Guidewell Education

Privacy policy

Last updated: November 2025

1. Introduction & Scope

Guidewell Education LLC and its subsidiary Golden Pacific Education LLC (together referred to as  “Guidewell,” “we,” “our,” or “us”) is committed to respecting and protecting the privacy of all individuals who interact with our services. This Privacy Policy explains how we collect, use, disclose, and protect personal information in connection with our educational offerings, websites, platforms, applications, and related services.

This policy applies across all GuideWell Education legal entities and sub-brands, including but not limited to the legal entities Guidewell Education LLC and its subsidiary Golden Pacific Education LLC , as well as its brands which all operate under these entities–UES Education, ESM Group UK, ESM Prep, Guidewell Global, Applerouth Education, College MatchPoint, Summit Education, Metro Academic Prep, Launch Precollege Labs, MBA Mission, and Reach Education (collectively, “Guidewell”). Regardless of which entity you interact with, Guidewell applies a unified set of privacy principles and safeguards.

We recognize that personal data protection requirements vary by jurisdiction. As such, this policy is structured to meet:

  • The requirements of the EU–US Data Privacy Framework (DPF), the UK Extension to the DPF (UK–US Data Bridge), and the Swiss–US DPF;

  • The UK General Data Protection Regulation (UK GDPR) and the EU GDPR;

  • Relevant US federal laws (e.g., the Children’s Online Privacy Protection Act, COPPA); and

  • State privacy laws in California, Virginia, Colorado, Connecticut, Utah, and Nevada.

This Privacy Policy is intended for:

  • Students who use our tutoring, test preparation, or educational services;

  • Parents/guardians who engage us on behalf of their children;

  • Mentors, tutors, and educators who provide services on behalf of Guidewell;

  • Visitors to our websites and users of our online platforms.

If you are a student or parent accessing our services through a school, university, or other educational institution, this policy should be read alongside the institution’s own privacy notices.

By accessing our websites or using our services, you acknowledge the practices described in this Privacy Policy. If any terms conflict with the DPF Principles, the DPF Principles will govern.

2. Our Commitment to Data Privacy Framework (DPF) & UK Data Bridge

Guidewell Education LLC and its subsidiary Golden Pacific Education LLC comply with the EU–US DPF, the UK Extension to the EU–US DPF (UK–US Data Bridge), and the Swiss–US DPF as set forth by the US Department of Commerce.

Guidewell Education LLC and its subsidiary Golden Pacific Education LLC have certified to the US Department of Commerce that we adhere to the DPF Principles with respect to personal data received from the EU, UK, and Switzerland. If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit the US Department of Commerce’s website at: https://www.dataprivacyframework.gov/.

Participation in the DPF requires Guidewell Education LLC and its subsidiary Golden Pacific Education LLC to:

  • Maintain robust safeguards for personal data transferred from the UK/EU/Switzerland to the US;

  • Provide clear rights to individuals, including access, correction, deletion, and redress mechanisms;

  • Submit to oversight and enforcement by the US Federal Trade Commission (FTC); and

  • Offer independent dispute resolution, at no cost to individuals.

Our certification covers all sub-brands within the Guidewell Group, ensuring that personal data transferred under the DPF is subject to consistent protection across our organization.

 

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Guidewell Education LLC and its subsidiary Golden Pacific Education LLC commit to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding the handling of personal data received in reliance of the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Guidewell at:

Data Protection Officer: datacompliance@guidewell.com
UK Contact: ukprivacy@guidewell.com 

Within the scope of this privacy notice, if a privacy complaint or dispute cannot be resolved through Guidewell’s internal processes, and in compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, Guidewell commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF to The VeraSafe DPF Dispute Resolution Program. Subject to terms of the VeraSafe DPF Dispute Resolution Program, please submit the required information to VeraSafe here:

https://verasafe.com/public-resources/dispute-resolution/submit-dispute/

These services are provided at no cost to you.

