Turn your website into an AI chatbot in less than 60 seconds with our interactive demo. Show me!

Privacy policy

Privacy policy

Effective Date: May 2026

Introduction

Welcome to Gecko Labs Ltd (“we,” “us,” or “our”). This Privacy Policy is designed to help you understand how we collect, use, disclose, and safeguard your personal information when you use our services (“Services”). By accessing or using our Services, you agree to the terms of this Privacy Policy.

For the purpose of the Data Protection Act 2018 (the Act) and the UK General Data Protection Regulation (GDPR), Gecko Labs Limited is a company registered in England and Wales with company number 08167863 and its registered office at 86-90 4th Floor Paul Street, London, EC2A 4NE.

Our UK Information Commissioner’s Office Registration Number is ZA054975. A customer refers to an individual or entity that has entered into a contractual relationship with Gecko Engage for the provision of goods or services. A customer may be a natural person, such as an individual consumer, or a legal entity, such as a company or organisation (“Customer” or “you”).

Complaints

You will always have the right to make a complaint at any time to a supervisory body if you think we have not followed data protection rules. In the UK, this is the Information Commissioner’s Office (ICO) (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance at privacy@geckoengage.com. If you are based in another jurisdiction, you may have additional rights or the ability to refer matters to an alternative supervisory body.

Third-party links

Where our services or website includes any links to third-party websites, plug-ins or applications, clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party sites, plug-ins or applications and are not responsible for their privacy statements or practices. When you leave our website or services, we encourage you to read the privacy notice of every site you visit.

Personal Data We Collect

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

Where Gecko Labs Ltd operates as the Data Controller, we collect personal data about you in a variety of ways. Sometimes we collect the personal data directly from you and at times we may receive personal data about you from other sources and third parties. We also collect personal data automatically when you interact with our website at www.geckoengage.com (“Website”) and/or in relation to the use of our Gecko services (“Services”) which we provide via our digital platform (“Platform”) which can be accessed via our Website:

  • Customer Contact information (e.g., name, address, email address, phone number)
  • User credentials (e.g., username, password)
  • Payment information (e.g. bank account and payment card details on payment of invoices)
  • Usage data (e.g. information about how you interact with and use our website, products and services.
  • Technical Data includes internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
  • Marketing and Communications Data includes any preferences you have for receiving marketing from us and our third parties.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice.

We will collect personal data from the following categories of data subjects:

  • Authorised User: any individual employee, contractor or agent of a company who is authorised by the company to use the Services and set up Forms on our Platform;
  • End User: means any students or other individual end users who populate a Form directly, or whose details may be populated in a Form by an Authorised User on their behalf; and
  • User: any person accessing our Platform or Website, whether as an Authorised User or End User.

Where we collect personal data, which we require to provide access to our Services or Platform, from a User who is an Authorised User or End User, we will process that information as a data controller to provide the Services. Where we collect further personal data from a User who is an End User using our Services, we will process that information as a data processor on behalf of the relevant company/companies to provide the Services. Any data processor activities we carry out will be covered under appropriate terms and conditions with the relevant company/companies.

Where we act as data controller, we do not knowingly collect data relating to special category data or information relating to criminal convictions. Where we act as processor and you provide us with any special category personal data (that is to say information as to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sex life or sexual orientation or genetic or biometric data) or personal data relating to criminal convictions and offences, it is a condition of us receiving that information that you expressly consent (and you hereby do) to us processing that personal data or you have all appropriate consents in place and ensure that you are entitled to transfer such personal data to us so that we may lawfully use, process and transfer it in accordance with the agreement we have entered into with you. Accordingly, if you do not want us to process any such categories of personal data, or you do not have the relevant consents in place, please do not provide it to us.

Our website is not intended for individuals under the age of 16. We do not knowingly collect, use, or disclose personal information from children under this age threshold. If we become aware that we have inadvertently gathered information from a user under 16 years old, we will promptly take steps to delete such data from our records. Parents or legal guardians are encouraged to monitor their children’s online activities and use appropriate parental controls to help create a safe online environment. By using our website, you affirm that you are 16 years of age or older, and you understand and agree to comply with our policies. For any concerns regarding the privacy of minors or to report any potential violations, please contact us at privacy@geckoengage.com.

