Effective date: 1st May 2026
Last updated: May 2026
1. Who We Are
Mental Health Innovations (“MHI”, “we”, “us”, “our”) is the data controller for personal data collected through the Digital Training Platform (the “Platform”). MHI is a registered charity in England and Wales, PO Box 78319, London, W10 9FE. MHI’s registered charity number is 1175670. We are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Data Protection Contact: dataprotection@mhiuk.org
If you have any questions about how we handle your personal data, or you wish to exercise your rights, please contact us at the address above.
2. Who This Notice Applies To
This notice applies to all individuals who register for an account on the Platform, whether:
• you are an individual purchasing access directly (B2C); or
• you are an employee, contractor, or representative of a commercial organisation that has purchased access on your behalf (B2B).
Where a commercial organisation provides you with an access token, that organisation may be a joint controller or independent controller in its own right for any personal data it holds about you. We recommend you also review your employer’s privacy notice.
3. Personal Data We Collect
When you register and use the Platform, we collect and process the following categories of personal data:
| Category | Category Data Elements | Purpose |
|---|---|---|
| Account Information | First name, last name, email address, mobile phone number | Account creation, authentication, communication |
| Learning Data | Course(s) registered on, course progress, activity history, course notes | Delivering training, tracking progress, improving content |
| Completion Records | Completion certificates | Evidencing achievement, verification |
| Payment Tokens | Token identifier (no payment card data) | Validating access entitlement |
| Optional Profile Data | Interests, profile picture, and any other optional fields you choose to complete | Personalising your experience (provided at your discretion) |
| Technical / Cookie Data | IP address, browser type, pages visited, session identifiers | Platform operation, basic analytics, security |
Payment card data
We do not collect, store, or process your payment card details. Payments are processed by a third-party payment provider using Stripe. Your card data is handled entirely by that third party and Stripe in accordance with their own privacy notices and PCI DSS obligations.
4. Lawful Bases for Processing
Because you register for an account before purchasing a course, we rely on different lawful bases at different stages of your journey with the Platform.
Stage 1 - Registration (before purchase)
At the point you create your account, no contract exists between us. We collect your account information (name, email, mobile number) on the basis of our legitimate interests under Article 6(1)(f) UK GDPR - specifically, the interest in allowing prospective users to create an account and browse available courses in preparation for a purchase. We have carried out a legitimate interests assessment and are satisfied that this processing is proportionate and does not override your rights, given the limited data collected and the clear benefit to you of being able to set up your account.
Stage 2 - From the point of purchase
Once you (or your organisation) purchase a course, a contract is formed. From that point, the collection and processing of your account information, learning data, and completion records becomes necessary for the performance of that contract under Article 6(1)(b) UK GDPR.
The table below summarises the lawful bases for all processing activities:
| Processing Activity | Lawful Basis | Detail |
|---|---|---|
| Account registration (pre-purchase) | Legitimate interests (Art. 6(1)(f)) | Enabling you to create an account and explore courses before committing to purchase |
| Delivering training and tracking progress (post-purchase) | Contract (Art. 6(1)(b)) | Necessary to perform our contract with you or your organisation |
| Issuing completion certificates | Contract (Art. 6(1)(b)) | Fulfilment of the training service |
| Post-contract retention of account, learning and certificate data | Legitimate interests (Art. 6(1)(f)) | To evidence performance, manage disputes, and establish, exercise, or defend legal claims within the 6-year limitation period (Limitation Act 1980) |
| Basic analytics and cookies | Legitimate interests (Art. 6(1)(f)) | Improving platform performance and user experience |
| Marketing communications | Consent (Art. 6(1)(a)) | Only where you have opted in; you may withdraw consent at any time |
| Optional profile data (interests, profile info/picture) | Legitimate interests (Art. 6(1)(f)) | Voluntarily provided by you. You can remove this data at any time. |
| Security and fraud prevention | Legitimate interests (Art. 6(1)(f)) | Protecting the Platform and users from unauthorised access |
5. How We Use Your Data
We use your personal data to:
- create and manage your account on the Platform;
- validate your access token and entitlement;
- deliver course content and track your learning progress;
- issue completion certificates;
- communicate with you about your account or courses (e.g. reminders, updates);
- send marketing communications where you have opted in;
- operate and improve the Platform through basic analytics; and
- comply with legal obligations and protect against fraud.
