Privacy Policy

Protecting Your Confidentiality is Our Utmost Priority.

MDA Training Limited Privacy Policy 

Updated draft aligned to current MDA website activity and UK privacy notice expectations 

Last updated: 16 April 2026 

This draft is written as a single public-facing privacy policy for MDA’s website, sales and marketing activity, events, digital learning, simulations and client delivery work. Where a client-specific or role-specific notice applies, that separate notice should also be provided. 

  This Privacy Policy explains how MDA Training Limited (“MDA”, “we”, “us” or “our”) collects, uses, stores and shares personal data when you visit www.mdatraining.com, contact us, register for an event, use one of our digital learning, assessment or simulation platforms, purchase services from us, or otherwise interact with us.

1. Who we are

MDA Training Limited is a company registered in England and Wales under company number 02192786. Our registered office is Greensleeves House, Highfield, Banstead, Surrey, United Kingdom, SM7 3LJ. 

You can contact us about this policy or your personal data at: 

• Email: enquiries@mdatraining.com
• Telephone: +44 (0)20 7233 9393
• Post: Greensleeves House, Highfield, Banstead, Surrey, United Kingdom, SM7 3LJ

2. Scope of this policy and our role

This policy applies to personal data processed through our website, sales and marketing activity, events, digital platforms, simulations, learning solutions, assessments and related business operations, unless a separate privacy notice applies. 

Depending on the context, MDA may act as either: 

• **Data controller** – for example when we manage our website, enquiries, marketing, billing, supplier relationships, business administration, security and compliance; or
• **Data processor** – for example where a client asks us to deliver a programme, event, simulation or assessment on its behalf using participant data supplied by that client and processed under its instructions.

If you take part in an MDA programme, assessment or event through your employer, university, client organisation or another sponsor, that organisation may also have its own privacy notice which you should read alongside this one. 

3. The personal data we may collect

Depending on how you interact with us, we may collect and use the following categories of personal data: 

• identity and contact data, such as your name, job title, employer, email address, telephone number and postal address;
• organisation and relationship data, such as the company you work for, your role, your sector, programme participation details, meeting notes and enquiry history;
• account and transaction data, such as login details, purchases, invoices, payment status and order history;
• learning, event and service delivery data, such as attendance, participation, course activity, simulation outputs, assessment responses, progress records, feedback and support requests;
• marketing and communications data, such as your preferences, subscriptions, consent choices and records of communications with us;
• technical and usage data, such as IP address, browser type, operating system, device information, time zone, log data and information about how you use our website or platforms; and
• any other personal data you choose to provide to us.

We generally do not seek special category personal data. However, in limited cases we may process information such as health, dietary or accessibility requirements where this is necessary to support attendance at an event, make reasonable adjustments, or deliver services safely and appropriately. 

4. How we collect personal data

We may collect personal data: 

• directly from you, including when you complete a contact form, email us, speak to us, register for an event, attend a programme, use a digital platform, submit an assessment or purchase a service;
• from the organisation that engages us to provide services to you or your cohort, such as your employer, university or another sponsoring client;
• automatically through our website or digital platforms using logs, cookies and similar technologies; and
• from carefully selected service providers, event partners or publicly available professional sources where permitted by law.

5. How we use your personal data and our lawful bases

We use personal data only where the law allows us to do so. Depending on the context, we rely on one or more of the following lawful bases under UK data protection law: consent, performance of a contract, taking steps at your request before entering into a contract, compliance with a legal obligation, and legitimate interests. 

We may use your personal data for the following purposes:

1. To respond to enquiries and arrange meetings, demonstrations or proposals

Lawful basis: steps at your request before entering into a contract and/or our legitimate interests in developing and managing client relationships.

2. To deliver our services

This includes training programmes, workshops, simulations, digital learning, events, assessments, reporting, learner support and related administration. 

Lawful basis: performance of a contract, our legitimate interests in delivering services effectively, and where we act for a client, processing in accordance with that client’s instructions.

3. To create and manage accounts, orders, purchases and payments

Lawful basis: performance of a contract and compliance with legal obligations relating to accounting, tax and financial reporting.

4. To administer and improve our website, platforms and services

This includes testing, troubleshooting, analytics, service optimisation, business planning and record keeping. 

Lawful basis: our legitimate interests in running and improving our business, and consent where required for non-essential cookies or similar technologies.

5. To send service communications

This includes updates about bookings, purchases, events, programme logistics, account matters and support. 

Lawful basis: performance of a contract, legal obligation and/or our legitimate interests in delivering services and maintaining appropriate records.

6. To send marketing communications

This includes newsletters, invitations, insight content and information about our services, events and products. 

Lawful basis: consent where required by law, and otherwise our legitimate interests in promoting relevant services in a business-to-business context, always subject to your right to opt out.

7. To protect our business, website, users and systems

This includes monitoring, fraud prevention, security, network management, investigating misuse and enforcing our legal rights. 

Lawful basis: our legitimate interests and, where applicable, compliance with legal obligations.

8. To comply with legal and regulatory requirements

This includes handling complaints, responding to lawful requests, safeguarding records, defending claims and complying with regulators, courts, tax authorities or law enforcement. 

Lawful basis: legal obligation and/or our legitimate interests in establishing, exercising or defending legal claims. 

Where we process special category personal data, we will do so only where we have both a lawful basis and an additional condition under applicable law. Where appropriate, we will ask for your explicit consent. 