 

Under certain conditions specified by the EU-U.S. DPF Principles, including as applicable under the UK Extension to the EU–U.S. DPF and the Swiss-U.S. DPF Principles, you may also be able to invoke binding arbitration to resolve your complaint, as described in Annex I of the EU-U.S. DPF Principles and Annex I of the Swiss-U.S. DPF Principles.

 

The Federal Trade Commission has jurisdiction over Guidewell’s compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DFP, and the Swiss-U.S. DPF.

 

The EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF describe Guidewell’s accountability for personal data that it subsequently transfers to a third-party agent. Under the DPF Principles, Guidewell shall remain liable if third party agents process the personal information in a manner inconsistent with the DPF Principles, unless Guidewell proves it is not responsible for the event giving rise to the damage.

Note that Guidewell may be required to release the personal data of EU, UK and Swiss individuals in response to legal requests from public authorities, including to meet national security and law enforcement requirements.

3. Categories of Data We Collect

We collect personal data directly from individuals, through our platforms, from parents/guardians, and automatically via cookies and technologies. The exact data we collect depends on your role (student, parent, mentor, visitor).

3.1 Student Data

  • Identification: name, date of birth, contact information.

  • Academic information: school, grades, coursework, essays, standardized test scores, extracurricular activities.

  • Program participation: tutoring sessions, assessments, scholarship applications, university counseling notes.

  • Special accommodations: details of learning needs or accommodations (where relevant and lawful).

3.2 Parent/Guardian Data

  • Identification: name, relationship to student, contact details.

  • Financial: billing address, occupation, payment card details (processed via secure third-party providers).

  • Communications: emails, messages, and records of calls with our staff.

3.3 Mentor/Employee Data

  • Professional identity: name, role, biography, qualifications, and expertise.

  • Authored content: articles, study materials, or blogs attributed to mentors.

  • Media: photographs or professional headshots published on our websites.

3.4 Sensitive Data

In limited cases, we may process information that qualifies as sensitive or special category data, such as:

  • Health-related data for learning accommodations (e.g., ADHD, dyslexia, IEPs).

  • Socio-economic information relevant for scholarships.

  • Immigration background for admissions counseling.

We only process such data where strictly necessary and with appropriate legal safeguards.

3.5 Technical & Automatic Data

  • Device and log data: IP address, device type, operating system, browser type, unique identifiers.

  • Usage data: login timestamps, clickstream data, session duration.

  • Analytics: metrics from Google Analytics, Microsoft Clarity, and similar tools.

3.6 Media & Audio Data

  • Student photographs (where voluntarily provided).

  • Video conferencing recordings (where tutoring sessions are recorded for quality or safeguarding).

  • Audio samples (if assessments involve spoken exercises).

3.7 Cookies & Tracking Data

We use cookies, pixels, and similar technologies to support functionality, security, analytics, and marketing. This includes:

  • Google Analytics 4 for site usage measurement.

  • Meta Pixel for targeted advertising.

  • Reddit Pixel, Bing Ads, and Microsoft Clarity for marketing and user experience optimization.

  • AWS and other hosting logs for system performance and security monitoring.

4. How We Use Personal Data

We use personal data for defined, lawful purposes only. The ways we use personal data include:

  • Service Delivery: to provide tutoring, mentoring, academic advising, admissions support, and related services.

  • Personalization: to tailor educational programs to individual learning profiles and academic goals.

  • Payments & Account Management: to process transactions, issue invoices, manage accounts, and detect fraudulent activity.

  • Communication: to respond to inquiries, provide updates about scheduled sessions, and share educational materials.

  • Marketing: to send newsletters, promote new services, or provide information about upcoming events (subject to consent, where required).

  • Analytics & Research: to improve our platforms and develop new tools by analyzing patterns of use.

  • Compliance: to meet legal, regulatory, and audit obligations, including safeguarding duties.

We do not sell personal information to third parties.

5. Legal Bases for Processing (UK/EU GDPR)

For individuals located in the UK and EU, we rely on one or more of the following lawful bases to process personal data:

  • Contractual Necessity: to fulfill our obligations in providing educational services.

