MindGym Privacy Policy

1. Introduction

Mind Gym plc (“we”) are committed to protecting and respecting your privacy and complying with the data protection laws that apply to our business activities.

This notice describes how we process the personal data we obtain about our website visitors, our business clients’ employees and representatives, our individual customers, people who contact us and potential/prospective clients. Please read this notice to understand our practices regarding your personal data and how we treat it.

For the purposes of the data protection laws applicable in the United Kingdom, the data controller of the processing described in this notice is Mind Gym plc, a company registered in England and Wales with company number 3833448 whose registered office is at 160 Kensington High Street, London, W8 7RG, United Kingdom.

2. How we process your personal data

In this section we explain the types of personal data we obtain, the purposes we use that data for and the legal bases we rely on to process personal data for those purposes.

2.1 Types of personal data we obtain

The types of personal data that we obtain and use in the course of our business activities are:

Website usage data: This includes:

technical data about website visitors’ devices and browsers such as the Internet Protocol (IP) address used to connect devices to the Internet, geographical location, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform and login information;
information about website visitors’ use of our website such as referral source, length of visits to certain pages, page views, website navigation paths including the clickstream to, through and from our sites (including date and time), products viewed or searched for, page response times, download errors, page interaction information (such as scrolling, clicks, and mouse-overs) and methods used to browse away from pages; and
social media plugins on our website for LinkedIn, Twitter and Facebook, certain information about our website visitors (IP addresses and information about their browsers and the operating systems) will be transmitted to those social media providers when they browse our website.

This data is collected automatically by our analytics tracking system and third party services and involves the use of cookies. (See our Cookie Policy for more information about our use of cookies.)

Business operations data: This includes:

data relating to our business clients’ personnel and representatives that we obtain in connection with entering into and performing contracts for the provision of our live sessions and other products and services. This includes names, business email addresses, business location addresses, telephone numbers and job titles of our clients’ ‘stakeholders’ and other business contacts with whom we communicate to get contracts signed, process invoices and payments and make practical arrangements for the provision of our workout sessions and other products and services; and
information contained in or relating to any communications we receive, including any personal data contained in the communication content, address and contact details and any metadata associated with the communication. We obtain this data when people contact us by email, phone, via social media platforms or any other method of communication.

Business development data: This includes:

information relating to individuals who work for organisations that we consider might have an interest in our products and services, which we obtain as part of our business development activities from publicly available sources or from the individuals themselves, e.g. at networking and other events. This is likely to include standard business contact data such as name, business email address, job title, company, company location and phone number;
we obtain website visitors’ names and email addresses if they choose to sign up for our newsletter via our website;
information about recipients’ interactions with our newsletter and other marketing emails such as email opening and clicks. This is obtained automatically by our marketing email services provider using various technologies including clear gifs. (See our Cookie Policy for more information about our use of these technologies.);
data provided to us by website visitors via any of our website forms such as our ‘contact us’, enquiry, demo request, event registration and resource download request forms. This includes the visitor’s name, email address, job title, company and company details and any free-text content completed by the visitor. The forms on our website also generate metadata associated about the submission of the form, such as the time and date of submission; and
information relating to coach-led or digital participants who have opted-in for business development communications. This includes the participants name, email address, job title and company.

Coach-led participant data: data relating to or obtained from individual staff of our business clients who participate in live sessions, whether conducted face to face or remotely, that we provide at the request of our business clients. This includes:

each participant’s name, business email address, business phone number, job title and employer name, to the extent provided to us; each participant’s personal email address, personal phone numbers where they have been provided to us.
information arising out of focus groups, surveys and interviews conducted by us as part of a pre-session scoping exercise, which may include names and job titles, demographic information, user opinions, diversity data and individual views and observations on employer/colleagues (see below to the extent that any such information constitutes special categories of personal data);
observational data about our client’s working environment obtained from observations conducted by us (where such observation is agreed with our client);
information contained in third party reports from previous training, which is usually aggregated or anonymised (if provided to us by our client);
information arising out of focus groups and interviews conducted during the session, which may include demographic information, user opinions, diversity data, individual views on employer/colleagues (see below to the extent that any such information constitutes special categories of personal data);
each participant’s IP addresses, which are collected automatically by the virtual workout app;
psychometric data about participants (if psychometric/diagnostic tools are used in the session);
data about participants’ completion of tasks/sessions;
any personal data captured in an audio or video recording of the session (if the session is recorded);
participants’ ratings and feedback on the session, provided by participants using hard copy or online feedback forms (the participant’s IP addresses and a unique randomly generated ID will also automatically be collected);
participants’ names, email addresses and other information relating to their job, if and to the extent that participants choose to provide this information to us in feedback forms or by other means for the purpose of receiving follow-up and/or other emails from us; and
further information about participants, as determined and provided by our client should they choose to do so (see below to the extent that any such information constitutes special categories of personal data).

