Mind Gym plc (“we”) are committed to protecting and respecting your privacy and complying with the data protection laws that apply to our business activities.
This notice describes how we process the personal data we obtain about our website visitors, our business clients’ employees and representatives, our individual customers, people who contact us and potential/prospective clients. Please read this notice to understand our practices regarding your personal data and how we will treat it.
For the purposes of the data protection laws applicable in the United Kingdom, the data controller of the processing described in this notice is Mind Gym plc, a company registered in England and Wales with company number 3833448 whose registered office is at 160 Kensington High Street, London, W8 7RG, United Kingdom.
In this section we explain the types of personal data we obtain, the purposes we use that data for and the legal bases we rely on to process personal data for those purposes.
2.1 Types of personal data we obtain
The types of personal data that we obtain and use in the course of our business activities are:
Website usage data: This includes:
Business operations data: This includes:
Business development data: This includes:
Coach-led participant data: data relating to or obtained from individual staff of our business clients who participate in live sessions, whether conducted face to face or remotely, that we provide at the request of our business clients. This includes:
Digital participant data: data relating to individual customers who engage with our digital products such as our mobile and web-based apps, including names, email addresses and any other information they choose to provide via our digital products, provided to us directly by those individuals when they download, install and use our digital products, and data collected automatically by the apps such as technical data about users’ devices and browsers and analytical data about their use of the app. This includes:
Special Categories of personal data: the use of some of our digital products may involve the provision of special categories of personal data (this is information as to your racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sex life or sexual orientation or genetic or biometric data). The use of these digital products and/or the provision of this information by you is entirely optional and you will be given the opportunity to explicitly consent to our use of that information for the purposes notified to you before or at the time of providing the information
2.2 Why we use personal data
Core processing purposes
This section described the purposes for which we use personal data in the normal course of our business, the types of personal data we use for those purposes and our legal bases for doing so. An explanation of what the different legal bases mean can be viewed here:
|Purposes of processing||Types of personal data||Legal basis|
|Analysing use of our website, (e.g. finding out how many people visit various parts of the site and how they use it) in order to improve our website content and our website visitors’ browsing experience, present our website in the most effective manner for our visitors, allow website visitors to participate in interactive features of our website and keep our website safe and secure.||Website usage data||Our legitimate interests in operating a website that successfully promotes our business, expertise, products and services and is engaging and convenient for our website visitors in order to drive sales and sustain and grow our business in a secure way.|
|Serving online targeted advertising to people who have shown an interest in our products and services.||Website usage data Business Development Data||Our legitimate interests in promoting our products and services to people who have engaged with our website and shown an interest in our products and services in order to drive sales and sustain and grow our business.|
|Providing our products and services, such as live sessions and follow-up communication to our business clients and individual participants.||Business operations data Coach led participant data||Our legitimate interests in providing our products and services to business clients as our core business activity.|
|Providing digital products to our business clients and individual participants||Digital participant data Special categories of personal data||Performance of a contract (where the data is necessary to provide the product or particular services requested by the individual via the product) In relation to special categories of personal data, consent given by the individual users of the products.|
|Sending marketing communications about our products and services, including our e-newsletter. Measuring, understanding and improving the effectiveness of this marketing||Business development data (where participants have indicated they are happy to receive communications)||Our legitimate interests in promoting our products and services and maintaining relationships with our business clients, individuals who have participated in our sessions and individual customers in order to drive sales and sustain and grow our business.|
|Responding to enquiries||Business operations data||Our legitimate interests in communicating with individuals who contact us in order to develop our business and client relationships and provide a good quality service to clients and potential clients.|
|Dealing with complaints||Business operations data||Our legitimate interests in providing a good quality service to clients, dealing effectively with complaints and maintaining relationships with clients.|
|Keeping business records relating to our transactions, contracts, and provision of products and services||Business operations data Coach led participant data Digital participant data||Our legitimate interests in the effective and proper administration of our business, and, where records are required to be kept by law (e.g. relating to tax), to comply with legal obligations to which we are subject.|
|Analysing and understanding use of, and feedback on, our products and services so that we can improve the content and functionality of our products and services||Business operations data Coach led participant data Digital participant data Note the above is aggregated and non-reversible so that the resulting data sets contain no personal data||Our legitimate interests in improving our products and services for the benefit of our clients and the individuals who use our products and services and to sustain and grow our business by ensuring that our products and services continually evolve to be market-leading and competitive.|
Other processing purposes
In addition to our core processing purposes set out above, we may also process personal data if and to the extent necessary for the following purposes:
|Establishing, exercising or defending legal claims||Our legitimate interests in defending legal claims brought against us, enforcing claims against others and protecting and asserting our legal rights and the legal rights of others|
|Obtaining or maintaining insurance cover, managing risks or obtaining professional advice||Our legitimate interests in protecting our business against risks|
|Compliance with a legal obligation such as a statutory or regulatory obligation or an order of a court, government body or regulator||Compliance with a legal obligation|
|Protecting a person’s vital interests||Protection of vital interests|
We may from time to time offer products and services which will be subject to specific privacy policies.