6. Data Sharing with Your Organisation (B2B Users)
Where your employer or contracting organisation has purchased access to the Platform on your behalf, we may share the following data with that organisation:
- your name and email address;
- course enrolment and completion status;
- certificates of completion; and
- aggregated progress and activity data.
This sharing is necessary for the performance of our contract with that organisation. Your organisation is responsible for its own use of this data in accordance with its own privacy notice.
7. Other Recipients of Your Data
We may share your personal data with:
- hosting and infrastructure providers located in the UK and EEA who operate the Platform on our behalf;
- analytics providers who help us understand Platform usage (limited to non-identifying or pseudonymised data where possible);
- our third-party payment partner and Stripe, solely for payment processing and token validation (they do not receive your learning data); and
- law enforcement, regulators, or other authorities where required by law.
All third-party processors are bound by data processing agreements in accordance with Article 28 UK GDPR.
8. International Transfers
Your personal data is stored and processed within the United Kingdom and the European Economic Area (EEA). We do not routinely transfer personal data outside the UK/EEA.
If any transfer outside the UK/EEA becomes necessary (for example, through a sub-processor), we will ensure appropriate safeguards are in place, such as the UK International Data Transfer Agreement (IDTA), UK Addendum to EU Standard Contractual Clauses, or an adequacy decision by the Secretary of State.
9. Data Retention
We retain your personal data for as long as necessary to fulfil the purposes described in this notice. Specifically:
| Data Category | Retention Period | Rationale |
|---|---|---|
| Account information (name, email, mobile) | Duration of active use, plus 6 years from date of last contract (i.e. last course purchase or completion) | Contractual basis (Art. 6(1)(b)), then Legitimate interests after the contract ends to evidence performance, manage performance, establish, exercise or defend disputes or legal claims, under the Limitation Act 1980 |
| Learning data (course enrolment, progress, activity history, notes) | Duration of active use, plus 6 years from course completion or last activity | Contractual basis. Forms part of the service record and may be required to evidence delivery of the contracted training |
| Completion certificates | 6 years from date of issue | Contractual basis. Evidences achievement and may be needed for verification, regulatory, or dispute-resolution purposes |
| Payment tokens | 6 years from date of transaction | Contractual basis. Required to evidence entitlement and resolve payment-related disputes within the limitation period |
| Optional profile data (interests, profile picture) | Deleted when the user clears the data, or 12 months after last account activity, whichever is sooner | Legitimate interests basis. Not necessary for contract performance, so a shorter retention period applies |
| Pre-purchase registration data (accounts that never purchase) | 12 months from registration if no purchase is made | Legitimate interests basis only (no contract formed). Limited justification for extended retention |
| Cookie and analytics data | No longer than 12 months | Legitimate interests basis. Retained only for ongoing platform improvement |
Where we are required by law to retain data for a longer period (for example, for tax or regulatory compliance), we will do so for the minimum period required.
10. Cookies
The Platform uses cookies and similar technologies for:
- essential operation (e.g. session management, authentication);
- basic analytics (e.g. page views, session duration) to help us improve the Platform.
We do not use advertising or cross-site tracking cookies. You can manage cookie preferences through your browser settings. Disabling essential cookies may affect Platform functionality.
For more detail, please refer to our Cookie Policy.
11. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access - to request a copy of the personal data we hold about you.
- Right to rectification - to request correction of inaccurate or incomplete data.
- Right to erasure - to request deletion of your data in certain circumstances.
- Right to restrict processing - to request we limit how we use your data.
- Right to data portability - to receive your data in a structured, commonly used, machine-readable format.
- Right to object - to object to processing based on legitimate interests.
- Right to withdraw consent - where processing is based on consent (e.g. marketing), you may withdraw at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, please contact us at dataprotection@mhiuk.org. We will respond within one month of receiving your request. We may ask you to verify your identity before processing your request.
12. Complaints
If you are dissatisfied with how we have handled your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
- Website: ico.org.uk
- Telephone: 0303 123 1113
We would, however, appreciate the opportunity to address your concerns before you contact the ICO.
13. Changes to This Notice
We may update this privacy notice from time to time. Where changes are material, we will notify you by email or through a prominent notice on the Platform. The “Effective date” and “Last updated” dates at the top of this notice indicate the current version.
14. Contact Us
If you have any questions about this privacy notice or our data practices, please contact:
Data Protection Contact
MHI (UK)
Email: dataprotection@mhiuk.org