  • Legal Obligation: to comply with recordkeeping, tax, employment, or safeguarding laws.

  • Legitimate Interests: to ensure IT security, prevent fraud, conduct analytics, and improve our services, provided these interests are not overridden by your rights.

  • Consent: for marketing communications, use of cookies, and processing of sensitive data where required.

Under the DPF Principles, Guidewell shall remain liable if third party agents process the personal information in a manner inconsistent with the DPF Principles, unless Guidewell proves it is not responsible for the event giving rise to the damage.

6. Children’s Data & Parental Consent

We recognize that children merit special protection under data protection laws.

  • For children under 13 years of age in the US and under 16 in the UK/EU, we require verifiable parental or guardian consent before collecting personal data.

  • Parents and guardians may request access to their child’s data, request corrections, or request deletion at any time by contacting datacompliance@guidewell.com or ukprivacy@guidewell.com.

  • Where tutoring or assessments are recorded (e.g., video or audio), parents will be informed in advance, and such recordings will be used solely for quality assurance, safeguarding, or training.

7. How We Share Personal Data

We do not disclose personal data except as described in this policy.

7.1 Vendors and Onward Transfers

We use trusted third-party vendors under binding contracts to process data on our behalf. Categories include:

  • Cloud hosting providers (e.g., AWS).

  • Analytics and marketing platforms (Google Analytics, Meta, Microsoft).

  • Payment processors (PCI DSS-compliant providers).

  • Customer relationship management systems.

Vendors are required to process data only under our instructions and to implement appropriate safeguards.

7.2 Affiliates

Data may be shared between GuideWell Education LLC, its subsidiary Golden Pacific Education LLC, and their sub-brands (UES, ESM, Applerouth, CMP, Summit, MAP, Launch, Reach, MBA Mission) to provide integrated services.

7.3 Legal Disclosures

We may disclose data in response to lawful requests from government agencies, courts, or law enforcement, consistent with the DPF.

8. International Data Transfers

GuideWell Education LLC and its subsidiary Golden Pacific Education LLC are headquartered in the United States. Accordingly, personal data may be transferred from the UK, EU, or Switzerland to the US.

We rely on:

  • EU–US DPF, UK Extension (UK–US Data Bridge), Swiss–US DPF for transfers.

  • Standard Contractual Clauses (SCCs) with the UK Addendum where required.

  • Supplementary measures including encryption, access control, and role-based data restrictions.

If adequacy decisions are revoked, we will continue using SCCs with additional safeguards.

9. User Rights and Choices

9.A Use of llms.txt and AI-Specific Directives

In addition to standard web technologies, Guidewell  may publish llms.txt files (or similar protocol files) on our websites. These files provide instructions to automated systems, including Large Language Models (LLMs), about how our website content may be accessed, indexed, or used.

  • These files apply to public content only (such as service descriptions, program information, and articles authored by our mentors).

  • We do not include personal data in llms.txt or expose private information through this mechanism.

  • The purpose of these files is to increase transparency with automated systems and to help ensure that only appropriate, non-personal data is ingested by AI crawlers.

  • Publication of these files does not grant permission to use our intellectual property beyond what is already permitted by law or applicable terms of service.

9.1 UK/EU Data Subject Rights

You have the right to:

  • Access your personal data.

  • Request correction of inaccurate data.

  • Request deletion (“right to be forgotten”).

  • Restrict or object to processing.

  • Request portability of data to another provider.

  • Withdraw consent at any time.

  • Lodge a complaint with the Information Commissioner’s Office (ICO) or your local EU supervisory authority.

9.2 US Resident Rights (by State)

US residents have rights under state privacy laws, described in Section 19.

9.3 Swiss Data Subject Rights

Swiss Choice and Means

Swiss individuals have the right to opt out of (i) disclosures of their personal data to third parties, or (ii) uses of their personal data for purposes materially different from those for which it was originally collected or subsequently authorized.

To exercise these choices, Swiss individuals may contact us at datacompliance@guidewell.com.

