Privacy Notice - State of Qatar
Effective Date: 22 March 2026 · Last reviewed: 20 May 2026
Applicable Law: Qatar Personal Data Privacy Protection Law (Law No. 13 of 2016 - PDPPL)
Version 2.0 - supersedes v1.0 (22 March 2026) and the corrected Qatar Privacy Notice Supplement v1.0 (12 May 2026), both of which are merged into this notice.
Language. This notice is published in English. A Modern Standard Arabic translation is provided for information only. Pending a sworn Arabic translation prepared by a Qatari‑ licensed legal translator (in commissioning), the English version is the controlling text in the event of any discrepancy. Once the sworn translation is published, the Arabic version will become equally authentic in accordance with Qatari practice and this paragraph will be updated.
Data Subject Response Time. We respond to all PDPPL rights requests within 30 calendar days of receipt and identity verification, in line with the NCGAA Individuals' Rights Guidelines (PDPPL‑02050219E). Complex requests may be extended by one further 30‑day period with written notice to you before the original deadline expires.
1. Identity of the Data Controller
The English Hub is a trading name of Upskill Energy Limited, a company incorporated in the United Kingdom. Upskill Energy Limited is the data controller responsible for the collection and processing of your personal data through The English Hub platform and services offered within the State of Qatar.
2. Qatar Data Protection Contact
For data protection enquiries related to Qatar operations, please contact us by email at [email protected]. General enquiries can be sent to [email protected]. Requests are handled by the Upskill Energy Limited privacy team; we will respond within the timeframes set out in section 13.
3. Types of Personal Data Collected
Account and Identity Data
- Full name, email address, telephone number
- Date of birth, nationality, and country of residence
- Qatar ID number (where required for service delivery)
Educational and Professional Data
- English language proficiency level
- Learning history, course enrolments, and progress records
- Assessment scores and certification records
Technical and Usage Data
- IP address, device identifiers, browser type
- Platform usage data (pages visited, session duration)
- Cookies and similar technologies (subject to consent)
AI Interaction Data
- Inputs provided to AI-powered learning tools
- AI-generated feedback and assessment outputs
- Voice recordings (where speech assessment is enabled, with explicit consent only)
We do not knowingly collect sensitive personal data (religious beliefs, political opinions, health conditions, biometric data) unless strictly necessary and with explicit consent.
4. Legal Basis for Processing
In accordance with Article 4 of the PDPPL, we process your personal data on the basis of your explicit, informed, and freely given consent. Before collection, we will clearly explain the purpose, inform you of the data types, and obtain consent through a clear affirmative action.
Your consent is voluntary. You may withdraw at any time without affecting the lawfulness of prior processing.
5. Purpose of Data Processing
| Purpose | Description |
|---|
| Service Delivery | Account management and educational content delivery |
| Personalised Learning | Tailored content, recommendations, and assessments |
| AI-Powered Tools | AI-driven feedback, pronunciation assessment, adaptive learning |
| Assessment & Certification | Tests, certificates, and academic records |
| Payment Processing | Payments, invoices, and billing management |
| Legal Compliance | Compliance with applicable laws in Qatar and the UK |
| Marketing | Promotional communications (only with separate explicit consent) |
6. Cross-Border Data Transfers
Personal data of Qatar residents is processed across infrastructure located in the European Union (Frankfurt), the United Kingdom, and the United States, depending on the activity. The controller seat is the United Kingdom, but the United Kingdom is not the operational data store for your account data - that sits in Supabase in the European Union.
Qatar → Supabase EU (Frankfurt) → Anthropic US → Sentry EU (Frankfurt) → Vercel (front end) → Microsoft Azure UK South (backend API) → Google Analytics 4 US (with consent) → Rewardful US (with consent)
In accordance with PDPPL Article 17, we obtain your explicit, separate consent for cross‑border transfer at the moment it is needed, naming the destination jurisdictions. Qatar‑resident users see a Qatar‑specific consent panel at sign‑up and again in the dashboard at Settings → Privacy & Data. You may withhold or withdraw this consent at any time - withdrawing it stops the corresponding feature.