How is your personal data collected

We use different methods to collect data from and about you. The main way we will collect your personal data is through your direct interactions with us, but we will also collect data through automated technologies and third parties or other publicly available sources.

  • Your interactions with us. You may give us Contact Data and Payment information by interacting directly with us through our Website or provision of Services, including when you sign up or register for Services. It also might include any information you give us when you request marketing information is sent to you or where you give us feedback or otherwise contact us.
  • Automated technologies or interactions. As you interact with our Website or Platform, we will automatically collect Technical and Usage Data about your equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. We may also receive Technical Data about you if you visit other websites we operate which use our cookies. Details of the cookies we use can be found in our cookie policy.
  • Third parties or publicly available sources. We will receive personal data about you from various third parties and public sources, like providers of technical and payment services that we engage. Additionally, Technical Data may be received from third-party analytics providers or advertising networks (see our cookie policy for further details).

Cookies and Similar Technologies

We use cookies and similar technologies to enhance your experience, analyse trends, administer the website and gather demographic information about our user base. A cookie is a small file of letters and numbers that we put on your computer if you agree. The cookies we use are “analytical” cookies. They allow us to recognise and count the number of visitors and to see how visitors move around the site when they are using it. This helps us to improve the way our Website works, for example by ensuring that users are finding what they are looking for easily. You can change your website browser settings to reject cookies, although this may impair the functionality of our Website.

You can control and/or delete cookies as you wish. You can delete all cookies that are already on your device, and you can set most browsers to prevent them from being placed. If you do this, however, you may have to manually adjust some preferences every time you visit our site, and some features may not work as intended.

We may update our Cookie Policy from time to time. Please review this policy periodically for any changes. The date at the top of this page indicates when it was last updated.

How We Use Your Information

We are committed to complying with relevant data protection laws. Data protection law requires us to meet at least one “legal ground” for processing, currently set out in Article 6 of the UK General Data Protection Regulation. The grounds applicable to the personal data to which this notice relates are as follows:

  • Where the processing is necessary for compliance with a legal obligation to which we are subject, that is the ground on which we are processing that data;
  • Where processing is necessary for the purposes of our legitimate interests or the legitimate interests of a third party, that is the ground on which we are processing that data, provided that your interests or fundamental rights and freedoms which require protection of your data do not override those legitimate interests (our legitimate interests comprise the management, marketing and promotion of our business and services);
  • If you have given your consent to our processing the data, that is the basis on which we are processing that data.
  • Where we need to perform the contract we are about to enter into or have entered into with you.
  • If more than one of the above grounds apply to the processing of data in question, the applicable ground will be the one that is set out first above. If one of the above grounds ceases to apply to the processing of data in question, but other grounds continue to apply, we will be entitled to continue processing pursuant to the next applicable ground.

We will not process personal data in a way that is incompatible with the purposes for which it has been collected or subsequently authorised by you. We also will not collect any personal data that is not needed for the mentioned purposes. For any new purpose of processing we will ask your approval before we begin that processing.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rule, where it is required or otherwise permitted by law.

We will not sell or rent your personal data and will get your consent before giving your personal data to any third party for direct marketing communications.

