Privacy Policy

Data Protection Policy v1.3 updated July 2025

Introduction

The Mindfulness Association (MA) CIC (including its directors, employees, advisors and self-employed contractors) will to the best of its ability adhere to the data protection principles of the Data Protection Act (DPA) which came into force on 25 May 2018, which are:

1. Personal data shall be processed fairly and lawfully.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Personal data shall not be transferred to a country or territory unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

Use of personal data

The records we use that contain personal data are hosted by the following DPA compliant software providers:

- Customer Relationship Manager (CRM) software provider ‘Keap’;
- Membership Manager software provider ‘Customer Hub’;
- Office Support software ‘Microsoft 365’ hosted by ‘GoDaddy’;
- Accounting software ‘Quickbooks’;
- Document storage provider ‘DropBox’;
- Merchant account providers‘ Paypal’ and ‘Stripe’;
- Bank account provider ‘Triodos’.

These records are used solely for the purposes of administering course attendance and supporting continued engagement by individuals with the work of the MA. The personal data typically includes name, address, email address, payment card details (not accessible to MA employees), emails sent to individuals, courses attended and other engagement with the work of the MA (e.g. being a member, on email list, etc.) for the purposes of administering attendance on MA courses and supporting continued engagement with the work of the MA.

Emails will be reviewed and if no longer needed for these purposes will be deleted after a period of 6 to 7 years.

Personal data will be shared only with MA employees and self-employed MA tutors delivering the courses participated in (also subject to the DPA), partnering Universities (of Aberdeen and of the West of Scotland (UWS)) and course venues and only to the extent necessary for administering the attendance of individuals on MA courses and supporting engagement with the work of the MA.

Personal data will not be shared with third parties.

Collection of data

When an individual’s data is initially collected, eg. via an online booking or by being inputted manually on Keap, the individual will be made aware of the use which will be made of their information, by using the ‘Privacy Notice ’below and of this data protection policy.

Privacy Notice

The data you provide to Mindfulness Association CIC (MA) will be stored securely and will be used for the purposes of administering your attendance on MA courses and supporting your continued engagement with the work of the MA in accordance with our data protection policy, which can be downloaded from the MA’s website and is in accordance with the UK Data Protection Act. To support your engagement with us we will contact you from time to time via email with guidance to support your ongoing mindfulness practice, including details of upcoming courses, which may be of interest to you. You can opt out of receiving emails from the MA, at any time, by clicking the ‘Unsubscribe ’link at the bottom of our emails or by contacting info@mindfulnessassociation.net.

Deletion of data

At any time, you can request that your records on Keap and Customer Hub be deleted by contacting info@mindfulnessassociation.net.

Records will be deleted, where an individual has opted out of email communication, has not done any prerequisite courses with the MA and has not made any financial transactions with the MA for the previous 6 years.

Paper or electronic copies of documents held by the MA which contain personal information will be reviewed when a course ends and deleted if no longer needed for the purposes of course administration or legal compliance

Emails to and from MA course participants or other individuals making enquiries to the MA will be reviewed and if no longer needed forthe purposes will be deleted after a period of 6 to 7 years.

Paper records will be destroyed by shredding or burning.

In the event that the MA is legally obliged to keep hold of an individual’s data in order to comply with financial or other regulations then, on request it will delete all the information it can and inform the individual of any data which cannot been deleted and the reasons for this.

Right to a copy of information held

On request an individual will be provided with a copy of the information comprising their personal data and held by the MA CIC, within 40 days of the request. All such requests should be sent via email to info@mindfulnessassociation.net.

Information Security

Personal data is hosted by the following data processors, who are compliant with the new Data Protection Act:

- Bank account provider Triodos (accessible by the MA Director, Managing Director(s) and Accounts))
- Merchant Accounts Stripe and PayPal (Heather Regan-Addis, Helen Mathieson, Maria Murney and Accounts team)
- CRM provider Keap, Membership support provider Customer Hub, office support providers Microsoft 365 and GoDaddy and document storage provider DropBox accessible by MA employees and authorised IT and Accounts support contractors
- Accounts provide QuickBooks accessible by Accounts team and authorised external accountancy firm

The data security arrangements of these providers have been reviewed to ensure that they meet the requirements of the Data Protection Act.

The MA CIC Managing Director(s) and authorised IT and Account support contractors will review information security on an annual basis and review this the Membership Manager on or around 25 May each year.

No personal data will be passed to an individual who is not the individual concerned.Personal data passed on to the individual concerned will be sent to their Keap registered email address only.

On receiving or making a phone call MA employees will establish the identity of the caller before disclosing or amending any of their personal data, asking for their postcode and details of the most recent course they attended.

All MA CIC employees and authorised IT and Account support contractors work from home and will ensure that all computers used for processing personal data are password protected, that the password is secure and where possible uses 2fa and that home computers are securely stored when not in use. Computers will be screen locked or logged out of when employees are away from their desks. Desks will be cleared at the end of each day and any personal information or other sensitive information securely stored in a locked cabinet. Computer screens will be positioned so that they cannot be overlooked.

The passwords to the membership site are stored on Keap and are encrypted and so cannot be seen by those authorised to access Keap.

Care will be taken to prevent virus attacks by ensuring computers have virus protection software and undergo regular software updates and care will be taken when opening email attachments and when visiting new websites.

Contacting Our Mailing Lists

We will continue to send you the monthly upcoming courses email and other emails promoting courses that you may be interested in as a way of supporting your continued engagement with the MA. Our aim is to make these emails engaging and supportive for your ongoing mindfulness practice.

If you are a member the weekly membership emails will continue as they are now.

These emails contain an unsubscribe button at the bottom that changes your email status on Keap so that you will no longer receive emails from us.

Mindfulness Association Apps

No personal data is collected by us or will be will be given to any third party, under any circumstances. Your data will also never be used by us for any purpose without specific permission.

The app engages in no ad targeting, data mining, or other activities that may compromise your privacy, and we do not affiliate ourselves with any third parties that do so.