Privacy notice

Last updated: August 2025

This Privacy Notice explains how The Bravest Path Ltd (“we”, “us”, “our”) collects and uses personal data when you visit our websites, attend our events or programmes, use our learning platform, receive our emails, or otherwise interact with us.

We are committed to handling personal data lawfully, fairly and transparently in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).

If anything here is unclear, please contact us using the details in section 16.

1. Who we are and how to contact us

Controller: The Bravest Path Ltd, a company registered in England and Wales (No. 11050995).
Registered office: Ashbourne House, Old Portsmouth Road, Artington, Guildford, Surrey GU3 1LR, United Kingdom
Data Protection Lead: We have appointed a Data Protection Lead (not a statutory DPO).
Contact: info@thebravestpath.com

This notice covers our public websites, learning and community portals, webinars, surveys, email communications, and any service that links to it. If a specific product or client engagement has its own privacy terms, those will apply for that context.

2. When we act as controller or processor

  • Controller: We are the controller for data we collect directly from you through our sites, sign‑up forms, evaluations, marketing, enquiries and billing.

  • Processor for clients: For commissioned programmes delivered to an employer or commissioning body (for example, an NHS Trust), we usually process participant data on behalf of that client under a data processing agreement. In those cases the client’s privacy notice will explain how your data is used, and we act only on their instructions.

3. Personal data we collect

We collect and process the following categories of personal data, as appropriate to your relationship with us:

  • Identity and contact: name, email, phone, job title/role/band, organisation, location/region.

  • Account and participation: registrations, attendance, learning progress, completion status, certificates, community interactions, support tickets.

  • Communications and feedback: survey responses, evaluations, testimonials, queries, and correspondence.

  • Recordings: webinar or event recordings, including audio, video, chat and Q&A where sessions are recorded and you choose to participate.

  • Technical and usage: IP address, device and browser details, approximate location, referring URLs, pages viewed, interaction data, cookie identifiers and similar technologies. See section 10.

  • Billing: purchase history, invoicing details and payment references (we use payment and accounting providers; we do not store full card numbers).

  • Special category data (limited): we do not seek special category data. If you voluntarily share sensitive information in a survey, evaluation or coaching context, we rely on your explicit consent or, where applicable, process it on behalf of your employer as their processor, with appropriate safeguards.

Sources: directly from you; your employer or commissioning body when they book you on a programme; our service providers; and public sources where appropriate.

4. Why we use your data and our lawful bases

We only use personal data where we have a lawful basis. The main purposes and bases are:

  • Provide our services: registrations, enrolment, event delivery, learning access, certificates, participant support. Basis: contract and legitimate interests.

  • Client reporting and programme administration: attendance, completion status, aggregated outcomes for the commissioning client. Basis: contract, legitimate interests.

  • Improve and secure our services: troubleshooting, analytics, service monitoring, security and fraud prevention. Basis: legitimate interests and legal obligations.

  • Marketing and updates: newsletters, event invitations, and content that may interest you. Basis: consent for individuals where PECR requires it, or legitimate interests for corporate subscribers, with opt‑out in all cases. See section 9.

  • Recordings: to make session recordings available to registered participants, quality assurance and to evidence delivery. We will notify you when a session is recorded and provide reasonable choices. Basis: legitimate interests or contract.

  • Legal and regulatory: bookkeeping, taxation, and responding to lawful requests. Basis: legal obligation.

  • Special category data (if volunteered): only with your explicit consent or as processor for your employer under their instructions.

You can object to processing based on our legitimate interests where your rights override those interests. See section 12.

5. If you do not provide data

Where we need data to deliver a service or meet legal requirements, we may be unable to provide that service without it.

6. Automated decision‑making

We do not make decisions based solely on automated processing that produce legal or similarly significant effects on you.

7. Disclosures and recipients of personal data

We share personal data, where necessary and appropriate, with:

  • Commissioning clients for commissioned programmes, so they can manage attendance, impact and outcomes.

  • Service providers (processors) under contract, who only process data on our instructions, such as: learning platforms and community portals, video conferencing and hosting, email and marketing platforms, survey tools, CRM and form tools, cloud hosting and storage, analytics, automation tools, customer support, accounting and payment providers.