Digital participant data: data relating to individual customers who engage with our digital products such as our mobile and web-based apps, artificial intelligence (AI) models and tools including names, email addresses and any other information they choose to provide via our digital products, provided to us directly by those individuals when they download, install and use our digital products, and data collected automatically by the apps such as technical data about users’ devices and browsers and analytical data about their use of the app. This includes:

name and business email address, which is usually provided to us by our clients in advance of the session and then separately submitted online by the participants when they register to take part in the session;
each participant’s personal email address where provided to us;
IP addresses, which is collected automatically by the digital products;
session history (scores, time spent, completion data), which is collected automatically by the digital products;
ratings and feedback on the digital products, which is provided to us online by individual participants;
names, email addresses and other information relating to their job, if and to the extent that participants choose to provide this information to us in feedback forms or by other means for the purpose of receiving follow-up and/or other emails from us;
360 diagnostics: the user’s name, email address, phone number and job title; the name, email address, phone number and job title of the user’s manager and their feedback on the user; the name, email address, phone number and job title of each colleague that provides 360 feedback; manager performance data; aggregated participant performance data;
Mind Gym diagnostics: the user’s name, email address, job title and information on their role, division, geographical location, aggregated participant performance data including user engagement, experience and psychological data;
Judgement Quotient (JQ) diagnostics: the user’s name, email address, phone number and job title; psychometric data about the user; aggregated psychometric data;
AI Chatbox: the user’s name, email address; AI generated output of aggregated participant engagement data, segment data and feedback from user; and
Special Categories of personal data: the use of some of our digital products) may involve the provision of special categories of personal data (this is information as to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sex life or sexual orientation or genetic or biometric data). The use of these digital products and/or the provision of this information by you is entirely optional and you will be given the opportunity to explicitly consent to our use of that information for the purposes notified to you before or at the time of providing the information.

2.2 Why we use personal data

Core processing purposes This section described the purposes for which we use personal data in the normal course of our business, the types of personal data we use for those purposes and our legal bases for doing so. An explanation of what the different legal bases mean can be viewed here:

Purposes of processing	Types of personal data	Legal basis
Analysing use of our website, (e.g. finding out how many people visit various parts of the site and how they use it) in order to improve our website content and our website visitors’ browsing experience, present our website in the most effective manner for our visitors, allow website visitors to participate in interactive features of our website and keep our website safe and secure.	Website usage data	Our legitimate interests in operating a website that successfully promotes our business, expertise, products, and services and is engaging and convenient for our website visitors in order to drive sales and sustain and grow our business in a secure way.
Serving online targeted advertising to people who have shown an interest in our products and services.	Website usage data Business Development Data	Our legitimate interests in promoting our products and services to people who have engaged with our website and shown an interest in our products and services to drive sales and sustain and grow our business.
Providing our products and services, such as live sessions and follow-up communication to our business clients and individual participants.	Business operations data Coach led participant data	Our legitimate interests in providing our products and services to business clients as our core business activity.
Providing digital products to our business clients and individual participants	Digital participant data Special categories of personal data	Performance of a contract (where the data is necessary to provide the product or particular services requested by the individual via the product) In relation to special categories of personal data, consent given by the individual users of the products.
Sending marketing communications about our products and services, including our e-newsletter. Measuring, understanding, and improving the effectiveness of this marketing	Business development data (where participants have indicated they are happy to receive communications)	Our legitimate interests in promoting our products and services and maintaining relationships with our business clients, individuals who have participated in our sessions and individual customers in order to drive sales and sustain and grow our business.
Responding to enquiries	Business operations data	Our legitimate interests in communicating with individuals who contact us in order to develop our business and client relationships and provide a good quality service to clients and potential clients.
Dealing with complaints	Business operations data	Our legitimate interests in providing a good quality service to clients, dealing effectively with complaints, and maintaining relationships with clients.
Keeping business records relating to our transactions, contracts, and provision of products and services	Business operations data Coach led participant data Digital participant data	Our legitimate interests in the effective and proper administration of our business, and, where records are required to be kept by law (e.g. relating to tax), to comply with legal obligations to which we are subject.
Analysing and understanding use of, and feedback on, our products and services so that we can improve the content and functionality of our products and services	Business operations data Coach led participant data Digital participant data Note the above is aggregated and non-reversible so that the resulting data sets contain no personal data	Our legitimate interests in improving our products and services for the benefit of our clients and the individuals who use our products and services and to sustain and grow our business by ensuring that our products and services continually evolve to be market-leading and competitive.