Swiss Right of Access

Swiss individuals have the right to access personal data about them that Guidewell processes under the Swiss-U.S. DPF and may correct, amend, or delete such information where it is inaccurate or processed in violation of the Principles.

9.4 Exercising Your Rights

To exercise any rights, contact datacompliance@guidewell.com or ukprivacy@guidewell.com. We will respond within the statutory timelines.

10. Cookies and Tracking Technologies

We use cookies and tracking technologies for:

  • Strictly necessary functions: authentication, security, session management.

  • Preferences: remembering settings and choices.

  • Analytics: understanding usage patterns (Google Analytics, Microsoft Clarity).

  • Marketing: delivering relevant advertising (Meta Pixel, Reddit Pixel, Bing Ads).

You can control cookies through your browser or via our cookie preference center. Non-essential cookies will only be used where you consent.

11. Security Measures

We implement technical, administrative, and physical safeguards:

  • Technical: encryption in transit and at rest, multi-factor authentication, firewalls, monitoring.

  • Administrative: staff training, restricted access, policies, confidentiality agreements.

  • Physical: secure offices, device encryption, controlled visitor access.

We regularly test and update our security practices.

12. Data Retention & Deletion

We retain personal data only for as long as necessary:

  • Student records: up to 10 years after services.

  • Payment and billing data: 7 years (legal requirement).

  • Essays and scholarship applications: 2 years.

  • Mentor/employee authored content: for as long as published.

  • Marketing contact data: until you withdraw consent or remain inactive.

  • Anonymized or aggregated data: may be kept indefinitely.

When data is no longer needed, it is securely deleted or anonymized.

13. Government Access & Lawful Requests

Guidewell may be required to disclose the personal data of EU, UK, and Swiss individuals in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

14. Breach Response & Notifications

We maintain an incident response plan. In case of a data breach:

  • We will assess and contain the incident.

  • Notify affected individuals without undue delay, if required.

  • Notify supervisory authorities within 72 hours under GDPR.

  • Take corrective and remedial measures.

15. Independent Dispute Resolution Mechanism

Guidewell provides a free, independent dispute resolution process for individuals whose data we process under the DPF. Our selected provider is VeraSafe. If you have an unresolved privacy or data use concern, you may contact this provider directly at no cost.

16. Arbitration under DPF

As a last resort, and under certain conditions, you may invoke binding arbitration before a Data Privacy Framework Panel. This option is available after other dispute resolution mechanisms have been exhausted.

17. Policy Updates & Change Notifications

We may update this Privacy Policy from time to time. If we make material changes, we will notify users by:

  • Email (where possible), and/or

  • Prominent notice on our website.

The “Last Updated” date at the top of this policy reflects the most recent revision.

18. Contact Us

If you have questions, requests, or complaints, please contact us:

  • Data Protection Officer: datacompliance@guidewell.com

  • UK Contact: ukprivacy@guidewell.com

19. Jurisdiction-Specific Addenda

19.1 California (CCPA/CPRA)

California residents have the right to:

  • Know categories of personal information collected, disclosed, or sold.

  • Request deletion of personal information.

  • Correct inaccurate personal information.

  • Opt out of sale or sharing of data.

  • Limit use of sensitive personal information.

We do not sell personal information. We honor opt-out requests for targeted advertising.

19.2 Virginia (VCDPA)

Virginia residents may request access, correction, deletion, portability, and opt-out of targeted advertising or profiling.

19.3 Colorado (CPA)

Colorado residents have rights similar to Virginia residents, with appeal rights if requests are denied.

19.4 Connecticut (CTDPA)

Connecticut residents have access, correction, deletion, portability, and opt-out rights.

19.5 Utah (UCPA)

Utah residents may access and delete data and opt out of targeted advertising.

19.6 Nevada (NRS 603A)

Nevada residents may opt out of the sale of covered information. GuideWell does not sell personal data under Nevada law.

End of Policy

Explore our brands
© 2025 Guidewell Education