By jurisdiction
- European Union (Frankfurt, Germany). Supabase (Postgres + object storage - primary store for your account, essay submissions, marking results, consent ledger), PostHog (analytics when consented), Sentry (error monitoring). The bulk of your data sits here at rest, encrypted with AES‑256.
- United States. Anthropic (AI essay marking), Postmark / Resend (transactional email), Google Analytics 4 (when consented), Rewardful (when consented), RevenueCat (mobile IAP), Trustpilot (when consented), Vercel (web hosting), Stripe (payment failover; primary is in Ireland). Not covered by a Qatar adequacy decision; we rely on subprocessor‑specific DPAs containing Standard Contractual Clauses analogues plus your explicit cross‑border consent under PDPPL Article 17.
- United Kingdom. Seat of the controller (Upskill Energy Limited) and the Data Protection Officer. Microsoft Azure UK South hosts our backend API. Administrative records (rights‑request files, audit logs of staff access) may be reviewed in the UK.
- Ireland. Stripe's primary payment‑processing entity for European customers. Failover to Stripe US.
- Global edge. Cloudflare anycast edge for CDN + WAF. No personal data stored at the edge; only ephemeral request/response metadata.
Safeguards in Place
- Subprocessor‑specific Data Processing Agreements incorporating SCCs (or analogues) for every destination outside the EU/UK
- Explicit PDPPL Article 17 cross‑border consent captured at sign‑up for Qatar‑resident users, named per destination jurisdiction
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Opaque identifiers at the AI inference boundary (Anthropic) - essay text is sent with no directly identifying account fields
- Contractual zero‑retention for AI inference: our DPA with Anthropic prohibits use of your submissions to train their models
- Strict role-based access controls
- Binding contractual obligations with all sub-processors
- Periodic security and compliance audits
Copies of any sub‑processor DPA referenced above are available to school DPOs and procurement reviewers on written request to [email protected]. We do not rely on a "legitimate interest" basis to override a refusal of consent by a Qatar resident; where consent is withdrawn, we either rely on contractual necessity (and inform you) or we stop the activity.
7. Data Retention Periods
| Data Category | Retention Period |
|---|
| Account and identity data | Account duration + 3 years |
| Educational records and certificates | 7 years after issuance |
| Payment and billing records | 7 years from transaction date |
| Technical and usage data | 12 months from collection |
| AI interaction data | 12 months (anonymised thereafter) |
| Communication records | 3 years from last interaction |
8. Your Rights Under the PDPPL
Right to Be Informed
Be informed about the collection and processing of your data
Right of Access
Request access to and a copy of the data we hold about you
Right to Rectification
Request correction of inaccurate or incomplete data
Right to Erasure
Request deletion of your data where no longer necessary or consent is withdrawn
Right to Restrict Processing
Request restriction of processing in certain circumstances
Right to Withdraw Consent
Withdraw consent at any time without affecting prior lawful processing
Right to Object
Object to processing, including for direct marketing purposes
Right to Data Portability
Receive your data in a structured, machine-readable format
Right to Lodge a Complaint
Lodge a complaint with the NCGAA if your rights have been violated
9. Data Breach Notification
In the event of a personal data breach likely to affect your rights:
- We will notify the NCGAA within 72 hours
- We will notify affected individuals within 72 hours where there is a high risk
- Notifications will include: the nature of the breach, approximate number affected, likely consequences, and measures taken
10. Children's Data Protection
Under PDPPL Article 16, personal data of individuals under 18 is treated as personal data of a special nature and attracts heightened protection. The English Hub's primary user base is GCSE/IGCSE students, the majority of whom are under 18 - this section is therefore the most important on this page.
- Users under 18 are considered minors under Qatari law
- Our minimum age is 11 (lowered from 13 in May 2026 to accept Year 7 / KS3 students). UK GDPR Article 8 sets the digital age of consent at 13, so for users aged 11-12 we rely on verifiable parental or guardian consent captured via the parent‑link email at sign‑up, not the child's own consent.