Other processing purposes

In addition to our core processing purposes set out above, we may also process personal data if and to the extent necessary for the following purposes:

Purpose	Legal basis
Establishing, exercising or defending legal claims	Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of others
Obtaining or maintaining insurance cover, managing risks or obtaining professional advice	Our legitimate interests in protecting our business against risks
Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator	Compliance with a legal obligation
Protecting a person’s vital interests	Protection of vital interests

Supplementary notices

We may from time to time offer products and services which will be subject to specific privacy policies.

Explanation of legal bases

It is only lawful to process personal data if there is a legal basis for doing it. Below is an explanation of the legal bases referred to in this notice:

Legitimate interests: processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individuals to whom the personal data relate

Performance of a contract: processing of personal data is necessary to perform a contract to which an individual is a party or to take steps at the request of an individual prior to entering into a contract

Consent: an individual has given consent to the processing of his or her personal data for one or more specific purposes

Compliance with a legal obligation: processing of personal data is necessary for compliance with a legal obligation imposed by UK or EU law

Protection of vital interests: processing of personal data is necessary in order to protect the vital interests of any individual

3. Cookies

Our websites use cookies to distinguish you from other users of our websites. This helps us to provide you with a good experience when you browse our websites and also allows us to improve our sites. We also use pixels, web beacons and other cookies in some of our emails. For detailed information on the cookies we use and the purposes for which we use them see our Cookie policy.

4. Who we disclose personal data to

The personal data described in this notice may be disclosed to the following categories of recipients, where and to the extent necessary for the purposes described in this notice:

Our group companies: this currently includes Mind Gym (USA) Inc. and Mind Gym Performance (Asia) Pte. Ltd
Insurers and professional advisers: such as lawyers, accountants and business and marketing consultants
Organisations or individuals engaged by us in the course of providing our services: such as individual coaches who deliver our workout sessions (or their personal service companies)
Prospective buyer: if we propose to sell or do sell any of our business or assets, some of the personal data described in this notice may be reviewed by the prospective buyer and/or comprise an asset transferred to the buyer
Social media platforms: if you communicate with us via twitter, LinkedIn or Facebook, the providers of those platforms will process correspondence data sent or received via those platforms
Other registered website users: if you post a message or upload any content to any of our websites, your name and any personal data contained in your message/content will be accessible to other registered website users
Service providers: we use a number of service providers in connection with our website, services, communications, and IT infrastructure, which involves those service providers processing some of the personal data described in this notice to the extent necessary to provide the relevant services.

Additionally, we may disclose your personal data to other organisations or individuals where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above, for example if we are under a duty to disclose or share personal data in order to comply with any legal obligation, or in order to enforce or apply the terms of any agreement to which we are a party, or to protect the rights, property, or safety of Mind Gym, our customers, or others. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. In all cases, we will only share personal data with such recipients where and to the extent necessary for the relevant processing purpose and in accordance with applicable data protection law.

5. International transfers of personal data

This section describes the circumstances in which the personal data described in this notice process may be transferred to countries outside the European Economic Area (EEA) or the United Kingdom and the safeguards in place to protect that data once it has been transferred.

