1. Who we are
MEM Academy CIC ("MEM", "we", "us") is a Community Interest Company registered in England and Wales (Company No. 09702792). We are the data controller for personal data collected through this platform.
Contact: hello@memacademy.org.uk
2. What data we collect
- Self-referrals (/get-started): name, optional contact details, current situation, pathway interest, free-text notes.
- Third-party referrals (/refer): referrer name and contact, organisation type, plus the candidate's name, location, situation and any context shared.
- Account data: email address, role (candidate/employer/gym partner/staff), authentication metadata.
- Outcome surveys: voluntary wellbeing (ONS4) and physical activity (IPAQ) responses for impact reporting.
- Technical data: anonymous session identifiers, browser/device information, error logs.
3. Lawful basis
We process personal data under one or more of: (a) consent (referral forms, marketing); (b) legitimate interests (running the platform, safeguarding, fraud prevention); (c) contract (gym partners, employers); (d) legal obligation (safeguarding, financial records).
4. How we use your data
- To match you to the right MEM pathway and follow up.
- To route referrals to the appropriate coach or partner.
- To produce anonymised, aggregated impact reports for funders and the public.
- To meet safeguarding and governance obligations.
5. Who we share data with
We never sell personal data. We share only with:
- Sub-processors that host the platform and send transactional email, under written data-processing agreements.
- Partner organisations (HMPPS, probation, gyms, employers) only where you have consented or there is a lawful basis.
- Authorities, where required by law or to protect a vulnerable person.
6. Data retention
We keep different categories of data for different periods, based on legal, funder and safeguarding obligations:
- Account data (name, email, role, profile details): kept while your account is active and for up to 24 months after closure, then deleted or anonymised.
- Payment records (invoices, transaction metadata; no card numbers are stored by us): kept for 6 years to meet UK tax and accounting requirements.
- Safeguarding and community delivery records (session attendance, referrals, incident notes): kept for up to 6 years to meet funder, audit and safeguarding obligations, then deleted or anonymised.
- Analytics and cookies: only loaded after you give consent. Aggregated analytics are retained for up to 26 months; cookie consent choices for up to 12 months.
Where we no longer need identifiable data, we either delete it or irreversibly anonymise it so it can no longer be linked to you.
Account deletion requests
You can request deletion of your account at any time from Account & Data. Requests enter a 30-day cooling-off period during which you can cancel from the same page. After 30 days your account is closed and personal data is deleted or anonymised, except records we are legally required to retain (e.g. payment and safeguarding records, as above).
7. Your rights
Under UK GDPR you have the right to access, rectify, erase, restrict or port your data, and to object to processing or withdraw consent. To exercise any right, email hello@memacademy.org.uk. You can also complain to the Information Commissioner's Office (ico.org.uk).
8. Security
Data is encrypted in transit and at rest. Access is restricted by role-based controls. We are working towards Cyber Essentials Plus certification.
9. Changes
We will update this page when our practices change and revise the "Last updated" date above.