6. Marketing

We may contact you by email, telephone, post or other business communication channels about our services, events, insights and related content, but only in accordance with applicable law, including the Privacy and Electronic Communications Regulations (PECR) where relevant. 

You can opt out of marketing at any time by using the unsubscribe link in an email, by replying to the message, or by contacting us using the details in this policy. We may still send you non-marketing service messages where necessary. 

7. Cookies and similar technologies

Our website and digital services may use cookies, pixels, local storage and similar technologies. Some are strictly necessary for the operation, security and basic functionality of the site or platform. Others, such as analytics, preference or marketing technologies, may be used only where you have given consent when consent is required. 

Where we use third-party media, event, analytics or platform tools, those providers may also process technical information in line with their own privacy notices. You can manage your cookie preferences through any cookie banner, settings tool or browser controls made available to you. 

8. Sharing your personal data

We do not sell your personal data. 

We may share personal data, where appropriate, with: 

• the client, employer, university or sponsoring organisation that asked us to deliver a service to you or your cohort;
• learning platform, simulation, assessment, hosting, cloud storage, CRM, payment processing, event management, videoconferencing, IT support and email service providers who support our operations;
• professional advisers such as lawyers, auditors, insurers and accountants;
• regulators, public authorities, courts, law enforcement agencies or other third parties where disclosure is required by law or necessary to protect our rights; and
• prospective buyers, investors or group restructuring advisers if our business or assets are sold, transferred or reorganised, subject to appropriate confidentiality protections.

Where third parties process personal data on our behalf, we require them to do so under written contracts with appropriate confidentiality, security and data protection obligations. 

9. International transfers

Some of our service providers or clients may operate outside the UK. Where we transfer personal data outside the UK, we will do so only when permitted by law and with appropriate safeguards in place. 

Depending on the circumstances, those safeguards may include: 

• transfer to a country covered by UK adequacy regulations;
• the use of the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses; or
• another lawful transfer mechanism or exception recognised under UK data protection law.

You can contact us if you would like more information about the safeguards used for a particular transfer. 

10. Data security

We use appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful processing, accidental loss, destruction or damage. These measures may include access controls, secure systems, role-based access, contractual controls with suppliers and processes for handling security incidents. 

No method of transmission or storage is completely secure. However, we take data security seriously and review our safeguards regularly. 

11. How long we keep personal data

We keep personal data only for as long as reasonably necessary for the purposes for which it was collected, including to meet legal, regulatory, tax, accounting, contractual and reporting obligations. 

Our typical retention approach is: 

• **Enquiries and prospect records:** usually up to 24 months after the last meaningful contact, unless a longer period is justified.
• **Client, supplier and business relationship records:** usually for the duration of the relationship and up to 6 years afterwards.
• **Programme, event, simulation and assessment records:** for as long as needed to deliver the relevant service and then in line with client instructions, contractual commitments and legal requirements; where MDA is the controller, this is typically no longer than reasonably necessary and often up to 6 years after the relevant engagement unless a different period is justified.
• **Financial and transaction records:** usually up to 6 years after the end of the relevant financial year, or longer if required by law.
• **Marketing suppression records:** as long as needed to ensure we respect your opt-out request.
• **Technical logs and cookie-related data:** in line with operational need, our cookie settings and the relevant provider retention periods.

We may keep anonymised information for longer where it no longer identifies you. 

12. Your rights

Subject to applicable law, you may have the right to: 

• be informed about how your personal data is used;
• request access to the personal data we hold about you;
• request correction of inaccurate or incomplete personal data;
• request erasure of your personal data in certain circumstances;
• request restriction of processing in certain circumstances;
• object to processing based on legitimate interests, including direct marketing;
• request portability of personal data where applicable;
• withdraw consent at any time where we rely on consent;
• ask for human review if you are subject to a solely automated decision with legal or similarly significant effects, where that right applies; and
• lodge a complaint with the Information Commissioner’s Office (ICO).

If you would like to exercise any of your rights, please contact us using the details in section 16. We may need to verify your identity before responding. 

13. Automated decision-making

We may use automated tools to support administration, scoring, reporting, analytics or platform functionality. However, we do not normally make decisions about individuals based solely on automated processing where those decisions have legal or similarly significant effects without meaningful human involvement. If this changes for a particular service, we will provide additional information. 

14. Third-party sites and services

Our website, emails and platforms may contain links to third-party websites, applications, plug-ins, video platforms, social media services or other external services. If you follow those links or interact with those services, your personal data will be processed according to the relevant third party’s own privacy information. We are not responsible for the privacy practices of third-party sites or services we do not control. 

15. Changes to this policy

We may update this policy from time to time to reflect changes in our services, website, legal obligations or operational practices. When we do so, we will post the updated version on the relevant website or platform and update the “Last updated” date at the top of the policy. 

16. Contact us and complaints

If you have questions about this policy, would like to exercise a privacy right, or want to raise a concern about how we use your personal data, please contact: 

MDA Training Limited  

Greensleeves House, Highfield, Banstead, Surrey, United Kingdom, SM7 3LJ   

Email: enquiries@mdatraining.com   

Telephone: +44 (0)20 7233 9393 

We would appreciate the chance to address your concerns first. You also have the right to complain to the Information Commissioner’s Office if you believe your personal data has been handled unlawfully or unfairly.