Mind Gym international group companies: we transfer some personal data to, and share access to databases containing personal data with, our group companies. Our group companies currently include Mind Gym (USA) Inc., based in the U.S.A., and Mind Gym Performance (Asia) Pte. Ltd, based in Singapore. We have entered into Standard Contractual Clauses with our group companies to ensure that any personal data transferred/shared is subject to suitable safeguards. The Standard Contractual Clauses can be obtained by emailing dpo@themindgym.com.
Service providers: our use of service providers involves some processing of personal data by our service providers in countries outside the EEA or the UK. We ensure that such a transfer complies with the conditions for transfers stipulated by applicable data protection law.

In addition to the known transfers described above, it may become necessary to transfer personal data described in this notice to organisations based outside the EEA or the UK in connection with the purposes described in the ‘Other processing purposes’ section above. If this were to happen, we will ensure that such a transfer complies with the conditions for transfers stipulated by applicable data protection law.

Explanation of safeguards referred to in this section:

Adequacy decision: this means an official decision adopted by the European Commission that a country (or a territory or specified sector within a country) or international organisation ensures an adequate level of protection for personal data.

Standard Contractual Clauses: these are standard data protection clauses for data transfers between EU and non-EU countries adopted by the European Commission pursuant to a decision of the European Commission that those clauses provide an adequate level of protection for personal data transferred between the parties to those clauses. See the Europa website for more information on, and links to, the standard contractual clauses: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

6. Security

We will take appropriate technical and organisational precautions to secure the personal data we process and prevent accidental or unlawful destruction, loss or alteration and unauthorised disclosure of, or access to, that personal data.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our sites, you are responsible for keeping this password confidential, and for all use made of your account with such password. We ask you not to share a password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our sites; any transmission is at your own risk.

Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We will notify affected individuals and any applicable regulator of any personal data breach where we are legally required to do so.

7. Length of data storage

We will retain data only for so long as is necessary for the purposes for which we hold it. This may vary according to the type of personal data and the purposes for which we use it. If you would like to know what that means in respect of your personal data, please contact us by emailing dpo@themindgym.com.

In determining how long we retain personal data, we take into consideration the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means, our legal obligations, good industry practice, the guidance of relevant UK authorities such as HM Revenue & Customs, and also tax, accounting and health and safety rules.

8. Your personal data rights

8.1 Your rights

You have various rights under data protection law in respect of our processing of your personal data. These include rights to:

object to us processing your personal data for direct marketing purposes;
withdraw any consent you may have given for our processing of your personal data (if our processing is based on your consent);
access the personal data we hold about you (see section 9 below for further details);
ask us to rectify any personal data we hold about you that is inaccurate or incomplete;
ask us to delete any personal data we hold about you (in certain circumstances);
ask us to restrict our processing of your personal data (in certain circumstances);
object to our processing of your personal data (in certain circumstances);
require us to give you the personal data we hold about you in a structured, commonly used and machine-readable format so that you can provide the data to another data controller, in certain circumstances;

The availability of these rights varies depending on the legal basis we rely on for processing the relevant personal data, and some rights are qualified (rather than absolute) under applicable data protection law, which we will discuss with you following your request.

8.2 How to exercise these rights

You can exercise any of the rights set out above, free of charge, by using any applicable methods set out in our communications with you, or by contacting us at dpo@themindgym.com.

We may ask you to provide further information in order to confirm your identity. Please also note that if you submit unfounded or excessive (for example repetitive) requests to exercise any of these rights, we are permitted under the applicable data protection law to charge a reasonable fee for providing the requested information or taking the requested action, or to decline your request.

For rights available for California residents under the California Consumer Privacy Act of 2018 (“CCPA”) and how to exercise them, please refer to section 13 “For California Residents”.

8.3 Complaining to a supervisory authority

You also have the right to lodge a complaint about our processing of your personal data with a supervisory authority if you are concerned that our processing breaches data protection legislation or does not respect your rights under data protection law. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement. The Information Commissioner’s Office ( www.ico.org.uk ) is the supervisory authority in the UK which is responsible for overseeing the application of, and enforcing, data protection law. Relevant contact details for the ICO can be found here: https://ico.org.uk/concerns/.