  • Professional advisers and insurers.

  • Authorities and regulators where required by law.

  • Potential buyers or transferees in the event of a reorganisation.

We publish an up‑to‑date list of our main categories of processors on request.

8. International transfers

We are UK‑based. Some of our service providers are located outside the UK and the EEA. Where we make restricted transfers, we use appropriate safeguards, such as:

  • The UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, including transfer risk assessments, or

  • Adequacy mechanisms recognised by the UK (for example, the UK‑US Data Bridge for certified US organisations), or

  • The EU‑US Data Privacy Framework where relevant for EU data handled for clients.

We do not rely on implied consent by use of our site for international transfers.

9. Marketing and your choices (PECR)

  • We send email marketing to individuals only with your consent, unless the soft opt‑in applies to our own similar products or services.

  • We may send marketing to corporate subscribers (for example, name@nhs.net) based on our legitimate interests, and will always provide an easy way to opt out.

  • You can change your preferences or unsubscribe at any time using the link in our emails or by contacting us.

10. Cookies and analytics

We use cookies and similar technologies to operate the site, remember preferences, measure performance and, where you consent, to help tailor content and marketing. You can manage your choices at any time via the Cookie Settings link on our site.

Cookie categories we use include:

  • Strictly necessary for core functionality.

  • Performance/analytics to understand usage and improve the site.

  • Functional to remember choices.

  • Advertising/targeting where enabled.

For analytics and ad platforms we configure them to respect your choices. See each provider’s privacy pages for details. We follow UK ICO guidance for e‑privacy and cookies.

11. Retention

We keep personal data only as long as necessary for the purposes above. Typical retention periods are:

  • Programme records: usually up to 6 months after programme end.

  • Contracts, invoices and financial records: 6–7 years for tax/audit.

  • Recordings: typically up to 24 months unless needed longer for programme access agreed with the client.

  • Marketing preferences: until you opt out, with regular reviews.

  • Support correspondence and access logs: usually 12–24 months.

Where data is held on behalf of a client as processor, we follow the client’s retention instructions.

12. Your rights

Depending on your location and the circumstances, you may have the right to:

  • access a copy of your personal data;

  • have inaccurate data corrected;

  • have data erased in certain cases;

  • restrict or object to processing, including objections to marketing;

  • data portability for information you provided to us;

  • withdraw consent where we rely on consent;

  • complain to the Information Commissioner’s Office (ICO) if you are unhappy with how we handle your data.

ICO contact: Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Helpline: 0303 123 1113. Website: ico.org.uk.

13. Exercising your rights

Email info@thebravestpath.com with the subject line “Data rights request”. We may ask for information to verify your identity and to help us locate your data. If we process your data on behalf of a client as their processor, we will direct your request to that client where appropriate.

14. Children

Our services are designed for adults in professional settings. We do not knowingly collect data from children under 16. If you believe a child has provided personal data to us, please contact us so we can delete it.

15. Security

We implement appropriate technical and organisational measures to protect personal data, including access controls, encryption in transit for our websites and platforms, secure configurations, staff confidentiality commitments, and supplier due diligence. No system can be guaranteed 100% secure. If you suspect unauthorised access to your account or data, contact info@thebravestpath.com immediately.

16. How to contact us

The Bravest Path Ltd
Ashbourne House, Old Portsmouth Road, Artington, Guildford, Surrey GU3 1LR, United Kingdom
Email: info@thebravestpath.com

17. Changes to this notice

We will update this notice when needed and will post the latest version here. Material changes will be highlighted for a reasonable period.

18. Third‑party links and platforms

Our sites may contain links to third‑party websites and platforms. Their privacy notices apply when you visit those services. We are not responsible for their practices.

Important client addendum for commissioned programmes

Where we deliver a programme commissioned by your employer or an NHS body, we typically process your data under a contract with that organisation and according to their instructions. We may provide the client with attendance, completion and high‑level outcomes to help them evaluate impact. If you have questions about how your data is used in that context, please refer to your employer’s privacy notice or contact us and we will assist.

Version control

Version 2025‑08‑01