agents through whom you applied, in relation to your booking.
  • Regulatory, government and accreditation authorities where required by law — for example US immigration authorities (SEVIS / DHS), the California Bureau for Private Postsecondary Education (BPPE), and accreditation bodies.
  • Website and analytics providers such as Webflow (hosting), Weglot (translation), Google Tag Manager (tag management) and Google Analytics 4 (website analytics), as described in our Cookie Policy.
  • HubSpot — powers our "Schedule a Call" meetings embed; it processes the booking details you submit (such as your name, email and chosen time) to arrange the call. See legal.hubspot.com/privacy-policy.
  • Security and anti-fraud providers — such as Cloudflare, whose Turnstile service protects our forms from spam and bots and processes limited technical data (e.g. your IP address) for that purpose.
  • ALTCHA — a privacy-friendly spam and bot protection on our forms, operated by BAU Software s.r.o. (Czechia, EU). It works without cookies or tracking and does not retain your form submissions. See altcha.org/privacy-policy.
  • Professional advisers and authorities where necessary to comply with the law, enforce our terms, or protect our rights, property or safety.

We do not sell your personal data. See the SMS section below for our specific commitments regarding your mobile phone number.

6. International Data Transfers

CEL is based in the United States and also operates in Canada. If you are located in the EEA or the UK, the personal data you provide will be transferred to and processed in the United States and, where relevant, Canada — countries which may not provide the same level of data protection as your home country.

Where we transfer personal data out of the EEA or UK, we put in place the appropriate safeguards required by law, such as the European Commission's Standard Contractual Clauses (with the UK Addendum where applicable), or transfers to recipients certified under the EU–US Data Privacy Framework. You can request information about the safeguards we use through our contact page.

7. How Long We Keep Your Data

We keep your personal data only for as long as necessary for the purposes set out in this policy and to meet our legal obligations. In general, we keep information about your bookings for up to 10 years, and student records for the period required by applicable education and immigration regulations. After the applicable period, we securely delete or anonymise your data to the extent technically feasible. Where the law requires us to keep your data for longer, we will do so.

8. Your Rights

Subject to certain conditions and exemptions, you have the following rights over your personal data under the GDPR / UK GDPR:

  • Right to be informed — about how we collect and use your data (this policy).
  • Right of access — to obtain a copy of the personal data we hold about you.
  • Right to rectification — to have inaccurate or incomplete data corrected.
  • Right to erasure — to have your data deleted where there is no longer a lawful reason for us to keep it (this may be limited by our legal obligations).
  • Right to restrict processing — to ask us to suspend the use of your data in certain circumstances.
  • Right to data portability — to receive certain data in a structured, commonly used, machine-readable format, or have it transferred to another controller, where processing is based on consent or contract and carried out by automated means.
  • Right to object — to processing based on our legitimate interests, and to direct marketing at any time.
  • Right to withdraw consent — at any time, where we rely on your consent. This does not affect the lawfulness of processing carried out before withdrawal.
  • Rights relating to automated decision-making — see Section 13.

To exercise any of these rights, please get in touch through our contact page. We will respond within the timeframes required by law (generally within one month). We do not charge a fee unless your request is clearly unfounded or excessive.

9. Right to Complain to a Supervisory Authority

If you have a concern about how we handle your personal data, we would welcome the chance to resolve it — please contact us first through our contact page. You also have the right to lodge a complaint with a data protection supervisory authority:

  • EEA residents: your national Data Protection Authority. A list is available from the European Data Protection Board at edpb.europa.eu.
  • UK residents: the Information Commissioner's Office (ICO) at ico.org.uk.

10. SMS / Text Messaging Communications

If you provide your mobile phone number to College of English Language (CEL), you may receive text messages related to your enrolment, housing, airport transfers, class updates, school activities, maintenance requests, or other services associated with your program.

By providing your phone number and opting in through our forms or communication channels, you consent to receive SMS messages from CEL. Message frequency may vary depending on your program and services. Message and data rates may apply depending on your mobile carrier. Your consent to receive text messages is not a condition of enrolling with us or purchasing any service, and you can opt out at any time.

You may opt out of receiving SMS messages at any time by replying STOP to any message. For assistance you may reply HELP or contact us directly.

No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All the categories stated in this Privacy Policy exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties. Your phone number may be shared only with service providers necessary to deliver communications or services related to your program.

11. Cookies and Similar Technologies

Our website uses cookies and similar technologies to make the site work and, with your consent, to analyse traffic, remember your preferences and personalise your experience. We manage these tags through Google Tag Manager and apply Google Consent Mode, so Google analytics cookies are set only when you allow them. For full details of the cookies we use, their purposes and durations, and how to manage or withdraw your consent, please see our Cookie Policy.

12. Children's and Minors' Data

Some of our programs are open to applicants under the age of 18. Where a student is a minor, we process their personal data with the involvement and, where required, the consent of a parent or legal guardian. Under the GDPR, where we rely on consent to offer online services directly to a child, that consent must be given or authorised by the holder of parental responsibility for children under the age set by their country (16, or as low as 13 in some EU member states). If you believe we have collected a child's data without appropriate authorisation, please get in touch through our contact page so we can address it.

13. Automated Decision-Making

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing, including profiling.

14. Data Security

We maintain physical, technical and organisational safeguards — such as firewalls, encryption and access controls — to protect your data against unauthorised access, misuse, alteration or loss. Access to personal data is restricted to staff who need it to organise and deliver your stay with us, and we require our service providers to apply appropriate safeguards.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will publish the updated version on our website and update the "Last updated" date below. We encourage you to review this page periodically.

16. How to Contact Us

For any questions about this Privacy Policy, or to exercise your rights, please use our contact page or write to us:

College of English Language
945 Hornblend Street, 2nd Floor
San Diego, CA 92109, USA
Email: info@englishcollege.com

Last updated: 29 May 2026. We review this policy regularly and will post any updates on this page.

Let's Talk
Apply now