Privacy Policy - The Mend Collective Ltd

The Mend Collective Ltd -- Privacy Policy

Effective date: 30 October 2025

Company No. 16805268

Registered office: 30 Stratford Road, Milton Keynes MK12 5LW UK

Contact email: help@mendcollective.health

1. Who we are

The Mend Collective Ltd ("we", "us", "our") provides digital education, coaching and community support for people living with chronic conditions.

We are the data controller for the personal information you provide when you use our website, platform or assessment tools.

Certain trusted companies process information on our behalf under signed Data Processing Agreements (DPAs) and strict confidentiality obligations.

2. Information we collect

We collect and store the following types of information when you use our services:

  • Account details -- name, email address, login credentials (hash only).
  • Billing information -- subscription records and payments (handled by a secure payment processor).
  • Health and lifestyle information -- diagnoses, symptoms and preferences you choose to share through our assessments or questionnaires ("special category data").
  • Community engagement data -- posts, comments, attendance at sessions and usage metrics within our platform.
  • Technical data -- IP address, device type and browser information collected via essential cookies.
  • Marketing preferences -- whether you have opted in to receive updates or newsletters.

You are not required to share health information, but if you do, it helps us personalise your programme safely.

3. How we use your information

| Purpose | Example | Lawful basis (UK GDPR) |
|---|---|---|
| To provide your membership and personalised programme | Creating your plan and assigning you to the right pathway | Contract |
| To process payments and subscriptions | Secure billing and renewals | Contract / Legal obligation |
| To store and analyse health data securely | Tailoring recommendations and monitoring progress | Explicit consent (Art 9) |
| To send service messages and platform updates | Programme reminders or maintenance notices | Legitimate interest |
| To send marketing emails (if you opt in) | Newsletters and new offer announcements | Consent |
| To maintain security and prevent fraud | Access logging and fraud detection | Legitimate interest |

4. How we obtain consent for health data

Before you submit any information about your health or symptoms, you will be shown a clear consent statement and checkbox explaining how your data will be used.

Your response is timestamped and stored for audit purposes.

You may withdraw consent at any time by emailing help@mendcollective.health.

Important: Withdrawal does not affect processing carried out before you withdrew consent.

5. Who has access to your data

We only share data with carefully selected service providers that help us deliver our services safely and efficiently, for example:

  • Platform and hosting providers that run our community and assessment tools
  • Payment processors that manage subscriptions securely
  • Automation and database providers that transfer data between systems under encryption
  • Communication tools for live sessions and customer support
  • Cloud storage providers for internal document security

Each provider operates under a signed DPA and has been assessed for security and privacy standards.

Data may be processed outside the UK under approved safeguards (such as the UK International Data Transfer Addendum or Standard Contractual Clauses).

A full list of our current processors is available on request to help@mendcollective.health.

6. How we protect your data

We apply multiple technical and organisational measures:

  • Encryption in transit (HTTPS/TLS) and at rest (AES-256 or equivalent)
  • Multi-factor authentication for all staff accounts
  • Role-based access control (only authorised team members can view personal data)
  • Regular access audits and password rotation
  • Secure cloud storage with business-grade encryption and audit logging
  • Confidentiality and data-handling clauses in all contractor agreements

If we ever suspect a breach, our Incident Response Plan ensures assessment and ICO notification within 72 hours if required.

7. Data retention

| Category | Retention period | What happens after |
|---|---|---|
| Health and assessment data | 12 months after membership ends | Secure deletion or anonymisation |
| Community content | 12 months after account closure | Removal from platform |
| Payment records | 7 years | Retained for legal / tax purposes |
| Marketing preferences | Until you unsubscribe + 3 months | Deleted from mailing lists |
| System logs | 24 months | Automatically purged |

8. Your rights

You can ask us to:

  • Access your personal data
  • Rectify any errors
  • Erase your data (where legally possible)
  • Restrict processing or object to certain uses
  • Receive a copy in portable form
  • Withdraw consent (for health or marketing data)

Email help@mendcollective.health to exercise these rights.

We verify identity before acting and respond within 30 days.

9. Children

Our platform is for adults aged 18 and over. We do not knowingly collect data from minors.

10. Cookies

We currently use only essential cookies for security and session management.

If we introduce analytics or advertising cookies in future, you will be asked for consent through our cookie banner.

11. International transfers

Where data is processed outside the UK or EEA, we apply approved transfer mechanisms (UK IDTA or Standard Contractual Clauses) and conduct Transfer Risk Assessments to verify adequacy.

12. Updates

We may update this policy from time to time to reflect legal or operational changes.

The latest version will always be available at mendcollective.health/privacy.

13. Contact and complaints

Data Protection Lead & Safeguarding Officer: Dr A. Ahmed

Email: help@mendcollective.health

If you are not satisfied with our response, you may contact the UK Information Commissioner's Office:

www.ico.org.uk | 0303 123 1113