ABRSM Shop Privacy Policy

shop.abrsm.org (the “Shop”) is operated by The Associated Board of the Royal Schools of Music (Publishing) Ltd, a limited liability company registered in England & Wales No. 01910047 whose registered office is 4 London Wall Place, London EC2Y 5AU, UK.

In this privacy policy we use the terms “ABRSM”, “we”, “us”, “our” to mean both the Associated Board of the Royal Schools of Music (Publishing) Ltd and its parent company, the Associated Board of the Royal Schools of Music (Reg No.1926395).

Both companies are registered with the UK Information Commissioner's Office as data controllers (Z6618494) and (Z6329415).

For UK and EU data-protection law, ABRSM is the data controller for personal data collected through this Shop.

This policy applies only to the Shop and any related emails, SMS, fulfilment and customer-service activities arising from purchases made at shop.abrsm.org. It supplements the main ABRSM Privacy Policy. Where the two overlap, this Shop Policy governs.

The categories below describe what we collect and why.

The Store is not intended for children under 14. We do not knowingly collect their data without parental consent. If we learn we have done so, we will delete it.

We rely on the legal bases shown below.

We use automated tools to:

• Score transactions for fraud risk (e.g. mismatched IP and payment country)
• Show personalised product recommendations and ads based on browsing and purchase history. These processes have no legal or significant effect on you. You may object by contacting us (see Section 16).

We use first and third-party cookies, local storage and server-side tags to remember your basket and keep you logged in, analyse traffic and performance, and show ABRSM ads on social media and other websites. You can manage these via our cookie-consent banner or your browser/device settings. Full details are in our Cookie Policy.

We disclose personal data only with appropriate safeguards:

• Service providers: Shopify Inc. (ecommerce & hosting; servers in Canada, USA, EU), payment processors (Shopify Payments, PayPal, Apple Pay, Google Pay), fulfilment partners & couriers (Royal Mail, UPS), IT support, email, analytics (Google Analytics, Meta Pixel), and trusted partner Page Bros Norwich Ltd for fulfillment of your order.
• Within ABRSM: Relevant abrsm.org teams to support your order or improve services.
• Legal & compliance: HMRC, regulators, law-enforcement bodies and courts where required.

We never sell your personal data.

Some providers operate outside the UK/EEA. When transferring data we rely on:

• UK adequacy regulations;
• UK/EU Standard Contractual Clauses (SCCs) or International Data Transfer Agreements (IDTAs)
• Additional safeguards such as TLS encryption, at-rest encryption and access controls.

We keep data only as long as necessary or required by law, as detailed below.

We follow industry best practice, including:

• HTTPS across the Store
• PCI-DSS Level 1 compliant payment processing.
• Encryption at rest and in transit.
• Role-based access controls and MFA for staff.
• ISO 27001-certified hosting.
• 24/7 security monitoring and annual penetration testing.

If we discover a personal-data breach likely to risk your rights, we will notify the ICO within 72 hours and inform affected users without undue delay.

Your rights are set out in the main ABRSM Privacy Policy

Under the UK GDPR and (where applicable) EU GDPR you may: access the personal data we hold about you; request correction; request erasure (\"right to be forgotten\"); object to or restrict processing; withdraw consent at any time (e.g. via the unsubscribe link); and request data portability in a structured, machine-readable format.

You can exercise these rights by submitting a request via our online privacy webform, emailing privacy@abrsm.ac.uk, or writing to the address in Section 16. You also have the right to lodge a complaint with the UK ICO or your local supervisory authority.

If you opt-in, we may send you emails or SMS about new publications, exam resources, events and special offers. You can opt-out at any time by:

• Clicking unsubscribe in any marketing email.
• Replying STOP to an SMS.
• Updating your preferences in your Shop account.
• Contacting us at dataprotection@abrsm.ac.uk

The Store may link to external sites (e.g. abrsm.org). Those sites are governed by their own privacy policies.

We want everyone to be able to use the Shop easily. The site integrates accessiBe, an automated accessibility solution that:

• Continuously scans the Shop and applies adjustments required by WCAG 2.1 AA and the UK Accessibility Regulations 2018.
• Provides an on-screen Accessibility Interface (look for the circular icon in the bottom left) that lets you choose profiles such as “Seizure-Safe”, “Vision-Impaired”, “Keyboard-Only”, or fine-tune text size, contrast and spacing in real time.
• Optimises pages for popular screen readers (JAWS, NVDA, VoiceOver, TalkBack) through AI-generated alt-text, correct ARIA roles and skip-links.
• Ensures full keyboard navigation, pause/stop controls for moving content and colour ratios that meet or exceed WCAG AA.

AccessiBe’s AI re-scans the Shop every 24 hours to incorporate new or updated content. If any part of the site remains inaccessible, or if you need this policy in large-print, braille or another format, please email accesscoordinator@abrsm.ac.uk or use the contact details in Section 17. We will provide an alternative within five working days.

We may update this policy to reflect legal, regulatory or operational changes. Significant changes will be announced on the Store or via email. Previous versions are archived and available if requested.

Data Protection Officer
Please email: dataprotection@abrsm.ac.uk

If we cannot resolve your concern, you may escalate to the UK Information Commissioner’s Office (ICO) or, if you are in the EU/EEA, to your local data-protection authority.