9. Accessing your personal data

You have the right to obtain from us:

Confirmation as to whether we are processing (including holding) personal data about you; and
If we are processing personal data about you, you are entitled to be provided with:
Information as to the purposes for which we process the data;
Information as to the categories of data that we are processing;
Information as to the recipients or categories of recipients to whom the data has or will be disclosed;
Information as to the envisaged period for which we will store the data, or if not possible, the basis on which that period will be determined;
If the data was not collected from you, information about the source of the data;
Information about any automated decision-making that produces legal effects concerning you or similarly affects you;
Information about the appropriate safeguards used for any transfer of personal data about you outside the EEA or the UK;
A copy of the data (further copies are available at a reasonable charge, which we will inform you of should you request further copies). Please note that this right is subject to the rights and freedoms of others in relation to their own personal data.

Please see section 8.2 above as to how to exercise your rights under this section 9. Section 8.2 applies in full to the exercise of these access rights.

10. Other websites

Our website may include links to third-party websites, plug-ins and applications and we may use third party apps or services to help deliver our products and services. Clicking on those links, enabling those connections, or using those third-party services may allow third parties to collect or share data about you. We do not control these third-party websites or services and are not responsible for their privacy statements or practices. When you move from our website to a third-party website using such links, or you use any of the third-party services, we encourage you to read the privacy notice of that website or service.

11. Changes to this privacy notice

Any changes we make to our privacy notice in the future will be posted on our website and, where appropriate, notified to you by e-mail or other suitable method.

12. Contact

Questions, comments and requests regarding this privacy notice are welcomed and should be addressed to dpo@themindgym.com

13. For California Residents

Pursuant to the CCPA, Mind Gym is providing the following details regarding the categories of Personal Information that we collect, use, and disclose about California residents and California residents’ rights.

We collect, and have collected within the preceding 12 months, the following categories of Personal Information, as listed in the CCPA:

Identifiers, such as name, contact information, IP address, and other online identifiers;

Personal information, as defined in the California customer records law, such as name, contact information, and employment information;

Characteristics of protected classifications under California or federal law, such as age, sex, disability status, primary language, race, citizenship, and marital status, to the extent required or permitted by applicable law;

Commercial information, such as records of products or services purchased, obtained, or considered;

Internet or network activity information, such as browsing history and interactions with our website;

Audio, electronic, visual, and similar information, such as photographs or audio and video recordings created in connection with our business activities;

Professional or employment-related information, such as work history and prior employer, information relating to references, details of qualifications, skills and experience, human resources data, and data necessary for benefits and related administration services; and

For information on the sources of these categories of Personal Information, please refer to the section 2.1 “Types of personal data we obtain” in this Policy.

For information on the third parties to whom these categories of Personal Information are shared, please refer to the section 4 “Who we disclose personal data to” of this Policy.

If you are a resident of California and subject to the CCPA or have similar rights by law in your jurisdiction, you have the right to request that we disclose certain information to you about our collection, use, disclosure, or sale of your personal information over the past 12 months. Once we received and verified your consumer request (see Exercising Access, Deletion and Opt-out Rights), and subject to certain limitations that we describe below, we will disclose such information to you.

You have the right to request any or all of the following:

The categories of personal information we collected about you.
The categories of sources from which the personal information is collected.
Our business or commercial purpose for collecting or selling that personal information.
The categories of third parties with whom we share that personal information.
The specific pieces of personal information we collected about you.

A. Right to Request Deletion

You have the right to request that we delete any of your personal information that we have collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Deletion and Opt-out Rights), we will delete (and direct our service providers to delete) your personal information from our records. However, we may retain personal information that has been de-identified or aggregated. Furthermore, we may deny your deletion request if retaining the information is necessary for us or our service provider(s) to perform certain actions, such as detecting security incidents and protecting us from illegal activity.

B. No Sale of Personal Information

We do not ‘sell’ your personal information, as the term “sell" is defined under the CCPA.

C. Exercising Access, Deletion and Opt-out Rights

To exercise the access and deletion rights described above, please submit a request to by emailing the Mind Gym Data Protection Office at dpo@themindgym.com

The request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. In addition, you should provide sufficient information that allows us to reasonably verify that you are the person about whom we collected the personal information. If you use an authorised agent to make request, you must provide the authorized agent written permission to do so, and we may require that you verify your identity directly with us. To protect the security of your personal information, we will not honour a request if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. The method used to verify your identity will vary depending on the nature of the request. You have the right not to receive discriminatory treatment for exercising any of your privacy rights.