Home · Privacy

Privacy Policy

Last updated: 20 April 2026

1. Who we are

MEM Academy CIC ("MEM", "we", "us") is a Community Interest Company registered in England and Wales (Company No. 09702792). We are the data controller for personal data collected through this platform.

Contact: hello@memacademy.org.uk

2. What data we collect

  • Self-referrals (/get-started): name, optional contact details, current situation, pathway interest, free-text notes.
  • Third-party referrals (/refer): referrer name and contact, organisation type, plus the candidate's name, location, situation and any context shared.
  • Account data: email address, role (candidate/employer/gym partner/staff), authentication metadata.
  • Outcome surveys: voluntary wellbeing (ONS4) and physical activity (IPAQ) responses for impact reporting.
  • Technical data: anonymous session identifiers, browser/device information, error logs.

3. Lawful basis

We process personal data under one or more of: (a) consent (referral forms, marketing); (b) legitimate interests (running the platform, safeguarding, fraud prevention); (c) contract (gym partners, employers); (d) legal obligation (safeguarding, financial records).

4. How we use your data

  • To match you to the right MEM pathway and follow up.
  • To route referrals to the appropriate coach or partner.
  • To produce anonymised, aggregated impact reports for funders and the public.
  • To meet safeguarding and governance obligations.

5. Who we share data with

We never sell personal data. We share only with:

  • Sub-processors that host the platform and send transactional email, under written data-processing agreements.
  • Partner organisations (HMPPS, probation, gyms, employers) only where you have consented or there is a lawful basis.
  • Authorities, where required by law or to protect a vulnerable person.

6. Retention

Referral and account records are kept for up to 6 years to meet funder, audit and safeguarding requirements, then deleted or anonymised. You can request earlier deletion at any time.

7. Your rights

Under UK GDPR you have the right to access, rectify, erase, restrict or port your data, and to object to processing or withdraw consent. To exercise any right, email hello@memacademy.org.uk. You can also complain to the Information Commissioner's Office (ico.org.uk).

8. Security

Data is encrypted in transit and at rest. Access is restricted by role-based controls. We are working towards Cyber Essentials Plus certification.

9. Changes

We will update this page when our practices change and revise the "Last updated" date above.