Explanation of legal bases
It is only lawful to process personal data if there is a legal basis for doing it. Below is an explanation of the legal bases referred to in this notice.
Legitimate interests: processing of personal data is necessary for the purposes of the legitimate interests of us or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the individuals to whom the personal data relate
Performance of a contract: processing of personal data is necessary to perform a contract to which an individual is a party or to take steps at the request of an individual prior to entering into a contract
Consent: an individual has given consent to the processing of his or her personal data for one or more specific purposes
Compliance with a legal obligation: processing of personal data is necessary for compliance with a legal obligation imposed by UK or EU law
Protection of vital interests: processing of personal data is necessary in order to protect the vital interests of any individual
The personal data described in this notice may be disclosed to the following categories of recipients, where and to the extent necessary for the purposes described in this notice:
Additionally, we may disclose your personal data to other organisations or individuals where disclosure is necessary for the purposes set out in the ‘Other processing purposes’ section above, for example if we are under a duty to disclose or share personal data in order to comply with any legal obligation, or in order to enforce or apply the terms of any agreement to which we are a party, or to protect the rights, property, or safety of Mind Gym, our customers, or others. This may include exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. In all cases, we will only share personal data with such recipients where and to the extent necessary for the relevant processing purpose and in accordance with applicable data protection law.
This section describes the circumstances in which the personal data described in this notice process may be transferred to countries outside the European Economic Area (EEA) or the United Kingdom and the safeguards in place to protect that data once it has been transferred.
In addition to the known transfers described above, it may become necessary to transfer personal data described in this notice to organisations based outside the EEA or the UK in connection with the purposes described in the ‘Other processing purposes’ section above. If this happens, we would ensure that such a transfer complies with the conditions for transfers stipulated by applicable data protection law.
Explanation of safeguards referred to in this section:
Adequacy decision: this means an official decision adopted by the European Commission that a country (or a territory or specified sector within a country) or international organisation ensures an adequate level of protection for personal data.
Standard Contractual Clauses: these are standard data protection clauses for data transfers between EU and non-EU countries adopted by the European Commission pursuant to a decision of the European Commission that those clauses provide an adequate level of protection for personal data transferred between the parties to those clauses. See the Europa website for more information on, and links to, the standard contractual clauses: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en
We will take appropriate technical and organisational precautions to secure the personal data we process and prevent accidental or unlawful destruction, loss or alteration and unauthorised disclosure of, or access to, that personal data.
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our sites, you are responsible for keeping this password confidential, and for all use made of your account with such password. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our sites; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.
We will notify affected individuals and any applicable regulator of any personal data breach where we are legally required to do so.
We will retain data only for so long as is necessary for the purposes for which we hold it. This may vary according to the type of personal data and the purposes for which we use it. If you would like to know what that means in respect of your personal data, please contact us by emailing email@example.com.
In determining how long we retain personal data, we take into consideration the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of the personal data, the purposes for which we process it and whether we can achieve those purposes through other means, our legal obligations, good industry practice, the guidance of relevant UK authorities such as HM Revenue & Customs, and also tax, accounting and health and safety rules.
8.1 Your rights
You have various rights under data protection law in respect of our processing of your personal data. These include rights to:
The availability of these rights varies depending on the legal basis we rely on for processing the relevant personal data, and some rights are qualified (rather than absolute) under applicable data protection law, which we will discuss with you following your request.
8.2 How to exercise these rights
You can exercise any of the rights set out above, free of charge, by using any applicable methods set out in our communications with you, or by contacting us at firstname.lastname@example.org.