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/Activity Type of data Lawful basis for processing including basis of legitimate interest
To provide access to the Platform, Website and our Services (including confirming your identity, meeting our contractual and legal obligations, and exercise other rights we have under contract and provide customer support services) (a) Contact Performance of a contract with you
To manage our relationship with you which will include:
(i) Notifying you about changes to our terms or privacy policy;
(ii) Asking you to leave a review or take a survey; and
(iii) Responding to a request for support or information.		 (a) Contact
(b) Technical
(c) Marketing and Communications
(d) Payment information		 (a) Performance of a contract with you
(b) Necessary to comply with a legal obligation
(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our services and to enable us to develop our relationships and grow our business)
To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) (a) Contact
(b) Technical		 (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud)
(b) Performance of a contract with you
(c) Necessary to comply with a legal obligation
To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you (a) Contact
(b) Technical
(c) Marketing and Communications
(d) Usage		 Necessary for our legitimate interests (to study how customers use our services, to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our website, products/services, marketing, customer relationships and experiences (a) Technical
(b) Usage		 Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to you about goods or services that may be of interest to you based on your Profile Data and send you relevant marketing communications. (a) Contact
(b) Technical
(c) Marketing and Communications
(d) Usage		 (a) Necessary for our legitimate interests (to develop our products/services and grow our business)
(b) Consent, having obtained your prior consent to receiving direct marketing communications.
To liaise with you in relation to our Platform, Services or wider business. (a) Contact Necessary for our legitimate interest (to develop our Services and grow our business).

Marketing

You will receive marketing communications from us if you have requested information from us or purchased services from us and you have not opted out of receiving the marketing. We will process your Contact and Technical Data to form a view on what we think you may want or need or what may be of interest to you.

Third-party marketing

We will not share your personal data, including Contact Data such as telephone numbers, with any third party for marketing purposes, unless we get your express opt-in consent to do so. We may provide you with details of any offers or discounts that we have negotiated with third parties but this will be optional for you to use, and we will not share any personal data with third parties for this purpose. We will not sell your personal data with third parties for marketing purposes.

Opting out

You can ask to stop sending you marketing communications at any time by following the opt-out links within any marketing communication sent to you or by contacting us using the details at the start of this notice. With regards to two-factor authentication communications, you can opt-out by logging into the website and adjusting your user preferences in your account profile by checking or unchecking the relevant boxes.

If you opt out of receiving marketing communications, you will still receive service-related communications that are essential for administrative or customer service purposes.

You can ask third parties to stop sending you marketing messages at any time by contacting them at any time.

Disclosure of Your Information

We may disclose your personal information within Gecko for the purpose of the provision of our services. We may also share your information with third parties in the following circumstances:

  • With your consent
  • To comply with legal obligations
  • In connection with a merger, acquisition, or sale of all or a portion of our assets
  • To protect our rights, property, or safety, or that of our users or others

We may share your personal data with the parties set out below for the purposes set out in the table above.

Third party Detail
Service providers: Where we appoint third parties to provide services on our behalf and as our processors, such service providers to provide financial transaction and payment services, web hosting and support services, and marketing support services.
Professional advisers: including lawyers, bankers, auditors and insurers who provide banking, legal, insurance and accounting services.
Authorities: regulatory, government and industry bodies, like the ICO (or other supervisory authority in relation to data protection and privacy matters), HM Revenue & Customs (or other relevant tax authority), fraud prevention organisation or law enforcement bodies who require reporting of processing activities in certain circumstances, especially in the prevention of money laundering and fraud.
Corporate partners: includes third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy notice.

A full list of our third party Service providers/Sub-processors can be found at our Gecko Trust Page. When we make changes to the list of sub-processors, we will provide you with an update via email.

We require all third parties with whom we share your personal data to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

International transfers

Since we provide an online service and our Services are available in various countries, we may (a) need to transfer your personal data outside the United Kingdom or European Economic Area (EEA) to enable us to provide our Services or (b) receive your data from outside the United Kingdom or EEA.

Whenever we transfer your personal data internationally out of the UK (where applicable), we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the ICO or other appropriate regulatory body; or
  • We may use specific contracts approved for use in international transfers which give personal data appropriate levels of protection (like the International Data Transfer Agreement approved by the ICO for international transfers out of the UK); or
  • We may rely on another ground or exemption to allow us to transfer the personal data internationally. For example, where you are based out with the United Kingdom and have engaged us for services, we will rely on your consent to transfer data from our UK entity to you in another country.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data internationally.