- Article 16 permit posture. Because processing of children's data is a special category, we maintain a complete Article 16 permit application dossier (RoPA, DPIAs, named sub‑processors, cross‑border consent posture, and safeguards) shelf‑ready for submission to NCGAA. Formal submission is currently held pending a Qatari‑licensed legal opinion and will be made when commercial commitment to Qatar warrants the spend or a Qatari customer contractually requires it. The dossier is available to NCGAA on request at [email protected]; the substantive compliance posture (Article 17 cross‑border consent, DPIAs, consent ledger, 30‑day rights SLA, 72‑hour breach plan) is independent of the permit being formally on file.
- For users aged 13-17, we require explicit parental or guardian consent
- Parents and guardians can access, review, and request deletion of their child's data at any time. Under‑18 accounts cannot enter payment details - the paying party is always an adult.
- No targeted advertising served to minors
- AI features used by minors are subject to additional safeguards including human oversight. Our DPA with Anthropic contractually prohibits use of minors' submissions for model training, and essays are transmitted under opaque identifiers with no directly identifying account fields.
- No behavioural profiles of minors for commercial purposes
- Consent ledger. Each guardian consent is recorded with a cryptographic hash and timestamp for evidentiary needs; withdrawal is as easy as the original consent.
10A. NCGAA Registration and Notifications
PDPPL does not impose a general controller‑registration requirement with the National Cyber Governance and Assurance Authority (NCGAA); we therefore do not hold a "general PDPPL registration" because none exists to obtain. The specific NCGAA interactions we owe and maintain are:
- Article 16 permit application for processing personal data of minors (in preparation - see Section 10).
- 72‑hour breach notification to NCGAA for any personal‑data breach likely to result in serious harm to data subjects, plus notification to affected subjects where the risk warrants (see Section 9).
- Personal Data Management System (PDMS) - internal documentation (Records of Processing Activities, Data Protection Impact Assessments, breach response plan, consent ledger) that NCGAA may inspect on notice and that we provide to school DPOs during procurement on request.
A Qatari‑licensed legal opinion confirming our PDPPL compliance posture is available to procurement reviewers on request; this is the customary form of evidence used in Qatari school procurement, because NCGAA does not issue a "PDPPL compliance certificate" for controllers.
11. AI Processing Transparency
| AI Feature | Purpose |
|---|
| Adaptive Learning Engine | Adjusts course difficulty based on performance |
| Language Feedback Tools | Real-time grammar, vocabulary, and writing corrections |
| Speech Assessment | Pronunciation and fluency evaluation (with consent) |
| Progress Analytics | Personalised learning reports and recommendations |
| Chatbot Support | Automated responses to common queries |
Your rights regarding AI processing:
- Right to be informed when AI is processing your data
- Right to request human review of any AI-generated assessment
- Right to opt out of specific AI features
- Right to an explanation of AI-generated feedback
- Your data is not used to train third-party AI models without consent
12. Cultural Considerations
The English Hub respects the cultural heritage, Islamic traditions, and social values of the State of Qatar. All learning content and AI-generated outputs are reviewed for cultural appropriateness and respect for Islamic values. We do not collect or infer data relating to religious beliefs unless strictly necessary and with explicit consent.
13. How to Exercise Your Rights or Complain
To exercise your data protection rights, use the "Privacy & Data" section within your account settings, or contact our Qatar Data Protection Representative.
We will respond within 30 days. Complex requests may be extended by a further 30 days with notice.
If you are not satisfied, you may lodge a complaint with:
National Cyber Governance and Assurance Authority (NCGAA)
State of Qatar
Website: ncsa.gov.qa
You also have the right to seek a judicial remedy through the competent courts of the State of Qatar.
14. Governing Law and Jurisdiction
This privacy notice is governed by the laws of the State of Qatar, including the Personal Data Privacy Protection Law (Law No. 13 of 2016). Any disputes shall be subject to the exclusive jurisdiction of the competent courts of the State of Qatar.
This privacy notice is provided in English. An Arabic translation will be made available in accordance with Qatari legal requirements. In the event of any discrepancy, the Arabic version shall prevail.
© 2026 Upskill Energy Limited. All rights reserved.