This Privacy Statement explains how Britt Academy, part of Orbital Education Group, collects, uses and protects personal data in accordance with the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP) and its implementing regulations, as applicable in Mexico.
It applies to:
- student applicants, current and former students, and their parents or guardians;
- employees, officers, consultants and contracted staff engaged by the school;
- job applicants;
- users of school‑managed IT systems, tools and services; and
- visitors to the school campus and school‑managed websites.
This Privacy Statement should be read alongside any more specific privacy information provided at the point personal data is collected, including role‑specific notices and the school’s Cookie Notice provided by Cookiebot.
For the purposes of applicable data protection law, Britt Academy S.C., with registered address at Prolongación 115 Avenida Sur, Manzana 1 Lote 1, La Joya Linda, 77710 Playa del Carmen, Mexico, acts as the data controller for personal data processed by the school.
As part of an international education group, the school may work with other Orbital Education Group entities to support governance, information technology services and operational management.
The school operates within Orbital Education Group’s data protection framework. At a local level, responsibility for overseeing data protection compliance and handling data protection matters rests with the school’s designated Data Protection Officer (DPO).
For any questions, requests or concerns regarding personal data, please contact: info.playa@brittacademy.com
This contact point should be used for all data protection queries and ARCO rights requests.
Personal data is any information relating to an identified or identifiable individual. This may include:
- identification and contact details;
- family and guardian information;
- financial and billing information;
- academic records and school reports;
- photographs, video recordings and CCTV images; and
- information relating to health, safeguarding or educational support.
Certain personal data is classified as sensitive personal data under Mexican law (for example health data).
Sensitive personal data is processed only where strictly necessary and subject to enhanced safeguards and, where required, express consent.
We collect and process personal data for clear, specific and legitimate purposes linked to the operation of the school, the provision of educational services, safeguarding, and compliance with applicable legal and regulatory obligations.
We do not process personal data for purposes that are incompatible with these.
In some circumstances, personal data may be obtained from sources other than the individual it relates to, including previous schools, referees, recruitment agencies, professional advisers, public authorities or other Orbital Education Group entities, where permitted by law.
Lawful basis for processing
Under Mexican law, personal data is generally processed on the basis of consent, unless an applicable legal exception applies.
Depending on the context:
- consent may be express or implied;
- express consent is required for sensitive personal data;
- certain processing may be carried out where permitted by law without consent.
Retention of personal data
Personal data is stored securely and retained only for as long as necessary.
Retention periods are determined by reference to:
- the purposes for which the personal data was collected and processed;
- applicable Mexican legal, regulatory and safeguarding requirements;
- operational, contractual and administrative needs; and
- the rights and reasonable expectations of the individuals concerned.
By way of example, student records may be retained in accordance with regulatory and safeguarding requirements, and recruitment data retained only for a limited period following completion of the recruitment process.
Retention is managed in line with applicable legal requirements and internal data management practices.
Students, parents and guardians
We process personal data relating to students and their parents or guardians in order to provide education and associated services, including admissions, learning, assessment, pastoral care, safeguarding and compliance with legal obligations.
Most student‑related personal data is required to deliver education and meet statutory and regulatory responsibilities. Where personal data is optional or processed on the basis of consent, this will be made clear at the point of collection.
Personal data is collected during the admissions and enrolment process and throughout a student’s time at the school. Information may be collected through application forms (paper or electronic), school systems, correspondence, meetings, assessments, observations and communications with parents or guardians.
Student personal data is used for purposes including:
- managing admissions and enrolment;
- identifying students and maintaining school records;
- billing and financial administration;
- supporting learning, development and assessment;
- safeguarding student welfare;
- providing pastoral and educational support;
- communicating with families;
- monitoring academic progress; and
- meeting statutory, regulatory and inspection requirements.
Student records are retained in line with applicable legal and operational requirements and internal data management practices.
Children’s online privacy
Where personal data is collected online from or about students, including through admissions portals, learning platforms, forms or other school‑managed website features, the school ensures that such processing is carried out transparently and only for legitimate educational, safeguarding or operational purposes.
Where required under Mexican law, consent is obtained from a parent or legal guardian.
Personal data collected online about students is used only for the purposes explained at the time of collection and is not disclosed to third parties unless this is necessary to deliver those purposes, required by law, or subject to appropriate contractual and data protection safeguards.
Employees and contracted staff
We collect and process personal data during recruitment, onboarding and throughout the course of employment or engagement with the school.
Employee and contractor personal data is processed for purposes including:
- managing employment and contractual relationships;
- administering pay, benefits and workforce processes;
- complying with Mexican labour, tax, social security and safeguarding requirements; and
- ensuring the effective operation and management of the school.