We may ask you to provide further information in order to confirm your identity. Please also note that if you submit unfounded or excessive (for example repetitive) requests to exercise any of these rights, we are permitted under the applicable data protection law to charge a reasonable fee for providing the requested information or taking the requested action, or to decline your request.
For rights available for California residents under the California Consumer Privacy Act of 2018 (“CCPA”) and how to exercise them, please refer to section 13 “For California Residents”.
8.3 Complaining to a supervisory authority
You also have the right to lodge a complaint about our processing of your personal data with a supervisory authority if you are concerned that our processing breaches data protection legislation or does not respect your rights under data protection law. You may do so in the EU member state of your habitual residence, your place of work or the place of the alleged infringement. The Information Commissioner’s Office ( www.ico.org.uk ) is the supervisory authority in the UK which is responsible for overseeing the application of, and enforcing, data protection law. Relevant contact details for the ICO can be found here: https://ico.org.uk/concerns/.
You have the right to obtain from us:
Please see section 8.2 above as to how to exercise your rights under this section 9. Section 8.2 applies in full to the exercise of these access rights.
Our website may include links to third-party websites, plug-ins and applications and we may use third party apps or services to help deliver our products and services. Clicking on those links, enabling those connections, or using those third-party services may allow third parties to collect or share data about you. We do not control these third-party websites or services and are not responsible for their privacy statements or practices. When you move from our website to a third-party website using such links, or you use any of the third-party services, we encourage you to read the privacy notice of that website or service.
Any changes we make to our privacy notice in the future will be posted on our website and, where appropriate, notified to you by e-mail or other suitable method.
Questions, comments and requests regarding this privacy notice are welcomed and should be addressed to email@example.com
Pursuant to the CCPA, Mind Gym is providing the following details regarding the categories of Personal Information that we collect, use, and disclose about California residents and California residents’ rights.
We collect, and have collected within the preceding 12 months, the following categories of Personal Information, as listed in the CCPA:
Identifiers, such as name, contact information, IP address, and other online identifiers;
Personal information, as defined in the California customer records law, such as name, contact information, and employment information;
Characteristics of protected classifications under California or federal law, such as age, sex, disability status, primary language, race, citizenship, and marital status, to the extent required or permitted by applicable law;
Commercial information, such as records of products or services purchased, obtained, or considered;
Internet or network activity information, such as browsing history and interactions with our website;
Audio, electronic, visual, and similar information, such as photographs or audio and video recordings created in connection with our business activities;
Professional or employment-related information, such as work history and prior employer, information relating to references, details of qualifications, skills and experience, human resources data, and data necessary for benefits and related administration services; and
For information on the sources of these categories of Personal Information, please refer to the section 2.1 “Types of personal data we obtain” in this Policy.
For information on the third parties to whom these categories of Personal Information are shared, please refer to the section 4 “Who we disclose personal data to” of this Policy.
If you are a resident of California and subject to the CCPA or have similar rights by law in your jurisdiction, you have the right to request that we disclose certain information to you about our collection, use, disclosure, or sale of your personal information over the past 12 months. Once we received and verified your consumer request (see Exercising Access, Deletion and Opt-out Rights), and subject to certain limitations that we describe below, we will disclose such information to you.
You have the right to request any or all of the following:
A. Right to Request Deletion
You have the right to request that we delete any of your personal information that we have collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer request (see Exercising Access, Deletion and Opt-out Rights), we will delete (and direct our service providers to delete) your personal information from our records. However, we may retain personal information that has been de-identified or aggregated. Furthermore, we may deny your deletion request if retaining the information is necessary for us or our service provider(s) to perform certain actions, such as detecting security incidents and protecting us from illegal activity.
B. No Sale of Personal Information
We do not ‘sell’ your personal information, as the term “sell" is defined under the CCPA.
C. Exercising Access, Deletion and Opt-out Rights
To exercise the access and deletion rights described above, please submit a request to by emailing the Mind Gym Data Protection Office at firstname.lastname@example.org
The request should include your contact information and describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it. In addition, you should provide sufficient information that allows us to reasonably verify that you are the person about whom we collected the personal information. If you use an authorised agent to make request, you must provide the authorized agent written permission to do so, and we may require that you verify your identity directly with us. To protect the security of your personal information, we will not honour a request if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. The method used to verify your identity will vary depending on the nature of the request. You have the right not to receive discriminatory treatment for exercising any of your privacy rights.