Security

We implement reasonable security measures to protect your information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We adhere to the ISO 27001 and SOC 2 security standards to ensure the confidentiality, integrity, and availability of your information. Our security measures include, but are not limited to:

  • Regular risk assessments
  • Information security policies and procedures
  • Access controls and authentication mechanisms
  • Encryption of sensitive data
  • Incident response and management protocols

In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

While privacy laws may vary between jurisdictions, we are committed to protecting your information in accordance with appropriate lawful mechanisms and contractual terms requiring adequate data protection.

Where a password is required to access certain parts of the Website or Service, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.

Your Rights

The legal rights you have will depend on the country in which you access our dashboard and receive the services. The rights detailed below apply in relation to the UK. Where you are based out with the UK, you may have different or additional rights in respect of your personal data. If this is the case, please contact us and we will confirm any additional rights which may apply.

UK and European Rights

Under UK and European GDPR, you have a number of rights under data protection laws in relation to your personal data. If you wish to exercise any of the rights set out below, please contact us.

  • Your right to be informed: You have the right to understand how we collect and use your data. This privacy notice is our main way of giving you this information but you can also contact us for further information if required.
  • Your right of access: You have the right to ask us for copies of your personal information.
  • Your right of rectification: You have the right to ask us to rectify information you think is inaccurate.
  • Your right to erasure: You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing: You have the right to ask us to restrict the processing of your information in certain circumstances.
  • Your right to object to processing: You have the right to object to processing if we are able to process your information because the process forms part of our public tasks, or is in our legitimate interests. You also have the absolute right to object any time to the processing of your personal data for direct marketing purposes (see “Opting-Out” above for details of how to object to receiving direct marketing communications).
  • Your right to data portability: This only applies to data you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering into a contract and the processing is automated

You can read more about all of these rights at https://ico.org.uk/global/privacy-notice/your-data-protection-rights/.

You can exercise your rights at any time by contacting us using privacy@geckoengage.com. We will work to respond to a valid request within a 30 day period of receipt under GDPR and 45 days of receipt under CPPA/CPRA. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

No fee usually required

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

US Data Subjects

In addition to the above provisions, the following sections may apply to you if you submit data to us while in the United States.

State consumer privacy laws may provide their residents with additional rights regarding our use of their personal information.

Many states, including California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, Texas, Utah, and Virginia provide (now or in the future) their state residents with rights to:

  • confirm whether we process their personal information;
  • access and delete certain personal information;
  • correct inaccuracies in their personal information, taking into account the information’s nature and processing purpose (excluding Iowa and Utah);
  • data portability;
  • opt-out of personal data processing for targeted advertising (excluding Iowa); sales; or profiling in furtherance of decisions that produce legal or similarly significant effects (excluding Iowa and Utah); and
  • either limit (opt-out of) or require consent to process sensitive personal data or process personal data of minors under 18, 17, or 16 years old.

The exact scope of these rights may vary by state. To exercise any of these rights, please submit an email explaining your grounds for appeal to privacy@geckoengage.com, where we will internally escalate the matter. You may contact the attorney general of each state by visiting their respective websites.

Nevada provides its residents with a limited right to opt out of certain personal information sales. Residents who wish to exercise this sale opt-out right may submit a request to this designated address: privacy@geckoengage.com. However, please know we do not currently sell data triggering that statute’s opt-out requirements.

Retention

We will retain copies of your Personal Data in a form that permits identification only for as long as is necessary in connection with the purposes set out in this Policy, unless applicable law requires a longer retention period. To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the Personal Data, potential risk of harm from unauthorised use or disclosure of your Personal Data, purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and applicable legal requirements. We will retain Customers of our services Personal Data for so long as a Customer’s account remains in existence or as needed to provide our services, to comply with our legal obligations, to resolve disputes, and to enforce our agreements.

Where you require that we delete any personal data which has been provided by you or any third party end user of Service, we will comply with any written request to do so.

Updates to this Privacy Policy

We may update this Privacy Policy periodically. The effective date at the top of the policy indicates when it was last revised.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy, please contact us at privacy@geckoengage.com.

We'd love to show you how Gecko works
Our technology is solving complex challenges for all kinds and all size of higher education providers all over the world. We’re confident we can help you too.
Demo Higher Ed's #1 Chatbot
Gecko