Where lawful and appropriate, this may include sensitive personal data, such as health information or data relating to background checks. Such data is processed subject to additional safeguards and, where required, consent.
Employment‑related records are retained in accordance with applicable legal requirements and internal data management practices.
Job applicants
We collect personal data when you apply for a role at the school, whether applications are made through recruitment platforms, by email or during interviews. Applicant data is processed to assess suitability for roles and manage recruitment processes.
Applicant data is retained for a limited period following completion of the recruitment process, in line with applicable legal requirements and internal data management practices.
Where applicants consent to receive information about future opportunities, limited contact details may be processed using third‑party communication platforms. Individuals can withdraw consent at any time.
Marketing and Communications
We may process personal data for marketing, communications and community engagement purposes, including providing information about school events, admissions, educational programmes, open days, newsletters, alumni activities and other school-related services.
Marketing and communications may be sent by email, telephone, SMS, post, social media or other appropriate communication channels, depending on the nature of the communication and the contact preferences provided.
Where required under applicable Mexican law, consent will be obtained before sending marketing communications. Individuals may withdraw consent or opt out of receiving marketing communications at any time by using the unsubscribe option provided in the communication, updating their communication preferences, or contacting the school directly.
Withdrawal of consent will not affect the lawfulness of processing carried out before consent was withdrawn.
We do not sell personal data to third parties for marketing purposes. Personal data used for marketing and communications is managed in accordance with applicable legal requirements, consent records, communication preferences and retention practices.
Users of school IT Systems
Personal data is generated through the use of school‑managed IT systems, networks and email accounts. This information is used to:
- maintain the security, integrity and proper use of systems;
- prevent unauthorised access or misuse; and
- support diagnostics and troubleshooting.
Access to IT‑related data is restricted to authorised personnel and protected by appropriate technical and organisational security measures.
IT-related data is retained for as long as necessary to support system security, integrity and operational requirements, in line with internal data management practices.
Visitors to the school site (including CCTV)
We collect limited personal data about visitors to the school campus, including visitor sign‑in details and CCTV footage, for the purpose of ensuring the safety and security of students, staff and premises.
CCTV operates only in publicly accessible areas, is clearly signposted, and recordings are retained only for the minimum period necessary in accordance with applicable legal requirements, unless required for incident investigation or legal proceedings.
Where consent is required (for example, for certain uses of images, video, marketing or optional services), it is obtained in a clear, specific and informed manner.
Where applicable, consent is obtained from a parent or legal guardian and may be withdrawn at any time by contacting the school.
You have the right to know who we share your personal information with. We limit the sharing of your information to external parties to a minimum. This said we do share your personal information on the following grounds:
- We share your information with other parties who provide services to us.
- We also provide personal information to other parties who provide services to you.
- We will also share personal information to external parties in accordance with our statutory responsibilities.
- A transaction relating to Britt Academy, Mexico.
- In anonymised form as part of statistics or other aggregated data shared with third parties.
As part of an international education group, personal data may be transferred to, stored in or accessed from countries outside Mexico.
Where such transfers occur, appropriate safeguards are implemented in accordance with the LFPDPPP, including ensuring that recipients assume the same data protection obligations described in this Privacy Statement.
Under Mexican law, individuals have the following rights in relation to their personal data:
- Access – to know what personal data we hold and how it is used;
- Rectification – to request correction of inaccurate or incomplete data;
- Cancellation – to request deletion of personal data where appropriate;
- Opposition – to object to certain processing activities.
Individuals may also withdraw consent where processing is based on consent, subject to applicable legal limitations.
Requests to exercise ARCO rights or revoke consent may be submitted by contacting: info.playa@brittacademy.com. We may need to verify identity before responding to a request.
Requests will be handled in accordance with applicable Mexican legal requirements. Where permitted by law, we may refuse a request or require additional information where necessary to assess the request or verify identity.
If you believe your rights have not been respected, you may submit a complaint to the competent Mexican data protection authority.
We do not use personal data for automated decision‑making or profiling that produces legal or similarly significant effects on individuals.
The school implements appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These measures include access controls, system protections, staff training and contractual safeguards with third‑party providers.
The school operates within Orbital Education Group’s data protection framework. This framework includes group‑wide policies, procedures and oversight mechanisms designed to ensure compliance with applicable data protection requirements.
This Privacy Statement is reviewed at least annually and may be updated to reflect changes in law, regulation or school operations. The most current version will always be available through the school’s official channels. This Privacy Statement was last updated on 01/06/2026.



